@push.rocks/smartproxy 12.0.0 → 13.1.2

package/ts/tls/sni/sni-extraction.ts

@@ -0,0 +1,353 @@
+import { Buffer } from 'buffer';
+import { TlsExtensionType, TlsUtils } from '../utils/tls-utils.js';
+import {
+  ClientHelloParser,
+  type LoggerFunction
+} from './client-hello-parser.js';
+
+/**
+ * Connection tracking information
+ */
+export interface ConnectionInfo {
+  sourceIp: string;
+  sourcePort: number;
+  destIp: string;
+  destPort: number;
+  timestamp?: number;
+}
+
+/**
+ * Utilities for extracting SNI information from TLS handshakes
+ */
+export class SniExtraction {
+  /**
+   * Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
+   * 
+   * @param buffer The buffer containing the TLS ClientHello message
+   * @param logger Optional logging function
+   * @returns The extracted server name or undefined if not found
+   */
+  public static extractSNI(buffer: Buffer, logger?: LoggerFunction): string | undefined {
+    const log = logger || (() => {});
+    
+    try {
+      // Parse the ClientHello
+      const parseResult = ClientHelloParser.parseClientHello(buffer, logger);
+      if (!parseResult.isValid) {
+        log(`Failed to parse ClientHello: ${parseResult.error}`);
+        return undefined;
+      }
+      
+      // Check if ServerName extension was found
+      if (parseResult.serverNameList && parseResult.serverNameList.length > 0) {
+        // Use the first hostname (most common case)
+        const serverName = parseResult.serverNameList[0];
+        log(`Found SNI: ${serverName}`);
+        return serverName;
+      }
+      
+      log('No SNI extension found in ClientHello');
+      return undefined;
+    } catch (error) {
+      log(`Error extracting SNI: ${error instanceof Error ? error.message : String(error)}`);
+      return undefined;
+    }
+  }
+  
+  /**
+   * Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
+   * 
+   * In TLS 1.3, when a client attempts to resume a session, it may include
+   * the server name in the PSK identity hint rather than in the SNI extension.
+   * 
+   * @param buffer The buffer containing the TLS ClientHello message
+   * @param logger Optional logging function
+   * @returns The extracted server name or undefined if not found
+   */
+  public static extractSNIFromPSKExtension(
+    buffer: Buffer,
+    logger?: LoggerFunction
+  ): string | undefined {
+    const log = logger || (() => {});
+    
+    try {
+      // Ensure this is a ClientHello
+      if (!TlsUtils.isClientHello(buffer)) {
+        log('Not a ClientHello message');
+        return undefined;
+      }
+      
+      // Parse the ClientHello to find PSK extension
+      const parseResult = ClientHelloParser.parseClientHello(buffer, logger);
+      if (!parseResult.isValid || !parseResult.extensions) {
+        return undefined;
+      }
+      
+      // Find the PSK extension
+      const pskExtension = parseResult.extensions.find(ext => 
+        ext.type === TlsExtensionType.PRE_SHARED_KEY);
+      
+      if (!pskExtension) {
+        log('No PSK extension found');
+        return undefined;
+      }
+      
+      // Parse the PSK extension data
+      const data = pskExtension.data;
+      
+      // PSK extension structure:
+      // 2 bytes: identities list length
+      if (data.length < 2) return undefined;
+      
+      const identitiesLength = (data[0] << 8) + data[1];
+      let pos = 2;
+      
+      // End of identities list
+      const identitiesEnd = pos + identitiesLength;
+      if (identitiesEnd > data.length) return undefined;
+      
+      // Process each PSK identity
+      while (pos + 2 <= identitiesEnd) {
+        // Identity length (2 bytes)
+        if (pos + 2 > identitiesEnd) break;
+        
+        const identityLength = (data[pos] << 8) + data[pos + 1];
+        pos += 2;
+        
+        if (pos + identityLength > identitiesEnd) break;
+        
+        // Try to extract hostname from identity
+        // Chrome often embeds the hostname in the PSK identity
+        // This is a heuristic as there's no standard format
+        if (identityLength > 0) {
+          const identity = data.slice(pos, pos + identityLength);
+          
+          // Skip identity bytes
+          pos += identityLength;
+          
+          // Skip obfuscated ticket age (4 bytes)
+          if (pos + 4 <= identitiesEnd) {
+            pos += 4;
+          } else {
+            break;
+          }
+          
+          // Try to parse the identity as UTF-8
+          try {
+            const identityStr = identity.toString('utf8');
+            log(`PSK identity: ${identityStr}`);
+            
+            // Check if the identity contains hostname hints
