@push.rocks/smartproxy 3.41.7 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist_ts/00_commitinfo_data.js +2 -2
- package/dist_ts/classes.portproxy.js +83 -69
- package/dist_ts/classes.pp.acmemanager.d.ts +34 -0
- package/dist_ts/classes.pp.acmemanager.js +123 -0
- package/dist_ts/classes.pp.connectionhandler.d.ts +39 -0
- package/dist_ts/classes.pp.connectionhandler.js +693 -0
- package/dist_ts/classes.pp.connectionmanager.d.ts +78 -0
- package/dist_ts/classes.pp.connectionmanager.js +378 -0
- package/dist_ts/classes.pp.domainconfigmanager.d.ts +55 -0
- package/dist_ts/classes.pp.domainconfigmanager.js +103 -0
- package/dist_ts/classes.pp.interfaces.d.ts +109 -0
- package/dist_ts/classes.pp.interfaces.js +2 -0
- package/dist_ts/classes.pp.networkproxybridge.d.ts +43 -0
- package/dist_ts/classes.pp.networkproxybridge.js +211 -0
- package/dist_ts/classes.pp.portproxy.d.ts +48 -0
- package/dist_ts/classes.pp.portproxy.js +268 -0
- package/dist_ts/classes.pp.portrangemanager.d.ts +56 -0
- package/dist_ts/classes.pp.portrangemanager.js +179 -0
- package/dist_ts/classes.pp.securitymanager.d.ts +47 -0
- package/dist_ts/classes.pp.securitymanager.js +126 -0
- package/dist_ts/classes.pp.snihandler.d.ts +160 -0
- package/dist_ts/classes.pp.snihandler.js +1073 -0
- package/dist_ts/classes.pp.timeoutmanager.d.ts +47 -0
- package/dist_ts/classes.pp.timeoutmanager.js +154 -0
- package/dist_ts/classes.pp.tlsmanager.d.ts +57 -0
- package/dist_ts/classes.pp.tlsmanager.js +132 -0
- package/dist_ts/index.d.ts +2 -2
- package/dist_ts/index.js +3 -3
- package/package.json +1 -1
- package/ts/00_commitinfo_data.ts +1 -1
- package/ts/classes.pp.acmemanager.ts +149 -0
- package/ts/classes.pp.connectionhandler.ts +982 -0
- package/ts/classes.pp.connectionmanager.ts +446 -0
- package/ts/classes.pp.domainconfigmanager.ts +123 -0
- package/ts/classes.pp.interfaces.ts +136 -0
- package/ts/classes.pp.networkproxybridge.ts +258 -0
- package/ts/classes.pp.portproxy.ts +344 -0
- package/ts/classes.pp.portrangemanager.ts +214 -0
- package/ts/classes.pp.securitymanager.ts +147 -0
- package/ts/{classes.snihandler.ts → classes.pp.snihandler.ts} +2 -169
- package/ts/classes.pp.timeoutmanager.ts +190 -0
- package/ts/classes.pp.tlsmanager.ts +206 -0
- package/ts/index.ts +2 -2
- package/ts/classes.portproxy.ts +0 -2496
|
@@ -0,0 +1,126 @@
|
|
|
1
|
+
import * as plugins from './plugins.js';
|
|
2
|
+
/**
|
|
3
|
+
* Handles security aspects like IP tracking, rate limiting, and authorization
|
|
4
|
+
*/
|
|
5
|
+
export class SecurityManager {
|
|
6
|
+
constructor(settings) {
|
|
7
|
+
this.settings = settings;
|
|
8
|
+
this.connectionsByIP = new Map();
|
|
9
|
+
this.connectionRateByIP = new Map();
|
|
10
|
+
}
|
|
11
|
+
/**
|
|
12
|
+
* Get connections count by IP
|
|
13
|
+
*/
|
|
14
|
+
getConnectionCountByIP(ip) {
|
|
15
|
+
return this.connectionsByIP.get(ip)?.size || 0;
|
|
16
|
+
}
|
|
17
|
+
/**
|
|
18
|
+
* Check and update connection rate for an IP
|
|
19
|
+
* @returns true if within rate limit, false if exceeding limit
