nlcurl 0.6.0 → 0.7.0

package/dist/tls/session-cache.d.ts

@@ -0,0 +1,70 @@
+/**
+ * TLS session ticket cache for session resumption (RFC 5077 / RFC 8446 §4.6.1).
+ * Stores session tickets keyed by origin (`host:port`) and evicts expired
+ * entries automatically. Used by both {@link NodeTLSEngine} and
+ * {@link StealthTLSEngine} to enable 0-RTT and abbreviated handshakes.
+ */
+/**
+ * A cached TLS session ticket with its expiration metadata.
+ *
+ * @typedef  {Object} SessionTicketEntry
+ * @property {Buffer} ticket    - Opaque session ticket bytes.
+ * @property {number} expiresAt - Unix timestamp (ms) at which the ticket is no longer valid.
+ * @property {string} [alpn]    - ALPN protocol negotiated during the original handshake.
+ */
+export interface SessionTicketEntry {
+    ticket: Buffer;
+    expiresAt: number;
+    alpn?: string;
+}
+/**
+ * Options for constructing a {@link TLSSessionCache}.
+ *
+ * @typedef  {Object} SessionCacheOptions
+ * @property {number} [maxEntries=256]      - Maximum number of tickets to store.
+ * @property {number} [defaultLifetimeMs=7200000] - Default ticket lifetime in ms when server doesn't specify.
+ */
+export interface SessionCacheOptions {
+    maxEntries?: number;
+    defaultLifetimeMs?: number;
+}
+/**
+ * In-memory LRU cache for TLS session tickets. Thread-safe for single-threaded
+ * Node.js usage. Keys are `host:port` origin strings. Only valid (non-expired)
+ * tickets are returned on lookup.
+ */
+export declare class TLSSessionCache {
+    private readonly maxEntries;
+    private readonly defaultLifetimeMs;
+    private readonly entries;
+    constructor(options?: SessionCacheOptions);
+    /**
+     * Stores a session ticket for the given origin.
+     *
+     * @param {string} origin   - Origin key in `host:port` form.
+     * @param {Buffer} ticket   - Opaque session ticket bytes.
+     * @param {number} [lifetimeMs] - Ticket lifetime in ms; uses default if omitted.
+     * @param {string} [alpn]   - ALPN protocol from the original handshake.
+     */
+    set(origin: string, ticket: Buffer, lifetimeMs?: number, alpn?: string): void;
+    /**
+     * Retrieves a valid, non-expired session ticket for the given origin.
+     * Returns `undefined` if no ticket exists or the ticket has expired.
+     *
+     * @param {string} origin - Origin key in `host:port` form.
+     * @returns {SessionTicketEntry | undefined}
+     */
+    get(origin: string): SessionTicketEntry | undefined;
+    /**
+     * Removes a specific ticket from the cache.
+     *
+     * @param {string} origin - Origin key.
+     * @returns {boolean} Whether an entry was removed.
+     */
+    delete(origin: string): boolean;
+    /** Removes all entries from the cache. */
+    clear(): void;
+    /** Returns the number of entries currently cached. */
+    get size(): number;
+}
+//# sourceMappingURL=session-cache.d.ts.map

package/dist/tls/session-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-cache.d.ts","sourceRoot":"","sources":["../../src/tls/session-cache.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAKD;;;;;;GAMG;AACH,MAAM,WAAW,mBAAmB;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;GAIG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;IAC3C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyC;gBAErD,OAAO,GAAE,mBAAwB;IAK7C;;;;;;;OAOG;IACH,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI;IAc7E;;;;;;OAMG;IACH,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS;IAcnD;;;;;OAKG;IACH,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAI/B,0CAA0C;IAC1C,KAAK,IAAI,IAAI;IAIb,sDAAsD;IACtD,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF"}

