lemon-tls 0.2.0 → 0.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lemon-tls",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Zero-dependency TLS 1.3/1.2 implementation for Node.js — full control over cryptographic keys, record layer, and handshake. Drop-in replacement for node:tls with advanced options impossible in OpenSSL.",
   "main": "index.js",
   "type": "module",

package/src/session/ecdh.js

@@ -53,9 +53,33 @@ function p256_get_shared_secret(localPrivateRaw, remotePublicRaw) {
   return new Uint8Array(ecdh.computeSecret(Buffer.from(remotePublicRaw)));
 }
 
+/**
+ * Generate a P-384 keypair. Returns { private_key: Uint8Array(48), public_key: Uint8Array(97) }.
+ * Public key is uncompressed format (0x04 || x || y).
+ */
+function p384_generate_keypair() {
+  let ecdh = crypto.createECDH('secp384r1');
+  ecdh.generateKeys();
+  return {
+    private_key: new Uint8Array(ecdh.getPrivateKey()),
+    public_key: new Uint8Array(ecdh.getPublicKey(null, 'uncompressed'))
+  };
+}
+
+/**
+ * Compute P-384 shared secret (raw x-coordinate, 48 bytes).
+ */
+function p384_get_shared_secret(localPrivateRaw, remotePublicRaw) {
+  let ecdh = crypto.createECDH('secp384r1');
+  ecdh.setPrivateKey(Buffer.from(localPrivateRaw));
+  return new Uint8Array(ecdh.computeSecret(Buffer.from(remotePublicRaw)));
+}
+
 export {
   x25519_get_public_key,
   x25519_get_shared_secret,
   p256_generate_keypair,
-  p256_get_shared_secret
+  p256_get_shared_secret,
+  p384_generate_keypair,
+  p384_get_shared_secret
 };

package/src/tls_session.js

@@ -28,7 +28,7 @@ import * as wire from './wire.js';
 // Extracted modules
 import { pick_scheme, sign_with_scheme } from './session/signing.js';
 import createSecureContext from './secure_context.js';
-import { x25519_get_public_key, x25519_get_shared_secret, p256_generate_keypair, p256_get_shared_secret } from './session/ecdh.js';
+import { x25519_get_public_key, x25519_get_shared_secret, p256_generate_keypair, p256_get_shared_secret, p384_generate_keypair, p384_get_shared_secret } from './session/ecdh.js';
 import { build_tls_message, parse_tls_message } from './session/message.js';
 
 
@@ -57,7 +57,7 @@ function TLSSession(options){
 
     //local stuff...
     local_sni: options.servername || null,
-    local_session_id: null,
+    local_session_id: 'sessionId' in options ? options.sessionId : null,
 
     local_random: null,
     local_extensions: [],
@@ -267,19 +267,26 @@ function TLSSession(options){
         if (!hrrCipher) hrrCipher = 0x1301;
         let hashName = TLS_CIPHER_SUITES[hrrCipher] ? TLS_CIPHER_SUITES[hrrCipher].hash : 'sha256';
 
-        // Replace transcript: CH1 → message_hash
+        // Replace transcript: CH1 → message_hash (RFC 8446 §4.4.1)
+        // BUG FIX: The HRR was already pushed to transcript at the top of this block (line 195).
+        // We must remove it before hashing, since message_hash = Hash(ClientHello1) only.
+        let hrrData = context.transcript.pop(); // remove HRR
         let ch1_hash = getHashFn(hashName)(concatUint8Arrays(context.transcript));
         let message_hash = wire.build_message(wire.TLS_MESSAGE_TYPE.MESSAGE_HASH, ch1_hash);
-        context.transcript = [message_hash, data]; // message_hash + HRR
+        context.transcript = [message_hash, hrrData]; // message_hash + HRR
 
-        // Find the requested group from HRR extensions
+        // Find the requested group from HRR key_share extension
+        // After wire.js fix, key_groups contains [{group: N, key_exchange: empty}] for HRR
         let requestedGroup = null;
-        if (message.supported_groups && message.supported_groups.length > 0) {
-          requestedGroup = message.supported_groups[0];
-        } else if (message.key_groups && message.key_groups.length > 0) {
+        if (message.key_groups && message.key_groups.length > 0) {
           requestedGroup = message.key_groups[0].group;
+        } else if (message.supported_groups && message.supported_groups.length > 0) {
+          requestedGroup = message.supported_groups[0];
         }
 