+            // Chrome often embeds the hostname in a known format
+            // Try to extract using common patterns
+            
+            // Pattern 1: Look for domain name pattern
+            const domainPattern =
+              /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
+            const domainMatch = identityStr.match(domainPattern);
+            if (domainMatch && domainMatch[0]) {
+              log(`Found domain in PSK identity: ${domainMatch[0]}`);
+              return domainMatch[0];
+            }
+            
+            // Pattern 2: Chrome sometimes uses a specific format with delimiters
+            // This is a heuristic approach since the format isn't standardized
+            const parts = identityStr.split('|');
+            if (parts.length > 1) {
+              for (const part of parts) {
+                if (part.includes('.') && !part.includes('/')) {
+                  const possibleDomain = part.trim();
+                  if (/^[a-z0-9.-]+$/i.test(possibleDomain)) {
+                    log(`Found possible domain in PSK delimiter format: ${possibleDomain}`);
+                    return possibleDomain;
+                  }
+                }
+              }
+            }
+          } catch (e) {
+            log('Failed to parse PSK identity as UTF-8');
+          }
+        }
+      }
+      
+      log('No hostname found in PSK extension');
+      return undefined;
+    } catch (error) {
+      log(`Error parsing PSK: ${error instanceof Error ? error.message : String(error)}`);
+      return undefined;
+    }
+  }
+  
+  /**
+   * Main entry point for SNI extraction with support for fragmented messages
+   * and session resumption edge cases.
+   * 
+   * @param buffer The buffer containing TLS data
+   * @param connectionInfo Connection tracking information
+   * @param logger Optional logging function
+   * @param cachedSni Optional previously cached SNI value
+   * @returns The extracted server name or undefined
+   */
+  public static extractSNIWithResumptionSupport(
+    buffer: Buffer,
+    connectionInfo?: ConnectionInfo,
+    logger?: LoggerFunction,
+    cachedSni?: string
+  ): string | undefined {
+    const log = logger || (() => {});
+    
+    // Log buffer details for debugging
+    if (logger) {
+      log(`Buffer size: ${buffer.length} bytes`);
+      log(`Buffer starts with: ${buffer.slice(0, Math.min(10, buffer.length)).toString('hex')}`);
+      
+      if (buffer.length >= 5) {
+        const recordType = buffer[0];
+        const majorVersion = buffer[1];
+        const minorVersion = buffer[2];
+        const recordLength = (buffer[3] << 8) + buffer[4];
+        
+        log(
+          `TLS Record: type=${recordType}, version=${majorVersion}.${minorVersion}, length=${recordLength}`
+        );
+      }
+    }
+    
+    // Check if we need to handle fragmented packets
+    let processBuffer = buffer;
+    if (connectionInfo) {
+      const connectionId = TlsUtils.createConnectionId(connectionInfo);
+      const reassembledBuffer = ClientHelloParser.handleFragmentedClientHello(
+        buffer,
+        connectionId,
+        logger
+      );
+      
+      if (!reassembledBuffer) {
+        log(`Waiting for more fragments on connection ${connectionId}`);
+        return undefined; // Need more fragments to complete ClientHello
+      }
+      
+      processBuffer = reassembledBuffer;
+      log(`Using reassembled buffer of length ${processBuffer.length}`);
+    }
+    
+    // First try the standard SNI extraction
+    const standardSni = this.extractSNI(processBuffer, logger);
+    if (standardSni) {
+      log(`Found standard SNI: ${standardSni}`);
+      return standardSni;
+    }
+    
+    // Check for session resumption when standard SNI extraction fails
+    if (TlsUtils.isClientHello(processBuffer)) {
+      const resumptionInfo = ClientHelloParser.hasSessionResumption(processBuffer, logger);
+      
+      if (resumptionInfo.isResumption) {
+        log(`Detected session resumption in ClientHello without standard SNI`);
+        
+        // Try to extract SNI from PSK extension
+        const pskSni = this.extractSNIFromPSKExtension(processBuffer, logger);
+        if (pskSni) {
+          log(`Extracted SNI from PSK extension: ${pskSni}`);
+          return pskSni;
+        }
+      }
+    }
+    
+    // If cached SNI was provided, use it for application data packets
+    if (cachedSni && TlsUtils.isTlsApplicationData(buffer)) {
+      log(`Using provided cached SNI for application data: ${cachedSni}`);
+      return cachedSni;
+    }
+    
+    return undefined;
+  }
+  
+  /**
+   * Unified method for processing a TLS packet and extracting SNI.
