lemon-tls 0.2.2 → 0.3.0

package/src/record.js

@@ -42,46 +42,189 @@ function deriveKeys(trafficSecret, cipherSuite) {
   };
 }
 
-/** TLS 1.3 nonce: IV XOR zero-padded 64-bit sequence number. */
+/**
+ * TLS 1.3 nonce: IV XOR zero-padded 64-bit sequence number.
+ *
+ * Perf-critical: called on every encrypted record. Uses Number arithmetic
+ * (safe for seq < 2^53, vastly exceeds practical TLS limits) instead of BigInt,
+ * which is ~20x slower in V8. Single allocation, unrolled XOR loop.
+ */
 function getNonce(iv, seq) {
-  const seqBuf = new Uint8Array(12);
-  const view = new DataView(seqBuf.buffer);
-  view.setBigUint64(4, BigInt(seq));
   const nonce = new Uint8Array(12);
-  for (let i = 0; i < 12; i++) nonce[i] = iv[i] ^ seqBuf[i];
+  // High 4 bytes of IV are XOR'd with zeros (seq top bits) — just copy
+  nonce[0] = iv[0]; nonce[1] = iv[1]; nonce[2] = iv[2]; nonce[3] = iv[3];
+  // Split seq into hi/lo 32-bit halves (seq < 2^53 is safe)
+  const hi = (seq / 0x100000000) | 0;
+  const lo = seq >>> 0;
+  nonce[4]  = iv[4]  ^ ((hi >>> 24) & 0xff);
+  nonce[5]  = iv[5]  ^ ((hi >>> 16) & 0xff);
+  nonce[6]  = iv[6]  ^ ((hi >>> 8)  & 0xff);
+  nonce[7]  = iv[7]  ^ ( hi         & 0xff);
+  nonce[8]  = iv[8]  ^ ((lo >>> 24) & 0xff);
+  nonce[9]  = iv[9]  ^ ((lo >>> 16) & 0xff);
+  nonce[10] = iv[10] ^ ((lo >>> 8)  & 0xff);
+  nonce[11] = iv[11] ^ ( lo         & 0xff);
   return nonce;
 }
 
 /**
- * Encrypt a TLS 1.3 record (TLSInnerPlaintext).
+ * Same as getNonce but writes into a provided output buffer instead of
+ * allocating a fresh one. Returns the same buffer for chaining.
+ *
+ * Use this when you have a per-connection reusable nonce scratch buffer —
+ * TLS processing is synchronous per connection, and Node's crypto.createCipheriv
+ * copies the nonce into OpenSSL state, so we can safely reuse the same buffer
+ * across records.
+ *
+ * Saves 12 bytes × records of allocations. For a 10MB transfer (640 records)
+ * that's ~7.7KB of garbage eliminated.
+ */
+function getNonceInto(out, iv, seq) {
+  out[0] = iv[0]; out[1] = iv[1]; out[2] = iv[2]; out[3] = iv[3];
+  const hi = (seq / 0x100000000) | 0;
+  const lo = seq >>> 0;
+  out[4]  = iv[4]  ^ ((hi >>> 24) & 0xff);
+  out[5]  = iv[5]  ^ ((hi >>> 16) & 0xff);
+  out[6]  = iv[6]  ^ ((hi >>> 8)  & 0xff);
+  out[7]  = iv[7]  ^ ( hi         & 0xff);
+  out[8]  = iv[8]  ^ ((lo >>> 24) & 0xff);
+  out[9]  = iv[9]  ^ ((lo >>> 16) & 0xff);
+  out[10] = iv[10] ^ ((lo >>> 8)  & 0xff);
+  out[11] = iv[11] ^ ( lo         & 0xff);
+  return out;
+}
+
+/**
+ * Encrypt a TLS 1.3 record (TLSInnerPlaintext = plaintext || inner_content_type).
  * Returns ciphertext || tag (without record header).
+ *
+ * Perf: uses two cipher.update() calls (plaintext, then 1-byte inner type) instead
+ * of allocating and copying a +1-byte buffer. For 16KB records this saves ~16KB
+ * of allocation and copy per encrypted record.
  */
 function encryptRecord(innerType, plaintext, key, nonce, algo) {
-  const full = new Uint8Array(plaintext.length + 1);
-  full.set(plaintext);
-  full[plaintext.length] = innerType;
-
-  const recLen = full.length + 16;
-  const aad = new Uint8Array([0x17, 0x03, 0x03, (recLen >>> 8) & 0xff, recLen & 0xff]);
+  const ptLen = plaintext.length;
+  const recLen = ptLen + 1 + 16; // plaintext + inner_type + tag
+  const aad = new Uint8Array(5);
+  aad[0] = 0x17; aad[1] = 0x03; aad[2] = 0x03;
+  aad[3] = (recLen >>> 8) & 0xff;
+  aad[4] = recLen & 0xff;
 
