@agentdance/node-webrtc-dtls 1.0.0

package/dist/state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.d.ts","sourceRoot":"","sources":["../src/state.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC,oBAAY,SAAS;IACnB,GAAG,QAAQ;IACX,UAAU,eAAe;IACzB,SAAS,cAAc;IACvB,MAAM,WAAW;IACjB,MAAM,WAAW;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAE/B,QAAQ,EAAE,MAAM,EAAE,CAAC;IAEnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,cAAc,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC;IAClC,aAAa,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC;IAEjC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAE9B,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAE7B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IAEvB,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB"}

package/dist/state.js

@@ -0,0 +1,10 @@
+// DTLS 1.2 state machine types and security parameters
+export var DtlsState;
+(function (DtlsState) {
+    DtlsState["New"] = "new";
+    DtlsState["Connecting"] = "connecting";
+    DtlsState["Connected"] = "connected";
+    DtlsState["Closed"] = "closed";
+    DtlsState["Failed"] = "failed";
+})(DtlsState || (DtlsState = {}));
+//# sourceMappingURL=state.js.map

package/dist/state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.js","sourceRoot":"","sources":["../src/state.ts"],"names":[],"mappings":"AAAA,uDAAuD;AAIvD,MAAM,CAAN,IAAY,SAMX;AAND,WAAY,SAAS;IACnB,wBAAW,CAAA;IACX,sCAAyB,CAAA;IACzB,oCAAuB,CAAA;IACvB,8BAAiB,CAAA;IACjB,8BAAiB,CAAA;AACnB,CAAC,EANW,SAAS,KAAT,SAAS,QAMpB"}

package/dist/transport.d.ts

@@ -0,0 +1,87 @@
+import { EventEmitter } from 'node:events';
+import { type DtlsCertificate } from './certificate.js';
+import { DtlsState } from './state.js';
+export { DtlsState };
+export type { DtlsCertificate };
+export interface SrtpKeyingMaterial {
+    clientKey: Buffer;
+    clientSalt: Buffer;
+    serverKey: Buffer;
+    serverSalt: Buffer;
+    profile: number;
+}
+export interface DtlsTransportOptions {
+    role: 'client' | 'server';
+    remoteFingerprint?: {
+        algorithm: string;
+        value: string;
+    };
+    certificate?: DtlsCertificate;
+    mtu?: number;
+}
+export declare interface DtlsTransport {
+    on(event: 'connected', listener: (srtpKeys: SrtpKeyingMaterial) => void): this;
+    on(event: 'data', listener: (data: Buffer) => void): this;
+    on(event: 'error', listener: (err: Error) => void): this;
+    on(event: 'close', listener: () => void): this;
+}
+export declare class DtlsTransport extends EventEmitter {
+    readonly localCertificate: DtlsCertificate;
+    private _state;
+    private readonly role;
+    private readonly remoteFingerprint;
+    private readonly _mtu;
+    private sendCb;
+    private _startResolve;
+    private _startReject;
+    private ctx;
+    private cipherState;
+    private writeEpoch;
+    private writeSeq;
+    private srtpKeys;
+    private readonly _cookieSecret;
+    constructor(options: DtlsTransportOptions);
+    getState(): DtlsState;
+    getLocalFingerprint(): {
+        algorithm: 'sha-256';
+        value: string;
+    };
+    setSendCallback(cb: (data: Buffer) => void): void;
+    start(): Promise<SrtpKeyingMaterial>;
+    handleIncoming(data: Buffer): void;
+    private static readonly MAX_RECORD_PLAINTEXT;
+    send(data: Buffer): void;
+    close(): void;
+    private _processRecord;
+    private _processHandshakeRecord;
+    private _processHandshakeMessage;
+    private _processAsClient;
+    private _processAsServer;
+    private _sendClientHello;
+    private _sendClientKeyExchange;
+    /**
+     * Transmit HelloVerifyRequest WITHOUT adding it to the transcript.
+     * RFC 6347 §4.2.1: HVR is excluded from the handshake hash.
