@push.rocks/smartproxy 25.17.10 → 26.1.0

package/ts/protocols/tls/sni/sni-extraction.ts

@@ -1,353 +0,0 @@
-import { Buffer } from 'node:buffer';
-import { TlsExtensionType, TlsUtils } from '../utils/tls-utils.js';
-import {
-  ClientHelloParser,
-  type LoggerFunction
-} from './client-hello-parser.js';
-
-/**
- * Connection tracking information
- */
-export interface ConnectionInfo {
-  sourceIp: string;
-  sourcePort: number;
-  destIp: string;
-  destPort: number;
-  timestamp?: number;
-}
-
-/**
- * Utilities for extracting SNI information from TLS handshakes
- */
-export class SniExtraction {
-  /**
-   * Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
-   * 
-   * @param buffer The buffer containing the TLS ClientHello message
-   * @param logger Optional logging function
-   * @returns The extracted server name or undefined if not found
-   */
-  public static extractSNI(buffer: Buffer, logger?: LoggerFunction): string | undefined {
-    const log = logger || (() => {});
-    
-    try {
-      // Parse the ClientHello
-      const parseResult = ClientHelloParser.parseClientHello(buffer, logger);
-      if (!parseResult.isValid) {
-        log(`Failed to parse ClientHello: ${parseResult.error}`);
-        return undefined;
-      }
-      
-      // Check if ServerName extension was found
-      if (parseResult.serverNameList && parseResult.serverNameList.length > 0) {
-        // Use the first hostname (most common case)
-        const serverName = parseResult.serverNameList[0];
-        log(`Found SNI: ${serverName}`);
-        return serverName;
-      }
-      
-      log('No SNI extension found in ClientHello');
-      return undefined;
-    } catch (error) {
-      log(`Error extracting SNI: ${error instanceof Error ? error.message : String(error)}`);
-      return undefined;
-    }
-  }
-  
-  /**
-   * Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
-   * 
-   * In TLS 1.3, when a client attempts to resume a session, it may include
-   * the server name in the PSK identity hint rather than in the SNI extension.
-   * 
-   * @param buffer The buffer containing the TLS ClientHello message
-   * @param logger Optional logging function
-   * @returns The extracted server name or undefined if not found
-   */
-  public static extractSNIFromPSKExtension(
-    buffer: Buffer,
-    logger?: LoggerFunction
-  ): string | undefined {
-    const log = logger || (() => {});
-    
-    try {
-      // Ensure this is a ClientHello
-      if (!TlsUtils.isClientHello(buffer)) {
-        log('Not a ClientHello message');
-        return undefined;
-      }
-      
-      // Parse the ClientHello to find PSK extension
-      const parseResult = ClientHelloParser.parseClientHello(buffer, logger);
-      if (!parseResult.isValid || !parseResult.extensions) {
-        return undefined;
-      }
-      
-      // Find the PSK extension
-      const pskExtension = parseResult.extensions.find(ext => 
-        ext.type === TlsExtensionType.PRE_SHARED_KEY);
-      
-      if (!pskExtension) {
-        log('No PSK extension found');
-        return undefined;
-      }
-      
-      // Parse the PSK extension data
-      const data = pskExtension.data;
-      
-      // PSK extension structure:
-      // 2 bytes: identities list length
-      if (data.length < 2) return undefined;
-      
-      const identitiesLength = (data[0] << 8) + data[1];
-      let pos = 2;
-      
-      // End of identities list
-      const identitiesEnd = pos + identitiesLength;
-      if (identitiesEnd > data.length) return undefined;
-      
-      // Process each PSK identity
-      while (pos + 2 <= identitiesEnd) {
-        // Identity length (2 bytes)
-        if (pos + 2 > identitiesEnd) break;
-        
-        const identityLength = (data[pos] << 8) + data[pos + 1];
-        pos += 2;
-        
-        if (pos + identityLength > identitiesEnd) break;
-        
-        // Try to extract hostname from identity
-        // Chrome often embeds the hostname in the PSK identity
-        // This is a heuristic as there's no standard format
-        if (identityLength > 0) {
-          const identity = data.slice(pos, pos + identityLength);
-          
-          // Skip identity bytes
-          pos += identityLength;
-          
-          // Skip obfuscated ticket age (4 bytes)
-          if (pos + 4 <= identitiesEnd) {
-            pos += 4;
-          } else {
-            break;
-          }
-          
-          // Try to parse the identity as UTF-8
-          try {
-            const identityStr = identity.toString('utf8');
-            log(`PSK identity: ${identityStr}`);
-            
-            // Check if the identity contains hostname hints
-            // Chrome often embeds the hostname in a known format
-            // Try to extract using common patterns
-            
-            // Pattern 1: Look for domain name pattern
-            const domainPattern =
-              /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
-            const domainMatch = identityStr.match(domainPattern);
-            if (domainMatch && domainMatch[0]) {
-              log(`Found domain in PSK identity: ${domainMatch[0]}`);
-              return domainMatch[0];
-            }
-            
-            // Pattern 2: Chrome sometimes uses a specific format with delimiters
-            // This is a heuristic approach since the format isn't standardized
-            const parts = identityStr.split('|');
-            if (parts.length > 1) {
-              for (const part of parts) {
-                if (part.includes('.') && !part.includes('/')) {
-                  const possibleDomain = part.trim();
-                  if (/^[a-z0-9.-]+$/i.test(possibleDomain)) {
-                    log(`Found possible domain in PSK delimiter format: ${possibleDomain}`);
-                    return possibleDomain;
-                  }
-                }
-              }
-            }
-          } catch (e) {
-            log('Failed to parse PSK identity as UTF-8');
-          }
-        }
-      }
-      
-      log('No hostname found in PSK extension');
-      return undefined;
-    } catch (error) {
-      log(`Error parsing PSK: ${error instanceof Error ? error.message : String(error)}`);
-      return undefined;
-    }
-  }
-  
-  /**
-   * Main entry point for SNI extraction with support for fragmented messages
-   * and session resumption edge cases.
-   * 
-   * @param buffer The buffer containing TLS data
-   * @param connectionInfo Connection tracking information
-   * @param logger Optional logging function
-   * @param cachedSni Optional previously cached SNI value
-   * @returns The extracted server name or undefined
-   */
-  public static extractSNIWithResumptionSupport(
-    buffer: Buffer,
-    connectionInfo?: ConnectionInfo,
-    logger?: LoggerFunction,
-    cachedSni?: string
-  ): string | undefined {
-    const log = logger || (() => {});
-    
-    // Log buffer details for debugging
-    if (logger) {
-      log(`Buffer size: ${buffer.length} bytes`);
-      log(`Buffer starts with: ${buffer.slice(0, Math.min(10, buffer.length)).toString('hex')}`);
-      
-      if (buffer.length >= 5) {
-        const recordType = buffer[0];
-        const majorVersion = buffer[1];
-        const minorVersion = buffer[2];
-        const recordLength = (buffer[3] << 8) + buffer[4];
-        
-        log(
-          `TLS Record: type=${recordType}, version=${majorVersion}.${minorVersion}, length=${recordLength}`
-        );
-      }
-    }
-    
-    // Check if we need to handle fragmented packets
-    let processBuffer = buffer;
-    if (connectionInfo) {
-      const connectionId = TlsUtils.createConnectionId(connectionInfo);
-      const reassembledBuffer = ClientHelloParser.handleFragmentedClientHello(
-        buffer,
-        connectionId,
-        logger
-      );
-      
-      if (!reassembledBuffer) {
-        log(`Waiting for more fragments on connection ${connectionId}`);
-        return undefined; // Need more fragments to complete ClientHello
-      }
-      
-      processBuffer = reassembledBuffer;
-      log(`Using reassembled buffer of length ${processBuffer.length}`);
-    }
-    
-    // First try the standard SNI extraction
-    const standardSni = this.extractSNI(processBuffer, logger);
