Compare commits
14 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3a1485213a | |||
| 9dbf6fdeb5 | |||
| 9496dd5336 | |||
| 29d28fba93 | |||
| 8196de4fa3 | |||
| 6fddafe9fd | |||
| 1e89062167 | |||
| 21a24fd95b | |||
| 03ef5e7f6e | |||
| 415b82a84a | |||
| f304cc67b4 | |||
| 0e12706176 | |||
| 6daf4c914d | |||
| 36e4341315 |
51
changelog.md
51
changelog.md
@ -1,5 +1,56 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
|
||||
Add allowSessionTicket option to control TLS session ticket handling
|
||||
|
||||
- Introduce 'allowSessionTicket' flag (default true) in PortProxy settings to enable or disable TLS session resumption via session tickets.
|
||||
- Update SniHandler with a new hasSessionResumption method to detect session ticket and PSK extensions in ClientHello messages.
|
||||
- Force connection cleanup during renegotiation and initial handshake when allowSessionTicket is set to false and a session ticket is detected.
|
||||
|
||||
## 2025-03-11 - 3.40.0 - feat(SniHandler)
|
||||
Add session cache support and tab reactivation detection to improve SNI extraction in TLS handshakes
|
||||
|
||||
- Introduce a session cache mechanism to store and retrieve cached SNI values based on client IP (and optionally client random) to better handle tab reactivation scenarios.
|
||||
- Implement functions to initialize, update, and clean up the session cache for TLS ClientHello messages.
|
||||
- Enhance SNI extraction logic to check for tab reactivation handshakes and to return cached SNI for resumed connections or 0-RTT scenarios.
|
||||
- Update PSK extension handling to safely skip over obfuscated ticket age bytes.
|
||||
|
||||
## 2025-03-11 - 3.39.0 - feat(PortProxy)
|
||||
Add domain-specific NetworkProxy integration support to PortProxy
|
||||
|
||||
- Introduced new properties 'useNetworkProxy' and 'networkProxyPort' in domain configurations.
|
||||
- Updated forwardToNetworkProxy to accept an optional custom proxy port parameter.
|
||||
- Enhanced TLS handshake processing to extract SNI and, if a matching domain config specifies NetworkProxy usage, forward the connection using the domain-specific port.
|
||||
- Refined connection routing logic to check for domain-specific NetworkProxy settings before falling back to default behavior.
|
||||
|
||||
## 2025-03-11 - 3.38.2 - fix(core)
|
||||
No code changes detected; bumping patch version for consistency.
|
||||
|
||||
|
||||
## 2025-03-11 - 3.38.1 - fix(PortProxy)
|
||||
Improve SNI extraction handling in PortProxy by passing explicit connection info to extractSNIWithResumptionSupport for better TLS renegotiation and debug logging.
|
||||
|
||||
- In the renegotiation handler, create and pass a connection info object (sourceIp, sourcePort, destIp, destPort) instead of a boolean flag.
|
||||
- Update the TLS handshake processing to construct a connection info object for detailed SNI extraction and logging.
|
||||
- Enhance consistency by using processTlsPacket with cached SNI hints during fallback.
|
||||
|
||||
## 2025-03-11 - 3.38.0 - feat(SniHandler)
|
||||
Enhance SNI extraction to support fragmented ClientHello messages, TLS 1.3 early data, and improved PSK parsing
|
||||
|
||||
- Added isTlsApplicationData method for detecting TLS application data packets
|
||||
- Implemented handleFragmentedClientHello to buffer and reassemble fragmented ClientHello messages
|
||||
- Extended extractSNIWithResumptionSupport to accept connection information and use reassembled data
|
||||
- Added detection for TLS 1.3 early data (0-RTT) in the ClientHello, supporting session resumption scenarios
|
||||
- Improved logging and heuristics for handling potential connection racing in modern browsers
|
||||
|
||||
## 2025-03-11 - 3.37.3 - fix(snihandler)
|
||||
Enhance SNI extraction to support TLS 1.3 PSK-based session resumption by adding a dedicated extractSNIFromPSKExtension method and improved logging for session resumption indicators.
|
||||
|
||||
- Defined TLS_PSK_EXTENSION_TYPE and TLS_PSK_KE_MODES_EXTENSION_TYPE constants.
|
||||
- Added extractSNIFromPSKExtension method to handle ClientHello messages containing PSK identities.
|
||||
- Improved logging to indicate when session resumption indicators (ticket or PSK) are present but no standard SNI is found.
|
||||
- Enhanced extractSNIWithResumptionSupport to attempt PSK extraction if standard SNI extraction fails.