+     */
+    private _transmitHelloVerifyRequest;
+    private _sendServerFlight;
+    private _deriveKeys;
+    private _sendChangeCipherSpec;
+    private _processChangeCipherSpec;
+    private _computeFinished;
+    private _computePeerFinished;
+    private _sendFinished;
+    private _processServerFinished;
+    private _processClientFinished;
+    private _processApplicationData;
+    private _processAlert;
+    private _encryptRecord;
+    private _decryptRecord;
+    private _buildHandshakeMessage;
+    private _sendHandshakeBody;
+    private _sendHandshake;
+    private _generateCookie;
+    private _transmit;
+    private _fail;
+}
+//# sourceMappingURL=transport.d.ts.map

package/dist/transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport.d.ts","sourceRoot":"","sources":["../src/transport.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAoD3C,OAAO,EACL,KAAK,eAAe,EAIrB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,SAAS,EAA2C,MAAM,YAAY,CAAC;AAEhF,OAAO,EAAE,SAAS,EAAE,CAAC;AACrB,YAAY,EAAE,eAAe,EAAE,CAAC;AAEhC,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC1B,iBAAiB,CAAC,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACzD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAOD,MAAM,CAAC,OAAO,WAAW,aAAa;IACpC,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,QAAQ,EAAE,kBAAkB,KAAK,IAAI,GAAG,IAAI,CAAC;IAC/E,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAAC;IAC1D,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,IAAI,GAAG,IAAI,CAAC;IACzD,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,GAAG,IAAI,CAAC;CAChD;AAED,qBAAa,aAAc,SAAQ,YAAY;IAC7C,QAAQ,CAAC,gBAAgB,EAAE,eAAe,CAAC;IAE3C,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAsB;IAC3C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAmD;IACrF,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAE9B,OAAO,CAAC,MAAM,CAAuC;IACrD,OAAO,CAAC,aAAa,CAAmD;IACxE,OAAO,CAAC,YAAY,CAAqC;IAEzD,OAAO,CAAC,GAAG,CAIT;IAEF,OAAO,CAAC,WAAW,CAA0B;IAC7C,OAAO,CAAC,UAAU,CAAK;IACvB,OAAO,CAAC,QAAQ,CAAM;IACtB,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA0B;gBAE5C,OAAO,EAAE,oBAAoB;IAQzC,QAAQ,IAAI,SAAS;IAIrB,mBAAmB,IAAI;QAAE,SAAS,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;IAI9D,eAAe,CAAC,EAAE,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI;IAI3C,KAAK,IAAI,OAAO,CAAC,kBAAkB,CAAC;IAiB1C,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAalC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAS;IAErD,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAkBxB,KAAK,IAAI,IAAI;IAYb,OAAO,CAAC,cAAc;IAStB,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,wBAAwB;IAUhC,OAAO,CAAC,gBAAgB;IA6DxB,OAAO,CAAC,gBAAgB;YA6CV,gBAAgB;YA4BhB,sBAAsB;IAkBpC;;;OAGG;IACH,OAAO,CAAC,2BAA2B;YAerB,iBAAiB;IA+D/B,OAAO,CAAC,WAAW;IA6BnB,OAAO,CAAC,qBAAqB;IAM7B,OAAO,CAAC,wBAAwB;IAOhC,OAAO,CAAC,gBAAgB;IASxB,OAAO,CAAC,oBAAoB;IAW5B,OAAO,CAAC,aAAa;IAQrB,OAAO,CAAC,sBAAsB;IAa9B,OAAO,CAAC,sBAAsB;IAqB9B,OAAO,CAAC,uBAAuB;IAU/B,OAAO,CAAC,aAAa;IASrB,OAAO,CAAC,cAAc;IAWtB,OAAO,CAAC,cAAc;IActB,OAAO,CAAC,sBAAsB;IAQ9B,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,cAAc;IAQtB,OAAO,CAAC,eAAe;IAMvB,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,KAAK;CAMd"}

package/dist/transport.js

@@ -0,0 +1,559 @@
+// DTLS 1.2 Transport (RFC 6347)
+// Implements client and server handshake state machines.