|
|
20
|
+
*/
|
|
21
|
+
checkConnectionRate(ip) {
|
|
22
|
+
const now = Date.now();
|
|
23
|
+
const minute = 60 * 1000;
|
|
24
|
+
if (!this.connectionRateByIP.has(ip)) {
|
|
25
|
+
this.connectionRateByIP.set(ip, [now]);
|
|
26
|
+
return true;
|
|
27
|
+
}
|
|
28
|
+
// Get timestamps and filter out entries older than 1 minute
|
|
29
|
+
const timestamps = this.connectionRateByIP.get(ip).filter((time) => now - time < minute);
|
|
30
|
+
timestamps.push(now);
|
|
31
|
+
this.connectionRateByIP.set(ip, timestamps);
|
|
32
|
+
// Check if rate exceeds limit
|
|
33
|
+
return timestamps.length <= this.settings.connectionRateLimitPerMinute;
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Track connection by IP
|
|
37
|
+
*/
|
|
38
|
+
trackConnectionByIP(ip, connectionId) {
|
|
39
|
+
if (!this.connectionsByIP.has(ip)) {
|
|
40
|
+
this.connectionsByIP.set(ip, new Set());
|
|
41
|
+
}
|
|
42
|
+
this.connectionsByIP.get(ip).add(connectionId);
|
|
43
|
+
}
|
|
44
|
+
/**
|
|
45
|
+
* Remove connection tracking for an IP
|
|
46
|
+
*/
|
|
47
|
+
removeConnectionByIP(ip, connectionId) {
|
|
48
|
+
if (this.connectionsByIP.has(ip)) {
|
|
49
|
+
const connections = this.connectionsByIP.get(ip);
|
|
50
|
+
connections.delete(connectionId);
|
|
51
|
+
if (connections.size === 0) {
|
|
52
|
+
this.connectionsByIP.delete(ip);
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
/**
|
|
57
|
+
* Check if an IP is allowed using glob patterns
|
|
58
|
+
*/
|
|
59
|
+
isIPAuthorized(ip, allowedIPs, blockedIPs = []) {
|
|
60
|
+
// Skip IP validation if allowedIPs is empty
|
|
61
|
+
if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
|
|
62
|
+
return true;
|
|
63
|
+
}
|
|
64
|
+
// First check if IP is blocked
|
|
65
|
+
if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
|
|
66
|
+
return false;
|
|
67
|
+
}
|
|
68
|
+
// Then check if IP is allowed
|
|
69
|
+
return this.isGlobIPMatch(ip, allowedIPs);
|
|
70
|
+
}
|
|
71
|
+
/**
|
|
72
|
+
* Check if the IP matches any of the glob patterns
|
|
73
|
+
*/
|
|
74
|
+
isGlobIPMatch(ip, patterns) {
|
|
75
|
+
if (!ip || !patterns || patterns.length === 0)
|
|
76
|
+
return false;
|
|
77
|
+
const normalizeIP = (ip) => {
|
|
78
|
+
if (!ip)
|
|
79
|
+
return [];
|
|
80
|
+
if (ip.startsWith('::ffff:')) {
|
|
81
|
+
const ipv4 = ip.slice(7);
|
|
82
|
+
return [ip, ipv4];
|
|
83
|
+
}
|
|
84
|
+
if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
|
|
85
|
+
return [ip, `::ffff:${ip}`];
|
|
86
|
+
}
|
|
87
|
+
return [ip];
|
|
88
|
+
};
|
|
89
|
+
const normalizedIPVariants = normalizeIP(ip);
|
|
90
|
+
if (normalizedIPVariants.length === 0)
|
|
91
|
+
return false;
|
|
92
|
+
const expandedPatterns = patterns.flatMap(normalizeIP);
|
|
93
|
+
return normalizedIPVariants.some((ipVariant) => expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern)));
|
|
94
|
+
}
|
|
95
|
+
/**
|
|
96
|
+
* Check if IP should be allowed considering connection rate and max connections
|
|
97
|
+