|
||||
|
||||
## 2025-03-11 - 3.37.2 - fix(PortProxy)
|
||||
Improve buffering and data handling during connection setup in PortProxy to prevent data loss
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "3.37.2",
|
||||
"version": "3.41.0",
|
||||
"private": false,
|
||||
"description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
*/
|
||||
export const commitinfo = {
|
||||
name: '@push.rocks/smartproxy',
|
||||
version: '3.37.2',
|
||||
version: '3.41.0',
|
||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||
}
|
||||
|
||||
@ -11,6 +11,10 @@ export interface IDomainConfig {
|
||||
portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
|
||||
// Allow domain-specific timeout override
|
||||
connectionTimeout?: number; // Connection timeout override (ms)
|
||||
|
||||
// NetworkProxy integration options for this specific domain
|
||||
useNetworkProxy?: boolean; // Whether to use NetworkProxy for this domain
|
||||
networkProxyPort?: number; // Override default NetworkProxy port for this domain
|
||||
}
|
||||
|
||||
/** Port proxy settings including global allowed port ranges */
|
||||
@ -47,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
|
||||
enableDetailedLogging?: boolean; // Enable detailed connection logging
|
||||
enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
|
||||
enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
|
||||
allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
|
||||
|
||||
// Rate limiting and security
|
||||
maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
|
||||
@ -232,6 +237,8 @@ export class PortProxy {
|
||||
enableDetailedLogging: settingsArg.enableDetailedLogging || false,
|
||||
enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
|
||||
enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
|
||||
allowSessionTicket: settingsArg.allowSessionTicket !== undefined
|
||||
? settingsArg.allowSessionTicket : true,
|
||||
|
||||
// Rate limiting defaults
|
||||
maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
|
||||
@ -452,12 +459,14 @@ export class PortProxy {
|
||||
* @param socket - The incoming client socket
|
||||
* @param record - The connection record
|
||||
* @param initialData - Initial data chunk (TLS ClientHello)
|
||||
* @param customProxyPort - Optional custom port for NetworkProxy (for domain-specific settings)
|
||||
*/
|
||||
private forwardToNetworkProxy(
|
||||
connectionId: string,
|
||||
socket: plugins.net.Socket,
|
||||
record: IConnectionRecord,
|
||||
initialData: Buffer
|
||||
initialData: Buffer,
|
||||
customProxyPort?: number
|
||||
): void {
|
||||
// Ensure NetworkProxy is initialized
|
||||
if (!this.networkProxy) {
|
||||
@ -475,7 +484,8 @@ export class PortProxy {
|
||||
);
|
||||
}
|
||||
|
||||
const proxyPort = this.networkProxy.getListeningPort();
|
||||
// Use the custom port if provided, otherwise use the default NetworkProxy port
|
||||
const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
|
||||
const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
@ -920,7 +930,30 @@ export class PortProxy {
|
||||
if (SniHandler.isClientHello(renegChunk)) {
|
||||
try {
|
||||
// Extract SNI from ClientHello
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
// Create a connection info object for the existing connection
|
||||
const connInfo = {
|
||||
sourceIp: record.remoteIP,
|
||||
sourcePort: record.incoming.remotePort || 0,
|
||||
destIp: record.incoming.localAddress || '',
|
||||
destPort: record.incoming.localPort || 0
|
||||
};
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
// Analyze for session resumption attempt (session ticket or PSK)
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (hasSessionTicket) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in renegotiation with allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
|
||||
|
||||
// Skip if no SNI was found
|
||||
if (!newSNI) return;
|
||||
@ -955,6 +988,9 @@ export class PortProxy {
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1478,9 +1514,12 @@ export class PortProxy {
|
||||
);
|
||||
}
|
||||
|
||||
// Check if this connection should be forwarded directly to NetworkProxy based on port
|
||||
const shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
||||
this.settings.useNetworkProxy.includes(localPort);
|
||||
// Check if this connection should be forwarded directly to NetworkProxy
|
||||
// First check port-based forwarding settings
|
||||
let shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
||||
this.settings.useNetworkProxy.includes(localPort);
|
||||
|
||||
// We'll look for domain-specific settings after SNI extraction
|
||||
|
||||
if (shouldUseNetworkProxy) {
|
||||
// For NetworkProxy ports, we want to capture the TLS handshake and forward directly
|
||||
@ -1523,7 +1562,68 @@ export class PortProxy {
|
||||
if (SniHandler.isTlsHandshake(chunk)) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
// Forward directly to NetworkProxy without SNI processing
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (hasSessionTicket) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Try to extract SNI for domain-specific NetworkProxy handling
|
||||
const connInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
// Extract SNI to check for domain-specific NetworkProxy settings
|
||||
const serverName = SniHandler.processTlsPacket(
|
||||
chunk,
|
||||
connInfo,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
|
||||
if (serverName) {
|
||||
// If we got an SNI, check for domain-specific NetworkProxy settings
|
||||
const domainConfig = this.settings.domainConfigs.find((config) =>
|
||||
config.domains.some((d) => plugins.minimatch(serverName, d))
|
||||
);
|
||||
|
||||
// Save domain config and SNI in connection record
|
||||
connectionRecord.domainConfig = domainConfig;
|
||||
connectionRecord.lockedDomain = serverName;
|
||||
|
||||
// Use domain-specific NetworkProxy port if configured
|
||||
if (domainConfig?.useNetworkProxy) {
|
||||
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
|
||||
);
|
||||
}
|
||||
|
||||
// Forward to NetworkProxy with domain-specific port
|
||||
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Forward directly to NetworkProxy without domain-specific settings
|
||||
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk);
|
||||
} else {
|
||||
// If not TLS, use normal direct connection
|
||||
@ -1590,7 +1690,15 @@ export class PortProxy {
|
||||
`[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
|
||||
);
|
||||
// Try to extract SNI and log detailed debug info
|
||||
SniHandler.extractSNIWithResumptionSupport(chunk, true);
|
||||
// Create connection info for debug logging
|
||||
const debugConnInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
|
||||
}
|
||||
}
|
||||
});
|
||||
@ -1641,6 +1749,29 @@ export class PortProxy {
|
||||
|
||||
// Save domain config in connection record
|
||||
connectionRecord.domainConfig = domainConfig;
|
||||
|
||||
// Check if this domain should use NetworkProxy (domain-specific setting)
|
||||
if (domainConfig?.useNetworkProxy && this.networkProxy) {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
|
||||
);
|
||||
}
|
||||
|
||||
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
|
||||
if (initialChunk && connectionRecord.isTLS) {
|
||||
// For TLS connections with initial chunk, forward to NetworkProxy
|
||||
this.forwardToNetworkProxy(
|
||||
connectionId,
|
||||
socket,
|
||||
connectionRecord,
|
||||
initialChunk,
|
||||
networkProxyPort // Pass the domain-specific NetworkProxy port if configured
|
||||
);
|
||||
return; // Skip normal connection setup
|
||||
}
|
||||
}
|
||||
|
||||
// IP validation is skipped if allowedIPs is empty
|
||||
if (domainConfig) {
|
||||
@ -1796,8 +1927,42 @@ export class PortProxy {
|
||||
`[${connectionId}] Extracting SNI from TLS handshake, ${chunk.length} bytes`
|
||||
);
|
||||
}
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (hasSessionTicket) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
serverName = SniHandler.extractSNIWithResumptionSupport(chunk, this.settings.enableTlsDebugLogging) || '';
|
||||
// Create connection info object for SNI extraction
|
||||
const connInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
// Use the new processTlsPacket method for comprehensive handling
|
||||
serverName = SniHandler.processTlsPacket(
|
||||
chunk,
|
||||
connInfo,
|
||||
this.settings.enableTlsDebugLogging,
|
||||
connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
|
||||
) || '';
|
||||
}
|
||||
|
||||
// Lock the connection to the negotiated SNI.
