@push.rocks/smartproxy 11.0.0 → 13.1.2

package/dist_ts/tls/sni/sni-extraction.js

@@ -0,0 +1,275 @@
+import { Buffer } from 'buffer';
+import { TlsExtensionType, TlsUtils } from '../utils/tls-utils.js';
+import { ClientHelloParser } from './client-hello-parser.js';
+/**
+ * Utilities for extracting SNI information from TLS handshakes
+ */
+export class SniExtraction {
+    /**
+     * Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
+     *
+     * @param buffer The buffer containing the TLS ClientHello message
+     * @param logger Optional logging function
+     * @returns The extracted server name or undefined if not found
+     */
+    static extractSNI(buffer, logger) {
+        const log = logger || (() => { });
+        try {
+            // Parse the ClientHello
+            const parseResult = ClientHelloParser.parseClientHello(buffer, logger);
+            if (!parseResult.isValid) {
+                log(`Failed to parse ClientHello: ${parseResult.error}`);
+                return undefined;
+            }
+            // Check if ServerName extension was found
+            if (parseResult.serverNameList && parseResult.serverNameList.length > 0) {
+                // Use the first hostname (most common case)
+                const serverName = parseResult.serverNameList[0];
+                log(`Found SNI: ${serverName}`);
+                return serverName;
+            }
+            log('No SNI extension found in ClientHello');
+            return undefined;
+        }
+        catch (error) {
+            log(`Error extracting SNI: ${error instanceof Error ? error.message : String(error)}`);
+            return undefined;
+        }
+    }
+    /**
+     * Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
+     *
+     * In TLS 1.3, when a client attempts to resume a session, it may include
+     * the server name in the PSK identity hint rather than in the SNI extension.
+     *
+     * @param buffer The buffer containing the TLS ClientHello message
+     * @param logger Optional logging function
+     * @returns The extracted server name or undefined if not found
+     */
+    static extractSNIFromPSKExtension(buffer, logger) {
+        const log = logger || (() => { });
+        try {
+            // Ensure this is a ClientHello
+            if (!TlsUtils.isClientHello(buffer)) {
+                log('Not a ClientHello message');
+                return undefined;
+            }
+            // Parse the ClientHello to find PSK extension
+            const parseResult = ClientHelloParser.parseClientHello(buffer, logger);
+            if (!parseResult.isValid || !parseResult.extensions) {
+                return undefined;
+            }
+            // Find the PSK extension
+            const pskExtension = parseResult.extensions.find(ext => ext.type === TlsExtensionType.PRE_SHARED_KEY);
+            if (!pskExtension) {
+                log('No PSK extension found');
+                return undefined;
+            }
+            // Parse the PSK extension data
+            const data = pskExtension.data;
+            // PSK extension structure:
+            // 2 bytes: identities list length
+            if (data.length < 2)
+                return undefined;
+            const identitiesLength = (data[0] << 8) + data[1];
+            let pos = 2;
+            // End of identities list
+            const identitiesEnd = pos + identitiesLength;
+            if (identitiesEnd > data.length)
+                return undefined;
+            // Process each PSK identity
+            while (pos + 2 <= identitiesEnd) {
+                // Identity length (2 bytes)
+                if (pos + 2 > identitiesEnd)
+                    break;
+                const identityLength = (data[pos] << 8) + data[pos + 1];
+                pos += 2;
+                if (pos + identityLength > identitiesEnd)
+                    break;
+                // Try to extract hostname from identity
+                // Chrome often embeds the hostname in the PSK identity
+                // This is a heuristic as there's no standard format
+                if (identityLength > 0) {
+                    const identity = data.slice(pos, pos + identityLength);
+                    // Skip identity bytes
+                    pos += identityLength;
+                    // Skip obfuscated ticket age (4 bytes)
+                    if (pos + 4 <= identitiesEnd) {
+                        pos += 4;
+                    }
+                    else {
+                        break;
+                    }
+                    // Try to parse the identity as UTF-8
+                    try {
+                        const identityStr = identity.toString('utf8');
+                        log(`PSK identity: ${identityStr}`);
+                        // Check if the identity contains hostname hints
+                        // Chrome often embeds the hostname in a known format
+                        // Try to extract using common patterns
+                        // Pattern 1: Look for domain name pattern
+                        const domainPattern = /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
+                        const domainMatch = identityStr.match(domainPattern);
+                        if (domainMatch && domainMatch[0]) {
+                            log(`Found domain in PSK identity: ${domainMatch[0]}`);
+                            return domainMatch[0];
+                        }
+                        // Pattern 2: Chrome sometimes uses a specific format with delimiters
+                        // This is a heuristic approach since the format isn't standardized
+                        const parts = identityStr.split('|');
+                        if (parts.length > 1) {
+                            for (const part of parts) {
+                                if (part.includes('.') && !part.includes('/')) {
+                                    const possibleDomain = part.trim();
+                                    if (/^[a-z0-9.-]+$/i.test(possibleDomain)) {
+                                        log(`Found possible domain in PSK delimiter format: ${possibleDomain}`);
+                                        return possibleDomain;
+                                    }
+                                }
+                            }
+                        }
+                    }
+                    catch (e) {
+                        log('Failed to parse PSK identity as UTF-8');
+                    }
+                }
+            }
+            log('No hostname found in PSK extension');
+            return undefined;
+        }
+        catch (error) {
+            log(`Error parsing PSK: ${error instanceof Error ? error.message : String(error)}`);
+            return undefined;
+        }
+    }
+    /**
+     * Main entry point for SNI extraction with support for fragmented messages
+     * and session resumption edge cases.
+     *
+     * @param buffer The buffer containing TLS data
+     * @param connectionInfo Connection tracking information
+     * @param logger Optional logging function
+     * @param cachedSni Optional previously cached SNI value
+     * @returns The extracted server name or undefined
+     */
+    static extractSNIWithResumptionSupport(buffer, connectionInfo, logger, cachedSni) {
+        const log = logger || (() => { });
+        // Log buffer details for debugging
+        if (logger) {
+            log(`Buffer size: ${buffer.length} bytes`);
+            log(`Buffer starts with: ${buffer.slice(0, Math.min(10, buffer.length)).toString('hex')}`);
+            if (buffer.length >= 5) {
+                const recordType = buffer[0];
+                const majorVersion = buffer[1];
+                const minorVersion = buffer[2];
+                const recordLength = (buffer[3] << 8) + buffer[4];
+                log(`TLS Record: type=${recordType}, version=${majorVersion}.${minorVersion}, length=${recordLength}`);
+            }
+        }
+        // Check if we need to handle fragmented packets
+        let processBuffer = buffer;
+        if (connectionInfo) {
+            const connectionId = TlsUtils.createConnectionId(connectionInfo);
+            const reassembledBuffer = ClientHelloParser.handleFragmentedClientHello(buffer, connectionId, logger);
+            if (!reassembledBuffer) {
+                log(`Waiting for more fragments on connection ${connectionId}`);
+                return undefined; // Need more fragments to complete ClientHello
+            }
+            processBuffer = reassembledBuffer;
+            log(`Using reassembled buffer of length ${processBuffer.length}`);
+        }
+        // First try the standard SNI extraction
+        const standardSni = this.extractSNI(processBuffer, logger);
+        if (standardSni) {
+            log(`Found standard SNI: ${standardSni}`);
+            return standardSni;
+        }
+        // Check for session resumption when standard SNI extraction fails
+        if (TlsUtils.isClientHello(processBuffer)) {
+            const resumptionInfo = ClientHelloParser.hasSessionResumption(processBuffer, logger);
+            if (resumptionInfo.isResumption) {
+                log(`Detected session resumption in ClientHello without standard SNI`);
+                // Try to extract SNI from PSK extension
+                const pskSni = this.extractSNIFromPSKExtension(processBuffer, logger);
+                if (pskSni) {
+                    log(`Extracted SNI from PSK extension: ${pskSni}`);
+                    return pskSni;
+                }
+            }
+        }
+        // If cached SNI was provided, use it for application data packets
+        if (cachedSni && TlsUtils.isTlsApplicationData(buffer)) {
+            log(`Using provided cached SNI for application data: ${cachedSni}`);
+            return cachedSni;
+        }
+        return undefined;
+    }
+    /**
+     * Unified method for processing a TLS packet and extracting SNI.