   if (!algo) algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
-  let isChaCha = algo === 'chacha20-poly1305';
-  let cipher = crypto.createCipheriv(algo, key, nonce, isChaCha ? { authTagLength: 16 } : undefined);
-  cipher.setAAD(aad, isChaCha ? { plaintextLength: full.length } : undefined);
-  let ct = cipher.update(full);
+  const isChaCha = algo === 'chacha20-poly1305';
+  const cipher = crypto.createCipheriv(algo, key, nonce, isChaCha ? { authTagLength: 16 } : undefined);
+  cipher.setAAD(aad, isChaCha ? { plaintextLength: ptLen + 1 } : undefined);
+
+  // Stream: plaintext first, then the 1-byte inner content type
+  const ct1 = cipher.update(plaintext);
+  // Reuse a single-byte scratch for inner type — tiny allocation, unavoidable
+  const innerBuf = new Uint8Array(1);
+  innerBuf[0] = innerType;
+  const ct2 = cipher.update(innerBuf);
   cipher.final();
-  let tag = cipher.getAuthTag();
+  const tag = cipher.getAuthTag();
 
-  let out = new Uint8Array(ct.length + tag.length);
-  out.set(ct, 0);
-  out.set(tag, ct.length);
+  // AES-GCM and ChaCha20-Poly1305 are stream ciphers → ct1.length + ct2.length === ptLen + 1
+  const out = new Uint8Array(ct1.length + ct2.length + tag.length);
+  out.set(ct1, 0);
+  if (ct2.length > 0) out.set(ct2, ct1.length);
+  out.set(tag, ct1.length + ct2.length);
   return out;
 }
 