-    if (standardSni) {
-      log(`Found standard SNI: ${standardSni}`);
-      return standardSni;
-    }
-    
-    // Check for session resumption when standard SNI extraction fails
-    if (TlsUtils.isClientHello(processBuffer)) {
-      const resumptionInfo = ClientHelloParser.hasSessionResumption(processBuffer, logger);
-      
-      if (resumptionInfo.isResumption) {
-        log(`Detected session resumption in ClientHello without standard SNI`);
-        
-        // Try to extract SNI from PSK extension
-        const pskSni = this.extractSNIFromPSKExtension(processBuffer, logger);
-        if (pskSni) {
-          log(`Extracted SNI from PSK extension: ${pskSni}`);
-          return pskSni;
-        }
-      }
-    }
-    
-    // If cached SNI was provided, use it for application data packets
-    if (cachedSni && TlsUtils.isTlsApplicationData(buffer)) {
-      log(`Using provided cached SNI for application data: ${cachedSni}`);
-      return cachedSni;
-    }
-    
-    return undefined;
-  }
-  
-  /**
-   * Unified method for processing a TLS packet and extracting SNI.
-   * Main entry point for SNI extraction that handles all edge cases.
-   * 
-   * @param buffer The buffer containing TLS data
-   * @param connectionInfo Connection tracking information
-   * @param logger Optional logging function
-   * @param cachedSni Optional previously cached SNI value
-   * @returns The extracted server name or undefined
-   */
-  public static processTlsPacket(
-    buffer: Buffer,
-    connectionInfo: ConnectionInfo,
-    logger?: LoggerFunction,
-    cachedSni?: string
-  ): string | undefined {
-    const log = logger || (() => {});
-    
-    // Add timestamp if not provided
-    if (!connectionInfo.timestamp) {
-      connectionInfo.timestamp = Date.now();
-    }
-    
-    // Check if this is a TLS handshake or application data
-    if (!TlsUtils.isTlsHandshake(buffer) && !TlsUtils.isTlsApplicationData(buffer)) {
-      log('Not a TLS handshake or application data packet');
-      return undefined;
-    }
-    
-    // Create connection ID for tracking
-    const connectionId = TlsUtils.createConnectionId(connectionInfo);
-    log(`Processing TLS packet for connection ${connectionId}, buffer length: ${buffer.length}`);
-    
-    // Handle application data with cached SNI (for connection racing)
-    if (TlsUtils.isTlsApplicationData(buffer)) {
-      // If explicit cachedSni was provided, use it
-      if (cachedSni) {
-        log(`Using provided cached SNI for application data: ${cachedSni}`);
-        return cachedSni;
-      }
-      
-      log('Application data packet without cached SNI, cannot determine hostname');
-      return undefined;
-    }
-    
-    // Enhanced session resumption detection
-    if (TlsUtils.isClientHello(buffer)) {
-      const resumptionInfo = ClientHelloParser.hasSessionResumption(buffer, logger);
-      
-      if (resumptionInfo.isResumption) {
-        log(`Session resumption detected in TLS packet`);
-        
-        // Always try standard SNI extraction first
-        const standardSni = this.extractSNI(buffer, logger);
-        if (standardSni) {
-          log(`Found standard SNI in session resumption: ${standardSni}`);
-          return standardSni;
-        }
-        
-        // Enhanced session resumption SNI extraction
-        // Try extracting from PSK identity
-        const pskSni = this.extractSNIFromPSKExtension(buffer, logger);
-        if (pskSni) {
-          log(`Extracted SNI from PSK extension: ${pskSni}`);
-          return pskSni;
-        }
-        
-        log(`Session resumption without extractable SNI`);
-      }
-    }
-    
-    // For handshake messages, try the full extraction process
-    const sni = this.extractSNIWithResumptionSupport(buffer, connectionInfo, logger);
-    
-    if (sni) {
-      log(`Successfully extracted SNI: ${sni}`);
-      return sni;
-    }
-    
-    // If we couldn't extract an SNI, check if this is a valid ClientHello
-    if (TlsUtils.isClientHello(buffer)) {
-      log('Valid ClientHello detected, but no SNI extracted - might need more data');
-    }
-    
-    return undefined;
-  }
-}