|
||||
|
||||
@ -2,15 +2,151 @@ import { Buffer } from 'buffer';
|
||||
|
||||
/**
|
||||
* SNI (Server Name Indication) handler for TLS connections.
|
||||
* Provides robust extraction of SNI values from TLS ClientHello messages.
|
||||
* Provides robust extraction of SNI values from TLS ClientHello messages
|
||||
* with support for fragmented packets, TLS 1.3 resumption, Chrome-specific
|
||||
* connection behaviors, and tab hibernation/reactivation scenarios.
|
||||
*/
|
||||
export class SniHandler {
|
||||
// TLS record types and constants
|
||||
private static readonly TLS_HANDSHAKE_RECORD_TYPE = 22;
|
||||
private static readonly TLS_APPLICATION_DATA_TYPE = 23; // TLS Application Data record type
|
||||
private static readonly TLS_CLIENT_HELLO_HANDSHAKE_TYPE = 1;
|
||||
private static readonly TLS_SNI_EXTENSION_TYPE = 0x0000;
|
||||
private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE = 0x0023;
|
||||
private static readonly TLS_SNI_HOST_NAME_TYPE = 0;
|
||||
private static readonly TLS_PSK_EXTENSION_TYPE = 0x0029; // Pre-Shared Key extension type for TLS 1.3
|
||||
private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002D; // PSK Key Exchange Modes
|
||||
private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002A; // Early Data (0-RTT) extension
|
||||
|
||||
// Buffer for handling fragmented ClientHello messages
|
||||
private static fragmentedBuffers: Map<string, Buffer> = new Map();
|
||||
private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup
|
||||
|
||||
// Session tracking for tab reactivation scenarios
|
||||
private static sessionCache: Map<string, {
|
||||
sni: string;
|
||||
timestamp: number;
|
||||
clientRandom?: Buffer;
|
||||
}> = new Map();
|
||||
|
||||
// Longer timeout for session cache (24 hours by default)
|
||||
private static sessionCacheTimeout: number = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
|
||||
|
||||
// Cleanup interval for session cache (run every hour)
|
||||
private static sessionCleanupInterval: NodeJS.Timeout | null = null;
|
||||
|
||||
/**
|
||||
* Initialize the session cache cleanup mechanism.
|
||||
* This should be called during application startup.
|
||||
*/
|
||||
public static initSessionCacheCleanup(): void {
|
||||
if (this.sessionCleanupInterval === null) {
|
||||
this.sessionCleanupInterval = setInterval(() => {
|
||||
this.cleanupSessionCache();
|
||||
}, 60 * 60 * 1000); // Run every hour
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Clean up expired entries from the session cache
|
||||
*/
|
||||
private static cleanupSessionCache(): void {
|
||||
const now = Date.now();
|
||||
const expiredKeys: string[] = [];
|
||||
|
||||
this.sessionCache.forEach((session, key) => {
|
||||
if (now - session.timestamp > this.sessionCacheTimeout) {
|
||||
expiredKeys.push(key);
|
||||
}
|
||||
});
|
||||
|
||||
expiredKeys.forEach(key => {
|
||||
this.sessionCache.delete(key);
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a client identity key for session tracking
|
||||
* Uses source IP and optional client random for uniqueness
|
||||
*
|
||||
* @param sourceIp - Client IP address
|
||||
* @param clientRandom - Optional TLS client random value
|
||||
* @returns A string key for the session cache
|
||||
*/
|
||||
private static createClientKey(sourceIp: string, clientRandom?: Buffer): string {
|
||||
if (clientRandom) {
|
||||
// If we have the client random, use it for more precise tracking
|
||||
return `${sourceIp}:${clientRandom.toString('hex')}`;
|
||||
}
|
||||
// Fall back to just IP-based tracking
|
||||
return sourceIp;
|
||||
}
|
||||
|
||||
/**
|
||||
* Store SNI information in the session cache
|
||||
*
|
||||
* @param sourceIp - Client IP address
|
||||
* @param sni - The extracted SNI value
|
||||
* @param clientRandom - Optional TLS client random value
|
||||
*/
|
||||
private static cacheSession(sourceIp: string, sni: string, clientRandom?: Buffer): void {
|
||||
const key = this.createClientKey(sourceIp, clientRandom);
|
||||
this.sessionCache.set(key, {
|
||||
sni,
|
||||
timestamp: Date.now(),
|
||||
clientRandom
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieve SNI information from the session cache
|
||||
*
|
||||
* @param sourceIp - Client IP address
|
||||
* @param clientRandom - Optional TLS client random value
|
||||
* @returns The cached SNI or undefined if not found
|
||||
*/
|
||||
private static getCachedSession(sourceIp: string, clientRandom?: Buffer): string | undefined {
|
||||
// Try with client random first for precision
|
||||
if (clientRandom) {
|
||||
const preciseKey = this.createClientKey(sourceIp, clientRandom);
|
||||
const preciseSession = this.sessionCache.get(preciseKey);
|
||||
if (preciseSession) {
|
||||
return preciseSession.sni;
|
||||
}
|
||||
}
|
||||
|
||||
// Fall back to IP-only lookup
|
||||
const ipKey = this.createClientKey(sourceIp);
|
||||
const session = this.sessionCache.get(ipKey);
|
||||
if (session) {
|
||||
// Update the timestamp to keep the session alive
|
||||
session.timestamp = Date.now();
|
||||
return session.sni;
|
||||
}
|
||||
|
||||
return undefined;
|
||||
}
|
||||
|
||||
/**
|
||||
* Extract the client random value from a ClientHello message
|
||||
*
|
||||