+// Pre-allocated single-byte buffers for inner content type. Avoids allocating a
+// new 1-byte Uint8Array for every encrypted record (25 bytes × records adds up
+// in garbage — 640 records for 10MB = 16KB of pointless allocations).
+const _INNER_TYPE_BUFS = new Array(256);
+for (let i = 0; i < 256; i++) {
+  const b = new Uint8Array(1);
+  b[0] = i;
+  _INNER_TYPE_BUFS[i] = b;
+}
+
+/**
+ * Encrypt a TLS 1.3 record directly into a complete TLS record buffer (5-byte
+ * header + ciphertext + inner type + tag), ready to hand to transport.write().
+ *
+ * Single-allocation + single-update hot-path version — the biggest throughput
+ * optimization we have for TLS 1.3 bulk data.
+ *
+ * Strategy:
+ *   1. Allocate rec of the full final size upfront.
+ *   2. Write record header (5 bytes) — also serves as AAD (TLS 1.3 AAD == header).
+ *   3. Stage plaintext + inner_type byte into rec[5 .. 5+ptLen+1]. This is a
+ *      16KB copy we pay for up front but it lets us call cipher.update ONCE
+ *      with a single contiguous input.
+ *   4. cipher.setAAD(rec.subarray(0, 5)) — view, no alloc.
+ *   5. cipher.update(rec.subarray(5, 5+ptLen+1)) — one call, returns ct of
+ *      same size (AES-GCM is a stream cipher). We then copy ct back into rec,
+ *      overwriting the staged plaintext with ciphertext.
+ *   6. Write the 16-byte auth tag at the end.
+ *
+ * Why single-update beats two updates (plaintext then [inner_type]):
+ *   - Each cipher.update call crosses the JS↔C boundary (~1-3μs overhead).
+ *     For 640 records per 10MB transfer, skipping one call per record saves
+ *     ~0.6-2ms per transfer.
+ *   - Avoids the small Buffer object wrapper Node creates for the 1-byte ct2.
+ *
+ * Why the extra plaintext→rec copy is cheap:
+ *   - memcpy throughput is ~20GB/s → a 16KB copy is ~800ns.
+ *   - For 640 records, total extra copy time is ~500μs, dominated by the
+ *     2-4ms of cipher.update overhead we avoid.
+ *
+ * Net savings per record: ~1-2μs. Per 10MB transfer: ~1-2ms on encryption
+ * hot path — meaningful on top of the ~25ms actual AES work.
+ *
+ * Note: outer record type for encrypted TLS 1.3 records is ALWAYS 0x17
+ * (application_data) regardless of inner type — the real type is encrypted
+ * in the inner byte.
+ */
+function encryptCompleteRecord13(innerType, plaintext, key, nonce, algo, version) {
+  const ptLen = plaintext.length;
+  const payloadLen = ptLen + 1 + 16; // inner_type + tag
+  const ver = version || 0x0303;
+
+  const rec = Buffer.allocUnsafe(5 + payloadLen);
+  // Record header (also used as AAD)
+  rec[0] = 0x17; // outer type always application_data for encrypted records
+  rec[1] = (ver >>> 8) & 0xff;
+  rec[2] = ver & 0xff;
+  rec[3] = (payloadLen >>> 8) & 0xff;
+  rec[4] = payloadLen & 0xff;
+
+  // Stage plaintext + inner_type byte at rec[5 .. 5+ptLen+1].
+  // cipher.update will read from this view, and we'll overwrite it with
+  // ciphertext immediately after.
+  if (plaintext.length > 0) {
+    // Buffer.prototype.copy and Uint8Array.set both work; .set is faster for Uint8Array src.
+    if (plaintext.copy) plaintext.copy(rec, 5);
+    else rec.set(plaintext, 5);
+  }
+  rec[5 + ptLen] = innerType & 0xff;
+
+  if (!algo) algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
+  const isChaCha = algo === 'chacha20-poly1305';
+  const cipher = crypto.createCipheriv(algo, key, nonce, isChaCha ? { authTagLength: 16 } : undefined);
+  cipher.setAAD(rec.subarray(0, 5), isChaCha ? { plaintextLength: ptLen + 1 } : undefined);
+
+  // Single update reading plaintext+innerType from rec, writing ciphertext
+  // back into rec (overwriting the staged plaintext). ct.length === ptLen + 1.
+  const ct = cipher.update(rec.subarray(5, 5 + ptLen + 1));
+  ct.copy(rec, 5);
+
+  cipher.final();
+  cipher.getAuthTag().copy(rec, 5 + ct.length);
+
+  return rec;
+}
+
 /**
  * Decrypt a TLS 1.3 record.
  * Input: raw ciphertext || tag (without record header).
  * Returns full TLSInnerPlaintext (content || content_type || padding).
+ *
+ * Perf: returns Node Buffer directly (which IS a Uint8Array subclass) — avoids
+ * a redundant copy into a plain Uint8Array.
  */
 function decryptRecord(ciphertext, key, nonce, algo) {
   const aad = new Uint8Array(5);
@@ -89,25 +232,59 @@ function decryptRecord(ciphertext, key, nonce, algo) {
   aad[3] = (ciphertext.length >> 8) & 0xff;
   aad[4] = ciphertext.length & 0xff;
 
-  let ct  = ciphertext.subarray(0, ciphertext.length - 16);
-  let tag = ciphertext.subarray(ciphertext.length - 16);
+  const ct  = ciphertext.subarray(0, ciphertext.length - 16);
+  const tag = ciphertext.subarray(ciphertext.length - 16);
 