+import { EventEmitter } from 'node:events';
+import * as crypto from 'node:crypto';
+import { ContentType, DTLS_VERSION_1_2, } from './types.js';
+import { encodeRecord, decodeRecords, makeRecord } from './record.js';
+import { HandshakeType, CipherSuites, ExtensionType, NamedCurve, SrtpProtectionProfile, encodeHandshakeMessage, decodeHandshakeMessage, encodeClientHello, decodeClientHello, encodeServerHello, decodeServerHello, encodeHelloVerifyRequest, decodeHelloVerifyRequest, encodeCertificate, decodeCertificate, encodeServerKeyExchange, decodeServerKeyExchange, encodeClientKeyExchange, decodeClientKeyExchange, buildUseSrtpExtension, buildSupportedGroupsExtension, buildSignatureAlgorithmsExtension, parseSrtpProfiles, } from './handshake.js';
+import { prf, computeMasterSecret, expandKeyMaterial, exportKeyingMaterial, aesgcmEncrypt, aesgcmDecrypt, generateEcdhKeyPair, computeEcdhPreMasterSecret, encodeEcPublicKey, ecdsaSign, ecdsaVerify, hmacSha256, } from './crypto.js';
+import { generateSelfSignedCertificate, verifyFingerprint, extractPublicKeyFromCert, } from './certificate.js';
+import { DtlsState } from './state.js';
+export { DtlsState };
+// Signature algorithm identifiers (RFC 5246 Section 7.4.1.4.1)
+const SIG_HASH_SHA256 = 4;
+const SIG_ALG_ECDSA = 3;
+const NAMED_CURVE_P256 = 23;
+export class DtlsTransport extends EventEmitter {
+    localCertificate;
+    _state = DtlsState.New;
+    role;
+    remoteFingerprint;
+    _mtu;
+    sendCb;
+    _startResolve;
+    _startReject;
+    ctx = {
+        messages: [],
+        sendMessageSeq: 0,
+        recvMessageSeq: 0,
+    };
+    cipherState;
+    writeEpoch = 0;
+    writeSeq = 0n;
+    srtpKeys;
+    _cookieSecret = crypto.randomBytes(32);
+    constructor(options) {
+        super();
+        this.role = options.role;
+        this.remoteFingerprint = options.remoteFingerprint;
+        this._mtu = options.mtu ?? 1200;
+        this.localCertificate = options.certificate ?? generateSelfSignedCertificate();
+    }
+    getState() {
+        return this._state;
+    }
+    getLocalFingerprint() {
+        return this.localCertificate.fingerprint;
+    }
+    setSendCallback(cb) {
+        this.sendCb = cb;
+    }
+    async start() {
+        if (this._state !== DtlsState.New) {
+            throw new Error('DtlsTransport already started');
+        }
+        this._state = DtlsState.Connecting;
+        return new Promise((resolve, reject) => {
+            this._startResolve = resolve;
+            this._startReject = reject;
+            if (this.role === 'client') {
+                this._sendClientHello(Buffer.alloc(0)).catch((e) => this._fail(e instanceof Error ? e : new Error(String(e))));
+            }
+        });
+    }
+    handleIncoming(data) {
+        if (this._state === DtlsState.Closed || this._state === DtlsState.Failed)
+            return;
+        try {
+            const records = decodeRecords(data);
+            for (const record of records) {
+                this._processRecord(record);
+            }
+        }
+        catch (e) {
+            this._fail(e instanceof Error ? e : new Error(String(e)));
+        }
+    }
+    // Maximum plaintext payload per DTLS record (RFC 6347 §4.1.1 limits to 2^14-1)
+    static MAX_RECORD_PLAINTEXT = 16383;
+    send(data) {
+        if (this._state !== DtlsState.Connected || !this.cipherState) {
+            throw new Error('DTLS not connected');
+        }
+        // Fragment large payloads into individual DTLS records
+        const maxLen = DtlsTransport.MAX_RECORD_PLAINTEXT;
+        if (data.length <= maxLen) {
+            this._transmit(this._encryptRecord(ContentType.ApplicationData, data));
+        }
+        else {
+            let offset = 0;
+            while (offset < data.length) {
+                const end = Math.min(offset + maxLen, data.length);
+                this._transmit(this._encryptRecord(ContentType.ApplicationData, data.subarray(offset, end)));
+                offset = end;
+            }
+        }
+    }
+    close() {
+        if (this._state === DtlsState.Closed)
+            return;
+        try {
+            const alert = Buffer.from([0x01, 0x00]);
+            this._transmit(encodeRecord(makeRecord(ContentType.Alert, this.writeEpoch, this.writeSeq++, alert)));
+        }
+        catch { /* ignore */ }
+        this._state = DtlsState.Closed;
+        this.emit('close');
+    }
+    // ── Record dispatch ──────────────────────────────────────────────────────────
+    _processRecord(record) {
