lemon-tls 0.2.2 → 0.4.0

package/src/compat.js

@@ -1,12 +1,13 @@
 /**
  * compat.js — Node.js tls module API compatibility layer.
  *
- * Provides tls.connect(), tls.createServer(), and additional
+ * Provides tls.connect(), tls.createServer(), tls.Server, and additional
  * TLSSocket methods to match Node.js tls API conventions.
  */
 
 import net from 'node:net';
 import crypto from 'node:crypto';
+import { EventEmitter } from 'node:events';
 import { TLS_CIPHER_SUITES } from './crypto.js';
 import TLSSession from './tls_session.js';
 import TLSSocket from './tls_socket.js';
@@ -17,6 +18,20 @@ import createSecureContext from './secure_context.js';
 const DEFAULT_MIN_VERSION = 'TLSv1.2';
 const DEFAULT_MAX_VERSION = 'TLSv1.3';
 
+// Matches Node's default cipher list for TLS 1.3 and the modern-TLS 1.2 subset
+// we actually support. Apps can pass a `ciphers` option to override per-connection.
+const DEFAULT_CIPHERS = [
+  'TLS_AES_256_GCM_SHA384',
+  'TLS_CHACHA20_POLY1305_SHA256',
+  'TLS_AES_128_GCM_SHA256',
+  'ECDHE-RSA-AES256-GCM-SHA384',
+  'ECDHE-ECDSA-AES256-GCM-SHA384',
+  'ECDHE-RSA-AES128-GCM-SHA256',
+  'ECDHE-ECDSA-AES128-GCM-SHA256',
+].join(':');
+
+const DEFAULT_ECDH_CURVE = 'auto'; // Node default since v13
+
 // ===================== tls.getCiphers() =====================
 
 /** Returns array of supported cipher names (lowercase, OpenSSL-style). */
@@ -29,6 +44,90 @@ function getCiphers() {
   return out;
 }
 
+// ===================== tls.checkServerIdentity() =====================
+
+/**
+ * Verifies that the peer certificate matches the hostname per RFC 6125.
+ * Returns undefined on success, or an Error on mismatch.
+ *
+ * This is the default identity check Node uses when `rejectUnauthorized: true`
+ * (the default for tls.connect). Apps can override via the `checkServerIdentity`
+ * option in tls.connect to supply their own check.
+ *
+ * Matching rules:
+ *   1. If the cert has Subject Alternative Name (SAN) entries:
+ *      - For DNS SANs: compare against hostname (supports leftmost-label wildcards
+ *        like *.example.com). IP address in hostname only matches IP SAN, not DNS SAN.
+ *      - For IP SANs: compare against hostname as IP.
+ *      - CN is IGNORED (per RFC 6125 and modern browsers).
+ *   2. If no SAN entries exist, fall back to the cert's CN (common name)
+ *      with the same matching rules — legacy path, deprecated by RFC 6125
+ *      but still accepted by Node and common CAs.
+ *
+ * cert: the object returned by tlsSocket.getPeerCertificate() — must have
+ *       `subject` (with `CN`) and `subjectaltname` (OpenSSL-formatted string).
+ */
+function checkServerIdentity(hostname, cert) {
+  if (!cert) return new Error('checkServerIdentity: no certificate');
+  const host = String(hostname || '').toLowerCase();
+  if (!host) return new Error('checkServerIdentity: hostname required');
+
+  const isIp = /^(\d{1,3}\.){3}\d{1,3}$|^\[?[0-9a-fA-F:]+\]?$/.test(host);
+
+  // Parse subjectaltname (OpenSSL format: "DNS:a.com, DNS:*.b.com, IP Address:1.2.3.4")
+  const altnames = [];
+  if (cert.subjectaltname && typeof cert.subjectaltname === 'string') {
+    const parts = cert.subjectaltname.split(',');
+    for (let p of parts) {
+      p = p.trim();
+      if (p.startsWith('DNS:')) altnames.push({ type: 'DNS', value: p.slice(4).toLowerCase() });
+      else if (p.startsWith('IP Address:')) altnames.push({ type: 'IP', value: p.slice(11).trim() });
+      else if (p.startsWith('IP:')) altnames.push({ type: 'IP', value: p.slice(3).trim() });
+      // Other SAN types (URI, email, etc.) ignored
+    }
+  }
+
+  // DNS wildcard matcher: the wildcard must be the leftmost label only.
+  //   *.example.com  matches foo.example.com, NOT foo.bar.example.com, NOT example.com.
+  function dnsMatches(pattern, name) {
+    if (pattern === name) return true;
+    if (!pattern.startsWith('*.')) return false;
+    const dot = name.indexOf('.');
+    if (dot < 0) return false;
+    return pattern.slice(2) === name.slice(dot + 1);
+  }
+
+  // IP match: string-equal for IPv4; normalize brackets/case for IPv6.
+  function ipMatches(pattern, name) {
+    return pattern.replace(/^\[|\]$/g, '').toLowerCase()
+         === name.replace(/^\[|\]$/g, '').toLowerCase();
+  }
+
+  // RFC 6125: if SANs are present, do NOT fall back to CN.
+  if (altnames.length > 0) {
+    for (const s of altnames) {
+      if (isIp && s.type === 'IP' && ipMatches(s.value, host)) return undefined;
+      if (!isIp && s.type === 'DNS' && dnsMatches(s.value, host)) return undefined;
+    }
+    const details = altnames.map(s => `${s.type}:${s.value}`).join(', ');
+    return new Error(`Hostname/IP does not match certificate's altnames: Host: ${hostname}. is not in the cert's altnames: ${details}`);
+  }
+
+  // Legacy CN fallback (only when no SAN present)
+  const cn = cert.subject && cert.subject.CN;
+  if (cn) {
+    const cnLower = String(cn).toLowerCase();
+    if (isIp) {
+      if (ipMatches(cnLower, host)) return undefined;
+    } else {
+      if (dnsMatches(cnLower, host)) return undefined;
+    }
+    return new Error(`Hostname/IP does not match certificate's CN: Host: ${hostname}. is not cert's CN: ${cn}`);
+  }
+
+  return new Error(`Hostname/IP does not match any certificate identity`);
+}
+
 // ===================== tls.connect() =====================
 