* @param buffer - The buffer containing the ClientHello
|
||||
* @returns The 32-byte client random or undefined if extraction fails
|
||||
*/
|
||||
private static extractClientRandom(buffer: Buffer): Buffer | undefined {
|
||||
try {
|
||||
if (!this.isClientHello(buffer) || buffer.length < 46) {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// In a ClientHello message, the client random starts at position 11
|
||||
// after record header (5 bytes), handshake type (1 byte),
|
||||
// handshake length (3 bytes), and client version (2 bytes)
|
||||
return buffer.slice(11, 11 + 32);
|
||||
} catch (error) {
|
||||
return undefined;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a buffer contains a TLS handshake message (record type 22)
|
||||
@ -20,6 +156,107 @@ export class SniHandler {
|
||||
public static isTlsHandshake(buffer: Buffer): boolean {
|
||||
return buffer.length > 0 && buffer[0] === this.TLS_HANDSHAKE_RECORD_TYPE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a buffer contains TLS application data (record type 23)
|
||||
* @param buffer - The buffer to check
|
||||
* @returns true if the buffer starts with a TLS application data record type
|
||||
*/
|
||||
public static isTlsApplicationData(buffer: Buffer): boolean {
|
||||
return buffer.length > 0 && buffer[0] === this.TLS_APPLICATION_DATA_TYPE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a connection ID based on source/destination information
|
||||
* Used to track fragmented ClientHello messages across multiple packets
|
||||
*
|
||||
* @param connectionInfo - Object containing connection identifiers (IP/port)
|
||||
* @returns A string ID for the connection
|
||||
*/
|
||||
public static createConnectionId(connectionInfo: {
|
||||
sourceIp?: string;
|
||||
sourcePort?: number;
|
||||
destIp?: string;
|
||||
destPort?: number;
|
||||
}): string {
|
||||
const { sourceIp, sourcePort, destIp, destPort } = connectionInfo;
|
||||
return `${sourceIp}:${sourcePort}-${destIp}:${destPort}`;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles potential fragmented ClientHello messages by buffering and reassembling
|
||||
* TLS record fragments that might span multiple TCP packets.
|
||||
*
|
||||
* @param buffer - The current buffer fragment
|
||||
* @param connectionId - Unique identifier for the connection
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns A complete buffer if reassembly is successful, or undefined if more fragments are needed
|
||||
*/
|
||||
public static handleFragmentedClientHello(
|
||||
buffer: Buffer,
|
||||
connectionId: string,
|
||||
enableLogging: boolean = false
|
||||
): Buffer | undefined {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[SNI Fragment] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
// Check if we've seen this connection before
|
||||
if (!this.fragmentedBuffers.has(connectionId)) {
|
||||
// New connection, start with this buffer
|
||||
this.fragmentedBuffers.set(connectionId, buffer);
|
||||
|
||||
// Set timeout to clean up if we don't get a complete ClientHello
|
||||
setTimeout(() => {
|
||||
if (this.fragmentedBuffers.has(connectionId)) {
|
||||
this.fragmentedBuffers.delete(connectionId);
|
||||
log(`Connection ${connectionId} timed out waiting for complete ClientHello`);
|
||||
}
|
||||
}, this.fragmentTimeout);
|
||||
|
||||
// Evaluate if this buffer already contains a complete ClientHello
|
||||
try {
|
||||
if (buffer.length >= 5) {
|
||||
const recordLength = (buffer[3] << 8) + buffer[4];
|
||||
if (buffer.length >= recordLength + 5) {
|
||||
log(`Initial buffer contains complete ClientHello, length: ${buffer.length}`);
|
||||
return buffer;
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log(`Error checking initial buffer completeness: ${e}`);
|
||||
}
|
||||
|
||||
log(`Started buffering connection ${connectionId}, initial size: ${buffer.length}`);
|
||||
return undefined; // Need more fragments
|
||||
} else {
|
||||
// Existing connection, append this buffer
|
||||
const existingBuffer = this.fragmentedBuffers.get(connectionId)!;
|
||||
const newBuffer = Buffer.concat([existingBuffer, buffer]);
|
||||
this.fragmentedBuffers.set(connectionId, newBuffer);
|
||||
|
||||
log(`Appended to buffer for ${connectionId}, new size: ${newBuffer.length}`);
|
||||
|
||||
// Check if we now have a complete ClientHello
|
||||
try {
|
||||
if (newBuffer.length >= 5) {
|
||||
const recordLength = (newBuffer[3] << 8) + newBuffer[4];
|
||||
if (newBuffer.length >= recordLength + 5) {
|
||||
log(`Assembled complete ClientHello, length: ${newBuffer.length}`);
|
||||
// Complete message received, remove from tracking
|
||||
this.fragmentedBuffers.delete(connectionId);
|
||||
return newBuffer;
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log(`Error checking reassembled buffer completeness: ${e}`);
|
||||
}
|
||||
|
||||
return undefined; // Still need more fragments
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a buffer contains a TLS ClientHello message
|
||||
@ -42,6 +279,215 @@ export class SniHandler {
|
||||
return buffer[5] === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a ClientHello message contains session resumption indicators
|
||||
* such as session tickets or PSK (Pre-Shared Key) extensions.