+        switch (record.contentType) {
+            case ContentType.Handshake:
+                this._processHandshakeRecord(record);
+                break;
+            case ContentType.ChangeCipherSpec:
+                this._processChangeCipherSpec();
+                break;
+            case ContentType.ApplicationData:
+                this._processApplicationData(record);
+                break;
+            case ContentType.Alert:
+                this._processAlert(record);
+                break;
+        }
+    }
+    _processHandshakeRecord(record) {
+        let fragment;
+        try {
+            fragment =
+                record.epoch > 0 && this.cipherState
+                    ? this._decryptRecord(record)
+                    : record.fragment;
+        }
+        catch {
+            return; // ignore undecryptable records
+        }
+        let off = 0;
+        while (off < fragment.length) {
+            if (fragment.length - off < 12)
+                break;
+            const preFragLen = (fragment[off + 9] << 16) |
+                (fragment[off + 10] << 8) |
+                fragment[off + 11];
+            if (off + 12 + preFragLen > fragment.length)
+                break;
+            const msg = decodeHandshakeMessage(fragment.subarray(off));
+            const msgSize = 12 + msg.fragmentLength;
+            // Add to transcript BEFORE processing (so peer's Finished is included)
+            this.ctx.messages.push(Buffer.from(fragment.subarray(off, off + msgSize)));
+            off += msgSize;
+            this._processHandshakeMessage(msg);
+            if (this._state === DtlsState.Failed)
+                return;
+        }
+    }
+    _processHandshakeMessage(msg) {
+        if (this.role === 'client') {
+            this._processAsClient(msg);
+        }
+        else {
+            this._processAsServer(msg);
+        }
+    }
+    // ── Client state machine ─────────────────────────────────────────────────────
+    _processAsClient(msg) {
+        switch (msg.msgType) {
+            case HandshakeType.HelloVerifyRequest: {
+                const hvr = decodeHelloVerifyRequest(msg.body);
+                // RFC 6347 §4.2.1: reset transcript/seqs before retrying
+                this.ctx.messages = [];
+                this.ctx.sendMessageSeq = 0;
+                this.ctx.recvMessageSeq = 0;
+                this._sendClientHello(hvr.cookie).catch((e) => this._fail(e instanceof Error ? e : new Error(String(e))));
+                break;
+            }
+            case HandshakeType.ServerHello: {
+                this.ctx.selectedCipherSuite = decodeServerHello(msg.body).cipherSuite;
+                this.ctx.serverRandom = Buffer.from(msg.body.subarray(2, 34));
+                break;
+            }
+            case HandshakeType.Certificate: {
+                const certs = decodeCertificate(msg.body);
+                const first = certs[0];
+                if (!first) {
+                    this._fail(new Error('No certificate'));
+                    return;
+                }
+                this.ctx.peerCertDer = first;
+                if (this.remoteFingerprint && !verifyFingerprint(first, this.remoteFingerprint)) {
+                    this._fail(new Error('Certificate fingerprint mismatch'));
+                }
+                break;
+            }
+            case HandshakeType.ServerKeyExchange: {
+                const ske = decodeServerKeyExchange(msg.body);
+                if (this.ctx.peerCertDer) {
+                    const peerPk = extractPublicKeyFromCert(this.ctx.peerCertDer);
+                    const toVerify = Buffer.concat([
+                        this.ctx.clientRandom ?? Buffer.alloc(32),
+                        this.ctx.serverRandom ?? Buffer.alloc(32),
+                        Buffer.from([ske.curveType]),
+                        Buffer.from([(ske.namedCurve >> 8) & 0xff, ske.namedCurve & 0xff]),
+                        Buffer.from([ske.publicKey.length]),
+                        ske.publicKey,
+                    ]);
+                    if (!ecdsaVerify(peerPk, toVerify, ske.signature)) {
+                        this._fail(new Error('ServerKeyExchange signature verification failed'));
+                        return;
+                    }
+                }
+                this.ctx.peerEcPublicKeyBytes = ske.publicKey;
+                break;
+            }
+            case HandshakeType.ServerHelloDone:
+                this._sendClientKeyExchange().catch((e) => this._fail(e instanceof Error ? e : new Error(String(e))));