 /**
@@ -43,7 +142,6 @@ function getCiphers() {
 function connect(/* ...args */) {
   let port, host, options, connectListener;
 
-  // Parse overloaded arguments
   let args = Array.from(arguments);
 
   if (typeof args[0] === 'object' && !Array.isArray(args[0])) {
@@ -88,7 +186,8 @@ function connect(/* ...args */) {
     groups: options.groups,
     prioritizeChaCha: options.prioritizeChaCha,
     maxRecordSize: options.maxRecordSize,
-    noTickets: options.noTickets,
+    sessionTickets: options.sessionTickets,
+    ticketLifetime: options.ticketLifetime,
     cert: options.cert,
     key: options.key,
     maxHandshakeSize: options.maxHandshakeSize,
@@ -111,33 +210,68 @@ function connect(/* ...args */) {
   return socket;
 }
 
-// ===================== tls.createServer() =====================
+// ===================== tls.Server =====================
 
 /**
- * Node.js compatible tls.createServer().
+ * Node.js compatible tls.Server class.
  *
- * Usage:
- *   tls.createServer(options, connectionListener)
+ * Wraps a net.Server and emits:
+ *   - 'secureConnection' (socket)              — after TLS handshake completes
+ *   - 'newSession' (id, data, callback)        — for TLS 1.2 Session ID storage
+ *   - 'resumeSession' (id, callback(err,data)) — for TLS 1.2 Session ID retrieval
+ *   - 'tlsClientError' (err, socket)           — handshake errors
+ *
+ * Provides:
+ *   - listen(), close(), address(), getConnections()
+ *   - getTicketKeys(), setTicketKeys(), setSecureContext()
  */
-function createServer(options, connectionListener) {
-  if (typeof options === 'function') {
-    connectionListener = options;
-    options = {};
-  }
+function Server(options, connectionListener) {
+  if (!(this instanceof Server)) return new Server(options, connectionListener);
+  EventEmitter.call(this);
+
+  let self = this;
   options = options || {};
 