* @returns Object with result and reason
|
|
98
|
+
*/
|
|
99
|
+
validateIP(ip) {
|
|
100
|
+
// Check connection count limit
|
|
101
|
+
if (this.settings.maxConnectionsPerIP &&
|
|
102
|
+
this.getConnectionCountByIP(ip) >= this.settings.maxConnectionsPerIP) {
|
|
103
|
+
return {
|
|
104
|
+
allowed: false,
|
|
105
|
+
reason: `Maximum connections per IP (${this.settings.maxConnectionsPerIP}) exceeded`
|
|
106
|
+
};
|
|
107
|
+
}
|
|
108
|
+
// Check connection rate limit
|
|
109
|
+
if (this.settings.connectionRateLimitPerMinute &&
|
|
110
|
+
!this.checkConnectionRate(ip)) {
|
|
111
|
+
return {
|
|
112
|
+
allowed: false,
|
|
113
|
+
reason: `Connection rate limit (${this.settings.connectionRateLimitPerMinute}/min) exceeded`
|
|
114
|
+
};
|
|
115
|
+
}
|
|
116
|
+
return { allowed: true };
|
|
117
|
+
}
|
|
118
|
+
/**
|
|
119
|
+
* Clears all IP tracking data (for shutdown)
|
|
120
|
+
*/
|
|
121
|
+
clearIPTracking() {
|
|
122
|
+
this.connectionsByIP.clear();
|
|
123
|
+
this.connectionRateByIP.clear();
|
|
124
|
+
}
|
|
125
|
+
}
|
|
126
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5wcC5zZWN1cml0eW1hbmFnZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi90cy9jbGFzc2VzLnBwLnNlY3VyaXR5bWFuYWdlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssT0FBTyxNQUFNLGNBQWMsQ0FBQztBQUd4Qzs7R0FFRztBQUNILE1BQU0sT0FBTyxlQUFlO0lBSTFCLFlBQW9CLFFBQTRCO1FBQTVCLGFBQVEsR0FBUixRQUFRLENBQW9CO1FBSHhDLG9CQUFlLEdBQTZCLElBQUksR0FBRyxFQUFFLENBQUM7UUFDdEQsdUJBQWtCLEdBQTBCLElBQUksR0FBRyxFQUFFLENBQUM7SUFFWCxDQUFDO0lBRXBEOztPQUVHO0lBQ0ksc0JBQXNCLENBQUMsRUFBVTtRQUN0QyxPQUFPLElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxFQUFFLElBQUksSUFBSSxDQUFDLENBQUM7SUFDakQsQ0FBQztJQUVEOzs7T0FHRztJQUNJLG1CQUFtQixDQUFDLEVBQVU7UUFDbkMsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQ3ZCLE1BQU0sTUFBTSxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7UUFFekIsSUFBSSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztZQUNyQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsR0FBRyxDQUFDLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7WUFDdkMsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsNERBQTREO1FBQzVELE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFFLENBQUMsTUFBTSxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxHQUFHLEdBQUcsSUFBSSxHQUFHLE1BQU0sQ0FBQyxDQUFDO1FBQzFGLFVBQVUsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDckIsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxFQUFFLEVBQUUsVUFBVSxDQUFDLENBQUM7UUFFNUMsOEJBQThCO1FBQzlCLE9BQU8sVUFBVSxDQUFDLE1BQU0sSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLDRCQUE2QixDQUFDO0lBQzFFLENBQUM7SUFFRDs7T0FFRztJQUNJLG1CQUFtQixDQUFDLEVBQVUsRUFBRSxZQUFvQjtRQUN6RCxJQUFJLENBQUMsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztZQUNsQyxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxFQUFFLEVBQUUsSUFBSSxHQUFHLEVBQUUsQ0FBQyxDQUFDO1FBQzFDLENBQUM7UUFDRCxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUUsQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLENBQUM7SUFDbEQsQ0FBQztJQUVEOztPQUVHO0lBQ0ksb0JBQW