   if (!algo) algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
-  let isChaCha = algo === 'chacha20-poly1305';
-  let decipher = crypto.createDecipheriv(algo, key, nonce, isChaCha ? { authTagLength: 16 } : undefined);
+  const isChaCha = algo === 'chacha20-poly1305';
+  const decipher = crypto.createDecipheriv(algo, key, nonce, isChaCha ? { authTagLength: 16 } : undefined);
   decipher.setAAD(aad, isChaCha ? { plaintextLength: ct.length } : undefined);
   decipher.setAuthTag(tag);
-  let pt = decipher.update(ct);
+  const pt = decipher.update(ct);
   decipher.final();
-  return new Uint8Array(pt);
+  return pt;
+}
+
+/**
+ * Decrypt a TLS 1.3 record using an AAD view taken directly from the record
+ * buffer's header — no fresh AAD allocation. Use this when the caller has
+ * access to the original record header bytes (e.g., parseRecordsAndDispatch
+ * has the full readBuffer and knows the offset of the record).
+ *
+ * aadView must be the 5 bytes that precede `ciphertext` in the original record:
+ *   [type, version_hi, version_lo, length_hi, length_lo]
+ *
+ * Saves a 5-byte allocation per decrypt. For 640 records in a 10MB transfer,
+ * that's 3.2KB of avoided allocations — small on its own but part of the
+ * ongoing effort to reduce per-record GC pressure.
+ */
+function decryptRecordWithAadView(aadView, ciphertext, key, nonce, algo) {
+  const ct  = ciphertext.subarray(0, ciphertext.length - 16);
+  const tag = ciphertext.subarray(ciphertext.length - 16);
+
+  if (!algo) algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
+  const isChaCha = algo === 'chacha20-poly1305';
+  const decipher = crypto.createDecipheriv(algo, key, nonce, isChaCha ? { authTagLength: 16 } : undefined);
+  decipher.setAAD(aadView, isChaCha ? { plaintextLength: ct.length } : undefined);
+  decipher.setAuthTag(tag);
+  const pt = decipher.update(ct);
+  decipher.final();
+  return pt;
 }
 
 /** Strip trailing zeros and extract content_type from TLSInnerPlaintext. */
+/**
+ * Strip trailing zeros and extract content_type from TLSInnerPlaintext.
+ *
+ * Perf: returns a `subarray` (zero-copy view) rather than `slice`. When `data` is
+ * a Node Buffer these are equivalent, but being explicit makes the behaviour
+ * uniform across Buffer / Uint8Array inputs and documents the intent.
+ */
 function parseInnerPlaintext(data) {
   let j = data.length - 1;
   while (j >= 0 && data[j] === 0) j--;
   if (j < 0) throw new Error('Malformed TLSInnerPlaintext');
-  return { type: data[j], content: data.slice(0, j) };
+  return { type: data[j], content: data.subarray(0, j) };
 }
 
 // ===================== TLS 1.2 primitives =====================
@@ -120,18 +297,41 @@ function getNonce12(salt4, explicit8) {
   return out;
 }
 
-/** Encode sequence number as 8-byte big-endian. */
+/**
+ * Encode sequence number as 8-byte big-endian.
+ * Perf: uses Number arithmetic (seq < 2^53 is always safe for TLS).
+ */
 function seqToBytes(seq) {
   const buf = new Uint8Array(8);
-  let bn = BigInt(seq);
-  for (let i = 0; i < 8; i++) buf[7 - i] = Number((bn >> BigInt(8 * i)) & 0xffn);
+  const hi = (seq / 0x100000000) | 0;
+  const lo = seq >>> 0;
+  buf[0] = (hi >>> 24) & 0xff;
+  buf[1] = (hi >>> 16) & 0xff;
+  buf[2] = (hi >>> 8)  & 0xff;
+  buf[3] =  hi         & 0xff;
+  buf[4] = (lo >>> 24) & 0xff;
+  buf[5] = (lo >>> 16) & 0xff;
+  buf[6] = (lo >>> 8)  & 0xff;
+  buf[7] =  lo         & 0xff;
   return buf;
 }
 
-/** TLS 1.2 AAD: seq(8) || type(1) || version(2) || length(2). */
+/**
+ * TLS 1.2 AAD: seq(8) || type(1) || version(2) || length(2).
+ * Perf: inlines seqToBytes to avoid an extra allocation + copy.
+ */
 function buildAad12(seqNum, recordType, plaintextLen) {
   const aad = new Uint8Array(13);
-  aad.set(seqToBytes(seqNum), 0);
+  const hi = (seqNum / 0x100000000) | 0;
+  const lo = seqNum >>> 0;
+  aad[0] = (hi >>> 24) & 0xff;
+  aad[1] = (hi >>> 16) & 0xff;
+  aad[2] = (hi >>> 8)  & 0xff;
+  aad[3] =  hi         & 0xff;
+  aad[4] = (lo >>> 24) & 0xff;
+  aad[5] = (lo >>> 16) & 0xff;
+  aad[6] = (lo >>> 8)  & 0xff;
+  aad[7] =  lo         & 0xff;
   aad[8]  = recordType & 0xff;
   aad[9]  = 0x03;
   aad[10] = 0x03;
@@ -140,44 +340,171 @@ function buildAad12(seqNum, recordType, plaintextLen) {
   return aad;
 }
 