+                break;
+            case HandshakeType.Finished:
+                this._processServerFinished(msg.body);
+                break;
+        }
+    }
+    // ── Server state machine ─────────────────────────────────────────────────────
+    _processAsServer(msg) {
+        console.log(`[DTLS server] received msgType=${msg.msgType} seq=${msg.messageSeq}`);
+        switch (msg.msgType) {
+            case HandshakeType.ClientHello: {
+                const ch = decodeClientHello(msg.body);
+                if (ch.cookie.length === 0) {
+                    // First ClientHello: send HVR, reset transcript
+                    const cookie = this._generateCookie(ch.random);
+                    this.ctx.cookie = cookie;
+                    this.ctx.messages = [];
+                    this.ctx.sendMessageSeq = 0;
+                    this.ctx.recvMessageSeq = 0;
+                    this._transmitHelloVerifyRequest(cookie);
+                }
+                else {
+                    // Second ClientHello with cookie
+                    if (this.ctx.cookie && !ch.cookie.equals(this.ctx.cookie)) {
+                        this._fail(new Error('Invalid DTLS cookie'));
+                        return;
+                    }
+                    this.ctx.clientRandom = Buffer.from(ch.random);
+                    this._sendServerFlight(ch).catch((e) => this._fail(e instanceof Error ? e : new Error(String(e))));
+                }
+                break;
+            }
+            case HandshakeType.ClientKeyExchange: {
+                const cke = decodeClientKeyExchange(msg.body);
+                this.ctx.peerEcPublicKeyBytes = cke.publicKey;
+                if (this.ctx.ecdhPrivateKey && cke.publicKey) {
+                    this.ctx.preMasterSecret = computeEcdhPreMasterSecret(this.ctx.ecdhPrivateKey, cke.publicKey);
+                }
+                break;
+            }
+            case HandshakeType.Finished:
+                this._processClientFinished(msg.body);
+                break;
+        }
+    }
+    // ── Client sends ─────────────────────────────────────────────────────────────
+    async _sendClientHello(cookie) {
+        const ecdh = generateEcdhKeyPair();
+        this.ctx.ecdhPrivateKey = ecdh.privateKey;
+        this.ctx.ecdhPublicKey = ecdh.publicKey;
+        const clientRandom = crypto.randomBytes(32);
+        this.ctx.clientRandom = clientRandom;
+        const hello = {
+            clientVersion: DTLS_VERSION_1_2,
+            random: clientRandom,
+            sessionId: Buffer.alloc(0),
+            cookie,
+            cipherSuites: [
+                CipherSuites.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+                CipherSuites.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+            ],
+            compressionMethods: [0],
+            extensions: [
+                { type: ExtensionType.UseSrtp, data: buildUseSrtpExtension([SrtpProtectionProfile.SRTP_AES128_CM_SHA1_80, SrtpProtectionProfile.SRTP_AES128_CM_SHA1_32]) },
+                { type: ExtensionType.SupportedGroups, data: buildSupportedGroupsExtension([NamedCurve.secp256r1]) },
+                { type: ExtensionType.SignatureAlgorithms, data: buildSignatureAlgorithmsExtension([{ hash: SIG_HASH_SHA256, sig: SIG_ALG_ECDSA }]) },
+            ],
+        };
+        const body = encodeClientHello(hello);
+        const seq = this.ctx.sendMessageSeq++;
+        this._sendHandshake({ msgType: HandshakeType.ClientHello, length: body.length, messageSeq: seq, fragmentOffset: 0, fragmentLength: body.length, body });
+    }
+    async _sendClientKeyExchange() {
+        if (!this.ctx.ecdhPrivateKey || !this.ctx.ecdhPublicKey || !this.ctx.peerEcPublicKeyBytes) {
+            this._fail(new Error('Missing ECDH keys for ClientKeyExchange'));
+            return;
+        }
+        this.ctx.preMasterSecret = computeEcdhPreMasterSecret(this.ctx.ecdhPrivateKey, this.ctx.peerEcPublicKeyBytes);
+        const myPkBytes = encodeEcPublicKey(this.ctx.ecdhPublicKey);
+        this._sendHandshakeBody(HandshakeType.ClientKeyExchange, encodeClientKeyExchange({ publicKey: myPkBytes }));
+        this._deriveKeys();
+        this._sendChangeCipherSpec();
+        this._sendFinished();
+    }
+    // ── Server sends ─────────────────────────────────────────────────────────────
+    /**
+     * Transmit HelloVerifyRequest WITHOUT adding it to the transcript.
+     * RFC 6347 §4.2.1: HVR is excluded from the handshake hash.