package/dist/tls/session-cache.js

@@ -0,0 +1,80 @@
+/**
+ * TLS session ticket cache for session resumption (RFC 5077 / RFC 8446 §4.6.1).
+ * Stores session tickets keyed by origin (`host:port`) and evicts expired
+ * entries automatically. Used by both {@link NodeTLSEngine} and
+ * {@link StealthTLSEngine} to enable 0-RTT and abbreviated handshakes.
+ */
+const DEFAULT_MAX_ENTRIES = 256;
+const DEFAULT_LIFETIME_MS = 7200_000;
+/**
+ * In-memory LRU cache for TLS session tickets. Thread-safe for single-threaded
+ * Node.js usage. Keys are `host:port` origin strings. Only valid (non-expired)
+ * tickets are returned on lookup.
+ */
+export class TLSSessionCache {
+    maxEntries;
+    defaultLifetimeMs;
+    entries = new Map();
+    constructor(options = {}) {
+        this.maxEntries = options.maxEntries ?? DEFAULT_MAX_ENTRIES;
+        this.defaultLifetimeMs = options.defaultLifetimeMs ?? DEFAULT_LIFETIME_MS;
+    }
+    /**
+     * Stores a session ticket for the given origin.
+     *
+     * @param {string} origin   - Origin key in `host:port` form.
+     * @param {Buffer} ticket   - Opaque session ticket bytes.
+     * @param {number} [lifetimeMs] - Ticket lifetime in ms; uses default if omitted.
+     * @param {string} [alpn]   - ALPN protocol from the original handshake.
+     */
+    set(origin, ticket, lifetimeMs, alpn) {
+        if (this.entries.size >= this.maxEntries) {
+            const oldest = this.entries.keys().next().value;
+            if (oldest !== undefined)
+                this.entries.delete(oldest);
+        }
+        this.entries.delete(origin);
+        this.entries.set(origin, {
+            ticket,
+            expiresAt: Date.now() + (lifetimeMs ?? this.defaultLifetimeMs),
+            alpn,
+        });
+    }
+    /**
+     * Retrieves a valid, non-expired session ticket for the given origin.
+     * Returns `undefined` if no ticket exists or the ticket has expired.
+     *
+     * @param {string} origin - Origin key in `host:port` form.
+     * @returns {SessionTicketEntry | undefined}
+     */
+    get(origin) {
+        const entry = this.entries.get(origin);
+        if (!entry)
+            return undefined;
+        if (Date.now() >= entry.expiresAt) {
+            this.entries.delete(origin);
+            return undefined;
+        }
+        this.entries.delete(origin);
+        this.entries.set(origin, entry);
+        return entry;
+    }
+    /**
+     * Removes a specific ticket from the cache.
+     *
+     * @param {string} origin - Origin key.
+     * @returns {boolean} Whether an entry was removed.
+     */
+    delete(origin) {
+        return this.entries.delete(origin);
+    }
+    /** Removes all entries from the cache. */
+    clear() {
+        this.entries.clear();
+    }
+    /** Returns the number of entries currently cached. */
+    get size() {
+        return this.entries.size;
+    }
+}
+//# sourceMappingURL=session-cache.js.map

package/dist/tls/session-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-cache.js","sourceRoot":"","sources":["../../src/tls/session-cache.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgBH,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAChC,MAAM,mBAAmB,GAAG,QAAQ,CAAC;AAcrC;;;;GAIG;AACH,MAAM,OAAO,eAAe;IACT,UAAU,CAAS;IACnB,iBAAiB,CAAS;IAC1B,OAAO,GAAG,IAAI,GAAG,EAA8B,CAAC;IAEjE,YAAY,UAA+B,EAAE;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,mBAAmB,CAAC;QAC5D,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,mBAAmB,CAAC;IAC5E,CAAC;IAED;;;;;;;OAOG;IACH,GAAG,CAAC,MAAc,EAAE,MAAc,EAAE,UAAmB,EAAE,IAAa;QACpE,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YAChD,IAAI,MAAM,KAAK,SAAS;gBAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACxD,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE;YACvB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,UAAU,IAAI,IAAI,CAAC,iBAAiB,CAAC;YAC9D,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,GAAG,CAAC,MAAc;QAChB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAE7B,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,MAAc;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,0CAA0C;IAC1C,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAED,sDAAsD;IACtD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;CACF"}