-  let ctx = null;
+  // Shared ticketKeys across all connections
+  self._ticketKeys = options.ticketKeys ? Buffer.from(options.ticketKeys) : crypto.randomBytes(48);
+
+  // sessionTimeout: seconds to cache a TLS 1.2 Session ID (Node default: 300)
+  let sessionTimeoutSec = (typeof options.sessionTimeout === 'number' && options.sessionTimeout > 0)
+    ? (options.sessionTimeout >>> 0)
+    : 300;
+
+  // sessionIdContext: opaque tag. Sessions stored under one context cannot be resumed
+  // under another (matches Node/OpenSSL behavior — prevents cross-server leakage).
+  // Stored as a hex prefix on cache keys.
+  let sessionIdContextHex = '';
+  if (options.sessionIdContext != null) {
+    let sidCtxBuf = Buffer.isBuffer(options.sessionIdContext)
+      ? options.sessionIdContext
+      : Buffer.from(String(options.sessionIdContext));
+    sessionIdContextHex = sidCtxBuf.toString('hex');
+  }
+
+  // Pre-compiled default SecureContext if key+cert provided directly (no SNICallback)
+  let defaultCtx = null;
   if (options.key && options.cert) {
-    ctx = createSecureContext({ key: options.key, cert: options.cert });
+    defaultCtx = createSecureContext({ key: options.key, cert: options.cert });
   }
 
-  // Shared ticketKeys for all connections (enables PSK across connections)
-  let sharedTicketKeys = options.ticketKeys || crypto.randomBytes(48);
+  // In-memory fallback session store for TLS 1.2 Session IDs.
+  // Entry shape: { data: Buffer, expiresAt: ms }
+  // Only used when the user hasn't registered their own 'newSession'/'resumeSession' handlers.
+  // Keys are namespaced by sessionIdContext so multiple servers don't cross-pollinate.
+  let inMemoryStore = {};
 
-  let server = net.createServer(function(tcp) {
+  function storeKey(id) {
+    return sessionIdContextHex + ':' + toHex(id);
+  }
+
+  function buildSocketOpts() {
     let socketOpts = {
       isServer: true,
-      ticketKeys: sharedTicketKeys,
+      ticketKeys: self._ticketKeys,
+      ticketLifetime: options.ticketLifetime,
       ALPNProtocols: options.ALPNProtocols,
       minVersion: options.minVersion || DEFAULT_MIN_VERSION,
       maxVersion: options.maxVersion || DEFAULT_MAX_VERSION,
@@ -145,41 +279,161 @@ function createServer(options, connectionListener) {
       groups: options.groups,
       prioritizeChaCha: options.prioritizeChaCha,
       maxRecordSize: options.maxRecordSize,
-      noTickets: options.noTickets,
+      sessionTickets: options.sessionTickets,
       requestCert: options.requestCert,
       maxHandshakeSize: options.maxHandshakeSize,
       allowedCipherSuites: options.allowedCipherSuites,
+      handshakeTimeout: options.handshakeTimeout,
     };
 
     if (options.SNICallback) {
       socketOpts.SNICallback = options.SNICallback;
-    } else if (ctx) {
+    } else if (defaultCtx) {
       socketOpts.SNICallback = function(servername, cb) {
-        cb(null, ctx);
+        cb(null, defaultCtx);
       };
     }
 
-    let socket = new TLSSocket(tcp, socketOpts);
-    addCompatMethods(socket);
+    return socketOpts;
+  }
 
-    if (connectionListener) {
-      socket.on('secureConnect', function() {
-        connectionListener(socket);
-      });
+  self._tcpServer = net.createServer(function(tcp) {
+    let socket;
+    try {
+      socket = new TLSSocket(tcp, buildSocketOpts());
+    } catch (err) {
+      self.emit('tlsClientError', err, null);
+      try { tcp.destroy(); } catch(e){}
+      return;
     }
 