+     * Main entry point for SNI extraction that handles all edge cases.
+     *
+     * @param buffer The buffer containing TLS data
+     * @param connectionInfo Connection tracking information
+     * @param logger Optional logging function
+     * @param cachedSni Optional previously cached SNI value
+     * @returns The extracted server name or undefined
+     */
+    static processTlsPacket(buffer, connectionInfo, logger, cachedSni) {
+        const log = logger || (() => { });
+        // Add timestamp if not provided
+        if (!connectionInfo.timestamp) {
+            connectionInfo.timestamp = Date.now();
+        }
+        // Check if this is a TLS handshake or application data
+        if (!TlsUtils.isTlsHandshake(buffer) && !TlsUtils.isTlsApplicationData(buffer)) {
+            log('Not a TLS handshake or application data packet');
+            return undefined;
+        }
+        // Create connection ID for tracking
+        const connectionId = TlsUtils.createConnectionId(connectionInfo);
+        log(`Processing TLS packet for connection ${connectionId}, buffer length: ${buffer.length}`);
+        // Handle application data with cached SNI (for connection racing)
+        if (TlsUtils.isTlsApplicationData(buffer)) {
+            // If explicit cachedSni was provided, use it
+            if (cachedSni) {
+                log(`Using provided cached SNI for application data: ${cachedSni}`);
+                return cachedSni;
+            }
+            log('Application data packet without cached SNI, cannot determine hostname');
+            return undefined;
+        }
+        // Enhanced session resumption detection
+        if (TlsUtils.isClientHello(buffer)) {
+            const resumptionInfo = ClientHelloParser.hasSessionResumption(buffer, logger);
+            if (resumptionInfo.isResumption) {
+                log(`Session resumption detected in TLS packet`);
+                // Always try standard SNI extraction first
+                const standardSni = this.extractSNI(buffer, logger);
+                if (standardSni) {
+                    log(`Found standard SNI in session resumption: ${standardSni}`);
+                    return standardSni;
+                }
+                // Enhanced session resumption SNI extraction
+                // Try extracting from PSK identity
+                const pskSni = this.extractSNIFromPSKExtension(buffer, logger);
+                if (pskSni) {
+                    log(`Extracted SNI from PSK extension: ${pskSni}`);
+                    return pskSni;
+                }
+                log(`Session resumption without extractable SNI`);
+            }
+        }
+        // For handshake messages, try the full extraction process
+        const sni = this.extractSNIWithResumptionSupport(buffer, connectionInfo, logger);
+        if (sni) {
+            log(`Successfully extracted SNI: ${sni}`);
+            return sni;
+        }
+        // If we couldn't extract an SNI, check if this is a valid ClientHello
+        if (TlsUtils.isClientHello(buffer)) {
+            log('Valid ClientHello detected, but no SNI extracted - might need more data');
+        }
+        return undefined;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic25pLWV4dHJhY3Rpb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy90bHMvc25pL3NuaS1leHRyYWN0aW9uLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxRQUFRLENBQUM7QUFDaEMsT0FBTyxFQUFFLGdCQUFnQixFQUFFLFFBQVEsRUFBRSxNQUFNLHVCQUF1QixDQUFDO0FBQ25FLE9BQU8sRUFDTCxpQkFBaUIsRUFFbEIsTUFBTSwwQkFBMEIsQ0FBQztBQWFsQzs7R0FFRztBQUNILE1BQU0sT0FBTyxhQUFhO0lBQ3hCOzs7Ozs7T0FNRztJQUNJLE1BQU0sQ0FBQyxVQUFVLENBQUMsTUFBYyxFQUFFLE1BQXVCO1FBQzlELE1BQU0sR0FBRyxHQUFHLE1BQU0sSUFBSSxDQUFDLEdBQUcsRUFBRSxHQUFFLENBQUMsQ0FBQyxDQUFDO1FBRWpDLElBQUksQ0FBQztZQUNILHdCQUF3QjtZQUN4QixNQUFNLFdBQVcsR0FBRyxpQkFBaUIsQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLEVBQUUsTUFBTSxDQUFDLENBQUM7WUFDdkUsSUFBSSxDQUFDLFdBQVcsQ0FBQyxPQUFPLEVBQUUsQ0FBQztnQkFDekIsR0FBRyxDQUFDLGdDQUFnQyxXQUFXLENBQUMsS0FBSyxFQUFFLENBQUMsQ0FBQztnQkFDekQsT0FBTyxTQUFTLENBQUM7WUFDbkIsQ0FBQztZQUVELDBDQUEwQztZQUMxQyxJQUFJLFdBQVcsQ0FBQyxjQUFjLElBQUksV0FBVyxDQUFDLGNBQWMsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFLENBQUM7Z0JBQ3hFLDRDQUE0QztnQkFDNUMsTUFBTSxVQUFVLEdBQUcsV0FBVyxDQUFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFDakQsR0FBRyxDQUFDLGNBQWMsVUFBVSxFQUFFLENBQUMsQ0FBQztnQkFDaEMsT0FBTyxVQUFVLENBQUM7WUFDcEIsQ0FBQztZQUVELEdBQUcsQ0FBQyx1Q0FBdUMsQ0FBQyxDQUFDO1lBQzdDLE9BQU8sU0FBUyxDQUFDO1FBQ25CLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsR0FBRyxDQUFDLHlCQUF5QixLQUFLLFlBQVksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDO1lBQ3ZGLE9BQU8sU0FBUyxDQUFDO1FBQ25CLENBQUM7SUFDSCxDQUFDO0lBRUQ7Ozs7Ozs7OztPQVNHO0lBQ0ksTUFBTSxDQUFDLDBCQUEwQixDQUN0QyxNQUFjLEVBQ2QsTUFBdUI7UUFFdkIsTUFBTSxHQUFHLEdBQUcsTUFBTSxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUUsQ0FBQyxDQUFDLENBQUM7UUFFakMsSUFBSSxDQUFDO1lBQ0gsK0JBQStCO1lBQy9CLElBQUksQ0FBQyxRQUFRLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7Z0JBQ3BDLEdBQUcsQ0FBQywyQkFBMkIsQ0FBQyxDQUFDO2dCQUNqQyxPQUFPLFNBQVMsQ0FBQztZQUNuQixDQUFDO1lBRUQsOENBQThDO1lBQzlDLE1BQU0sV0FBVyxHQUFHLGlCQUFpQixDQUFDLGdCQUFnQixDQUFDLE1BQU0sRUFBRSxNQUFNLENBQUMsQ0FBQztZQUN2RSxJQUFJLENBQUMsV0FBVyxDQUFDLE9BQU8sSUFBSSxDQUFDLFdBQVcsQ0FBQyxVQUFVLEVBQUUsQ0FBQztnQkFDcEQsT0FBTyxTQUFTLENBQUM7WUFDbkIsQ0FBQztZQUVELHlCQUF5QjtZQUN6QixNQUFNLFlBQVksR0FBRyxXQUFXLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUNyRCxHQUFHLENBQUMsSUFBSSxLQUFLLGdCQUFnQixDQUFDLGNBQWMsQ0FBQyxDQUFDO1lBRWhELElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztnQkFDbEIsR0FBRyxDQUFDLHdCQUF3QixDQUFDLENBQUM7Z0JBQzlCLE9BQU8sU0FBUyxDQUFDO1lBQ25CLENBQUM7WUFFRCwrQkFBK0I7WUFDL0IsTUFBTSxJQUFJLEdBQUcsWUFBWSxDQUFDLElBQUksQ0FBQztZQUUvQiwyQkFBMkI7WUFDM0Isa0NBQWtDO1lBQ2xDLElBQUksSUFBSSxDQUFDLE1BQU0sR0FBRyxDQUFDO2dCQUFFLE9BQU8sU0FBUyxDQUFDO1lBRXRDLE1BQU0sZ0JBQWdCLEdBQUcsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLEdBQUcsSUFBSSxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ2xELElBQUksR0FBRyxHQUFHLENBQUMsQ0FBQztZQUVaLHlCQUF5QjtZQUN6QixNQUFNLGFBQWEsR0FBRyxHQUFHLEdBQUcsZ0JBQWdCLENBQUM7WUFDN0MsSUFBSSxhQUFhLEdBQUcsSUFBSSxDQUFDLE1BQU07Z0JBQUUsT0FBTyxTQUFTLENBQUM7WUFFbEQsNEJBQTRCO1lBQzVCLE9BQU8sR0FBRyxHQUFHLENBQUMsSUFBSSxhQUFhLEVBQUUsQ0FBQztnQkFDaEMsNEJBQTRCO2dCQUM1QixJQUFJLEdBQUcsR0FBRyxDQUFDLEdBQUcsYUFBYTtvQkFBRSxNQUFNO2dCQUVuQyxNQUFNLGNBQWMsR0FBRyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxJQUFJLENBQUMsR0FBRyxHQUFHLENBQUMsQ0FBQyxDQUFDO2dCQUN4RCxHQUFHLElBQUksQ0FBQyxDQUFDO2dCQUVULElBQUksR0FBRyxHQUFHLGNBQWMsR0FBRyxhQUFhO29CQUFFLE1BQU07Z0JBRWhELHdDQUF3QztnQkFDeEMsdURBQXVEO2dCQUN2RCxvREFBb0Q7Z0JBQ3BELElBQUksY0FBYyxHQUFHLENBQUMsRUFBRSxDQUFDO29CQUN2QixNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsRUFBRSxHQUFHLEdBQUcsY0FBYyxDQUFDLENBQUM7b0JBRXZELHNCQUFzQjtvQkFDdEIsR0FBRyxJQUFJLGNBQWMsQ0FBQztvQkFFdEIsdUNBQXVDO29CQUN2QyxJQUFJLEdBQUcsR0FBRyxDQUFDLElBQUksYUFBYSxFQUFFLENBQUM7d0JBQzdCLEdBQUcsSUFBSSxDQUFDLENBQUM7b0JBQ1gsQ0FBQzt5QkFBTSxDQUFDO3dCQUNOLE1BQU07b0JBQ1IsQ0FBQztvQkFFRCxxQ0FBcUM7b0JBQ3JDLElBQUksQ0FBQzt3QkFDSCxNQUFNLFdBQVcsR0FBRyxRQUFRLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxDQUFDO3dCQUM5QyxHQUFHLENBQUMsaUJBQWlCLFdBQVcsRUFBRSxDQUFDLENBQUM7d0JBRXBDLGdEQUFnRDt3QkFDaEQscURBQXFEO3dCQUNyRCx1Q0FBdUM7d0JBRXZDLDBDQUEwQzt3QkFDMUMsTUFBTSxhQUFhLEdBQ2pCLDRFQUE0RSxDQUFDO3dCQUMvRSxNQUFNLFdBQVcsR0FBRyxXQUFXLENBQUMsS0FBSyxDQUFDLGFBQWEsQ0FBQyxDQUFDO3dCQUNyRCxJQUFJLFdBQVcsSUFBSSxXQUFXLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQzs0QkFDbEMsR0FBRyxDQUFDLGlDQUFpQyxXQUFXLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDOzRCQUN2RCxPQUFPLFdBQVcsQ0FBQyxDQUFDLENBQUMsQ0FBQzt3QkFDeEIsQ0FBQzt3QkFFRCxxRUFBcUU7d0JBQ3JFLG1FQUFtRTt3QkFDbkUsTUFBTSxLQUFLLEdBQUcsV0FBVyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQzt3QkFDckMsSUFBSSxLQUFLLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDOzRCQUNyQixLQUFLLE1BQU0sSUFBSSxJQUFJLEtBQUssRUFBRSxDQUFDO2dDQUN6QixJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7b0NBQzlDLE1BQU0sY0FBYyxHQUFHLElBQUksQ0FBQyxJQUFJLEVBQUUsQ0FBQztvQ0FDbkMsSUFBSSxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsY0FBYyxDQUFDLEVBQUUsQ0FBQzt3Q0FDMUMsR0FBRyxDQUFDLGtEQUFrRCxjQUFjLEVBQUUsQ0FBQyxDQUFDO3dDQUN4RSxPQUFPLGNBQWMsQ0FBQztvQ0FDeEIsQ0FBQztnQ0FDSCxDQUFDOzRCQUNILENBQUM7d0JBQ0gsQ0FBQztvQkFDSCxDQUFDO29CQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7d0JBQ1gsR0FBRyxDQUFDLHVDQUF1QyxDQUFDLENBQUM7b0JBQy9DLENBQUM7Z0JBQ0gsQ0FBQztZQUNILENBQUM7WUFFRCxHQUFHLENBQUMsb0NBQW9DLENBQUMsQ0FBQztZQUMxQyxPQUFPLFNBQVMsQ0FBQztRQUNuQixDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLEdBQUcsQ0FBQyxzQkFBc0IsS0FBSyxZQUFZLEtBQUssQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FBQztZQUNwRixPQUFPLFNBQVMsQ0FBQztRQUNuQixDQUFDO0lBQ0gsQ0FBQztJQUVEOzs7Ozs7Ozs7T0FTRztJQUNJLE1BQU0sQ0FBQywrQkFBK0IsQ0FDM0MsTUFBYyxFQUNkLGNBQStCLEVBQy9CLE1BQXVCLEVBQ3ZCLFNBQWtCO1FBRWxCLE1BQU0sR0FBRyxHQUFHLE1BQU0sSUFBSSxDQUFDLEdBQUcsRUFBRSxHQUFFLENBQUMsQ0FBQyxDQUFDO1FBRWpDLG1DQUFtQztRQUNuQyxJQUFJLE1BQU0sRUFBRSxDQUFDO1lBQ1gsR0FBRyxDQUFDLGdCQUFnQixNQUFNLENBQUMsTUFBTSxRQUFRLENBQUMsQ0FBQztZQUMzQyxHQUFHLENBQUMsdUJBQXVCLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxFQUFFLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUM7WUFFM0YsSUFBSSxNQUFNLENBQUMsTUFBTSxJQUFJLENBQUMsRUFBRSxDQUFDO2dCQUN2QixNQUFNLFVBQVUsR0FBRyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQzdCLE1BQU0sWUFBWSxHQUFHLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFDL0IsTUFBTSxZQUFZLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUMvQixNQUFNLFlBQVksR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBRWxELEdBQUcsQ0FDRCxvQkFBb0IsVUFBVSxhQUFhLFlBQVksSUFBSSxZQUFZLFlBQVksWUFBWSxFQUFFLENBQ2xHLENBQUM7WUFDSixDQUFDO1FBQ0gsQ0FBQztRQUVELGdEQUFnRDtRQUNoRCxJQUFJLGFBQWEsR0FBRyxNQUFNLENBQUM7UUFDM0IsSUFBSSxjQUFjLEVBQUUsQ0FBQztZQUNuQixNQUFNLFlBQVksR0FBRyxRQUFRLENBQUMsa0JBQWtCLENBQUMsY0FBYyxDQUFDLENBQUM7WUFDakUsTUFBTSxpQkFBaUIsR0FBRyxpQkFBaUIsQ0FBQywyQkFBMkIsQ0FDckUsTUFBTSxFQUNOLFlBQVksRUFDWixNQUFNLENBQ1AsQ0FBQztZQUVGLElBQUksQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO2dCQUN2QixHQUFHLENBQUMsNENBQTRDLFlBQVksRUFBRSxDQUFDLENBQUM7Z0JBQ2hFLE9BQU8sU0FBUyxDQUFDLENBQUMsOENBQThDO1lBQ2xFLENBQUM7WUFFRCxhQUFhLEdBQUcsaUJBQWlCLENBQUM7WUFDbEMsR0FBRyxDQUFDLHNDQUFzQyxhQUFhLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQztRQUNwRSxDQUFDO1FBRUQsd0NBQXdDO1FBQ3hDLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsYUFBYSxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBQzNELElBQUksV0FBVyxFQUFFLENBQUM7WUFDaEIsR0FBRyxDQUFDLHVCQUF1QixXQUFXLEVBQUUsQ0FBQyxDQUFDO1lBQzFDLE9BQU8sV0FBVyxDQUFDO1FBQ3JCLENBQUM7UUFFRCxrRUFBa0U7UUFDbEUsSUFBSSxRQUFRLENBQUMsYUFBYSxDQUFDLGFBQWEsQ0FBQyxFQUFFLENBQUM7WUFDMUMsTUFBTSxjQUFjLEdBQUcsaUJBQWlCLENBQUMsb0JBQW9CLENBQUMsYUFBYSxFQUFFLE1BQU0sQ0FBQyxDQUFDO1lBRXJGLElBQUksY0FBYyxDQUFDLFlBQVksRUFBRSxDQUFDO2dCQUNoQyxHQUFHLENBQUMsaUVBQWlFLENBQUMsQ0FBQztnQkFFdkUsd0NBQXdDO2dCQUN4QyxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsMEJBQTBCLENBQUMsYUFBYSxFQUFFLE1BQU0sQ0FBQyxDQUFDO2dCQUN0RSxJQUFJLE1BQU0sRUFBRSxDQUFDO29CQUNYLEdBQUcsQ0FBQyxxQ0FBcUMsTUFBTSxFQUFFLENBQUMsQ0FBQztvQkFDbkQsT0FBTyxNQUFNLENBQUM7Z0JBQ2hCLENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztRQUVELGtFQUFrRTtRQUNsRSxJQUFJLFNBQVMsSUFBSSxRQUFRLENBQUMsb0JBQW9CLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztZQUN2RCxHQUFHLENBQUMsbURBQW1ELFNBQVMsRUFBRSxDQUFDLENBQUM7WUFDcEUsT0FBTyxTQUFTLENBQUM7UUFDbkIsQ0FBQztRQUVELE9BQU8sU0FBUyxDQUFDO0lBQ25CLENBQUM7SUFFRDs7Ozs7Ozs7O09BU0c7SUFDSSxNQUFNLENBQUMsZ0JBQWdCLENBQzVCLE1BQWMsRUFDZCxjQUE4QixFQUM5QixNQUF1QixFQUN2QixTQUFrQjtRQUVsQixNQUFNLEdBQUcsR0FBRyxNQUFNLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRSxDQUFDLENBQUMsQ0FBQztRQUVqQyxnQ0FBZ0M7UUFDaEMsSUFBSSxDQUFDLGNBQWMsQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUM5QixjQUFjLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUN4QyxDQUFDO1FBRUQsdURBQXVEO1FBQ3ZELElBQUksQ0FBQyxRQUFRLENBQUMsY0FBYyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLG9CQUFvQixDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7WUFDL0UsR0FBRyxDQUFDLGdEQUFnRCxDQUFDLENBQUM7WUFDdEQsT0FBTyxTQUFTLENBQUM7UUFDbkIsQ0FBQztRQUVELG9DQUFvQztRQUNwQyxNQUFNLFlBQVksR0FBRyxRQUFRLENBQUMsa0JBQWtCLENBQUMsY0FBYyxDQUFDLENBQUM7UUFDakUsR0FBRyxDQUFDLHdDQUF3QyxZQUFZLG9CQUFvQixNQUFNLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQztRQUU3RixrRUFBa0U7UUFDbEUsSUFBSSxRQUFRLENBQUMsb0JBQW9CLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztZQUMxQyw2Q0FBNkM7WUFDN0MsSUFBSSxTQUFTLEVBQUUsQ0FBQztnQkFDZCxHQUFHLENBQUMsbURBQW1ELFNBQVMsRUFBRSxDQUFDLENBQUM7Z0JBQ3BFLE9BQU8sU0FBUyxDQUFDO1lBQ25CLENBQUM7WUFFRCxHQUFHLENBQUMsdUVBQXVFLENBQUMsQ0FBQztZQUM3RSxPQUFPLFNBQVMsQ0FBQztRQUNuQixDQUFDO1FBRUQsd0NBQXdDO1FBQ3hDLElBQUksUUFBUSxDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1lBQ25DLE1BQU0sY0FBYyxHQUFHLGlCQUFpQixDQUFDLG9CQUFvQixDQUFDLE1BQU0sRUFBRSxNQUFNLENBQUMsQ0FBQztZQUU5RSxJQUFJLGNBQWMsQ0FBQyxZQUFZLEVBQUUsQ0FBQztnQkFDaEMsR0FBRyxDQUFDLDJDQUEyQyxDQUFDLENBQUM7Z0JBRWpELDJDQUEyQztnQkFDM0MsTUFBTSxXQUFXLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLEVBQUUsTUFBTSxDQUFDLENBQUM7Z0JBQ3BELElBQUksV0FBVyxFQUFFLENBQUM7b0JBQ2hCLEdBQUcsQ0FBQyw2Q0FBNkMsV0FBVyxFQUFFLENBQUMsQ0FBQztvQkFDaEUsT0FBTyxXQUFXLENBQUM7Z0JBQ3JCLENBQUM7Z0JBRUQsNkNBQTZDO2dCQUM3QyxtQ0FBbUM7Z0JBQ25DLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQywwQkFBMEIsQ0FBQyxNQUFNLEVBQUUsTUFBTSxDQUFDLENBQUM7Z0JBQy9ELElBQUksTUFBTSxFQUFFLENBQUM7b0JBQ1gsR0FBRyxDQUFDLHFDQUFxQyxNQUFNLEVBQUUsQ0FBQyxDQUFDO29CQUNuRCxPQUFPLE1BQU0sQ0FBQztnQkFDaEIsQ0FBQztnQkFFRCxHQUFHLENBQUMsNENBQTRDLENBQUMsQ0FBQztZQUNwRCxDQUFDO1FBQ0gsQ0FBQztRQUVELDBEQUEwRDtRQUMxRCxNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsK0JBQStCLENBQUMsTUFBTSxFQUFFLGNBQWMsRUFBRSxNQUFNLENBQUMsQ0FBQztRQUVqRixJQUFJLEdBQUcsRUFBRSxDQUFDO1lBQ1IsR0FBRyxDQUFDLCtCQUErQixHQUFHLEVBQUUsQ0FBQyxDQUFDO1lBQzFDLE9BQU8sR0FBRyxDQUFDO1FBQ2IsQ0FBQztRQUVELHNFQUFzRTtRQUN0RSxJQUFJLFFBQVEsQ0FBQyxhQUFhLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztZQUNuQyxHQUFHLENBQUMseUVBQXlFLENBQUMsQ0FBQztRQUNqRixDQUFDO1FBRUQsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztDQUNGIn0=