+   * Main entry point for SNI extraction that handles all edge cases.
+   * 
+   * @param buffer The buffer containing TLS data
+   * @param connectionInfo Connection tracking information
+   * @param logger Optional logging function
+   * @param cachedSni Optional previously cached SNI value
+   * @returns The extracted server name or undefined
+   */
+  public static processTlsPacket(
+    buffer: Buffer,
+    connectionInfo: ConnectionInfo,
+    logger?: LoggerFunction,
+    cachedSni?: string
+  ): string | undefined {
+    const log = logger || (() => {});
+    
+    // Add timestamp if not provided
+    if (!connectionInfo.timestamp) {
+      connectionInfo.timestamp = Date.now();
+    }
+    
+    // Check if this is a TLS handshake or application data
+    if (!TlsUtils.isTlsHandshake(buffer) && !TlsUtils.isTlsApplicationData(buffer)) {
+      log('Not a TLS handshake or application data packet');
+      return undefined;
+    }
+    
+    // Create connection ID for tracking
+    const connectionId = TlsUtils.createConnectionId(connectionInfo);
+    log(`Processing TLS packet for connection ${connectionId}, buffer length: ${buffer.length}`);
+    
+    // Handle application data with cached SNI (for connection racing)
+    if (TlsUtils.isTlsApplicationData(buffer)) {
+      // If explicit cachedSni was provided, use it
+      if (cachedSni) {
+        log(`Using provided cached SNI for application data: ${cachedSni}`);
+        return cachedSni;
+      }
+      
+      log('Application data packet without cached SNI, cannot determine hostname');
+      return undefined;
+    }
+    
+    // Enhanced session resumption detection
+    if (TlsUtils.isClientHello(buffer)) {
+      const resumptionInfo = ClientHelloParser.hasSessionResumption(buffer, logger);
+      
+      if (resumptionInfo.isResumption) {
+        log(`Session resumption detected in TLS packet`);
+        
+        // Always try standard SNI extraction first
+        const standardSni = this.extractSNI(buffer, logger);
+        if (standardSni) {
+          log(`Found standard SNI in session resumption: ${standardSni}`);
+          return standardSni;
+        }
+        
+        // Enhanced session resumption SNI extraction
+        // Try extracting from PSK identity
+        const pskSni = this.extractSNIFromPSKExtension(buffer, logger);
+        if (pskSni) {
+          log(`Extracted SNI from PSK extension: ${pskSni}`);
+          return pskSni;
+        }
+        
+        log(`Session resumption without extractable SNI`);
+      }
+    }
+    
+    // For handshake messages, try the full extraction process
+    const sni = this.extractSNIWithResumptionSupport(buffer, connectionInfo, logger);
+    
+    if (sni) {
+      log(`Successfully extracted SNI: ${sni}`);
+      return sni;
+    }
+    
+    // If we couldn't extract an SNI, check if this is a valid ClientHello
+    if (TlsUtils.isClientHello(buffer)) {
+      log('Valid ClientHello detected, but no SNI extracted - might need more data');
+    }
+    
+    return undefined;
+  }
+}

package/ts/tls/sni/sni-handler.ts

@@ -0,0 +1,264 @@
+import { Buffer } from 'buffer';
+import { 
+  TlsRecordType,
+  TlsHandshakeType,
+  TlsExtensionType,
+  TlsUtils
+} from '../utils/tls-utils.js';
+import {
+  ClientHelloParser,
+  type LoggerFunction
+} from './client-hello-parser.js';
+import {
+  SniExtraction,
+  type ConnectionInfo
+} from './sni-extraction.js';
+
+/**
+ * SNI (Server Name Indication) handler for TLS connections.
+ * Provides robust extraction of SNI values from TLS ClientHello messages
+ * with support for fragmented packets, TLS 1.3 resumption, Chrome-specific
+ * connection behaviors, and tab hibernation/reactivation scenarios.
+ * 
+ * This class retains the original API but leverages the new modular implementation
+ * for better maintainability and testability.