-/** Encrypt a TLS 1.2 GCM record fragment. Returns explicit_nonce(8) || ciphertext || tag(16). */
+/**
+ * Encrypt a TLS 1.2 GCM record fragment. Returns explicit_nonce(8) || ciphertext || tag(16).
+ * Perf: computes seq-bytes once for both explicit nonce and AAD (was computed twice).
+ */
 function encrypt12(pt, key, salt4, seqNum, recordType) {
-  let explicit = seqToBytes(seqNum);
-  let nonce = getNonce12(salt4, explicit);
-  let aad = buildAad12(seqNum, recordType, pt.length);
+  // Shared big-endian seq encoding (used as both explicit_nonce and AAD[0..8])
+  const hi = (seqNum / 0x100000000) | 0;
+  const lo = seqNum >>> 0;
 
-  let algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
-  let cipher = crypto.createCipheriv(algo, key, nonce);
+  // Nonce = salt4(4) || seq(8)
+  const nonce = new Uint8Array(12);
+  nonce[0] = salt4[0]; nonce[1] = salt4[1]; nonce[2] = salt4[2]; nonce[3] = salt4[3];
+  nonce[4] = (hi >>> 24) & 0xff;
+  nonce[5] = (hi >>> 16) & 0xff;
+  nonce[6] = (hi >>> 8)  & 0xff;
+  nonce[7] =  hi         & 0xff;
+  nonce[8] = (lo >>> 24) & 0xff;
+  nonce[9] = (lo >>> 16) & 0xff;
+  nonce[10] = (lo >>> 8) & 0xff;
+  nonce[11] =  lo        & 0xff;
+
+  // AAD = seq(8) || type(1) || 03 03 || length(2)
+  const aad = new Uint8Array(13);
+  aad[0] = nonce[4]; aad[1] = nonce[5]; aad[2] = nonce[6]; aad[3] = nonce[7];
+  aad[4] = nonce[8]; aad[5] = nonce[9]; aad[6] = nonce[10]; aad[7] = nonce[11];
+  aad[8]  = recordType & 0xff;
+  aad[9]  = 0x03;
+  aad[10] = 0x03;
+  aad[11] = (pt.length >>> 8) & 0xff;
+  aad[12] = pt.length & 0xff;
+
+  const algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
+  const cipher = crypto.createCipheriv(algo, key, nonce);
   cipher.setAAD(aad);
-  let ct = cipher.update(pt);
+  const ct = cipher.update(pt);
   cipher.final();
-  let tag = cipher.getAuthTag();
+  const tag = cipher.getAuthTag();
 
-  let out = new Uint8Array(8 + ct.length + tag.length);
-  out.set(explicit, 0);
+  // Output: explicit_nonce(8) || ct || tag(16)
+  const out = new Uint8Array(8 + ct.length + tag.length);
+  // explicit_nonce = seq bytes (nonce[4..12])
+  out[0] = nonce[4]; out[1] = nonce[5]; out[2] = nonce[6]; out[3] = nonce[7];
+  out[4] = nonce[8]; out[5] = nonce[9]; out[6] = nonce[10]; out[7] = nonce[11];
   out.set(ct, 8);
   out.set(tag, 8 + ct.length);
   return out;
 }
 