package/dist_ts/tls/sni/sni-handler.d.ts

@@ -0,0 +1,154 @@
+import { Buffer } from 'buffer';
+/**
+ * SNI (Server Name Indication) handler for TLS connections.
+ * Provides robust extraction of SNI values from TLS ClientHello messages
+ * with support for fragmented packets, TLS 1.3 resumption, Chrome-specific
+ * connection behaviors, and tab hibernation/reactivation scenarios.
+ *
+ * This class retains the original API but leverages the new modular implementation
+ * for better maintainability and testability.
+ */
+export declare class SniHandler {
+    private static readonly TLS_HANDSHAKE_RECORD_TYPE;
+    private static readonly TLS_APPLICATION_DATA_TYPE;
+    private static readonly TLS_CLIENT_HELLO_HANDSHAKE_TYPE;
+    private static readonly TLS_SNI_EXTENSION_TYPE;
+    private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE;
+    private static readonly TLS_SNI_HOST_NAME_TYPE;
+    private static readonly TLS_PSK_EXTENSION_TYPE;
+    private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE;
+    private static readonly TLS_EARLY_DATA_EXTENSION_TYPE;
+    /**
+     * Checks if a buffer contains a TLS handshake message (record type 22)
+     * @param buffer - The buffer to check
+     * @returns true if the buffer starts with a TLS handshake record type
+     */
+    static isTlsHandshake(buffer: Buffer): boolean;
+    /**
+     * Checks if a buffer contains TLS application data (record type 23)
+     * @param buffer - The buffer to check
+     * @returns true if the buffer starts with a TLS application data record type
+     */
+    static isTlsApplicationData(buffer: Buffer): boolean;
+    /**
+     * Creates a connection ID based on source/destination information
+     * Used to track fragmented ClientHello messages across multiple packets
+     *
+     * @param connectionInfo - Object containing connection identifiers (IP/port)
+     * @returns A string ID for the connection
+     */
+    static createConnectionId(connectionInfo: {
+        sourceIp?: string;
+        sourcePort?: number;
+        destIp?: string;
+        destPort?: number;
+    }): string;
+    /**
+     * Handles potential fragmented ClientHello messages by buffering and reassembling
+     * TLS record fragments that might span multiple TCP packets.
+     *
+     * @param buffer - The current buffer fragment
+     * @param connectionId - Unique identifier for the connection
+     * @param enableLogging - Whether to enable logging
+     * @returns A complete buffer if reassembly is successful, or undefined if more fragments are needed
+     */
+    static handleFragmentedClientHello(buffer: Buffer, connectionId: string, enableLogging?: boolean): Buffer | undefined;
+    /**
+     * Checks if a buffer contains a TLS ClientHello message
+     * @param buffer - The buffer to check
+     * @returns true if the buffer appears to be a ClientHello message
+     */
+    static isClientHello(buffer: Buffer): boolean;
+    /**
+     * Checks if a ClientHello message contains session resumption indicators
+     * such as session tickets or PSK (Pre-Shared Key) extensions.
+     *
+     * @param buffer - The buffer containing a ClientHello message
+     * @param enableLogging - Whether to enable logging
+     * @returns Object containing details about session resumption and SNI presence
+     */
+    static hasSessionResumption(buffer: Buffer, enableLogging?: boolean): {
+        isResumption: boolean;
+        hasSNI: boolean;
+    };
+    /**
+     * Detects characteristics of a tab reactivation TLS handshake
+     * These often have specific patterns in Chrome and other browsers
+     *
+     * @param buffer - The buffer containing a ClientHello message
+     * @param enableLogging - Whether to enable logging
+     * @returns true if this appears to be a tab reactivation handshake
+     */
+    static isTabReactivationHandshake(buffer: Buffer, enableLogging?: boolean): boolean;
+    /**
+     * Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
+     * Implements robust parsing with support for session resumption edge cases.
+     *
+     * @param buffer - The buffer containing the TLS ClientHello message
+     * @param enableLogging - Whether to enable detailed debug logging
+     * @returns The extracted server name or undefined if not found
+     */
+    static extractSNI(buffer: Buffer, enableLogging?: boolean): string | undefined;
+    /**
+     * Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
+     *
+     * In TLS 1.3, when a client attempts to resume a session, it may include
+     * the server name in the PSK identity hint rather than in the SNI extension.