|
||||
*
|
||||
* @param buffer - The buffer containing a ClientHello message
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns true if the ClientHello contains session resumption mechanisms
|
||||
*/
|
||||
public static hasSessionResumption(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): boolean {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[Session Resumption] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
if (!this.isClientHello(buffer)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
try {
|
||||
// Check for session ID presence first
|
||||
let pos = 5 + 1 + 3 + 2; // Position after handshake type, length and client version
|
||||
pos += 32; // Skip client random
|
||||
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
|
||||
const sessionIdLength = buffer[pos];
|
||||
let hasNonEmptySessionId = sessionIdLength > 0;
|
||||
|
||||
if (hasNonEmptySessionId) {
|
||||
log(`Detected non-empty session ID (length: ${sessionIdLength})`);
|
||||
}
|
||||
|
||||
// Continue to check for extensions
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check for extensions
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
|
||||
// Look for session resumption extensions
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd > buffer.length) return false;
|
||||
|
||||
// Track resumption indicators
|
||||
let hasSessionTicket = false;
|
||||
let hasPSK = false;
|
||||
let hasEarlyData = false;
|
||||
|
||||
// Iterate through extensions
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (extensionType === this.TLS_SESSION_TICKET_EXTENSION_TYPE) {
|
||||
log('Found session ticket extension');
|
||||
hasSessionTicket = true;
|
||||
|
||||
// Check if session ticket has non-zero length (active ticket)
|
||||
if (extensionLength > 0) {
|
||||
log(`Session ticket has length ${extensionLength} - active ticket present`);
|
||||
}
|
||||
} else if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
|
||||
log('Found PSK extension (TLS 1.3 resumption mechanism)');
|
||||
hasPSK = true;
|
||||
} else if (extensionType === this.TLS_EARLY_DATA_EXTENSION_TYPE) {
|
||||
log('Found Early Data extension (TLS 1.3 0-RTT)');
|
||||
hasEarlyData = true;
|
||||
}
|
||||
|
||||
// Skip extension data
|
||||
pos += extensionLength;
|
||||
}
|
||||
|
||||
// Consider it a resumption if any resumption mechanism is present
|
||||
const isResumption = hasSessionTicket || hasPSK || hasEarlyData ||
|
||||
(hasNonEmptySessionId && !hasPSK); // Legacy resumption
|
||||
|
||||
if (isResumption) {
|
||||
log('Session resumption detected: ' +
|
||||
(hasSessionTicket ? 'session ticket, ' : '') +
|
||||
(hasPSK ? 'PSK, ' : '') +
|
||||
(hasEarlyData ? 'early data, ' : '') +
|
||||
(hasNonEmptySessionId ? 'session ID' : ''));
|
||||
}
|
||||
|
||||
return isResumption;
|
||||
} catch (error) {
|
||||
log(`Error checking for session resumption: ${error}`);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Detects characteristics of a tab reactivation TLS handshake
|
||||
* These often have specific patterns in Chrome and other browsers
|
||||
*
|
||||
* @param buffer - The buffer containing a ClientHello message
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns true if this appears to be a tab reactivation handshake
|
||||
*/
|
||||
public static isTabReactivationHandshake(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): boolean {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[Tab Reactivation] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
if (!this.isClientHello(buffer)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
try {
|
||||
// Check for session ID presence (tab reactivation often has a session ID)
|
||||
let pos = 5 + 1 + 3 + 2; // Position after handshake type, length and client version
|
||||
pos += 32; // Skip client random
|
||||
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
|
||||
const sessionIdLength = buffer[pos];
|
||||
|
||||
// Non-empty session ID is a good indicator
|
||||
if (sessionIdLength > 0) {
|
||||
log(`Detected non-empty session ID (length: ${sessionIdLength})`);
|
||||
|
||||
// Skip to extensions
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check for extensions
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
|
||||
// Look for specific extensions that indicate tab reactivation
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd > buffer.length) return false;
|
||||
|
||||
// Tab reactivation often has session tickets but no SNI
|
||||
let hasSessionTicket = false;
|
||||
let hasSNI = false;
|
||||
let hasPSK = false;
|
||||
|
||||
// Iterate through extensions
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (extensionType === this.TLS_SESSION_TICKET_EXTENSION_TYPE) {
|
||||
hasSessionTicket = true;
|
||||
} else if (extensionType === this.TLS_SNI_EXTENSION_TYPE) {
|
||||
hasSNI = true;
|
||||
} else if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
|
||||
hasPSK = true;
|
||||
}
|
||||
|
||||
// Skip extension data
|
||||
pos += extensionLength;
|
||||
}
|
||||
|
||||
// Pattern for tab reactivation: session identifier + (ticket or PSK) but no SNI
|
||||
if ((hasSessionTicket || hasPSK) && !hasSNI) {
|
||||
log('Detected tab reactivation pattern: session resumption without SNI');
|
||||
return true;
|
||||
}
|
||||
}
|
||||
} catch (error) {
|
||||
log(`Error checking for tab reactivation: ${error}`);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
|
||||
* Implements robust parsing with support for session resumption edge cases.