package/dist/tls/stealth/client-hello.d.ts

@@ -1,4 +1,5 @@
 import type { BrowserProfile } from "../../fingerprints/types.js";
+import type { ECHEncryptionParams } from "../ech.js";
 /**
  * An ephemeral key share generated for a specific named group, used during
  * TLS 1.3 key exchange. Contains both the public key to advertise in the
@@ -51,4 +52,24 @@ export interface ClientHelloResult {
  * @returns {ClientHelloResult} The encoded record alongside key material needed for the handshake.
  */
 export declare function buildClientHello(profile: BrowserProfile, hostname: string): ClientHelloResult;
+/**
+ * Result of building an ECH-encrypted ClientHello pair.
+ */
+export interface ClientHelloECHResult extends ClientHelloResult {
+    /** Inner ClientHello handshake message (used for transcript if ECH is accepted). */
+    innerHandshakeMessage: Buffer;
+    /** Inner client random (used for ECH accept confirmation check). */
+    innerRandom: Buffer;
+}
+/**
+ * Builds a ClientHello pair with ECH encryption: an outer ClientHello
+ * (with the encrypted inner ClientHello in the ECH extension) and the
+ * inner ClientHello needed for transcript computation upon acceptance.
+ *
+ * @param profile     Browser profile whose fingerprint to replicate.
+ * @param hostname    Real server hostname (used in the inner ClientHello SNI).
+ * @param echParams   ECH config and raw bytes for HPKE encryption.
+ * @returns The outer record to send plus the inner message for the transcript.
+ */
+export declare function buildClientHelloWithECH(profile: BrowserProfile, hostname: string, echParams: ECHEncryptionParams): ClientHelloECHResult;
 //# sourceMappingURL=client-hello.d.ts.map

package/dist/tls/stealth/client-hello.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client-hello.d.ts","sourceRoot":"","sources":["../../../src/tls/stealth/client-hello.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAmB,MAAM,6BAA6B,CAAC;AAMnF;;;;;;;;;GASG;AACH,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAyB7D;AAiBD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,aAAa,EAAE,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,GAAG,iBAAiB,CA2E7F"}
+{"version":3,"file":"client-hello.d.ts","sourceRoot":"","sources":["../../../src/tls/stealth/client-hello.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAmB,MAAM,6BAA6B,CAAC;AACnF,OAAO,KAAK,EAAa,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAOhE;;;;;;;;;GASG;AACH,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAyB7D;AAiBD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,aAAa,EAAE,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,GAAG,iBAAiB,CA2E7F;AA6CD;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,iBAAiB;IAC7D,oFAAoF;IACpF,qBAAqB,EAAE,MAAM,CAAC;IAC9B,oEAAoE;IACpE,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,mBAAmB,GAAG,oBAAoB,CA8DvI"}