-    server.emit('secureConnection', socket);
+    addCompatMethods(socket);
+
+    // Bridge TLS 1.2 Session ID events from socket → server.
+    // If the user has registered their own handlers, delegate to them. Otherwise,
+    // use the built-in in-memory cache (with sessionTimeout expiry and sessionIdContext
+    // isolation).
+    socket.on('newSession', function(id, data, cb) {
+      if (self.listenerCount('newSession') > 0) {
+        self.emit('newSession', Buffer.from(id), Buffer.from(data), cb);
+      } else {
+        inMemoryStore[storeKey(id)] = {
+          data: Buffer.from(data),
+          expiresAt: Date.now() + sessionTimeoutSec * 1000,
+        };
+        cb();
+      }
+    });
+
+    socket.on('resumeSession', function(id, cb) {
+      if (self.listenerCount('resumeSession') > 0) {
+        self.emit('resumeSession', Buffer.from(id), cb);
+      } else {
+        let key = storeKey(id);
+        let entry = inMemoryStore[key];
+        if (!entry) return cb(null, null);
+        if (entry.expiresAt < Date.now()) {
+          // Expired → evict and treat as cache miss
+          delete inMemoryStore[key];
+          return cb(null, null);
+        }
+        cb(null, entry.data);
+      }
+    });
+
+    // 'secureConnection' fires AFTER handshake completes (Node.js semantics)
+    socket.on('secureConnect', function() {
+      if (connectionListener) connectionListener(socket);
+      self.emit('secureConnection', socket);
+    });
+
+    // Forward keylog to server level with Node.js signature (line, tlsSocket)
+    socket.on('keylog', function(line) {
+      self.emit('keylog', line, socket);
+    });
+
+    // Surface pre-handshake errors as 'tlsClientError' (Node.js semantics)
+    socket.on('error', function(err) {
+      if (!socket.secureEstablished) {
+        self.emit('tlsClientError', err, socket);
+      }
+    });
   });
 
-  return server;
+  // Delegate net.Server methods
+  self.listen = function() {
+    return self._tcpServer.listen.apply(self._tcpServer, arguments);
+  };
+
+  self.close = function(cb) {
+    return self._tcpServer.close(cb);
+  };
+
+  self.address = function() {
+    return self._tcpServer.address();
+  };
+
+  self.getConnections = function(cb) {
+    return self._tcpServer.getConnections(cb);
+  };
+
+  // Ticket key management
+  self.getTicketKeys = function() {
+    return Buffer.from(self._ticketKeys);
+  };
+
+  self.setTicketKeys = function(keys) {
+    if (!Buffer.isBuffer(keys) && !(keys instanceof Uint8Array)) {
+      throw new TypeError('setTicketKeys requires a Buffer/Uint8Array');
+    }
+    if (keys.length !== 48) {
+      throw new RangeError('ticketKeys must be exactly 48 bytes');
+    }
+    self._ticketKeys = Buffer.from(keys);
+  };
+
+  // setSecureContext — replace cert/key without restart (Node.js compat)
+  self.setSecureContext = function(opts) {
+    if (opts && opts.key && opts.cert) {
+      defaultCtx = createSecureContext({ key: opts.key, cert: opts.cert });
+    }
+  };
+
+  return self;
+}
+
+// Inherit from EventEmitter
+Object.setPrototypeOf(Server.prototype, EventEmitter.prototype);
+Object.setPrototypeOf(Server, EventEmitter);
+
+// ===================== tls.createServer() =====================
+
+/**
+ * Node.js compatible tls.createServer().
+ *   tls.createServer([options][, connectionListener])
+ */
+function createServer(options, connectionListener) {
+  if (typeof options === 'function') {
+    connectionListener = options;
+    options = {};
+  }
+  return new Server(options, connectionListener);
+}
+
+// ===================== Helpers =====================
+
+function toHex(buf) {
+  if (!buf) return '';
+  let b = Buffer.isBuffer(buf) ? buf : Buffer.from(buf);
+  return b.toString('hex');
 }
 
 // ===================== Compat methods for TLSSocket =====================
 
 function addCompatMethods(socket) {
-  let session = socket.getSession();
+  let session = socket._getTLSSession();
 