-/** Decrypt a TLS 1.2 GCM record fragment. Input: explicit_nonce(8) || ciphertext || tag(16). */
+/**
+ * Encrypt a TLS 1.2 GCM record directly into a complete TLS record buffer
+ * (5-byte header + 8-byte explicit_iv + ciphertext + 16-byte tag).
+ *
+ * Same "single allocation, single bulk copy" principle as encryptCompleteRecord13,
+ * but TLS 1.2 has extra complications:
+ *   - AAD is NOT the record header (it's seq || type || version || length)
+ *   - Record body has an 8-byte explicit_iv prefix before the ciphertext
+ *
+ * The seq bytes used in nonce are the SAME bytes written as explicit_iv —
+ * so we write them once into rec[5..13] and reference them from there, and
+ * we copy them into the nonce inline. Old flow needed a separate 'out' buffer
+ * with explicit_iv || ct || tag plus an 8-byte out[0..7] copy; this eliminates
+ * both of those.
+ */
+function encryptCompleteRecord12(pt, key, salt4, seqNum, recordType, version) {
+  const ptLen = pt.length;
+  // Record body: 8 explicit_iv + ptLen ciphertext + 16 tag
+  const bodyLen = 8 + ptLen + 16;
+  const ver = version || 0x0303;
+
+  const rec = Buffer.allocUnsafe(5 + bodyLen);
+  // Record header
+  rec[0] = recordType & 0xff;
+  rec[1] = (ver >>> 8) & 0xff;
+  rec[2] = ver & 0xff;
+  rec[3] = (bodyLen >>> 8) & 0xff;
+  rec[4] = bodyLen & 0xff;
+
+  // Write explicit_iv (= seq bytes) into rec[5..13]
+  const hi = (seqNum / 0x100000000) | 0;
+  const lo = seqNum >>> 0;
+  rec[5]  = (hi >>> 24) & 0xff;
+  rec[6]  = (hi >>> 16) & 0xff;
+  rec[7]  = (hi >>> 8)  & 0xff;
+  rec[8]  =  hi         & 0xff;
+  rec[9]  = (lo >>> 24) & 0xff;
+  rec[10] = (lo >>> 16) & 0xff;
+  rec[11] = (lo >>> 8)  & 0xff;
+  rec[12] =  lo         & 0xff;
+
+  // Nonce = salt4(4) || seq(8) — use the seq bytes we just wrote
+  const nonce = new Uint8Array(12);
+  nonce[0] = salt4[0]; nonce[1] = salt4[1]; nonce[2] = salt4[2]; nonce[3] = salt4[3];
+  nonce[4] = rec[5]; nonce[5] = rec[6]; nonce[6] = rec[7]; nonce[7] = rec[8];
+  nonce[8] = rec[9]; nonce[9] = rec[10]; nonce[10] = rec[11]; nonce[11] = rec[12];
+
+  // AAD = seq(8) || type(1) || 03 03 || plaintextLen(2)
+  // Note: AAD uses the PLAINTEXT length, not the record body length.
+  const aad = new Uint8Array(13);
+  aad[0] = rec[5]; aad[1] = rec[6]; aad[2] = rec[7]; aad[3] = rec[8];
+  aad[4] = rec[9]; aad[5] = rec[10]; aad[6] = rec[11]; aad[7] = rec[12];
+  aad[8]  = recordType & 0xff;
+  aad[9]  = 0x03;
+  aad[10] = 0x03;
+  aad[11] = (ptLen >>> 8) & 0xff;
+  aad[12] = ptLen & 0xff;
+
+  const algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
+  const cipher = crypto.createCipheriv(algo, key, nonce);
+  cipher.setAAD(aad);
+  const ct = cipher.update(pt);
+  cipher.final();
+
+  // Copy ciphertext into rec[13 : 13+ptLen]
+  ct.copy(rec, 13);
+  // Copy tag into rec[13+ptLen : 13+ptLen+16]
+  cipher.getAuthTag().copy(rec, 13 + ct.length);
+
+  return rec;
+}
+
+/**
+ * Decrypt a TLS 1.2 GCM record fragment. Input: explicit_nonce(8) || ciphertext || tag(16).
+ * Perf: subarray (zero-copy views) instead of slice (copies); returns Node Buffer
+ * (which IS a Uint8Array subclass) instead of re-copying to a plain Uint8Array.
+ */
 function decrypt12(fragment, key, salt4, seqNum, recordType) {
   if (fragment.length < 24) throw new Error('TLS 1.2 fragment too short');
 