package/dist/tls/stealth/client-hello.js

@@ -1,6 +1,7 @@
 import { randomBytes, createECDH, generateKeyPairSync } from "node:crypto";
 import { BufferWriter } from "../../utils/buffer-writer.js";
 import { RecordType, HandshakeType, ExtensionType, GREASE_VALUES, NamedGroup } from "../constants.js";
+import { echEncryptInner, buildECHOuterExtData, parseHpkeKeyConfig, getMaxNameLength } from "../ech.js";
 function randomGrease() {
     return GREASE_VALUES[Math.floor(Math.random() * GREASE_VALUES.length)];
 }
@@ -164,4 +165,119 @@ function writeExtension(w, extDef, hostname, keyShares, tlsProfile, grease) {
         w.writeUInt16(0);
     }
 }
+/**
+ * Builds a ClientHello pair with ECH encryption: an outer ClientHello
+ * (with the encrypted inner ClientHello in the ECH extension) and the
+ * inner ClientHello needed for transcript computation upon acceptance.
+ *
+ * @param profile     Browser profile whose fingerprint to replicate.
+ * @param hostname    Real server hostname (used in the inner ClientHello SNI).
+ * @param echParams   ECH config and raw bytes for HPKE encryption.
+ * @returns The outer record to send plus the inner message for the transcript.
+ */
+export function buildClientHelloWithECH(profile, hostname, echParams) {
+    const tlsProfile = profile.tls;
+    const innerRandom = randomBytes(32);
+    const outerRandom = randomBytes(32);
+    const outerSessionId = tlsProfile.randomSessionId ? randomBytes(32) : Buffer.alloc(0);
+    const keyShares = tlsProfile.keyShareGroups.map(generateKeyShare);
+    const greaseCipher = tlsProfile.grease ? randomGrease() : 0;
+    const greaseExt = tlsProfile.grease ? randomGrease() : 0;
+    const greaseGroup = tlsProfile.grease ? randomGrease() : 0;
+    const greaseVersion = tlsProfile.grease ? randomGrease() : 0;
+    const lastGreaseInner = tlsProfile.grease ? randomGrease() : 0;
+    const lastGreaseOuter = tlsProfile.grease ? randomGrease() : 0;
+    const greaseVals = { greaseGroup, greaseVersion };
+    const hpkeConfig = parseHpkeKeyConfig(echParams.config.contents);
+    if (!hpkeConfig || hpkeConfig.kemId !== 0x0020) {
+        throw new Error("Unsupported ECH config: requires DHKEM(X25519, HKDF-SHA256)");
+    }
+    const suite = hpkeConfig.cipherSuites.find((cs) => cs.kdfId === 0x0001 && (cs.aeadId === 0x0001 || cs.aeadId === 0x0003));
+    if (!suite)
+        throw new Error("No supported HPKE cipher suite in ECH config");
+    const innerCHBody = buildCHBodyCore(tlsProfile, hostname, innerRandom, Buffer.alloc(0), keyShares, greaseCipher, greaseExt, lastGreaseInner, greaseVals, Buffer.from([0x01]));
+    const innerHSMsg = wrapHandshakeMessage(innerCHBody);
+    const maxNameLen = getMaxNameLength(echParams.config.contents);
+    const hostLen = Buffer.byteLength(hostname, "ascii");
+    const paddingLen = Math.max(0, maxNameLen - hostLen);
+    const paddedInner = paddingLen > 0 ? Buffer.concat([innerCHBody, Buffer.alloc(paddingLen)]) : innerCHBody;
+    const expectedPayloadLen = paddedInner.length + 16;
+    const zeroEchExt = buildECHOuterExtData(suite.kdfId, suite.aeadId, hpkeConfig.configId, Buffer.alloc(32), Buffer.alloc(expectedPayloadLen));
+    const buildOuter = (echExtData) => buildCHBodyCore(tlsProfile, echParams.config.publicName, outerRandom, outerSessionId, keyShares, greaseCipher, greaseExt, lastGreaseOuter, greaseVals, echExtData);