+     */
+    _transmitHelloVerifyRequest(cookie) {
+        const hvr = encodeHelloVerifyRequest({ serverVersion: DTLS_VERSION_1_2, cookie });
+        const seq = this.ctx.sendMessageSeq++;
+        const hsBuf = encodeHandshakeMessage({
+            msgType: HandshakeType.HelloVerifyRequest,
+            length: hvr.length,
+            messageSeq: seq,
+            fragmentOffset: 0,
+            fragmentLength: hvr.length,
+            body: hvr,
+        });
+        this._transmit(encodeRecord(makeRecord(ContentType.Handshake, this.writeEpoch, this.writeSeq++, hsBuf)));
+        // NOT added to this.ctx.messages
+    }
+    async _sendServerFlight(clientHello) {
+        const serverRandom = crypto.randomBytes(32);
+        this.ctx.serverRandom = serverRandom;
+        const supported = [
+            CipherSuites.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+            CipherSuites.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+        ];
+        const cipherSuite = clientHello.cipherSuites.find((cs) => supported.includes(cs)) ??
+            CipherSuites.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
+        this.ctx.selectedCipherSuite = cipherSuite;
+        const serverHelloExts = [];
+        const srtpExt = clientHello.extensions.find((e) => e.type === ExtensionType.UseSrtp);
+        if (srtpExt) {
+            const profiles = parseSrtpProfiles(srtpExt.data);
+            const profile = profiles.find((p) => p === SrtpProtectionProfile.SRTP_AES128_CM_SHA1_80) ??
+                profiles[0] ??
+                SrtpProtectionProfile.SRTP_AES128_CM_SHA1_80;
+            serverHelloExts.push({ type: ExtensionType.UseSrtp, data: buildUseSrtpExtension([profile]) });
+        }
+        const sh = {
+            serverVersion: DTLS_VERSION_1_2,
+            random: serverRandom,
+            sessionId: Buffer.alloc(0),
+            cipherSuite,
+            compressionMethod: 0,
+            extensions: serverHelloExts,
+        };
+        this._sendHandshakeBody(HandshakeType.ServerHello, encodeServerHello(sh));
+        this._sendHandshakeBody(HandshakeType.Certificate, encodeCertificate(this.localCertificate.cert));
+        const ecdhPair = generateEcdhKeyPair();
+        this.ctx.ecdhPrivateKey = ecdhPair.privateKey;
+        this.ctx.ecdhPublicKey = ecdhPair.publicKey;
+        const serverEcPk = encodeEcPublicKey(ecdhPair.publicKey);
+        const clientRandom = this.ctx.clientRandom ?? Buffer.alloc(32);
+        const toSign = Buffer.concat([
+            clientRandom, serverRandom,
+            Buffer.from([3]),
+            Buffer.from([(NAMED_CURVE_P256 >> 8) & 0xff, NAMED_CURVE_P256 & 0xff]),
+            Buffer.from([serverEcPk.length]),
+            serverEcPk,
+        ]);
+        const sig = ecdsaSign(this.localCertificate.privateKey, toSign);
+        const ske = {
+            curveType: 3,
+            namedCurve: NAMED_CURVE_P256,
+            publicKey: serverEcPk,
+            signatureAlgorithm: { hash: SIG_HASH_SHA256, signature: SIG_ALG_ECDSA },
+            signature: sig,
+        };
+        this._sendHandshakeBody(HandshakeType.ServerKeyExchange, encodeServerKeyExchange(ske));
+        this._sendHandshakeBody(HandshakeType.ServerHelloDone, Buffer.alloc(0));
+    }
+    // ── Key derivation ───────────────────────────────────────────────────────────
+    _deriveKeys() {
+        const cr = this.ctx.clientRandom ?? Buffer.alloc(32);
+        const sr = this.ctx.serverRandom ?? Buffer.alloc(32);
+        if (!this.ctx.preMasterSecret)
+            throw new Error('No pre-master secret');
+        const ms = computeMasterSecret(this.ctx.preMasterSecret, cr, sr);
+        const kb = expandKeyMaterial(ms, cr, sr, 16, 4);
+        this.cipherState = {
+            writeKey: this.role === 'client' ? kb.clientWriteKey : kb.serverWriteKey,
+            writeIv: this.role === 'client' ? kb.clientWriteIv : kb.serverWriteIv,
+            readKey: this.role === 'client' ? kb.serverWriteKey : kb.clientWriteKey,