|
||||
@ -178,6 +624,7 @@ export class SniHandler {
|
||||
|
||||
// Track if we found session tickets (for improved resumption handling)
|
||||
let hasSessionTicket = false;
|
||||
let hasPskExtension = false;
|
||||
|
||||
// Iterate through extensions
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
@ -275,15 +722,21 @@ export class SniHandler {
|
||||
log('Found session ticket extension');
|
||||
hasSessionTicket = true;
|
||||
pos += extensionLength; // Skip this extension
|
||||
} else if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
|
||||
// TLS 1.3 PSK extension - mark for resumption support
|
||||
log('Found PSK extension (TLS 1.3 resumption indicator)');
|
||||
hasPskExtension = true;
|
||||
// We'll skip the extension here and process it separately if needed
|
||||
pos += extensionLength;
|
||||
} else {
|
||||
// Skip this extension
|
||||
pos += extensionLength;
|
||||
}
|
||||
}
|
||||
|
||||
// Log if we found a session ticket but no SNI
|
||||
if (hasSessionTicket) {
|
||||
log('Session ticket present but no SNI found - possible resumption scenario');
|
||||
// Log if we found session resumption indicators but no SNI
|
||||
if (hasSessionTicket || hasPskExtension) {
|
||||
log('Session resumption indicators present but no SNI found');
|
||||
}
|
||||
|
||||
log('No SNI extension found in ClientHello');
|
||||
@ -295,35 +748,479 @@ export class SniHandler {
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempts to extract SNI from an initial ClientHello packet and handles
|
||||
* session resumption edge cases more robustly than the standard extraction.
|
||||
* Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
|
||||
*
|
||||
* This method is specifically designed for Chrome and other browsers that
|
||||
* may send different ClientHello formats during session resumption.
|
||||
* In TLS 1.3, when a client attempts to resume a session, it may include
|
||||
* the server name in the PSK identity hint rather than in the SNI extension.
|
||||
*
|
||||
* @param buffer - The buffer containing the TLS ClientHello message
|
||||
* @param enableLogging - Whether to enable detailed debug logging
|
||||
* @returns The extracted server name or undefined if not found
|
||||
*/
|
||||
public static extractSNIWithResumptionSupport(
|
||||
buffer: Buffer,
|
||||
public static extractSNIFromPSKExtension(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): string | undefined {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[PSK-SNI Extraction] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
try {
|
||||
// Ensure this is a ClientHello
|
||||
if (!this.isClientHello(buffer)) {
|
||||
log('Not a ClientHello message');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Find the start position of extensions
|
||||
let pos = 5; // Start after record header
|
||||
|
||||
// Skip handshake type (1 byte)
|
||||
pos += 1;
|
||||
|
||||
// Skip handshake length (3 bytes)
|
||||
pos += 3;
|
||||
|
||||
// Skip client version (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Skip client random (32 bytes)
|
||||
pos += 32;
|
||||
|
||||
// Skip session ID
|
||||
if (pos + 1 > buffer.length) return undefined;
|
||||
const sessionIdLength = buffer[pos];
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 > buffer.length) return undefined;
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 > buffer.length) return undefined;
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check if we have extensions
|
||||
if (pos + 2 > buffer.length) {
|
||||
log('No extensions present');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Get extensions length
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd > buffer.length) return undefined;
|
||||
|
||||
// Look for PSK extension
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
|
||||
log('Found PSK extension');
|
||||
|
||||
// PSK extension structure:
|
||||
// 2 bytes: identities list length
|
||||
if (pos + 2 > extensionsEnd) break;
|
||||
const identitiesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// End of identities list
|
||||
const identitiesEnd = pos + identitiesLength;
|
||||
if (identitiesEnd > extensionsEnd) break;
|
||||
|
||||
// Process each PSK identity
|
||||
while (pos + 2 <= identitiesEnd) {
|
||||
// Identity length (2 bytes)
|
||||
if (pos + 2 > identitiesEnd) break;
|
||||
const identityLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (pos + identityLength > identitiesEnd) break;
|
||||
|
||||
// Try to extract hostname from identity
|
||||
// Chrome often embeds the hostname in the PSK identity
|
||||
// This is a heuristic as there's no standard format
|
||||
if (identityLength > 0) {
|
||||
const identity = buffer.slice(pos, pos + identityLength);
|
||||
|
||||
// Skip identity bytes
|
||||
pos += identityLength;
|
||||
|
||||
// Skip obfuscated ticket age (4 bytes)
|
||||
if (pos + 4 <= identitiesEnd) {
|
||||
pos += 4;
|
||||
} else {
|
||||
break;
|
||||
}
|
||||
|
||||
// Try to parse the identity as UTF-8
|
||||
try {
|
||||
const identityStr = identity.toString('utf8');
|
||||
log(`PSK identity: ${identityStr}`);
|
||||
|
||||
// Check if the identity contains hostname hints
|
||||
// Chrome often embeds the hostname in a known format
|
||||
// Try to extract using common patterns
|
||||
|
||||
// Pattern 1: Look for domain name pattern
|
||||
const domainPattern = /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
|
||||
const domainMatch = identityStr.match(domainPattern);
|
||||
if (domainMatch && domainMatch[0]) {
|
||||
log(`Found domain in PSK identity: ${domainMatch[0]}`);
|
||||
return domainMatch[0];
|
||||
}
|
||||
|
||||
// Pattern 2: Chrome sometimes uses a specific format with delimiters