package/ts/protocols/tls/utils/index.ts

@@ -1,3 +0,0 @@
-/**
- * TLS utilities
- */

package/ts/protocols/tls/utils/tls-utils.ts

@@ -1,201 +0,0 @@
-import * as plugins from '../../../plugins.js';
-
-/**
- * TLS record types as defined in various RFCs
- */
-export enum TlsRecordType {
-  CHANGE_CIPHER_SPEC = 20,
-  ALERT = 21,
-  HANDSHAKE = 22,
-  APPLICATION_DATA = 23,
-  HEARTBEAT = 24, // RFC 6520
-}
-
-/**
- * TLS handshake message types
- */
-export enum TlsHandshakeType {
-  HELLO_REQUEST = 0,
-  CLIENT_HELLO = 1,
-  SERVER_HELLO = 2,
-  NEW_SESSION_TICKET = 4,
-  ENCRYPTED_EXTENSIONS = 8, // TLS 1.3
-  CERTIFICATE = 11,
-  SERVER_KEY_EXCHANGE = 12,
-  CERTIFICATE_REQUEST = 13,
-  SERVER_HELLO_DONE = 14,
-  CERTIFICATE_VERIFY = 15,
-  CLIENT_KEY_EXCHANGE = 16,
-  FINISHED = 20,
-}
-
-/**
- * TLS extension types
- */
-export enum TlsExtensionType {
-  SERVER_NAME = 0, // SNI
-  MAX_FRAGMENT_LENGTH = 1,
-  CLIENT_CERTIFICATE_URL = 2,
-  TRUSTED_CA_KEYS = 3,
-  TRUNCATED_HMAC = 4,
-  STATUS_REQUEST = 5, // OCSP
-  SUPPORTED_GROUPS = 10, // Previously named "elliptic_curves"
-  EC_POINT_FORMATS = 11,
-  SIGNATURE_ALGORITHMS = 13,
-  APPLICATION_LAYER_PROTOCOL_NEGOTIATION = 16, // ALPN
-  SIGNED_CERTIFICATE_TIMESTAMP = 18, // Certificate Transparency
-  PADDING = 21,
-  SESSION_TICKET = 35,
-  PRE_SHARED_KEY = 41, // TLS 1.3
-  EARLY_DATA = 42, // TLS 1.3 0-RTT
-  SUPPORTED_VERSIONS = 43, // TLS 1.3
-  COOKIE = 44, // TLS 1.3
-  PSK_KEY_EXCHANGE_MODES = 45, // TLS 1.3
-  CERTIFICATE_AUTHORITIES = 47, // TLS 1.3
-  POST_HANDSHAKE_AUTH = 49, // TLS 1.3
-  SIGNATURE_ALGORITHMS_CERT = 50, // TLS 1.3
-  KEY_SHARE = 51, // TLS 1.3
-}
-
-/**
- * TLS alert levels
- */
-export enum TlsAlertLevel {
-  WARNING = 1,
-  FATAL = 2,
-}
-
-/**
- * TLS alert description codes
- */
-export enum TlsAlertDescription {
-  CLOSE_NOTIFY = 0,
-  UNEXPECTED_MESSAGE = 10,
-  BAD_RECORD_MAC = 20,
-  DECRYPTION_FAILED = 21, // TLS 1.0 only
-  RECORD_OVERFLOW = 22,
-  DECOMPRESSION_FAILURE = 30, // TLS 1.2 and below
-  HANDSHAKE_FAILURE = 40,
-  NO_CERTIFICATE = 41, // SSLv3 only
-  BAD_CERTIFICATE = 42,
-  UNSUPPORTED_CERTIFICATE = 43,
-  CERTIFICATE_REVOKED = 44,
-  CERTIFICATE_EXPIRED = 45,
-  CERTIFICATE_UNKNOWN = 46,
-  ILLEGAL_PARAMETER = 47,
-  UNKNOWN_CA = 48,
-  ACCESS_DENIED = 49,
-  DECODE_ERROR = 50,
-  DECRYPT_ERROR = 51,
-  EXPORT_RESTRICTION = 60, // TLS 1.0 only
-  PROTOCOL_VERSION = 70,
-  INSUFFICIENT_SECURITY = 71,
-  INTERNAL_ERROR = 80,
-  INAPPROPRIATE_FALLBACK = 86,
-  USER_CANCELED = 90,
-  NO_RENEGOTIATION = 100, // TLS 1.2 and below
-  MISSING_EXTENSION = 109, // TLS 1.3
-  UNSUPPORTED_EXTENSION = 110, // TLS 1.3
-  CERTIFICATE_REQUIRED = 111, // TLS 1.3
-  UNRECOGNIZED_NAME = 112,
-  BAD_CERTIFICATE_STATUS_RESPONSE = 113,
-  BAD_CERTIFICATE_HASH_VALUE = 114, // TLS 1.2 and below
-  UNKNOWN_PSK_IDENTITY = 115,
-  CERTIFICATE_REQUIRED_1_3 = 116, // TLS 1.3
-  NO_APPLICATION_PROTOCOL = 120,
-}
-
-/**