+    const outerBodyZero = buildOuter(zeroEchExt);
+    const outerAAD = wrapHandshakeMessage(outerBodyZero);
+    const echResult = echEncryptInner(paddedInner, outerAAD, echParams.config, echParams.configRaw);
+    const finalOuterBody = buildOuter(echResult.extensionData);
+    const finalHandshakeMessage = wrapHandshakeMessage(finalOuterBody);
+    const record = new BufferWriter(5 + finalHandshakeMessage.length);
+    record.writeUInt8(RecordType.HANDSHAKE);
+    record.writeUInt16(tlsProfile.recordVersion);
+    record.writeUInt16(finalHandshakeMessage.length);
+    record.writeBytes(finalHandshakeMessage);
+    return {
+        record: record.toBuffer(),
+        keyShares,
+        clientRandom: outerRandom,
+        sessionId: outerSessionId,
+        handshakeMessage: finalHandshakeMessage,
+        innerHandshakeMessage: innerHSMsg,
+        innerRandom,
+    };
+}
+/**
+ * Core ClientHello body builder shared by both `buildClientHello` and
+ * `buildClientHelloWithECH`. Builds the ClientHello payload (after the
+ * handshake header) with deterministic GREASE values.
+ *
+ * @param echExtData When provided, replaces the profile's ECH extension
+ *                   with this data. For inner CH: `Buffer.from([0x01])`.
+ *                   For outer CH: the full outer ECH extension payload.
+ */
+function buildCHBodyCore(tlsProfile, hostname, clientRandom, sessionId, keyShares, greaseCipher, greaseExt, lastGrease, grease, echExtData) {
+    const body = new BufferWriter(4096);
+    body.writeUInt16(tlsProfile.clientVersion);
+    body.writeBytes(clientRandom);
+    body.writeUInt8(sessionId.length);
+    if (sessionId.length > 0)
+        body.writeBytes(sessionId);
+    const ciphers = tlsProfile.grease ? [greaseCipher, ...tlsProfile.cipherSuites] : [...tlsProfile.cipherSuites];
+    body.writeUInt16(ciphers.length * 2);
+    for (const c of ciphers)
+        body.writeUInt16(c);
+    body.writeUInt8(tlsProfile.compressionMethods.length);
+    for (const m of tlsProfile.compressionMethods)
+        body.writeUInt8(m);
+    const extWriter = new BufferWriter(4096);
+    if (tlsProfile.grease) {
+        extWriter.writeUInt16(greaseExt);
+        extWriter.writeUInt16(1);
+        extWriter.writeUInt8(0);
+    }
+    for (const extDef of tlsProfile.extensions) {
+        if (extDef.type === ExtensionType.ENCRYPTED_CLIENT_HELLO && echExtData) {
+            extWriter.writeUInt16(ExtensionType.ENCRYPTED_CLIENT_HELLO);
+            extWriter.writeUInt16(echExtData.length);
+            extWriter.writeBytes(echExtData);
+            continue;
+        }
+        writeExtension(extWriter, extDef, hostname, keyShares, tlsProfile, grease);
+    }
+    if (tlsProfile.grease) {
+        extWriter.writeUInt16(lastGrease);
+        extWriter.writeUInt16(1);
+        extWriter.writeUInt8(0);
+    }
+    const extBytes = extWriter.toBuffer();
+    body.writeUInt16(extBytes.length);
+    body.writeBytes(extBytes);
+    return body.toBuffer();
+}
+/** Wraps a ClientHello body in a handshake message (type + length + body). */
+function wrapHandshakeMessage(chBody) {
+    const w = new BufferWriter(4 + chBody.length);
+    w.writeUInt8(HandshakeType.CLIENT_HELLO);
+    w.writeUInt24(chBody.length);
+    w.writeBytes(chBody);
+    return w.toBuffer();
+}
 //# sourceMappingURL=client-hello.js.map