9CLENBQUMsRUFBVSxFQUFFLFlBQW9CO1FBQzFELElBQUksSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztZQUNqQyxNQUFNLFdBQVcsR0FBRyxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUUsQ0FBQztZQUNsRCxXQUFXLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDO1lBQ2pDLElBQUksV0FBVyxDQUFDLElBQUksS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDM0IsSUFBSSxDQUFDLGVBQWUsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUM7WUFDbEMsQ0FBQztRQUNILENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSSxjQUFjLENBQUMsRUFBVSxFQUFFLFVBQW9CLEVBQUUsYUFBdUIsRUFBRTtRQUMvRSw0Q0FBNEM7UUFDNUMsSUFBSSxDQUFDLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLEtBQUssQ0FBQyxJQUFJLFVBQVUsQ0FBQyxNQUFNLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQztZQUNoRSxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCwrQkFBK0I7UUFDL0IsSUFBSSxVQUFVLENBQUMsTUFBTSxHQUFHLENBQUMsSUFBSSxJQUFJLENBQUMsYUFBYSxDQUFDLEVBQUUsRUFBRSxVQUFVLENBQUMsRUFBRSxDQUFDO1lBQ2hFLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUVELDhCQUE4QjtRQUM5QixPQUFPLElBQUksQ0FBQyxhQUFhLENBQUMsRUFBRSxFQUFFLFVBQVUsQ0FBQyxDQUFDO0lBQzVDLENBQUM7SUFFRDs7T0FFRztJQUNLLGFBQWEsQ0FBQyxFQUFVLEVBQUUsUUFBa0I7UUFDbEQsSUFBSSxDQUFDLEVBQUUsSUFBSSxDQUFDLFFBQVEsSUFBSSxRQUFRLENBQUMsTUFBTSxLQUFLLENBQUM7WUFBRSxPQUFPLEtBQUssQ0FBQztRQUU1RCxNQUFNLFdBQVcsR0FBRyxDQUFDLEVBQVUsRUFBWSxFQUFFO1lBQzNDLElBQUksQ0FBQyxFQUFFO2dCQUFFLE9BQU8sRUFBRSxDQUFDO1lBQ25CLElBQUksRUFBRSxDQUFDLFVBQVUsQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDO2dCQUM3QixNQUFNLElBQUksR0FBRyxFQUFFLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUN6QixPQUFPLENBQUMsRUFBRSxFQUFFLElBQUksQ0FBQyxDQUFDO1lBQ3BCLENBQUM7WUFDRCxJQUFJLHlCQUF5QixDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO2dCQUN2QyxPQUFPLENBQUMsRUFBRSxFQUFFLFVBQVUsRUFBRSxFQUFFLENBQUMsQ0FBQztZQUM5QixDQUFDO1lBQ0QsT0FBTyxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ2QsQ0FBQyxDQUFDO1FBRUYsTUFBTSxvQkFBb0IsR0FBRyxXQUFXLENBQUMsRUFBRSxDQUFDLENBQUM7UUFDN0MsSUFBSSxvQkFBb0IsQ0FBQyxNQUFNLEtBQUssQ0FBQztZQUFFLE9BQU8sS0FBSyxDQUFDO1FBRXBELE1BQU0sZ0JBQWdCLEdBQUcsUUFBUSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUN2RCxPQUFPLG9CQUFvQixDQUFDLElBQUksQ0FBQyxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQzdDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxTQUFTLEVBQUUsT0FBTyxDQUFDLENBQUMsQ0FDMUUsQ0FBQztJQUNKLENBQUM7SUFFRDs7O09BR0c7SUFDSSxVQUFVLENBQUMsRUFBVTtRQUMxQiwrQkFBK0I7UUFDL0IsSUFDRSxJQUFJLENBQUMsUUFBUSxDQUFDLG1CQUFtQjtZQUNqQyxJQUFJLENBQUMsc0JBQXNCLENBQUMsRUFBRSxDQUFDLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxtQkFBbUIsRUFDcEUsQ0FBQztZQUNELE9BQU87Z0JBQ0wsT0FBTyxFQUFFLEtBQUs7Z0JBQ2QsTUFBTSxFQUFFLCtCQUErQixJQUFJLENBQUMsUUFBUSxDQUFDLG1CQUFtQixZQUFZO2FBQ3JGLENBQUM7UUFDSixDQUFDO1FBRUQsOEJBQThCO1FBQzlCLElBQ0UsSUFBSSxDQUFDLFFBQVEsQ0FBQyw0QkFBNEI7WUFDMUMsQ0FBQyxJQUFJLENBQUMsbUJBQW1CLENBQUMsRUFBRSxDQUFDLEVBQzdCLENBQUM7WUFDRCxPQUFPO2dCQUNMLE9BQU8sRUFBRSxLQUFLO2dCQUNkLE1BQU0sRUFBRSwwQkFBMEIsSUFBSSxDQUFDLFFBQVEsQ0FBQyw0QkFBNEIsZ0JBQWdCO2FBQzdGLENBQUM7UUFDSixDQUFDO1FBRUQsT0FBTyxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsQ0FBQztJQUMzQixDQUFDO0lBRUQ7O09BRUc7SUFDSSxlQUFlO1FBQ3BCLElBQUksQ0FBQyxlQUFlLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDN0IsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEtBQUssRUFBRSxDQUFDO0lBQ2xDLENBQUM7Q0FDRiJ9