|
||||
// This is a heuristic approach since the format isn't standardized
|
||||
const parts = identityStr.split('|');
|
||||
if (parts.length > 1) {
|
||||
for (const part of parts) {
|
||||
if (part.includes('.') && !part.includes('/')) {
|
||||
const possibleDomain = part.trim();
|
||||
if (/^[a-z0-9.-]+$/i.test(possibleDomain)) {
|
||||
log(`Found possible domain in PSK delimiter format: ${possibleDomain}`);
|
||||
return possibleDomain;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log('Failed to parse PSK identity as UTF-8');
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// Skip this extension
|
||||
pos += extensionLength;
|
||||
}
|
||||
}
|
||||
|
||||
log('No hostname found in PSK extension');
|
||||
return undefined;
|
||||
} catch (error) {
|
||||
log(`Error parsing PSK: ${error instanceof Error ? error.message : String(error)}`);
|
||||
return undefined;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the buffer contains TLS 1.3 early data (0-RTT)
|
||||
* @param buffer - The buffer to check
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns true if early data is detected
|
||||
*/
|
||||
public static hasEarlyData(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): boolean {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[Early Data] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
try {
|
||||
// Check if this is a valid ClientHello first
|
||||
if (!this.isClientHello(buffer)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Find the extensions section
|
||||
let pos = 5; // Start after record header
|
||||
|
||||
// Skip handshake type (1 byte)
|
||||
pos += 1;
|
||||
|
||||
// Skip handshake length (3 bytes)
|
||||
pos += 3;
|
||||
|
||||
// Skip client version (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Skip client random (32 bytes)
|
||||
pos += 32;
|
||||
|
||||
// Skip session ID
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
const sessionIdLength = buffer[pos];
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check if we have extensions
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
|
||||
// Get extensions length
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd > buffer.length) return false;
|
||||
|
||||
// Look for early data extension
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (extensionType === this.TLS_EARLY_DATA_EXTENSION_TYPE) {
|
||||
log('Early Data (0-RTT) extension detected');
|
||||
return true;
|
||||
}
|
||||
|
||||
// Skip to next extension
|
||||
pos += extensionLength;
|
||||
}
|
||||
|
||||
return false;
|
||||
} catch (error) {
|
||||
log(`Error checking for early data: ${error}`);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempts to extract SNI from an initial ClientHello packet and handles
|
||||
* session resumption edge cases more robustly than the standard extraction.
|
||||
*
|
||||
* This method handles:
|
||||
* 1. Standard SNI extraction
|
||||
* 2. TLS 1.3 PSK-based resumption (Chrome, Firefox, etc.)
|
||||
* 3. Session ticket-based resumption
|
||||
* 4. Fragmented ClientHello messages
|
||||
* 5. TLS 1.3 Early Data (0-RTT)
|
||||
* 6. Chrome's connection racing behaviors
|
||||
* 7. Tab reactivation patterns with session cache
|
||||
*
|
||||
* @param buffer - The buffer containing the TLS ClientHello message
|
||||
* @param connectionInfo - Optional connection information for fragment handling
|
||||
* @param enableLogging - Whether to enable detailed debug logging
|
||||
* @returns The extracted server name or undefined if not found
|
||||
*/
|
||||
public static extractSNIWithResumptionSupport(
|
||||
buffer: Buffer,
|
||||
connectionInfo?: {
|
||||
sourceIp?: string;
|
||||
sourcePort?: number;
|
||||
destIp?: string;
|
||||
destPort?: number;
|
||||
},
|
||||
enableLogging: boolean = false
|
||||
): string | undefined {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[SNI Extraction] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
// Check if we need to handle fragmented packets
|
||||
let processBuffer = buffer;
|
||||
if (connectionInfo) {
|
||||
const connectionId = this.createConnectionId(connectionInfo);
|
||||
const reassembledBuffer = this.handleFragmentedClientHello(
|
||||
buffer,
|
||||
connectionId,
|
||||
enableLogging
|
||||
);
|
||||
|
||||
if (!reassembledBuffer) {
|
||||
log(`Waiting for more fragments on connection ${connectionId}`);
|
||||
return undefined; // Need more fragments to complete ClientHello
|
||||
}
|
||||
|
||||
processBuffer = reassembledBuffer;
|
||||
log(`Using reassembled buffer of length ${processBuffer.length}`);
|
||||
}
|
||||
|
||||
// First try the standard SNI extraction
|
||||
const standardSni = this.extractSNI(buffer, enableLogging);
|
||||
const standardSni = this.extractSNI(processBuffer, enableLogging);
|
||||
if (standardSni) {
|
||||
log(`Found standard SNI: ${standardSni}`);
|
||||
|
||||
// If we extracted a standard SNI, cache it for future use
|
||||
if (connectionInfo?.sourceIp) {
|
||||
const clientRandom = this.extractClientRandom(processBuffer);
|
||||
this.cacheSession(connectionInfo.sourceIp, standardSni, clientRandom);
|
||||
log(`Cached SNI for future reference: ${standardSni}`);
|
||||
}
|
||||
|
||||
return standardSni;
|
||||
}
|
||||
|
||||
// Check for tab reactivation pattern
|
||||
const isTabReactivation = this.isTabReactivationHandshake(processBuffer, enableLogging);
|
||||
if (isTabReactivation && connectionInfo?.sourceIp) {
|
||||
// Try to get the SNI from our session cache for tab reactivation
|
||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (cachedSni) {
|
||||
log(`Retrieved cached SNI for tab reactivation: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