+            readIv: this.role === 'client' ? kb.serverWriteIv : kb.clientWriteIv,
+            writeEpoch: 1, writeSeq: 0n,
+            readEpoch: 1, readSeq: 0n,
+        };
+        const srtpMat = exportKeyingMaterial(ms, cr, sr, 'EXTRACTOR-dtls_srtp', 60);
+        this.srtpKeys = {
+            clientKey: Buffer.from(srtpMat.subarray(0, 16)),
+            serverKey: Buffer.from(srtpMat.subarray(16, 32)),
+            clientSalt: Buffer.from(srtpMat.subarray(32, 46)),
+            serverSalt: Buffer.from(srtpMat.subarray(46, 60)),
+            profile: SrtpProtectionProfile.SRTP_AES128_CM_SHA1_80,
+        };
+    }
+    // ── ChangeCipherSpec / Finished ──────────────────────────────────────────────
+    _sendChangeCipherSpec() {
+        this._transmit(encodeRecord(makeRecord(ContentType.ChangeCipherSpec, this.writeEpoch, this.writeSeq++, Buffer.from([1]))));
+        this.writeEpoch = 1;
+        this.writeSeq = 0n;
+    }
+    _processChangeCipherSpec() {
+        // When server receives client's CCS, derive keys if not done yet
+        if (!this.cipherState && this.ctx.preMasterSecret) {
+            this._deriveKeys();
+        }
+    }
+    _computeFinished(role) {
+        const cr = this.ctx.clientRandom ?? Buffer.alloc(32);
+        const sr = this.ctx.serverRandom ?? Buffer.alloc(32);
+        if (!this.ctx.preMasterSecret)
+            throw new Error('No pre-master secret');
+        const ms = computeMasterSecret(this.ctx.preMasterSecret, cr, sr);
+        const hash = crypto.createHash('sha256').update(Buffer.concat(this.ctx.messages)).digest();
+        return prf(ms, role === 'client' ? 'client finished' : 'server finished', hash, 12);
+    }
+    _computePeerFinished(peerRole) {
+        const cr = this.ctx.clientRandom ?? Buffer.alloc(32);
+        const sr = this.ctx.serverRandom ?? Buffer.alloc(32);
+        if (!this.ctx.preMasterSecret)
+            throw new Error('No pre-master secret');
+        const ms = computeMasterSecret(this.ctx.preMasterSecret, cr, sr);
+        // Exclude the peer's Finished message (the last one added) from the transcript
+        const msgs = this.ctx.messages.slice(0, -1);
+        const hash = crypto.createHash('sha256').update(Buffer.concat(msgs)).digest();
+        return prf(ms, peerRole === 'client' ? 'client finished' : 'server finished', hash, 12);
+    }
+    _sendFinished() {
+        const verifyData = this._computeFinished(this.role);
+        const hsBuf = this._buildHandshakeMessage(HandshakeType.Finished, verifyData);
+        this._transmit(this._encryptRecord(ContentType.Handshake, hsBuf));
+        // Add our own Finished to transcript AFTER computing verify_data
+        this.ctx.messages.push(hsBuf);
+    }
+    _processServerFinished(body) {
+        const expected = this._computePeerFinished('server');
+        if (!body.equals(expected)) {
+            this._fail(new Error('Server Finished verification failed'));
+            return;
+        }
+        this._state = DtlsState.Connected;
+        if (this.srtpKeys) {
+            this._startResolve?.(this.srtpKeys);
+            this.emit('connected', this.srtpKeys);
+        }
+    }
+    _processClientFinished(body) {
+        // Derive keys if CCS was not received first
+        if (!this.cipherState && this.ctx.preMasterSecret) {
+            this._deriveKeys();
+        }
+        const expected = this._computePeerFinished('client');
+        if (!body.equals(expected)) {
+            this._fail(new Error('Client Finished verification failed'));
+            return;
+        }
+        this._sendChangeCipherSpec();
+        this._sendFinished();
+        this._state = DtlsState.Connected;
+        if (this.srtpKeys) {
+            this._startResolve?.(this.srtpKeys);
+            this.emit('connected', this.srtpKeys);
+        }
+    }
+    // ── Application data / Alerts ────────────────────────────────────────────────
+    _processApplicationData(record) {
+        if (!this.cipherState)