+     *
+     * @param buffer - The buffer containing the TLS ClientHello message
+     * @param enableLogging - Whether to enable detailed debug logging
+     * @returns The extracted server name or undefined if not found
+     */
+    static extractSNIFromPSKExtension(buffer: Buffer, enableLogging?: boolean): string | undefined;
+    /**
+     * Checks if the buffer contains TLS 1.3 early data (0-RTT)
+     * @param buffer - The buffer to check
+     * @param enableLogging - Whether to enable logging
+     * @returns true if early data is detected
+     */
+    static hasEarlyData(buffer: Buffer, enableLogging?: boolean): boolean;
+    /**
+     * Attempts to extract SNI from an initial ClientHello packet and handles
+     * session resumption edge cases more robustly than the standard extraction.
+     *
+     * This method handles:
+     * 1. Standard SNI extraction
+     * 2. TLS 1.3 PSK-based resumption (Chrome, Firefox, etc.)
+     * 3. Session ticket-based resumption
+     * 4. Fragmented ClientHello messages
+     * 5. TLS 1.3 Early Data (0-RTT)
+     * 6. Chrome's connection racing behaviors
+     *
+     * @param buffer - The buffer containing the TLS ClientHello message
+     * @param connectionInfo - Optional connection information for fragment handling
+     * @param enableLogging - Whether to enable detailed debug logging
+     * @returns The extracted server name or undefined if not found or more data needed
+     */
+    static extractSNIWithResumptionSupport(buffer: Buffer, connectionInfo?: {
+        sourceIp?: string;
+        sourcePort?: number;
+        destIp?: string;
+        destPort?: number;
+    }, enableLogging?: boolean): string | undefined;
+    /**
+     * Main entry point for SNI extraction that handles all edge cases.
+     * This should be called for each TLS packet received from a client.
+     *
+     * The method uses connection tracking to handle fragmented ClientHello
+     * messages and various TLS 1.3 behaviors, including Chrome's connection
+     * racing patterns and tab reactivation behaviors.
+     *
+     * @param buffer - The buffer containing TLS data
+     * @param connectionInfo - Connection metadata (IPs and ports)
+     * @param enableLogging - Whether to enable detailed debug logging
+     * @param cachedSni - Optional cached SNI from previous connections (for racing detection)
+     * @returns The extracted server name or undefined if not found or more data needed
+     */
+    static processTlsPacket(buffer: Buffer, connectionInfo: {
+        sourceIp: string;
+        sourcePort: number;
+        destIp: string;
+        destPort: number;
+        timestamp?: number;
+    }, enableLogging?: boolean, cachedSni?: string): string | undefined;
+}

package/dist_ts/tls/sni/sni-handler.js

@@ -0,0 +1,191 @@
+import { Buffer } from 'buffer';
+import { TlsRecordType, TlsHandshakeType, TlsExtensionType, TlsUtils } from '../utils/tls-utils.js';
+import { ClientHelloParser } from './client-hello-parser.js';
+import { SniExtraction } from './sni-extraction.js';
+/**
+ * SNI (Server Name Indication) handler for TLS connections.
+ * Provides robust extraction of SNI values from TLS ClientHello messages
+ * with support for fragmented packets, TLS 1.3 resumption, Chrome-specific
+ * connection behaviors, and tab hibernation/reactivation scenarios.
+ *
+ * This class retains the original API but leverages the new modular implementation
+ * for better maintainability and testability.
+ */
+export class SniHandler {
+    // Re-export constants for backward compatibility
+    static { this.TLS_HANDSHAKE_RECORD_TYPE = TlsRecordType.HANDSHAKE; }
+    static { this.TLS_APPLICATION_DATA_TYPE = TlsRecordType.APPLICATION_DATA; }
+    static { this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE = TlsHandshakeType.CLIENT_HELLO; }
+    static { this.TLS_SNI_EXTENSION_TYPE = TlsExtensionType.SERVER_NAME; }
+    static { this.TLS_SESSION_TICKET_EXTENSION_TYPE = TlsExtensionType.SESSION_TICKET; }
+    static { this.TLS_SNI_HOST_NAME_TYPE = 0; } // NameType.HOST_NAME in RFC 6066
+    static { this.TLS_PSK_EXTENSION_TYPE = TlsExtensionType.PRE_SHARED_KEY; }
+    static { this.TLS_PSK_KE_MODES_EXTENSION_TYPE = TlsExtensionType.PSK_KEY_EXCHANGE_MODES; }
+    static { this.TLS_EARLY_DATA_EXTENSION_TYPE = TlsExtensionType.EARLY_DATA; }
+    /**
+     * Checks if a buffer contains a TLS handshake message (record type 22)
+     * @param buffer - The buffer to check
+     * @returns true if the buffer starts with a TLS handshake record type
+     */
+    static isTlsHandshake(buffer) {
+        return TlsUtils.isTlsHandshake(buffer);
+    }
+    /**
+     * Checks if a buffer contains TLS application data (record type 23)
+     * @param buffer - The buffer to check
+     * @returns true if the buffer starts with a TLS application data record type
+     */
+    static isTlsApplicationData(buffer) {
+        return TlsUtils.isTlsApplicationData(buffer);
+    }
+    /**
+     * Creates a connection ID based on source/destination information
+     * Used to track fragmented ClientHello messages across multiple packets
+     *
+     * @param connectionInfo - Object containing connection identifiers (IP/port)
+     * @returns A string ID for the connection
+     */
+    static createConnectionId(connectionInfo) {
+        return TlsUtils.createConnectionId(connectionInfo);
+    }
+    /**
+     * Handles potential fragmented ClientHello messages by buffering and reassembling
+     * TLS record fragments that might span multiple TCP packets.
+     *
+     * @param buffer - The current buffer fragment
+     * @param connectionId - Unique identifier for the connection
+     * @param enableLogging - Whether to enable logging
+     * @returns A complete buffer if reassembly is successful, or undefined if more fragments are needed
+     */
+    static handleFragmentedClientHello(buffer, connectionId, enableLogging = false) {
+        const logger = enableLogging ?
+            (message) => console.log(`[SNI Fragment] ${message}`) :
+            undefined;
+        return ClientHelloParser.handleFragmentedClientHello(buffer, connectionId, logger);
+    }
+    /**
+     * Checks if a buffer contains a TLS ClientHello message
+     * @param buffer - The buffer to check
+     * @returns true if the buffer appears to be a ClientHello message
+     */
+    static isClientHello(buffer) {
+        return TlsUtils.isClientHello(buffer);
+    }
+    /**
+     * Checks if a ClientHello message contains session resumption indicators
+     * such as session tickets or PSK (Pre-Shared Key) extensions.
+     *
+     * @param buffer - The buffer containing a ClientHello message
+     * @param enableLogging - Whether to enable logging
+     * @returns Object containing details about session resumption and SNI presence
+     */
+    static hasSessionResumption(buffer, enableLogging = false) {
+        const logger = enableLogging ?
+            (message) => console.log(`[Session Resumption] ${message}`) :
+            undefined;
+        return ClientHelloParser.hasSessionResumption(buffer, logger);
+    }
+    /**
+     * Detects characteristics of a tab reactivation TLS handshake
+     * These often have specific patterns in Chrome and other browsers
+     *
+     * @param buffer - The buffer containing a ClientHello message
+     * @param enableLogging - Whether to enable logging
+     * @returns true if this appears to be a tab reactivation handshake
+     */
+    static isTabReactivationHandshake(buffer, enableLogging = false) {
+        const logger = enableLogging ?