-  let explicit = fragment.slice(0, 8);
-  let tag      = fragment.slice(fragment.length - 16);
-  let ct       = fragment.slice(8, fragment.length - 16);
+  // Zero-copy views over the input
+  const explicit = fragment.subarray(0, 8);
+  const ct       = fragment.subarray(8, fragment.length - 16);
+  const tag      = fragment.subarray(fragment.length - 16);
+
+  // Nonce = salt4 || explicit
+  const nonce = new Uint8Array(12);
+  nonce[0] = salt4[0]; nonce[1] = salt4[1]; nonce[2] = salt4[2]; nonce[3] = salt4[3];
+  nonce[4] = explicit[0]; nonce[5] = explicit[1]; nonce[6] = explicit[2]; nonce[7] = explicit[3];
+  nonce[8] = explicit[4]; nonce[9] = explicit[5]; nonce[10] = explicit[6]; nonce[11] = explicit[7];
 
-  let nonce = getNonce12(salt4, explicit);
-  let aad = buildAad12(seqNum, recordType, ct.length);
+  // AAD = seq(8) || type(1) || 03 03 || ct.length(2)
+  const aad = new Uint8Array(13);
+  const hi = (seqNum / 0x100000000) | 0;
+  const lo = seqNum >>> 0;
+  aad[0] = (hi >>> 24) & 0xff;
+  aad[1] = (hi >>> 16) & 0xff;
+  aad[2] = (hi >>> 8)  & 0xff;
+  aad[3] =  hi         & 0xff;
+  aad[4] = (lo >>> 24) & 0xff;
+  aad[5] = (lo >>> 16) & 0xff;
+  aad[6] = (lo >>> 8)  & 0xff;
+  aad[7] =  lo         & 0xff;
+  aad[8]  = recordType & 0xff;
+  aad[9]  = 0x03;
+  aad[10] = 0x03;
+  aad[11] = (ct.length >>> 8) & 0xff;
+  aad[12] = ct.length & 0xff;
 
-  let algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
-  let decipher = crypto.createDecipheriv(algo, key, nonce);
+  const algo = key.length === 16 ? 'aes-128-gcm' : 'aes-256-gcm';
+  const decipher = crypto.createDecipheriv(algo, key, nonce);
   decipher.setAAD(aad);
   decipher.setAuthTag(tag);
-  let pt = decipher.update(ct);
+  const pt = decipher.update(ct);
   decipher.final();
-  return new Uint8Array(pt);
+  // Node Buffer extends Uint8Array, so callers that expect Uint8Array work unmodified.
+  return pt;
 }
 
 // ===================== Shared: TLS 1.2 key_block =====================
@@ -198,16 +525,32 @@ function deriveKeys12(masterSecret, localRandom, remoteRandom, cipherSuite, isSe
 /** Content type constants. */
 const CT = { CHANGE_CIPHER_SPEC: 20, ALERT: 21, HANDSHAKE: 22, APPLICATION_DATA: 23, ACK: 26 };
 
-/** Write a raw TLS record to a writable stream. */
+/**
+ * Write a raw TLS record to a writable stream.
+ *
+ * Returns the transport's backpressure signal (true = ready for more, false = buffer
+ * full, wait for 'drain'). Callers should propagate this through the TLS write chain
+ * so user-level sock.write() can apply backpressure correctly.
+ *
+ * Perf: single-copy from payload into the allocated record buffer, using
+ * typed-array `.set()` (fast native memcpy) instead of
+ * `Buffer.from(payload).copy(rec, 5)` which allocates an intermediate Buffer
+ * and does two copies. Also writes the 5-byte header with direct byte
+ * assignments to avoid method call overhead.
+ */
 function writeRecord(transport, type, payload, version) {
-  if (!transport || typeof transport.write !== 'function') return;
-  let ver = version || 0x0303;
-  let rec = Buffer.allocUnsafe(5 + payload.length);
-  rec.writeUInt8(type, 0);
-  rec.writeUInt16BE(ver, 1);
-  rec.writeUInt16BE(payload.length, 3);
-  Buffer.from(payload).copy(rec, 5);
-  transport.write(rec);
+  if (!transport || typeof transport.write !== 'function') return false;
+  const ver = version || 0x0303;
+  const plen = payload.length;
+  const rec = Buffer.allocUnsafe(5 + plen);
+  rec[0] = type;
+  rec[1] = (ver >>> 8) & 0xff;
+  rec[2] = ver & 0xff;
+  rec[3] = (plen >>> 8) & 0xff;
+  rec[4] = plen & 0xff;
+  // Buffer extends Uint8Array → .set() copies in a single pass from any TypedArray/Buffer.
+  rec.set(payload, 5);
+  return transport.write(rec);
 }
 