-  /** Node.js compat: isSessionReused() */
+  /** Node.js compat: isSessionReused() — method form (same as isResumed getter) */
   socket.isSessionReused = function() {
     return socket.isResumed;
   };
@@ -204,6 +458,7 @@ function addCompatMethods(socket) {
     let group = session.context.selected_group;
     if (group === 0x001d) return { type: 'X25519', size: 253 };
     if (group === 0x0017) return { type: 'ECDH', name: 'prime256v1', size: 256 };
+    if (group === 0x0018) return { type: 'ECDH', name: 'secp384r1', size: 384 };
     return {};
   };
 
@@ -227,9 +482,13 @@ function addCompatMethods(socket) {
 export {
   connect,
   createServer,
+  Server,
   createSecureContext,
   getCiphers,
+  checkServerIdentity,
   addCompatMethods,
   DEFAULT_MIN_VERSION,
   DEFAULT_MAX_VERSION,
+  DEFAULT_CIPHERS,
+  DEFAULT_ECDH_CURVE,
 };

package/src/crypto.js

@@ -276,19 +276,22 @@ function hkdf_extract(hashName, saltU8, ikmU8) {
 function hkdf_expand(hashName, prkU8, infoU8, length) {
   let hashLen = getHashLen(hashName);
   let N = Math.ceil(length / hashLen);
-  let output = Buffer.alloc(N * hashLen);
+  // allocUnsafe is safe here: every byte is overwritten by prev.copy() below.
+  let output = Buffer.allocUnsafe(N * hashLen);
   let prev = Buffer.alloc(0);
+  let counter = Buffer.allocUnsafe(1);
 
   for (let i = 1; i <= N; i++) {
     let h = crypto.createHmac(hashName, prkU8);
     h.update(prev);
     h.update(infoU8);
-    h.update(Buffer.from([i]));
+    counter[0] = i;
+    h.update(counter);
     prev = h.digest();
     prev.copy(output, (i - 1) * hashLen);
   }
 
-  return new Uint8Array(output.subarray(0, length));
+  return new Uint8Array(output.buffer, output.byteOffset, length);
 }
 
 
@@ -296,10 +299,12 @@ function hkdf_expand(hashName, prkU8, infoU8, length) {
 //  TLS 1.3 HKDF-Expand-Label (RFC 8446 section 7.1)
 // ============================================================
 
+// Module-level TextEncoder — creating one per hkdf call added significant overhead
+// to handshakes (TextEncoder construction is not free in V8).
+const _TEXT_ENCODER = new TextEncoder();
+
 function build_hkdf_label(label, context, length) {
-  let prefix = 'tls13 ';
-  let enc = new TextEncoder();
-  let full = enc.encode(prefix + label);
+  const full = _TEXT_ENCODER.encode('tls13 ' + label);
   const info = new Uint8Array(2 + 1 + full.length + 1 + context.length);
 
   info[0] = (length >>> 8) & 0xff;
@@ -345,6 +350,31 @@ function derive_handshake_traffic_secrets(hashName, shared_secret, transcript) {
   };
 }
 
+/**
+ * Like derive_handshake_traffic_secrets but accepts a pre-computed transcript
+ * hash — skips the hashFn(transcript) step and its allocation. Use this when
+ * the caller has already computed the hash via an incremental running hash.
+ */
+function derive_handshake_traffic_secrets_with_hash(hashName, shared_secret, transcript_hash) {
+  let hashFn  = getHashFn(hashName);
+  let hashLen = hashFn.outputLen | 0;
+  const empty = new Uint8Array(0);
+  const zeros = new Uint8Array(hashLen);
+
+  let early_secret = hkdf_extract(hashName, empty, zeros);
+  let h_empty = hashFn(empty);
+  let derived_secret = hkdf_expand_label(hashName, early_secret, 'derived', h_empty, hashLen);
+  let handshake_secret = hkdf_extract(hashName, derived_secret, shared_secret);
+  let client_handshake_traffic_secret = hkdf_expand_label(hashName, handshake_secret, 'c hs traffic', transcript_hash, hashLen);
+  let server_handshake_traffic_secret = hkdf_expand_label(hashName, handshake_secret, 's hs traffic', transcript_hash, hashLen);
+
+  return {
+    handshake_secret: handshake_secret,
+    client_handshake_traffic_secret: client_handshake_traffic_secret,
+    server_handshake_traffic_secret: server_handshake_traffic_secret,
+  };
+}
+
 