+        // Extract cookie from HRR (if present, must be echoed in CH2)
+        let hrrCookie = message.cookie || null;
+
         if (requestedGroup) {
           // Generate key for the requested group
           let newKeyGroup = null;
@@ -292,21 +299,52 @@ function TLSSession(options){
             let kp = p256_generate_keypair();
             newKeyGroup = { group: requestedGroup, public_key: kp.public_key, private_key: kp.private_key };
             context.local_key_groups[requestedGroup] = { public_key: kp.public_key, private_key: kp.private_key };
+          } else if (requestedGroup === 0x0018) {
+            let kp = p384_generate_keypair();
+            newKeyGroup = { group: requestedGroup, public_key: kp.public_key, private_key: kp.private_key };
+            context.local_key_groups[requestedGroup] = { public_key: kp.public_key, private_key: kp.private_key };
           }
 
           if (newKeyGroup) {
-            // Build and send new ClientHello (CH2) with key_share for requested group
+            // Build and send new ClientHello (CH2) with:
+            // - key_share for requested group
+            // - cookie (if HRR included one)
+            // - ALPN (same as CH1)
+            // - custom extensions (QUIC transport params etc.)
+            // - same cipher_suites, session_id, random as CH1
             let extensions = [
               { type: 'SUPPORTED_VERSIONS', value: context.local_supported_versions },
               { type: 'SUPPORTED_GROUPS', value: context.local_supported_groups },
               { type: 'KEY_SHARE', value: [{ group: requestedGroup, key_exchange: newKeyGroup.public_key }] },
-              { type: 'SIGNATURE_ALGORITHMS', value: context.local_supported_signature_algorithms.length > 0 ?
-                  context.local_supported_signature_algorithms : [0x0804, 0x0805, 0x0806, 0x0403, 0x0503, 0x0603, 0x0401, 0x0501, 0x0601] },
+              { type: 'SIGNATURE_ALGORITHMS', value: [
+                  // Must match CH1 exactly (RFC 8446 §4.1.2)
+                  0x0804, 0x0805, 0x0806,
+                  0x0403, 0x0503, 0x0603,
+                  0x0807, 0x0808,
+                  0x0401, 0x0501, 0x0601
+              ] },
               { type: 'RENEGOTIATION_INFO', value: new Uint8Array(0) },
-              { type: 23, data: new Uint8Array(0) },
+              { type: 23, data: new Uint8Array(0) }, // extended_master_secret
             ];
+
+            // SNI (must be first)
             if (context.local_sni) extensions.unshift({ type: 'SERVER_NAME', value: context.local_sni });
 
+            // ALPN (same as CH1 — required for QUIC/h3)
+            if (context.local_supported_alpns && context.local_supported_alpns.length > 0) {
+              extensions.push({ type: 'ALPN', value: context.local_supported_alpns });
+            }
+
+            // Cookie from HRR (RFC 8446 §4.2.2 — MUST echo if present)
+            if (hrrCookie) {
+              extensions.push({ type: 'COOKIE', value: hrrCookie });
+            }
+
+            // Custom extensions (e.g. QUIC transport params 0x39)
+            for (let ci in context.local_extensions) {
+              extensions.push(context.local_extensions[ci]);
+            }
+
             let ch2 = build_tls_message({
               type: 'client_hello',
               version: 0x0303,
@@ -780,6 +818,9 @@ function TLSSession(options){
         if(context.remote_app_traffic_secret==null && options.remote_app_traffic_secret!==null){
           context.remote_app_traffic_secret=options.remote_app_traffic_secret;
           has_changed=true;
+          if(context.local_app_traffic_secret!==null){
+            ev.emit('appSecrets', context.local_app_traffic_secret, context.remote_app_traffic_secret);
+          }
         }
       }
 