|
|
@@ -0,0 +1,160 @@
|
|
|
1
|
+
import { Buffer } from 'buffer';
|
|
2
|
+
/**
|
|
3
|
+
* SNI (Server Name Indication) handler for TLS connections.
|
|
4
|
+
* Provides robust extraction of SNI values from TLS ClientHello messages
|
|
5
|
+
* with support for fragmented packets, TLS 1.3 resumption, Chrome-specific
|
|
6
|
+
* connection behaviors, and tab hibernation/reactivation scenarios.
|
|
7
|
+
*/
|
|
8
|
+
export declare class SniHandler {
|
|
9
|
+
private static readonly TLS_HANDSHAKE_RECORD_TYPE;
|
|
10
|
+
private static readonly TLS_APPLICATION_DATA_TYPE;
|
|
11
|
+
private static readonly TLS_CLIENT_HELLO_HANDSHAKE_TYPE;
|
|
12
|
+
private static readonly TLS_SNI_EXTENSION_TYPE;
|
|
13
|
+
private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE;
|
|
14
|
+
private static readonly TLS_SNI_HOST_NAME_TYPE;
|
|
15
|
+
private static readonly TLS_PSK_EXTENSION_TYPE;
|
|
16
|
+
private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE;
|
|
17
|
+
private static readonly TLS_EARLY_DATA_EXTENSION_TYPE;
|
|
18
|
+
private static fragmentedBuffers;
|
|
19
|
+
private static fragmentTimeout;
|
|
20
|
+
/**
|
|
21
|
+
* Extract the client random value from a ClientHello message
|
|
22
|
+
*
|
|
23
|
+
* @param buffer - The buffer containing the ClientHello
|
|
24
|
+
* @returns The 32-byte client random or undefined if extraction fails
|
|
25
|
+
*/
|
|
26
|
+
private static extractClientRandom;
|
|
27
|
+
/**
|
|
28
|
+
* Checks if a buffer contains a TLS handshake message (record type 22)
|
|
29
|
+
* @param buffer - The buffer to check
|
|
30
|
+
* @returns true if the buffer starts with a TLS handshake record type
|
|
31
|
+
*/
|
|
32
|
+
static isTlsHandshake(buffer: Buffer): boolean;
|
|
33
|
+
/**
|
|
34
|
+
* Checks if a buffer contains TLS application data (record type 23)
|
|
35
|
+
* @param buffer - The buffer to check
|
|
36
|
+
* @returns true if the buffer starts with a TLS application data record type
|
|
37
|
+
*/
|
|
38
|
+
static isTlsApplicationData(buffer: Buffer): boolean;
|
|
39
|
+
/**
|
|
40
|
+
* Creates a connection ID based on source/destination information
|
|
41
|
+
* Used to track fragmented ClientHello messages across multiple packets
|
|
42
|
+
*
|
|
43
|
+
* @param connectionInfo - Object containing connection identifiers (IP/port)
|
|
44
|
+
* @returns A string ID for the connection
|
|
45
|
+
*/
|
|
46
|
+
static createConnectionId(connectionInfo: {
|
|
47
|
+
sourceIp?: string;
|
|
48
|
+
sourcePort?: number;
|
|
49
|
+
destIp?: string;
|
|
50
|
+
destPort?: number;
|
|
51
|
+
}): string;
|
|
52
|
+
/**
|
|
53
|
+
* Handles potential fragmented ClientHello messages by buffering and reassembling
|
|
54
|
+
* TLS record fragments that might span multiple TCP packets.