- * TLS version codes (major.minor)
- */
-export const TlsVersion = {
-  SSL3: [0x03, 0x00],
-  TLS1_0: [0x03, 0x01],
-  TLS1_1: [0x03, 0x02],
-  TLS1_2: [0x03, 0x03],
-  TLS1_3: [0x03, 0x04],
-};
-
-/**
- * Utility functions for TLS protocol operations
- */
-export class TlsUtils {
-  /**
-   * Checks if a buffer contains a TLS handshake record
-   * @param buffer The buffer to check
-   * @returns true if the buffer starts with a TLS handshake record
-   */
-  public static isTlsHandshake(buffer: Buffer): boolean {
-    return buffer.length > 0 && buffer[0] === TlsRecordType.HANDSHAKE;
-  }
-  
-  /**
-   * Checks if a buffer contains TLS application data
-   * @param buffer The buffer to check
-   * @returns true if the buffer starts with a TLS application data record
-   */
-  public static isTlsApplicationData(buffer: Buffer): boolean {
-    return buffer.length > 0 && buffer[0] === TlsRecordType.APPLICATION_DATA;
-  }
-  
-  /**
-   * Checks if a buffer contains a TLS alert record
-   * @param buffer The buffer to check
-   * @returns true if the buffer starts with a TLS alert record
-   */
-  public static isTlsAlert(buffer: Buffer): boolean {
-    return buffer.length > 0 && buffer[0] === TlsRecordType.ALERT;
-  }
-  
-  /**
-   * Checks if a buffer contains a TLS ClientHello message
-   * @param buffer The buffer to check
-   * @returns true if the buffer appears to be a ClientHello message
-   */
-  public static isClientHello(buffer: Buffer): boolean {
-    // Minimum ClientHello size (TLS record header + handshake header)
-    if (buffer.length < 9) {
-      return false;
-    }
-    
-    // Check record type (must be TLS_HANDSHAKE_RECORD_TYPE)
-    if (buffer[0] !== TlsRecordType.HANDSHAKE) {
-      return false;
-    }
-    
-    // Skip version and length in TLS record header (5 bytes total)
-    // Check handshake type at byte 5 (must be CLIENT_HELLO)
-    return buffer[5] === TlsHandshakeType.CLIENT_HELLO;
-  }
-  
-  /**
-   * Gets the record length from a TLS record header
-   * @param buffer Buffer containing a TLS record
-   * @returns The record length if the buffer is valid, -1 otherwise
-   */
-  public static getTlsRecordLength(buffer: Buffer): number {
-    if (buffer.length < 5) {
-      return -1;
-    }
-    
-    // Bytes 3-4 contain the record length (big-endian)
-    return (buffer[3] << 8) + buffer[4];
-  }
-  
-  /**
-   * Creates a connection ID based on source/destination information
-   * Used to track fragmented ClientHello messages across multiple packets
-   *
-   * @param connectionInfo Object containing connection identifiers
-   * @returns A string ID for the connection
-   */
-  public static createConnectionId(connectionInfo: {
-    sourceIp?: string;
-    sourcePort?: number;
-    destIp?: string;
-    destPort?: number;
-  }): string {
-    const { sourceIp, sourcePort, destIp, destPort } = connectionInfo;
-    return `${sourceIp}:${sourcePort}-${destIp}:${destPort}`;
-  }
-}