@@ -787,6 +828,9 @@ function TLSSession(options){
         if(context.local_app_traffic_secret==null && options.local_app_traffic_secret!==null){
           context.local_app_traffic_secret=options.local_app_traffic_secret;
           has_changed=true;
+          if(context.remote_app_traffic_secret!==null){
+            ev.emit('appSecrets', context.local_app_traffic_secret, context.remote_app_traffic_secret);
+          }
         }
       }
 
@@ -948,6 +992,20 @@ function TLSSession(options){
             }
           ];
 
+        } else if (context.selected_group === 0x0018) {
+
+          let kp = p384_generate_keypair();
+          let private_key = kp.private_key;
+          let public_key  = kp.public_key;
+
+          params_to_set['add_local_key_groups']=[
+            {
+              group: context.selected_group,
+              private_key: private_key,
+              public_key: public_key
+            }
+          ];
+
         }
 
         
@@ -974,6 +1032,12 @@ function TLSSession(options){
 
             params_to_set['ecdhe_shared_secret']=ecdhe_shared_secret;
 
+          } else if (context.selected_group === 0x0018) { // secp384r1 (P-384)
+
+            let ecdhe_shared_secret = p384_get_shared_secret(local_private_key, remote_public_key);
+
+            params_to_set['ecdhe_shared_secret']=ecdhe_shared_secret;
+
           }
 
         }
@@ -1003,6 +1067,7 @@ function TLSSession(options){
             cipher_suite: context.selected_cipher_suite,
             selected_version: wire.TLS_VERSION.TLS1_3,
             selected_group: context.selected_group,
+            session_id: context.remote_session_id,
           });
           let hrr_data = wire.build_message(wire.TLS_MESSAGE_TYPE.SERVER_HELLO, hrr_body);
           context.transcript.push(hrr_data);
@@ -1027,7 +1092,10 @@ function TLSSession(options){
           if(context.selected_version!==null && context.selected_cipher_suite!==null && context.selected_session_id!==null){
             if(context.selected_version === wire.TLS_VERSION.TLS1_3){
               if(context.selected_group in context.local_key_groups==true && context.local_key_groups[context.selected_group].public_key!==null){
-                can_send_hello=true;
+                // After HRR, don't send ServerHello until CH2 provides the requested key_share
+                if (!context.helloRetried || (context.selected_group in context.remote_key_groups)) {
+                  can_send_hello=true;
+                }
               }
             }else if(context.selected_version === wire.TLS_VERSION.TLS1_2){
               can_send_hello=true;
@@ -1926,6 +1994,16 @@ function TLSSession(options){
         extensions.unshift({ type: 'SERVER_NAME', value: context.local_sni });
       }
 
+      // Add ALPN if provided (e.g. 'h3' for QUIC)
+      if (context.local_supported_alpns && context.local_supported_alpns.length > 0) {
+        extensions.push({ type: 'ALPN', value: context.local_supported_alpns });
+      }
+
+      // Add custom extensions (e.g. QUIC transport params 0x39)
+      for (let i in context.local_extensions) {
+        extensions.push(context.local_extensions[i]);
+      }
+
       // PSK resumption: check if session/psk was provided
       let pskData = options.session || options.psk || null;
       let message_data;
@@ -2144,7 +2222,7 @@ function TLSSession(options){
         cipher: context.selected_cipher_suite,
         cipherName: cipherInfo ? cipherInfo.name : null,
         group: context.selected_group,
-        groupName: context.selected_group === 0x001d ? 'X25519' : context.selected_group === 0x0017 ? 'P-256' : null,
+        groupName: context.selected_group === 0x001d ? 'X25519' : context.selected_group === 0x0017 ? 'P-256' : context.selected_group === 0x0018 ? 'P-384' : null,
         signatureAlgorithm: context.selected_signature_algorithm,
         alpn: context.selected_alpn,
         sni: context.selected_sni || context.local_sni,

package/src/wire.js

@@ -220,6 +220,7 @@ exts.SIGNATURE_ALGORITHMS = { encode: null, decode: null };
 exts.PSK_KEY_EXCHANGE_MODES = { encode: null, decode: null };
 exts.KEY_SHARE = { encode: null, decode: null };
 exts.ALPN = { encode: null, decode: null };
+exts.COOKIE = { encode: null, decode: null };
 exts.RENEGOTIATION_INFO = { encode: null, decode: null };
 