 // ============================================================
 //  TLS 1.3: derive application traffic secrets
@@ -370,6 +400,28 @@ function derive_app_traffic_secrets(hashName, handshake_secret, transcript) {
   };
 }
 
+/**
+ * Like derive_app_traffic_secrets but accepts a pre-computed transcript hash.
+ */
+function derive_app_traffic_secrets_with_hash(hashName, handshake_secret, transcript_hash) {
+  let hashFn  = getHashFn(hashName);
+  let hashLen = hashFn.outputLen | 0;
+  const empty = new Uint8Array(0);
+  const zeros = new Uint8Array(hashLen);
+
+  let h_empty = hashFn(empty);
+  let derived_secret = hkdf_expand_label(hashName, handshake_secret, 'derived', h_empty, hashLen);
+  let master_secret = hkdf_extract(hashName, derived_secret, zeros);
+  let client_app_traffic_secret = hkdf_expand_label(hashName, master_secret, 'c ap traffic', transcript_hash, hashLen);
+  let server_app_traffic_secret = hkdf_expand_label(hashName, master_secret, 's ap traffic', transcript_hash, hashLen);
+
+  return {
+    client_app_traffic_secret: client_app_traffic_secret,
+    server_app_traffic_secret: server_app_traffic_secret,
+    master_secret: master_secret
+  };
+}
+
 
 // ============================================================
 //  TLS 1.3: resumption master secret (RFC 8446 §7.1)
@@ -386,6 +438,14 @@ function derive_resumption_master_secret(hashName, master_secret, transcript) {
   return hkdf_expand_label(hashName, master_secret, 'res master', transcript_hash, hashLen);
 }
 
+/**
+ * Like derive_resumption_master_secret but accepts a pre-computed transcript hash.
+ */
+function derive_resumption_master_secret_with_hash(hashName, master_secret, transcript_hash) {
+  let hashLen = getHashLen(hashName);
+  return hkdf_expand_label(hashName, master_secret, 'res master', transcript_hash, hashLen);
+}
+
 /**
  * Derive PSK from a resumption_master_secret + ticket_nonce.
  * Used by the server when creating a ticket, and by the client when resuming.
@@ -416,11 +476,21 @@ function derive_binder_key(hashName, psk, isExternal) {
  * Compute a PSK binder value.
  * binder_key = derive_binder_key(...)
  * transcript = ClientHello up to (but not including) the binders list.
+ *
+ * Per RFC 8446 §4.1.4: "PskBinderEntry is computed in the same way as the Finished
+ * message (Section 4.4.4) but with the BaseKey being the binder_key derived via
+ * the key schedule from the corresponding PSK."
+ *
+ * So we must derive a finished_key from binder_key (as in get_handshake_finished)
+ * before the HMAC, NOT use binder_key directly.
  */
 function compute_psk_binder(hashName, binder_key, truncated_transcript) {
   let hashFn = getHashFn(hashName);
+  let hashLen = hashFn.outputLen | 0;
+  const empty = new Uint8Array(0);
+  let finished_key = hkdf_expand_label(hashName, binder_key, 'finished', empty, hashLen);
   let transcript_hash = hashFn(truncated_transcript);
-  return hmac(hashName, binder_key, transcript_hash);
+  return hmac(hashName, finished_key, transcript_hash);
 }
 
 /**
@@ -447,6 +517,28 @@ function derive_handshake_traffic_secrets_psk(hashName, psk, shared_secret, tran
   };
 }
 