+            (message) => console.log(`[Tab Reactivation] ${message}`) :
+            undefined;
+        return ClientHelloParser.isTabReactivationHandshake(buffer, logger);
+    }
+    /**
+     * Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
+     * Implements robust parsing with support for session resumption edge cases.
+     *
+     * @param buffer - The buffer containing the TLS ClientHello message
+     * @param enableLogging - Whether to enable detailed debug logging
+     * @returns The extracted server name or undefined if not found
+     */
+    static extractSNI(buffer, enableLogging = false) {
+        const logger = enableLogging ?
+            (message) => console.log(`[SNI Extraction] ${message}`) :
+            undefined;
+        return SniExtraction.extractSNI(buffer, logger);
+    }
+    /**
+     * Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
+     *
+     * In TLS 1.3, when a client attempts to resume a session, it may include
+     * the server name in the PSK identity hint rather than in the SNI extension.
+     *
+     * @param buffer - The buffer containing the TLS ClientHello message
+     * @param enableLogging - Whether to enable detailed debug logging
+     * @returns The extracted server name or undefined if not found
+     */
+    static extractSNIFromPSKExtension(buffer, enableLogging = false) {
+        const logger = enableLogging ?
+            (message) => console.log(`[PSK-SNI Extraction] ${message}`) :
+            undefined;
+        return SniExtraction.extractSNIFromPSKExtension(buffer, logger);
+    }
+    /**
+     * Checks if the buffer contains TLS 1.3 early data (0-RTT)
+     * @param buffer - The buffer to check
+     * @param enableLogging - Whether to enable logging
+     * @returns true if early data is detected
+     */
+    static hasEarlyData(buffer, enableLogging = false) {
+        // This functionality has been moved to ClientHelloParser
+        // We can implement it in terms of the parse result if needed
+        const logger = enableLogging ?
+            (message) => console.log(`[Early Data] ${message}`) :
+            undefined;
+        const parseResult = ClientHelloParser.parseClientHello(buffer, logger);
+        return parseResult.isValid && parseResult.hasEarlyData;
+    }
+    /**
+     * Attempts to extract SNI from an initial ClientHello packet and handles
+     * session resumption edge cases more robustly than the standard extraction.
+     *
+     * This method handles:
+     * 1. Standard SNI extraction
+     * 2. TLS 1.3 PSK-based resumption (Chrome, Firefox, etc.)
+     * 3. Session ticket-based resumption
+     * 4. Fragmented ClientHello messages
+     * 5. TLS 1.3 Early Data (0-RTT)
+     * 6. Chrome's connection racing behaviors
+     *
+     * @param buffer - The buffer containing the TLS ClientHello message
+     * @param connectionInfo - Optional connection information for fragment handling
+     * @param enableLogging - Whether to enable detailed debug logging
+     * @returns The extracted server name or undefined if not found or more data needed
+     */
+    static extractSNIWithResumptionSupport(buffer, connectionInfo, enableLogging = false) {
+        const logger = enableLogging ?
+            (message) => console.log(`[SNI Extraction] ${message}`) :
+            undefined;
+        return SniExtraction.extractSNIWithResumptionSupport(buffer, connectionInfo, logger);
+    }
+    /**
+     * Main entry point for SNI extraction that handles all edge cases.
+     * This should be called for each TLS packet received from a client.
+     *
+     * The method uses connection tracking to handle fragmented ClientHello
+     * messages and various TLS 1.3 behaviors, including Chrome's connection
+     * racing patterns and tab reactivation behaviors.
+     *
+     * @param buffer - The buffer containing TLS data
+     * @param connectionInfo - Connection metadata (IPs and ports)
+     * @param enableLogging - Whether to enable detailed debug logging
+     * @param cachedSni - Optional cached SNI from previous connections (for racing detection)
+     * @returns The extracted server name or undefined if not found or more data needed
+     */
+    static processTlsPacket(buffer, connectionInfo, enableLogging = false, cachedSni) {
+        const logger = enableLogging ?
+            (message) => console.log(`[TLS Packet] ${message}`) :
+            undefined;
+        return SniExtraction.processTlsPacket(buffer, connectionInfo, logger, cachedSni);