package/dist/tls/stealth/client-hello.js.map

@@ -1 +1 @@
-{"version":3,"file":"client-hello.js","sourceRoot":"","sources":["../../../src/tls/stealth/client-hello.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAGtG,SAAS,YAAY;IACnB,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,aAAa,CAAC,MAAM,CAAC,CAAE,CAAC;AAC1E,CAAC;AAkBD;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;YACvB,MAAM,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACjE,MAAM,IAAI,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACpE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;YAC7D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;YAChE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;QAC1C,CAAC;QACD,KAAK,UAAU,CAAC,SAAS,CAAC;QAC1B,KAAK,UAAU,CAAC,SAAS,CAAC;QAC1B,KAAK,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;YAC1B,MAAM,SAAS,GAAG,KAAK,KAAK,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,KAAK,KAAK,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;YAC7H,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;YACnC,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,OAAO;gBACL,KAAK;gBACL,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC3C,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;aAC9C,CAAC;QACJ,CAAC;QACD;YACE,MAAM,IAAI,KAAK,CAAC,kCAAkC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED,SAAS,0BAA0B,CAAC,SAA0B;IAC5D,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAChC,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;IAE5B,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;QAC3B,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QACxB,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC;IAC7B,CAAC;IAED,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,GAAG,QAAQ,CAAC,CAAC;IACjD,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;AACtB,CAAC;AAqBD;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAuB,EAAE,QAAgB;IACxE,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC;IAE/B,MAAM,YAAY,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjF,MAAM,SAAS,GAAG,UAAU,CAAC,cAAc,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAElE,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE7D,MAAM,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;IAEpC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAE3C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAE9B,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;QAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAErD,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAC9G,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,OAAO;QAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IAE7C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,kBAAkB;QAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAElE,MAAM,SAAS,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;IAEzC,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QACjC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QACzB,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC3C,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE;YACjE,WAAW;YACX,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC;QAClC,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAClC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QACzB,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;IACtC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAE1B,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;IAExC,MAAM,SAAS,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC/D,SAAS,CAAC,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;IACjD,SAAS,CAAC,WAAW,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IAC9C,SAAS,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;IACtC,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;IAE9C,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACxC,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAC7C,MAAM,CAAC,WAAW,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;IAEpC,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE;QACzB,SAAS;QACT,YAAY;QACZ,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,CAAe,EAAE,MAAuB,EAAE,QAAgB,EAAE,SAA0B,EAAE,UAA4D,EAAE,MAAsD;IAClO,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC,SAAS,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,0BAA0B,CAAC,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO;IACT,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC,gBAAgB,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACxE,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,UAAU,CAAC,eAAe,CAAC,CAAC;QACnE,MAAM,KAAK,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACtD,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACrC,KAAK,MAAM,CAAC,IAAI,MAAM;YAAE,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC9B,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;QAC9C,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO;IACT,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC,kBAAkB,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,UAAU,CAAC,iBAAiB,CAAC,CAAC;QACzE,MAAM,KAAK,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACxD,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACtC,KAAK,MAAM,CAAC,IAAI,QAAQ;YAAE,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QAC/C,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC9B,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,kBAAkB,CAAC,CAAC;QAChD,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO;IACT,CAAC;IAED,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC3B,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IACnB,CAAC;AACH,CAAC"}
+{"version":3,"file":"client-hello.js","sourceRoot":"","sources":["../../../src/tls/stealth/client-hello.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAGtG,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAExG,SAAS,YAAY;IACnB,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,aAAa,CAAC,MAAM,CAAC,CAAE,CAAC;AAC1E,CAAC;AAkBD;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;YACvB,MAAM,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACjE,MAAM,IAAI,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACpE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;YAC7D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;YAChE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;QAC1C,CAAC;QACD,KAAK,UAAU,CAAC,SAAS,CAAC;QAC1B,KAAK,UAAU,CAAC,SAAS,CAAC;QAC1B,KAAK,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;YAC1B,MAAM,SAAS,GAAG,KAAK,KAAK,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,KAAK,KAAK,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;YAC7H,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;YACnC,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,OAAO;gBACL,KAAK;gBACL,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC3C,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;aAC9C,CAAC;QACJ,CAAC;QACD;YACE,MAAM,IAAI,KAAK,CAAC,kCAAkC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED,SAAS,0BAA0B,CAAC,SAA0B;IAC5D,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAChC,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;IAE5B,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;QAC3B,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QACxB,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC;IAC7B,CAAC;IAED,CAAC,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,GAAG,QAAQ,CAAC,CAAC;IACjD,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;AACtB,CAAC;AAqBD;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAuB,EAAE,QAAgB;IACxE,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC;IAE/B,MAAM,YAAY,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjF,MAAM,SAAS,GAAG,UAAU,CAAC,cAAc,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAElE,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE7D,MAAM,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;IAEpC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAE3C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAE9B,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;QAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAErD,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAC9G,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,OAAO;QAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IAE7C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,kBAAkB;QAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAElE,MAAM,SAAS,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;IAEzC,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QACjC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QACzB,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC3C,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE;YACjE,WAAW;YACX,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC;QAClC,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAClC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QACzB,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;IACtC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAE1B,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;IAExC,MAAM,SAAS,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC/D,SAAS,CAAC,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;IACjD,SAAS,CAAC,WAAW,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IAC9C,SAAS,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;IACtC,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;IAE9C,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACxC,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAC7C,MAAM,CAAC,WAAW,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;IAEpC,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE;QACzB,SAAS;QACT,YAAY;QACZ,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,CAAe,EAAE,MAAuB,EAAE,QAAgB,EAAE,SAA0B,EAAE,UAA4D,EAAE,MAAsD;IAClO,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC,SAAS,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,0BAA0B,CAAC,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO;IACT,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC,gBAAgB,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACxE,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,UAAU,CAAC,eAAe,CAAC,CAAC;QACnE,MAAM,KAAK,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACtD,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACrC,KAAK,MAAM,CAAC,IAAI,MAAM;YAAE,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC9B,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;QAC9C,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO;IACT,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC,kBAAkB,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,UAAU,CAAC,iBAAiB,CAAC,CAAC;QACzE,MAAM,KAAK,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACxD,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACtC,KAAK,MAAM,CAAC,IAAI,QAAQ;YAAE,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QAC/C,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC9B,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,kBAAkB,CAAC,CAAC;QAChD,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO;IACT,CAAC;IAED,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC3B,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAYD;;;;;;;;;GASG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAuB,EAAE,QAAgB,EAAE,SAA8B;IAC/G,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC;IAE/B,MAAM,WAAW,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACpC,MAAM,WAAW,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACpC,MAAM,cAAc,GAAG,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACtF,MAAM,SAAS,GAAG,UAAU,CAAC,cAAc,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAElE,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7D,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE/D,MAAM,UAAU,GAAG,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC;IAElD,MAAM,UAAU,GAAG,kBAAkB,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACjE,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,KAAK,KAAK,MAAM,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,KAAK,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,KAAK,MAAM,IAAI,EAAE,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC;IAC1H,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAE5E,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAE9K,MAAM,UAAU,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAErD,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,CAAC;IACrD,MAAM,WAAW,GAAG,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IAE1G,MAAM,kBAAkB,GAAG,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC;IAEnD,MAAM,UAAU,GAAG,oBAAoB,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAE5I,MAAM,UAAU,GAAG,CAAC,UAAkB,EAAU,EAAE,CAAC,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,eAAe,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IAEtN,MAAM,aAAa,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAC;IAErD,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,QAAQ,EAAE,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAEhG,MAAM,cAAc,GAAG,UAAU,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IAC3D,MAAM,qBAAqB,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;IAEnE,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAClE,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACxC,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAC7C,MAAM,CAAC,WAAW,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC;IAEzC,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE;QACzB,SAAS;QACT,YAAY,EAAE,WAAW;QACzB,SAAS,EAAE,cAAc;QACzB,gBAAgB,EAAE,qBAAqB;QACvC,qBAAqB,EAAE,UAAU;QACjC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,eAAe,CAAC,UAA4D,EAAE,QAAgB,EAAE,YAAoB,EAAE,SAAiB,EAAE,SAA0B,EAAE,YAAoB,EAAE,SAAiB,EAAE,UAAkB,EAAE,MAAsD,EAAE,UAAmB;IACpT,MAAM,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;IAEpC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAC3C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAE9B,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;QAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAErD,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAC9G,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,OAAO;QAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IAE7C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,kBAAkB;QAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAElE,MAAM,SAAS,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;IAEzC,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QACjC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QACzB,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;QAC3C,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC,sBAAsB,IAAI,UAAU,EAAE,CAAC;YACvE,SAAS,CAAC,WAAW,CAAC,aAAa,CAAC,sBAAsB,CAAC,CAAC;YAC5D,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YACzC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;YACjC,SAAS;QACX,CAAC;QAED,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IAC7E,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,SAAS,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAClC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QACzB,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;IACtC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAE1B,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;AACzB,CAAC;AAED,8EAA8E;AAC9E,SAAS,oBAAoB,CAAC,MAAc;IAC1C,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;IACzC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACrB,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;AACtB,CAAC"}