+ */
+export class SniHandler {
+  // Re-export constants for backward compatibility
+  private static readonly TLS_HANDSHAKE_RECORD_TYPE = TlsRecordType.HANDSHAKE;
+  private static readonly TLS_APPLICATION_DATA_TYPE = TlsRecordType.APPLICATION_DATA;
+  private static readonly TLS_CLIENT_HELLO_HANDSHAKE_TYPE = TlsHandshakeType.CLIENT_HELLO;
+  private static readonly TLS_SNI_EXTENSION_TYPE = TlsExtensionType.SERVER_NAME;
+  private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE = TlsExtensionType.SESSION_TICKET;
+  private static readonly TLS_SNI_HOST_NAME_TYPE = 0; // NameType.HOST_NAME in RFC 6066
+  private static readonly TLS_PSK_EXTENSION_TYPE = TlsExtensionType.PRE_SHARED_KEY;
+  private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = TlsExtensionType.PSK_KEY_EXCHANGE_MODES;
+  private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = TlsExtensionType.EARLY_DATA;
+
+  /**
+   * Checks if a buffer contains a TLS handshake message (record type 22)
+   * @param buffer - The buffer to check
+   * @returns true if the buffer starts with a TLS handshake record type
+   */
+  public static isTlsHandshake(buffer: Buffer): boolean {
+    return TlsUtils.isTlsHandshake(buffer);
+  }
+
+  /**
+   * Checks if a buffer contains TLS application data (record type 23)
+   * @param buffer - The buffer to check
+   * @returns true if the buffer starts with a TLS application data record type
+   */
+  public static isTlsApplicationData(buffer: Buffer): boolean {
+    return TlsUtils.isTlsApplicationData(buffer);
+  }
+
+  /**
+   * Creates a connection ID based on source/destination information
+   * Used to track fragmented ClientHello messages across multiple packets
+   *
+   * @param connectionInfo - Object containing connection identifiers (IP/port)
+   * @returns A string ID for the connection
+   */
+  public static createConnectionId(connectionInfo: {
+    sourceIp?: string;
+    sourcePort?: number;
+    destIp?: string;
+    destPort?: number;
+  }): string {
+    return TlsUtils.createConnectionId(connectionInfo);
+  }
+
+  /**
+   * Handles potential fragmented ClientHello messages by buffering and reassembling
+   * TLS record fragments that might span multiple TCP packets.
+   *
+   * @param buffer - The current buffer fragment
+   * @param connectionId - Unique identifier for the connection
+   * @param enableLogging - Whether to enable logging
+   * @returns A complete buffer if reassembly is successful, or undefined if more fragments are needed
+   */
+  public static handleFragmentedClientHello(
+    buffer: Buffer,
+    connectionId: string,
+    enableLogging: boolean = false
+  ): Buffer | undefined {
+    const logger = enableLogging ? 
+      (message: string) => console.log(`[SNI Fragment] ${message}`) : 
+      undefined;
+    
+    return ClientHelloParser.handleFragmentedClientHello(buffer, connectionId, logger);
+  }
+
+  /**
+   * Checks if a buffer contains a TLS ClientHello message
+   * @param buffer - The buffer to check
+   * @returns true if the buffer appears to be a ClientHello message
+   */
+  public static isClientHello(buffer: Buffer): boolean {
+    return TlsUtils.isClientHello(buffer);
+  }
+
+  /**
+   * Checks if a ClientHello message contains session resumption indicators
+   * such as session tickets or PSK (Pre-Shared Key) extensions.
+   *
+   * @param buffer - The buffer containing a ClientHello message
+   * @param enableLogging - Whether to enable logging
+   * @returns Object containing details about session resumption and SNI presence
+   */
+  public static hasSessionResumption(
+    buffer: Buffer,
+    enableLogging: boolean = false
+  ): { isResumption: boolean; hasSNI: boolean } {
+    const logger = enableLogging ? 
+      (message: string) => console.log(`[Session Resumption] ${message}`) : 
+      undefined;
+    
+    return ClientHelloParser.hasSessionResumption(buffer, logger);
+  }
+
+  /**
+   * Detects characteristics of a tab reactivation TLS handshake
+   * These often have specific patterns in Chrome and other browsers
+   *
+   * @param buffer - The buffer containing a ClientHello message
+   * @param enableLogging - Whether to enable logging
+   * @returns true if this appears to be a tab reactivation handshake
+   */
+  public static isTabReactivationHandshake(
+    buffer: Buffer,
+    enableLogging: boolean = false
+  ): boolean {
+    const logger = enableLogging ? 
+      (message: string) => console.log(`[Tab Reactivation] ${message}`) : 
+      undefined;
+    
+    return ClientHelloParser.isTabReactivationHandshake(buffer, logger);
+  }
+
+  /**
+   * Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
+   * Implements robust parsing with support for session resumption edge cases.
+   *
+   * @param buffer - The buffer containing the TLS ClientHello message
+   * @param enableLogging - Whether to enable detailed debug logging
+   * @returns The extracted server name or undefined if not found
+   */
+  public static extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
+    const logger = enableLogging ? 