|
|
55
|
+
*
|
|
56
|
+
* @param buffer - The current buffer fragment
|
|
57
|
+
* @param connectionId - Unique identifier for the connection
|
|
58
|
+
* @param enableLogging - Whether to enable logging
|
|
59
|
+
* @returns A complete buffer if reassembly is successful, or undefined if more fragments are needed
|
|
60
|
+
*/
|
|
61
|
+
static handleFragmentedClientHello(buffer: Buffer, connectionId: string, enableLogging?: boolean): Buffer | undefined;
|
|
62
|
+
/**
|
|
63
|
+
* Checks if a buffer contains a TLS ClientHello message
|
|
64
|
+
* @param buffer - The buffer to check
|
|
65
|
+
* @returns true if the buffer appears to be a ClientHello message
|
|
66
|
+
*/
|
|
67
|
+
static isClientHello(buffer: Buffer): boolean;
|
|
68
|
+
/**
|
|
69
|
+
* Checks if a ClientHello message contains session resumption indicators
|
|
70
|
+
* such as session tickets or PSK (Pre-Shared Key) extensions.
|
|
71
|
+
*
|
|
72
|
+
* @param buffer - The buffer containing a ClientHello message
|
|
73
|
+
* @param enableLogging - Whether to enable logging
|
|
74
|
+
* @returns Object containing details about session resumption and SNI presence
|
|
75
|
+
*/
|
|
76
|
+
static hasSessionResumption(buffer: Buffer, enableLogging?: boolean): {
|
|
77
|
+
isResumption: boolean;
|
|
78
|
+
hasSNI: boolean;
|
|
79
|
+
};
|
|
80
|
+
/**
|
|
81
|
+
* Detects characteristics of a tab reactivation TLS handshake
|
|
82
|
+
* These often have specific patterns in Chrome and other browsers
|
|
83
|
+
*
|
|
84
|
+
* @param buffer - The buffer containing a ClientHello message
|
|
85
|
+
* @param enableLogging - Whether to enable logging
|
|
86
|
+
* @returns true if this appears to be a tab reactivation handshake
|
|
87
|
+
*/
|
|
88
|
+
static isTabReactivationHandshake(buffer: Buffer, enableLogging?: boolean): boolean;
|
|
89
|
+
/**
|
|
90
|
+
* Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
|
|
91
|
+
* Implements robust parsing with support for session resumption edge cases.
|
|
92
|
+
*
|
|
93
|
+
* @param buffer - The buffer containing the TLS ClientHello message
|
|
94
|
+
* @param enableLogging - Whether to enable detailed debug logging
|
|
95
|
+
* @returns The extracted server name or undefined if not found
|
|
96
|
+
*/
|
|
97
|
+
static extractSNI(buffer: Buffer, enableLogging?: boolean): string | undefined;
|
|
98
|
+
/**
|
|
99
|
+
* Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
|
|
100
|
+
*
|
|
101
|
+
* In TLS 1.3, when a client attempts to resume a session, it may include
|
|
102
|
+
* the server name in the PSK identity hint rather than in the SNI extension.