 /* ------------------------------ SERVER_NAME (0) ------------------------------ */
@@ -527,6 +528,13 @@ exts.KEY_SHARE.encode = function (value) {
 };
 
 exts.KEY_SHARE.decode = function (data) {
+  // HelloRetryRequest form: just NamedGroup (2 bytes, no key_exchange)
+  if (data.length === 2) {
+    let g, off = 0;
+    [g, off] = r_u16(data, off);
+    return [{ group: g, key_exchange: new Uint8Array(0) }];
+  }
+
   // Try ServerHello form: group(2) + len(2) + key
   if (data.length >= 4) {
     let g, off = 0;
@@ -627,6 +635,19 @@ exts.RENEGOTIATION_INFO.decode = function (data) {
   return v; // return raw bytes (Uint8Array)
 };
 
+/* -------------------------------- COOKIE (44) -------------------------------- */
+exts.COOKIE.encode = function (value) {
+  let v = toU8(value || new Uint8Array(0));
+  return veclen(2, v);
+};
+
+exts.COOKIE.decode = function (data) {
+  let off = 0;
+  let v;
+  [v, off] = readVec(data, off, 2);
+  return v; // Uint8Array — opaque cookie
+};
+
 /* ============================= Extensions helpers ============================= */
 function ext_name_by_code(code) {
   // best-effort pretty name
@@ -1204,21 +1225,23 @@ function parse_certificate_request(body) {
 
 /* ============================== TLS 1.3 HelloRetryRequest ============================== */
 function build_hello_retry_request(params) {
-  // params: { cipher_suite, selected_version, selected_group, cookie?: Uint8Array|string, other_exts?: list }
+  // params: { cipher_suite, selected_version, selected_group, session_id?, cookie?, other_exts? }
   let rnd = TLS13_HRR_RANDOM;
-  const sid = new Uint8Array(0);
+  let sid = (params && params.session_id) ? toU8(params.session_id) : new Uint8Array(0);
   let legacy_version = TLS_VERSION.TLS1_2;
 
   let extList = [];
   // supported_versions (selected)
   extList.push({ type: 'SUPPORTED_VERSIONS', value: (params && params.selected_version) || TLS_VERSION.TLS1_3 });
-  // key_share: only selected_group (no key)
+  // key_share: HRR format = just NamedGroup (2 bytes), NOT ServerHello format
   if (params && params.selected_group != null) {
-    extList.push({ type: 'KEY_SHARE', value: { selected_group: params.selected_group, key_exchange: new Uint8Array(0) } });
+    let ks_data = new Uint8Array(2);
+    ks_data[0] = (params.selected_group >> 8) & 0xff;
+    ks_data[1] = params.selected_group & 0xff;
+    extList.push({ type: 0x0033, data: ks_data });
   }
   // cookie if supplied
   if (params && params.cookie) {
-    if (!exts.COOKIE) { exts.COOKIE = { encode: function(v){ return veclen(2, toU8(v||'')); }, decode: function(d){ let off=0,v; [v,off]=readVec(d,0,2); return v; } }; }
     extList.push({ type: 'COOKIE', value: params.cookie });
   }
   // other extensions passthrough
@@ -1229,12 +1252,13 @@ function build_hello_retry_request(params) {
   let extsBuf = build_extensions(extList);
   let cipher_suite = (params && typeof params.cipher_suite==='number') ? params.cipher_suite : 0x1301;
 
-  // Wire = legacy_version + random + sid + cipher_suite + compression(0) + extensions
-  const out = new Uint8Array(2 + 32 + 1 + 0 + 2 + 1 + extsBuf.length);
+  // Wire = legacy_version + random + sid_len + sid + cipher_suite + compression(0) + extensions
+  const out = new Uint8Array(2 + 32 + 1 + sid.length + 2 + 1 + extsBuf.length);
   let off = 0;
   off = w_u16(out, off, legacy_version);
   off = w_bytes(out, off, rnd);
-  off = w_u8(out, off, 0);
+  off = w_u8(out, off, sid.length);
+  if (sid.length > 0) off = w_bytes(out, off, sid);
   off = w_u16(out, off, cipher_suite);
   off = w_u8(out, off, 0);
   off = w_bytes(out, off, extsBuf);