+      (message: string) => console.log(`[SNI Extraction] ${message}`) : 
+      undefined;
+    
+    return SniExtraction.extractSNI(buffer, logger);
+  }
+
+  /**
+   * Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
+   *
+   * In TLS 1.3, when a client attempts to resume a session, it may include
+   * the server name in the PSK identity hint rather than in the SNI extension.
+   *
+   * @param buffer - The buffer containing the TLS ClientHello message
+   * @param enableLogging - Whether to enable detailed debug logging
+   * @returns The extracted server name or undefined if not found
+   */
+  public static extractSNIFromPSKExtension(
+    buffer: Buffer,
+    enableLogging: boolean = false
+  ): string | undefined {
+    const logger = enableLogging ? 
+      (message: string) => console.log(`[PSK-SNI Extraction] ${message}`) : 
+      undefined;
+    
+    return SniExtraction.extractSNIFromPSKExtension(buffer, logger);
+  }
+
+  /**
+   * Checks if the buffer contains TLS 1.3 early data (0-RTT)
+   * @param buffer - The buffer to check
+   * @param enableLogging - Whether to enable logging
+   * @returns true if early data is detected
+   */
+  public static hasEarlyData(buffer: Buffer, enableLogging: boolean = false): boolean {
+    // This functionality has been moved to ClientHelloParser
+    // We can implement it in terms of the parse result if needed
+    const logger = enableLogging ? 
+      (message: string) => console.log(`[Early Data] ${message}`) : 
+      undefined;
+    
+    const parseResult = ClientHelloParser.parseClientHello(buffer, logger);
+    return parseResult.isValid && parseResult.hasEarlyData;
+  }
+
+  /**
+   * Attempts to extract SNI from an initial ClientHello packet and handles
+   * session resumption edge cases more robustly than the standard extraction.
+   *
+   * This method handles:
+   * 1. Standard SNI extraction
+   * 2. TLS 1.3 PSK-based resumption (Chrome, Firefox, etc.)
+   * 3. Session ticket-based resumption
+   * 4. Fragmented ClientHello messages
+   * 5. TLS 1.3 Early Data (0-RTT)
+   * 6. Chrome's connection racing behaviors
+   *
+   * @param buffer - The buffer containing the TLS ClientHello message
+   * @param connectionInfo - Optional connection information for fragment handling
+   * @param enableLogging - Whether to enable detailed debug logging
+   * @returns The extracted server name or undefined if not found or more data needed
+   */
+  public static extractSNIWithResumptionSupport(
+    buffer: Buffer,
+    connectionInfo?: {
+      sourceIp?: string;
+      sourcePort?: number;
+      destIp?: string;
+      destPort?: number;
+    },
+    enableLogging: boolean = false
+  ): string | undefined {
+    const logger = enableLogging ? 
+      (message: string) => console.log(`[SNI Extraction] ${message}`) : 
+      undefined;
+    
+    return SniExtraction.extractSNIWithResumptionSupport(
+      buffer, 
+      connectionInfo as ConnectionInfo, 
+      logger
+    );
+  }
+
+  /**
+   * Main entry point for SNI extraction that handles all edge cases.
+   * This should be called for each TLS packet received from a client.
+   *
+   * The method uses connection tracking to handle fragmented ClientHello
+   * messages and various TLS 1.3 behaviors, including Chrome's connection
+   * racing patterns and tab reactivation behaviors.
+   *
+   * @param buffer - The buffer containing TLS data
+   * @param connectionInfo - Connection metadata (IPs and ports)
+   * @param enableLogging - Whether to enable detailed debug logging
+   * @param cachedSni - Optional cached SNI from previous connections (for racing detection)
+   * @returns The extracted server name or undefined if not found or more data needed
+   */
+  public static processTlsPacket(
+    buffer: Buffer,
+    connectionInfo: {
+      sourceIp: string;
+      sourcePort: number;
+      destIp: string;
+      destPort: number;
+      timestamp?: number;
+    },
+    enableLogging: boolean = false,
+    cachedSni?: string
+  ): string | undefined {
+    const logger = enableLogging ? 
+      (message: string) => console.log(`[TLS Packet] ${message}`) : 
+      undefined;
+    
+    return SniExtraction.processTlsPacket(buffer, connectionInfo, logger, cachedSni);
+  }
+}

package/ts/tls/utils/index.ts

@@ -0,0 +1,3 @@
+/**
+ * TLS utilities
+ */