log('Tab reactivation detected but no cached SNI found');
|
||||
}
|
||||
|
||||
// Check for TLS 1.3 early data (0-RTT)
|
||||
const hasEarly = this.hasEarlyData(processBuffer, enableLogging);
|
||||
if (hasEarly) {
|
||||
log('TLS 1.3 Early Data detected, trying session cache');
|
||||
// For 0-RTT, check the session cache
|
||||
if (connectionInfo?.sourceIp) {
|
||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (cachedSni) {
|
||||
log(`Retrieved cached SNI for 0-RTT: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If standard extraction failed and we have a valid ClientHello,
|
||||
// this might be a session resumption with non-standard format
|
||||
if (this.isClientHello(buffer)) {
|
||||
if (enableLogging) {
|
||||
console.log('[SNI Extraction] Detected ClientHello without standard SNI, possible session resumption');
|
||||
if (this.isClientHello(processBuffer)) {
|
||||
log('Detected ClientHello without standard SNI, possible session resumption');
|
||||
|
||||
// Try to extract from PSK extension (TLS 1.3 resumption)
|
||||
const pskSni = this.extractSNIFromPSKExtension(processBuffer, enableLogging);
|
||||
if (pskSni) {
|
||||
log(`Extracted SNI from PSK extension: ${pskSni}`);
|
||||
|
||||
// Cache this SNI for future reference
|
||||
if (connectionInfo?.sourceIp) {
|
||||
const clientRandom = this.extractClientRandom(processBuffer);
|
||||
this.cacheSession(connectionInfo.sourceIp, pskSni, clientRandom);
|
||||
log(`Cached PSK-derived SNI: ${pskSni}`);
|
||||
}
|
||||
|
||||
return pskSni;
|
||||
}
|
||||
|
||||
// Additional handling could be implemented here for specific browser behaviors
|
||||
// For now, this is a placeholder for future improvements
|
||||
// If we have a session ticket but no SNI or PSK identity,
|
||||
// check our session cache as a last resort
|
||||
if (connectionInfo?.sourceIp) {
|
||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (cachedSni) {
|
||||
log(`Using cached SNI as last resort: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
}
|
||||
|
||||
log('Failed to extract SNI from resumption mechanisms');
|
||||
}
|
||||
|
||||
return undefined;
|
||||
}
|
||||
|
||||
/**
|
||||
* Main entry point for SNI extraction that handles all edge cases.
|
||||
* This should be called for each TLS packet received from a client.
|
||||
*
|
||||
* The method uses connection tracking to handle fragmented ClientHello
|
||||
* messages and various TLS 1.3 behaviors, including Chrome's connection
|
||||
* racing patterns and tab reactivation behaviors.
|
||||
*
|
||||
* @param buffer - The buffer containing TLS data
|
||||
* @param connectionInfo - Connection metadata (IPs and ports)
|
||||
* @param enableLogging - Whether to enable detailed debug logging
|
||||
* @param cachedSni - Optional cached SNI from previous connections (for racing detection)
|
||||
* @returns The extracted server name or undefined if not found or more data needed
|
||||
*/
|
||||
public static processTlsPacket(
|
||||
buffer: Buffer,
|
||||
connectionInfo: {
|
||||
sourceIp: string;
|
||||
sourcePort: number;
|
||||
destIp: string;
|
||||
destPort: number;
|
||||
timestamp?: number;
|
||||
},
|
||||
enableLogging: boolean = false,
|
||||
cachedSni?: string
|
||||
): string | undefined {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[TLS Packet] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
// Add timestamp if not provided
|
||||
if (!connectionInfo.timestamp) {
|
||||
connectionInfo.timestamp = Date.now();
|
||||
}
|
||||
|
||||
// Check if this is a TLS handshake or application data
|
||||
if (!this.isTlsHandshake(buffer) && !this.isTlsApplicationData(buffer)) {
|
||||
log('Not a TLS handshake or application data packet');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Create connection ID for tracking
|
||||
const connectionId = this.createConnectionId(connectionInfo);
|
||||
log(`Processing TLS packet for connection ${connectionId}, buffer length: ${buffer.length}`);
|
||||
|
||||
// Handle application data with cached SNI (for connection racing)
|
||||
if (this.isTlsApplicationData(buffer)) {
|
||||
// First check if explicit cachedSni was provided
|
||||
if (cachedSni) {
|
||||
log(`Using provided cached SNI for application data: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
|
||||
// Otherwise check our session cache
|
||||
const sessionCachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (sessionCachedSni) {
|
||||
log(`Using session-cached SNI for application data: ${sessionCachedSni}`);
|
||||
return sessionCachedSni;
|
||||
}
|
||||
|
||||
log('Application data packet without cached SNI, cannot determine hostname');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// For handshake messages, try the full extraction process
|
||||
const sni = this.extractSNIWithResumptionSupport(
|
||||
buffer,
|
||||
connectionInfo,
|
||||
enableLogging
|
||||
);
|
||||
|
||||
if (sni) {
|
||||
log(`Successfully extracted SNI: ${sni}`);
|
||||
return sni;
|
||||
}
|
||||
|
||||
// If we couldn't extract an SNI, check if this is a valid ClientHello
|
||||
// If it is, but we couldn't get an SNI, it might be a fragment or
|
||||
// a connection race situation
|
||||
if (this.isClientHello(buffer)) {
|
||||
// Check if we have a cached session for this IP
|
||||
const sessionCachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (sessionCachedSni) {
|
||||
log(`Using session cache for ClientHello without SNI: ${sessionCachedSni}`);
|
||||
return sessionCachedSni;
|
||||
}
|
||||
|
||||
log('Valid ClientHello detected, but no SNI extracted - might need more data');
|
||||
}
|
||||
|
||||
return undefined;
|
||||
|
||||
Reference in New Issue
Block a user