+            return;
+        try {
+            const decrypted = this._decryptRecord(record);
+            this.emit('data', decrypted);
+        }
+        catch (e) {
+            this.emit('error', e instanceof Error ? e : new Error(String(e)));
+        }
+    }
+    _processAlert(record) {
+        if (record.fragment.length >= 2 && record.fragment[1] === 0) {
+            this._state = DtlsState.Closed;
+            this.emit('close');
+        }
+    }
+    // ── AES-128-GCM ──────────────────────────────────────────────────────────────
+    _encryptRecord(contentType, plaintext) {
+        if (!this.cipherState)
+            throw new Error('No cipher state');
+        const epoch = this.cipherState.writeEpoch;
+        const seq = this.cipherState.writeSeq++;
+        const explicit = seqBuf8(seq);
+        const nonce = Buffer.concat([this.cipherState.writeIv, explicit]);
+        const aad = buildAad(epoch, seq, contentType, plaintext.length);
+        const { ciphertext, tag } = aesgcmEncrypt(this.cipherState.writeKey, nonce, plaintext, aad);
+        return encodeRecord(makeRecord(contentType, epoch, seq, Buffer.concat([explicit, ciphertext, tag])));
+    }
+    _decryptRecord(record) {
+        if (!this.cipherState)
+            throw new Error('No cipher state');
+        const f = record.fragment;
+        if (f.length < 24)
+            throw new Error('Encrypted record too short');
+        const explicit = f.subarray(0, 8);
+        const ciphertext = f.subarray(8, f.length - 16);
+        const tag = f.subarray(f.length - 16);
+        const nonce = Buffer.concat([this.cipherState.readIv, explicit]);
+        const aad = buildAad(record.epoch, record.sequenceNumber, record.contentType, ciphertext.length);
+        return aesgcmDecrypt(this.cipherState.readKey, nonce, ciphertext, tag, aad);
+    }
+    // ── Handshake helpers ────────────────────────────────────────────────────────
+    _buildHandshakeMessage(msgType, body) {
+        return encodeHandshakeMessage({
+            msgType, length: body.length,
+            messageSeq: this.ctx.sendMessageSeq++,
+            fragmentOffset: 0, fragmentLength: body.length, body,
+        });
+    }
+    _sendHandshakeBody(msgType, body) {
+        const hsBuf = this._buildHandshakeMessage(msgType, body);
+        this.ctx.messages.push(hsBuf);
+        this._transmit(encodeRecord(makeRecord(ContentType.Handshake, this.writeEpoch, this.writeSeq++, hsBuf)));
+    }
+    _sendHandshake(msg) {
+        const hsBuf = encodeHandshakeMessage(msg);
+        this.ctx.messages.push(hsBuf);
+        this._transmit(encodeRecord(makeRecord(ContentType.Handshake, this.writeEpoch, this.writeSeq++, hsBuf)));
+    }
+    // ── Cookie ───────────────────────────────────────────────────────────────────
+    _generateCookie(clientRandom) {
+        return hmacSha256(this._cookieSecret, clientRandom).subarray(0, 20);
+    }
+    // ── Transmit / Fail ──────────────────────────────────────────────────────────
+    _transmit(data) {
+        this.sendCb?.(data);
+    }
+    _fail(err) {
+        if (this._state === DtlsState.Failed || this._state === DtlsState.Closed)
+            return;
+        this._state = DtlsState.Failed;
+        this._startReject?.(err);
+        this.emit('error', err);
+    }
+}
+// ── Utilities ────────────────────────────────────────────────────────────────
+function seqBuf8(seq) {
+    const b = Buffer.allocUnsafe(8);
+    b.writeUInt32BE(Number((seq >> 32n) & 0xffffffffn), 0);
+    b.writeUInt32BE(Number(seq & 0xffffffffn), 4);
+    return b;
+}
+function buildAad(epoch, seq, ct, len) {
+    const aad = Buffer.allocUnsafe(13);
+    aad.writeUInt16BE(epoch, 0);
+    aad.writeUInt16BE(Number((seq >> 32n) & 0xffffn), 2);
+    aad.writeUInt32BE(Number(seq & 0xffffffffn), 4);
+    aad.writeUInt8(ct, 8);
+    aad.writeUInt8(DTLS_VERSION_1_2.major, 9);
+    aad.writeUInt8(DTLS_VERSION_1_2.minor, 10);
+    aad.writeUInt16BE(len, 11);
+    return aad;
+}
+//# sourceMappingURL=transport.js.map