package/ts/protocols/websocket/constants.ts

@@ -1,60 +0,0 @@
-/**
- * WebSocket Protocol Constants
- * Based on RFC 6455
- */
-
-/**
- * WebSocket opcode types
- */
-export enum WebSocketOpcode {
-  CONTINUATION = 0x0,
-  TEXT = 0x1,
-  BINARY = 0x2,
-  CLOSE = 0x8,
-  PING = 0x9,
-  PONG = 0xa,
-}
-
-/**
- * WebSocket close codes
- */
-export enum WebSocketCloseCode {
-  NORMAL_CLOSURE = 1000,
-  GOING_AWAY = 1001,
-  PROTOCOL_ERROR = 1002,
-  UNSUPPORTED_DATA = 1003,
-  NO_STATUS_RECEIVED = 1005,
-  ABNORMAL_CLOSURE = 1006,
-  INVALID_FRAME_PAYLOAD_DATA = 1007,
-  POLICY_VIOLATION = 1008,
-  MESSAGE_TOO_BIG = 1009,
-  MISSING_EXTENSION = 1010,
-  INTERNAL_ERROR = 1011,
-  SERVICE_RESTART = 1012,
-  TRY_AGAIN_LATER = 1013,
-  BAD_GATEWAY = 1014,
-  TLS_HANDSHAKE = 1015,
-}
-
-/**
- * WebSocket protocol version
- */
-export const WEBSOCKET_VERSION = 13;
-
-/**
- * WebSocket magic string for handshake
- */
-export const WEBSOCKET_MAGIC_STRING = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11';
-
-/**
- * WebSocket headers
- */
-export const WEBSOCKET_HEADERS = {
-  UPGRADE: 'upgrade',
-  CONNECTION: 'connection',
-  SEC_WEBSOCKET_KEY: 'sec-websocket-key',
-  SEC_WEBSOCKET_VERSION: 'sec-websocket-version',
-  SEC_WEBSOCKET_ACCEPT: 'sec-websocket-accept',
-  SEC_WEBSOCKET_PROTOCOL: 'sec-websocket-protocol',
-  SEC_WEBSOCKET_EXTENSIONS: 'sec-websocket-extensions',
-} as const;

package/ts/protocols/websocket/index.ts

@@ -1,8 +0,0 @@
-/**
- * WebSocket Protocol Module
- * WebSocket protocol utilities and constants
- */
-
-export * from './constants.js';
-export * from './types.js';
-export * from './utils.js';

package/ts/protocols/websocket/types.ts

@@ -1,53 +0,0 @@
-/**
- * WebSocket Protocol Type Definitions
- */
-
-import type { WebSocketOpcode, WebSocketCloseCode } from './constants.js';
-
-/**
- * WebSocket frame header
- */
-export interface IWebSocketFrameHeader {
-  fin: boolean;
-  rsv1: boolean;
-  rsv2: boolean;
-  rsv3: boolean;
-  opcode: WebSocketOpcode;
-  masked: boolean;
-  payloadLength: number;
-  maskingKey?: Buffer;
-}
-
-/**
- * WebSocket frame
- */
-export interface IWebSocketFrame {
-  header: IWebSocketFrameHeader;
-  payload: Buffer;
-}
-
-/**
- * WebSocket close frame payload
- */
-export interface IWebSocketClosePayload {
-  code: WebSocketCloseCode;
-  reason?: string;
-}
-
-/**
- * WebSocket handshake request headers
- */
-export interface IWebSocketHandshakeHeaders {
-  upgrade: string;
-  connection: string;
-  'sec-websocket-key': string;
-  'sec-websocket-version': string;
-  'sec-websocket-protocol'?: string;
-  'sec-websocket-extensions'?: string;
-  [key: string]: string | undefined;
-}
-
-/**
- * Type for WebSocket raw data (matching ws library)
- */
-export type RawData = Buffer | ArrayBuffer | Buffer[] | any;