 // ===================== DTLS binary helpers =====================
@@ -666,8 +1009,11 @@ export {
   // TLS 1.3
   deriveKeys,
   getNonce,
+  getNonceInto, // write nonce into a caller-provided buffer (avoid alloc per record)
   encryptRecord,
+  encryptCompleteRecord13, // fused encrypt + header → single allocation hot path
   decryptRecord,
+  decryptRecordWithAadView, // decrypt using caller-provided header view as AAD (no alloc)
   parseInnerPlaintext,
 
   // TLS 1.2
@@ -675,6 +1021,7 @@ export {
   seqToBytes,
   buildAad12,
   encrypt12,
+  encryptCompleteRecord12, // fused encrypt + header → single allocation hot path
   decrypt12,
   deriveKeys12,
 

package/src/session/message.js

@@ -68,6 +68,15 @@ function normalize_hello(hello) {
         out.heartbeat = value;
       } else if (name === 'USE_SRTP') {
         out.use_srtp = value;
+      } else if (name === 'SESSION_TICKET') {
+        // RFC 5077: opaque ticket bytes (TLS 1.2)
+        // Empty in ClientHello = client supports tickets / non-empty = resume using this ticket
+        // Empty in ServerHello = server will send NewSessionTicket
+        out.session_ticket = value;
+        out.session_ticket_supported = true;
+      } else if (name === 'EXTENDED_MASTER_SECRET') {
+        // RFC 7627: presence signals EMS support
+        out.extended_master_secret = true;
       } else {
         if (!('unknown' in out)) out.unknown = [];
         out.unknown.push(e);
@@ -133,6 +142,12 @@ function build_tls_message(params) {
   } else if (params.type == 'hello_retry_request') {
     type = wire.TLS_MESSAGE_TYPE.SERVER_HELLO; // HRR uses ServerHello type with magic random
     body = wire.build_hello_retry_request(params);
+  } else if (params.type == 'new_session_ticket_tls12') {
+    type = wire.TLS_MESSAGE_TYPE.NEW_SESSION_TICKET;
+    body = wire.build_new_session_ticket_tls12(params);
+  } else if (params.type == 'new_session_ticket') {
+    type = wire.TLS_MESSAGE_TYPE.NEW_SESSION_TICKET;
+    body = wire.build_new_session_ticket(params);
   }
 
   return wire.build_message(type, body);
@@ -141,8 +156,11 @@ function build_tls_message(params) {
 
 /**
  * Parse a raw TLS handshake message into a typed object.
+ * @param {Uint8Array} data            — handshake message bytes
+ * @param {number}     [negotiatedVersion] — optional; 0x0303 for TLS 1.2, 0x0304 for TLS 1.3.
+ *                                           Needed to disambiguate NewSessionTicket wire format.
  */
-function parse_tls_message(data) {
+function parse_tls_message(data, negotiatedVersion) {
   let out = {};
   let message = wire.parse_message(data);
 
@@ -183,7 +201,14 @@ function parse_tls_message(data) {
     out.body = message.body;
 
   } else if (message.type == wire.TLS_MESSAGE_TYPE.NEW_SESSION_TICKET) {
-    out = wire.parse_new_session_ticket(message.body);
+    // TLS 1.2 and 1.3 have different wire formats for this message.
+    // TLS 1.3: ticket_lifetime | ticket_age_add | ticket_nonce | ticket | extensions
+    // TLS 1.2: ticket_lifetime_hint | ticket                     (RFC 5077)
+    if (negotiatedVersion === 0x0303) {
+      out = wire.parse_new_session_ticket_tls12(message.body);
+    } else {
+      out = wire.parse_new_session_ticket(message.body);
+    }
     out.type = 'new_session_ticket';
 
   } else if (message.type == wire.TLS_MESSAGE_TYPE.KEY_UPDATE) {