|
|
103
|
+
*
|
|
104
|
+
* @param buffer - The buffer containing the TLS ClientHello message
|
|
105
|
+
* @param enableLogging - Whether to enable detailed debug logging
|
|
106
|
+
* @returns The extracted server name or undefined if not found
|
|
107
|
+
*/
|
|
108
|
+
static extractSNIFromPSKExtension(buffer: Buffer, enableLogging?: boolean): string | undefined;
|
|
109
|
+
/**
|
|
110
|
+
* Checks if the buffer contains TLS 1.3 early data (0-RTT)
|
|
111
|
+
* @param buffer - The buffer to check
|
|
112
|
+
* @param enableLogging - Whether to enable logging
|
|
113
|
+
* @returns true if early data is detected
|
|
114
|
+
*/
|
|
115
|
+
static hasEarlyData(buffer: Buffer, enableLogging?: boolean): boolean;
|
|
116
|
+
/**
|
|
117
|
+
* Attempts to extract SNI from an initial ClientHello packet and handles
|
|
118
|
+
* session resumption edge cases more robustly than the standard extraction.
|
|
119
|
+
*
|
|
120
|
+
* This method handles:
|
|
121
|
+
* 1. Standard SNI extraction
|
|
122
|
+
* 2. TLS 1.3 PSK-based resumption (Chrome, Firefox, etc.)
|
|
123
|
+
* 3. Session ticket-based resumption
|
|
124
|
+
* 4. Fragmented ClientHello messages
|
|
125
|
+
* 5. TLS 1.3 Early Data (0-RTT)
|
|
126
|
+
* 6. Chrome's connection racing behaviors
|
|
127
|
+
*
|
|
128
|
+
* @param buffer - The buffer containing the TLS ClientHello message
|
|
129
|
+
* @param connectionInfo - Optional connection information for fragment handling
|
|
130
|
+
* @param enableLogging - Whether to enable detailed debug logging
|
|
131
|
+
* @returns The extracted server name or undefined if not found
|
|
132
|
+
*/
|
|
133
|
+
static extractSNIWithResumptionSupport(buffer: Buffer, connectionInfo?: {
|
|
134
|
+
sourceIp?: string;
|
|
135
|
+
sourcePort?: number;
|
|
136
|
+
destIp?: string;
|
|
137
|
+
destPort?: number;
|
|
138
|
+
}, enableLogging?: boolean): string | undefined;
|
|
139
|
+
/**
|
|
140
|
+
* Main entry point for SNI extraction that handles all edge cases.
|
|
141
|
+
* This should be called for each TLS packet received from a client.
|
|
142
|
+
*
|
|
143
|
+
* The method uses connection tracking to handle fragmented ClientHello
|
|
144
|
+
* messages and various TLS 1.3 behaviors, including Chrome's connection
|
|
145
|
+
* racing patterns.
|
|
146
|
+
*
|
|
147
|
+
* @param buffer - The buffer containing TLS data
|
|
148
|
+
* @param connectionInfo - Connection metadata (IPs and ports)
|
|
149
|
+
* @param enableLogging - Whether to enable detailed debug logging
|
|
150
|
+
* @param cachedSni - Optional cached SNI from previous connections (for racing detection)
|
|
151
|
+
* @returns The extracted server name or undefined if not found or more data needed
|
|
152
|
+
*/
|
|
153
|
+
static processTlsPacket(buffer: Buffer, connectionInfo: {
|
|
154
|
+
sourceIp: string;
|
|
155
|
+
sourcePort: number;
|
|
156
|
+
destIp: string;
|
|
157
|
+
destPort: number;
|
|
158
|
+
timestamp?: number;
|
|
159
|
+
}, enableLogging?: boolean, cachedSni?: string): string | undefined;
|
|
160
|
+
}
|