+/**
+ * Like derive_handshake_traffic_secrets_psk but accepts a pre-computed transcript hash.
+ */
+function derive_handshake_traffic_secrets_psk_with_hash(hashName, psk, shared_secret, transcript_hash) {
+  let hashFn = getHashFn(hashName);
+  let hashLen = hashFn.outputLen | 0;
+  const empty = new Uint8Array(0);
+
+  let early_secret = hkdf_extract(hashName, empty, psk);
+  let h_empty = hashFn(empty);
+  let derived_secret = hkdf_expand_label(hashName, early_secret, 'derived', h_empty, hashLen);
+  let handshake_secret = hkdf_extract(hashName, derived_secret, shared_secret);
+  let client_handshake_traffic_secret = hkdf_expand_label(hashName, handshake_secret, 'c hs traffic', transcript_hash, hashLen);
+  let server_handshake_traffic_secret = hkdf_expand_label(hashName, handshake_secret, 's hs traffic', transcript_hash, hashLen);
+
+  return {
+    handshake_secret: handshake_secret,
+    client_handshake_traffic_secret: client_handshake_traffic_secret,
+    server_handshake_traffic_secret: server_handshake_traffic_secret,
+  };
+}
+
 
 // ============================================================
 //  TLS 1.2 PRF (RFC 5246 section 5)
@@ -539,6 +631,18 @@ function build_cert_verify_tbs(hashName, isServer, transcript) {
   return concatUint8Arrays([padding, label, separator, transcript_hash]);
 }
 
+/**
+ * Like build_cert_verify_tbs but accepts a pre-computed transcript hash.
+ */
+function build_cert_verify_tbs_with_hash(hashName, isServer, transcript_hash) {
+  let label = new TextEncoder().encode(
+    isServer ? "TLS 1.3, server CertificateVerify" : "TLS 1.3, client CertificateVerify"
+  );
+  const separator = new Uint8Array([0x00]);
+  const padding = new Uint8Array(64).fill(0x20);
+  return concatUint8Arrays([padding, label, separator, transcript_hash]);
+}
+
 
 // ============================================================
 //  TLS 1.3 Finished verify_data
@@ -552,6 +656,16 @@ function get_handshake_finished(hashName, traffic_secret, transcript) {
   return hmac(hashName, finished_key, transcript_hash);
 }
 
+/**
+ * Like get_handshake_finished but accepts a pre-computed transcript hash.
+ */
+function get_handshake_finished_with_hash(hashName, traffic_secret, transcript_hash) {
+  let hashLen = getHashLen(hashName);
+  const empty = new Uint8Array(0);
+  let finished_key = hkdf_expand_label(hashName, traffic_secret, 'finished', empty, hashLen);
+  return hmac(hashName, finished_key, transcript_hash);
+}
+
 
 // ============================================================
 //  DTLS 1.3: record number encryption key (RFC 9147 §5.9)
@@ -579,13 +693,19 @@ export {
   tls_derive_from_master_secret_tls12,
   tls12_prf,
   derive_handshake_traffic_secrets,
+  derive_handshake_traffic_secrets_with_hash,
   derive_app_traffic_secrets,
+  derive_app_traffic_secrets_with_hash,
   derive_resumption_master_secret,
+  derive_resumption_master_secret_with_hash,
   derive_psk,
   derive_binder_key,
   compute_psk_binder,
   derive_handshake_traffic_secrets_psk,
+  derive_handshake_traffic_secrets_psk_with_hash,
   build_cert_verify_tbs,
+  build_cert_verify_tbs_with_hash,
   get_handshake_finished,
+  get_handshake_finished_with_hash,
   derive_sn_key,
 };

package/src/dtls_socket.js

@@ -44,6 +44,7 @@ function DTLSSocket(udpSocket, options) {
     cert: options.cert,
     key: options.key,
     rejectUnauthorized: options.rejectUnauthorized,
+    requestCert: options.requestCert,
     ca: options.ca,
     alpnProtocols: options.alpnProtocols,
     minVersion: options.minVersion,
@@ -159,6 +160,7 @@ function createDTLSServer(options, connectionListener) {
           remotePort: rinfo.port,
           cert: options.cert,
           key: options.key,
+          requestCert: options.requestCert,
           SNICallback: options.SNICallback,
           alpnProtocols: options.alpnProtocols,
           minVersion: options.minVersion,
@@ -239,6 +241,7 @@ function connectDTLS(options, callback) {
     remotePort: port,
     servername: options.servername || host,
     rejectUnauthorized: options.rejectUnauthorized,
+    requestCert: options.requestCert,
     ca: options.ca,
     alpnProtocols: options.alpnProtocols,
     minVersion: options.minVersion,