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic25pLWhhbmRsZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy90bHMvc25pL3NuaS1oYW5kbGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxRQUFRLENBQUM7QUFDaEMsT0FBTyxFQUNMLGFBQWEsRUFDYixnQkFBZ0IsRUFDaEIsZ0JBQWdCLEVBQ2hCLFFBQVEsRUFDVCxNQUFNLHVCQUF1QixDQUFDO0FBQy9CLE9BQU8sRUFDTCxpQkFBaUIsRUFFbEIsTUFBTSwwQkFBMEIsQ0FBQztBQUNsQyxPQUFPLEVBQ0wsYUFBYSxFQUVkLE1BQU0scUJBQXFCLENBQUM7QUFFN0I7Ozs7Ozs7O0dBUUc7QUFDSCxNQUFNLE9BQU8sVUFBVTtJQUNyQixpREFBaUQ7YUFDekIsOEJBQXlCLEdBQUcsYUFBYSxDQUFDLFNBQVMsQ0FBQzthQUNwRCw4QkFBeUIsR0FBRyxhQUFhLENBQUMsZ0JBQWdCLENBQUM7YUFDM0Qsb0NBQStCLEdBQUcsZ0JBQWdCLENBQUMsWUFBWSxDQUFDO2FBQ2hFLDJCQUFzQixHQUFHLGdCQUFnQixDQUFDLFdBQVcsQ0FBQzthQUN0RCxzQ0FBaUMsR0FBRyxnQkFBZ0IsQ0FBQyxjQUFjLENBQUM7YUFDcEUsMkJBQXNCLEdBQUcsQ0FBQyxDQUFDLEdBQUMsaUNBQWlDO2FBQzdELDJCQUFzQixHQUFHLGdCQUFnQixDQUFDLGNBQWMsQ0FBQzthQUN6RCxvQ0FBK0IsR0FBRyxnQkFBZ0IsQ0FBQyxzQkFBc0IsQ0FBQzthQUMxRSxrQ0FBNkIsR0FBRyxnQkFBZ0IsQ0FBQyxVQUFVLENBQUM7SUFFcEY7Ozs7T0FJRztJQUNJLE1BQU0sQ0FBQyxjQUFjLENBQUMsTUFBYztRQUN6QyxPQUFPLFFBQVEsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDekMsQ0FBQztJQUVEOzs7O09BSUc7SUFDSSxNQUFNLENBQUMsb0JBQW9CLENBQUMsTUFBYztRQUMvQyxPQUFPLFFBQVEsQ0FBQyxvQkFBb0IsQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUMvQyxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0ksTUFBTSxDQUFDLGtCQUFrQixDQUFDLGNBS2hDO1FBQ0MsT0FBTyxRQUFRLENBQUMsa0JBQWtCLENBQUMsY0FBYyxDQUFDLENBQUM7SUFDckQsQ0FBQztJQUVEOzs7Ozs7OztPQVFHO0lBQ0ksTUFBTSxDQUFDLDJCQUEyQixDQUN2QyxNQUFjLEVBQ2QsWUFBb0IsRUFDcEIsZ0JBQXlCLEtBQUs7UUFFOUIsTUFBTSxNQUFNLEdBQUcsYUFBYSxDQUFDLENBQUM7WUFDNUIsQ0FBQyxPQUFlLEVBQUUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsa0JBQWtCLE9BQU8sRUFBRSxDQUFDLENBQUMsQ0FBQztZQUMvRCxTQUFTLENBQUM7UUFFWixPQUFPLGlCQUFpQixDQUFDLDJCQUEyQixDQUFDLE1BQU0sRUFBRSxZQUFZLEVBQUUsTUFBTSxDQUFDLENBQUM7SUFDckYsQ0FBQztJQUVEOzs7O09BSUc7SUFDSSxNQUFNLENBQUMsYUFBYSxDQUFDLE1BQWM7UUFDeEMsT0FBTyxRQUFRLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ3hDLENBQUM7SUFFRDs7Ozs7OztPQU9HO0lBQ0ksTUFBTSxDQUFDLG9CQUFvQixDQUNoQyxNQUFjLEVBQ2QsZ0JBQXlCLEtBQUs7UUFFOUIsTUFBTSxNQUFNLEdBQUcsYUFBYSxDQUFDLENBQUM7WUFDNUIsQ0FBQyxPQUFlLEVBQUUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsd0JBQXdCLE9BQU8sRUFBRSxDQUFDLENBQUMsQ0FBQztZQUNyRSxTQUFTLENBQUM7UUFFWixPQUFPLGlCQUFpQixDQUFDLG9CQUFvQixDQUFDLE1BQU0sRUFBRSxNQUFNLENBQUMsQ0FBQztJQUNoRSxDQUFDO0lBRUQ7Ozs7Ozs7T0FPRztJQUNJLE1BQU0sQ0FBQywwQkFBMEIsQ0FDdEMsTUFBYyxFQUNkLGdCQUF5QixLQUFLO1FBRTlCLE1BQU0sTUFBTSxHQUFHLGFBQWEsQ0FBQyxDQUFDO1lBQzVCLENBQUMsT0FBZSxFQUFFLEVBQUUsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLHNCQUFzQixPQUFPLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFDbkUsU0FBUyxDQUFDO1FBRVosT0FBTyxpQkFBaUIsQ0FBQywwQkFBMEIsQ0FBQyxNQUFNLEVBQUUsTUFBTSxDQUFDLENBQUM7SUFDdEUsQ0FBQztJQUVEOzs7Ozs7O09BT0c7SUFDSSxNQUFNLENBQUMsVUFBVSxDQUFDLE1BQWMsRUFBRSxnQkFBeUIsS0FBSztRQUNyRSxNQUFNLE1BQU0sR0FBRyxhQUFhLENBQUMsQ0FBQztZQUM1QixDQUFDLE9BQWUsRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxvQkFBb0IsT0FBTyxFQUFFLENBQUMsQ0FBQyxDQUFDO1lBQ2pFLFNBQVMsQ0FBQztRQUVaLE9BQU8sYUFBYSxDQUFDLFVBQVUsQ0FBQyxNQUFNLEVBQUUsTUFBTSxDQUFDLENBQUM7SUFDbEQsQ0FBQztJQUVEOzs7Ozs7Ozs7T0FTRztJQUNJLE1BQU0sQ0FBQywwQkFBMEIsQ0FDdEMsTUFBYyxFQUNkLGdCQUF5QixLQUFLO1FBRTlCLE1BQU0sTUFBTSxHQUFHLGFBQWEsQ0FBQyxDQUFDO1lBQzVCLENBQUMsT0FBZSxFQUFFLEVBQUUsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLHdCQUF3QixPQUFPLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFDckUsU0FBUyxDQUFDO1FBRVosT0FBTyxhQUFhLENBQUMsMEJBQTBCLENBQUMsTUFBTSxFQUFFLE1BQU0sQ0FBQyxDQUFDO0lBQ2xFLENBQUM7SUFFRDs7Ozs7T0FLRztJQUNJLE1BQU0sQ0FBQyxZQUFZLENBQUMsTUFBYyxFQUFFLGdCQUF5QixLQUFLO1FBQ3ZFLHlEQUF5RDtRQUN6RCw2REFBNkQ7UUFDN0QsTUFBTSxNQUFNLEdBQUcsYUFBYSxDQUFDLENBQUM7WUFDNUIsQ0FBQyxPQUFlLEVBQUUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsZ0JBQWdCLE9BQU8sRUFBRSxDQUFDLENBQUMsQ0FBQztZQUM3RCxTQUFTLENBQUM7UUFFWixNQUFNLFdBQVcsR0FBRyxpQkFBaUIsQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDdkUsT0FBTyxXQUFXLENBQUMsT0FBTyxJQUFJLFdBQVcsQ0FBQyxZQUFZLENBQUM7SUFDekQsQ0FBQztJQUVEOzs7Ozs7Ozs7Ozs7Ozs7O09BZ0JHO0lBQ0ksTUFBTSxDQUFDLCtCQUErQixDQUMzQyxNQUFjLEVBQ2QsY0FLQyxFQUNELGdCQUF5QixLQUFLO1FBRTlCLE1BQU0sTUFBTSxHQUFHLGFBQWEsQ0FBQyxDQUFDO1lBQzVCLENBQUMsT0FBZSxFQUFFLEVBQUUsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLG9CQUFvQixPQUFPLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFDakUsU0FBUyxDQUFDO1FBRVosT0FBTyxhQUFhLENBQUMsK0JBQStCLENBQ2xELE1BQU0sRUFDTixjQUFnQyxFQUNoQyxNQUFNLENBQ1AsQ0FBQztJQUNKLENBQUM7SUFFRDs7Ozs7Ozs7Ozs7OztPQWFHO0lBQ0ksTUFBTSxDQUFDLGdCQUFnQixDQUM1QixNQUFjLEVBQ2QsY0FNQyxFQUNELGdCQUF5QixLQUFLLEVBQzlCLFNBQWtCO1FBRWxCLE1BQU0sTUFBTSxHQUFHLGFBQWEsQ0FBQyxDQUFDO1lBQzVCLENBQUMsT0FBZSxFQUFFLEVBQUUsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLGdCQUFnQixPQUFPLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFDN0QsU0FBUyxDQUFDO1FBRVosT0FBTyxhQUFhLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxFQUFFLGNBQWMsRUFBRSxNQUFNLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFDbkYsQ0FBQyJ9

package/dist_ts/tls/utils/index.d.ts

@@ -0,0 +1,4 @@
+export {};
+/**
+ * TLS utilities
+ */

package/dist_ts/tls/utils/index.js

@@ -0,0 +1,5 @@
+export {};
+/**
+ * TLS utilities
+ */
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy90bHMvdXRpbHMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBOztHQUVHIn0=