package/dist/tls/stealth/engine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../src/tls/stealth/engine.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAqB,SAAS,EAAE,MAAM,aAAa,CAAC;AAC/F,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AA4GlE;;;;;;GAMG;AACH,qBAAa,gBAAiB,YAAW,UAAU;IACjD;;;;;;;;;;OAUG;IACG,OAAO,CAAC,OAAO,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC;CAiBxF"}
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../src/tls/stealth/engine.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAqB,SAAS,EAAE,MAAM,aAAa,CAAC;AAC/F,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AA4NlE;;;;;;GAMG;AACH,qBAAa,gBAAiB,YAAW,UAAU;IACjD;;;;;;;;;;OAUG;IACG,OAAO,CAAC,OAAO,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC;CA4BxF"}

package/dist/tls/stealth/engine.js

@@ -1,10 +1,13 @@
 import * as net from "node:net";
+import { createCipheriv, createDecipheriv } from "node:crypto";
 import { Duplex } from "node:stream";
 import { TLSError } from "../../core/errors.js";
 import { performHandshake } from "./handshake.js";
-import { wrapEncryptedRecord, unwrapEncryptedRecord, readRecord } from "./record-layer.js";
-import { RecordType } from "../constants.js";
+import { wrapEncryptedRecord, unwrapEncryptedRecord, readRecord, writeRecord } from "./record-layer.js";
+import { RecordType, ProtocolVersion } from "../constants.js";
 import { DEFAULT_PROFILE } from "../../fingerprints/database.js";
+import { parseECHConfigList, extractFirstECHConfigRaw } from "../ech.js";
+const AEAD_TAG_SIZE = 16;
 class StealthTLSStream extends Duplex {
     rawSocket;
     aead;
@@ -12,6 +15,7 @@ class StealthTLSStream extends Duplex {
     clientIV;
     serverKey;
     serverIV;
+    isTLS12;
     clientSeq = 0n;
     serverSeq = 0n;
     readBuffer = Buffer.alloc(0);
@@ -25,6 +29,7 @@ class StealthTLSStream extends Duplex {
         this.clientIV = handshake.clientIV;
         this.serverKey = handshake.serverKey;
         this.serverIV = handshake.serverIV;
+        this.isTLS12 = handshake.version === "TLSv1.2";
         this.connectionInfo = {
             version: handshake.version,
             alpnProtocol: handshake.alpnProtocol,
@@ -40,7 +45,13 @@ class StealthTLSStream extends Duplex {
     _read() { }
     _write(chunk, _encoding, callback) {
         try {
-            const encrypted = wrapEncryptedRecord(this.aead, this.clientKey, this.clientIV, this.clientSeq++, RecordType.APPLICATION_DATA, chunk);
+            let encrypted;
+            if (this.isTLS12) {
+                encrypted = this.tls12EncryptRecord(RecordType.APPLICATION_DATA, chunk);
+            }
+            else {
+                encrypted = wrapEncryptedRecord(this.aead, this.clientKey, this.clientIV, this.clientSeq++, RecordType.APPLICATION_DATA, chunk);
+            }
             this.rawSocket.write(encrypted, callback);
         }
         catch (err) {
@@ -55,6 +66,79 @@ class StealthTLSStream extends Duplex {
     destroyTLS() {
         this.destroy();
     }
+    tls12EncryptRecord(contentType, plaintext) {
+        const isChaCha = this.aead === "chacha20-poly1305";
+        let nonce;
+        let prefix;
+        if (isChaCha) {
+            nonce = Buffer.from(this.clientIV);
+            const seqBuf = Buffer.alloc(8);
+            seqBuf.writeBigUInt64BE(this.clientSeq);
+            for (let i = 0; i < 8; i++)
+                nonce[nonce.length - 8 + i] ^= seqBuf[i];
+            prefix = Buffer.alloc(0);
+        }
+        else {
+            const explicitNonce = Buffer.alloc(8);
+            explicitNonce.writeBigUInt64BE(this.clientSeq);
+            nonce = Buffer.concat([this.clientIV, explicitNonce]);
+            prefix = explicitNonce;
+        }
+        const aad = Buffer.alloc(13);
+        aad.writeBigUInt64BE(this.clientSeq, 0);
+        aad[8] = contentType;
+        aad.writeUInt16BE(ProtocolVersion.TLS_1_2, 9);
+        aad.writeUInt16BE(plaintext.length, 11);
+        const cipher = createCipheriv(this.aead, this.clientKey, nonce, { authTagLength: AEAD_TAG_SIZE });
+        cipher.setAAD(aad);
+        const enc = cipher.update(plaintext);
+        const final = cipher.final();
+        const tag = cipher.getAuthTag();
+        const payload = Buffer.concat([prefix, enc, final, tag]);
+        this.clientSeq++;
+        return writeRecord(contentType, ProtocolVersion.TLS_1_2, payload);
+    }
+    tls12DecryptRecord(record) {
+        const isChaCha = this.aead === "chacha20-poly1305";
+        let nonce;
+        let encData;
+        if (isChaCha) {
+            nonce = Buffer.from(this.serverIV);
+            const seqBuf = Buffer.alloc(8);
+            seqBuf.writeBigUInt64BE(this.serverSeq);
+            for (let i = 0; i < 8; i++)
+                nonce[nonce.length - 8 + i] ^= seqBuf[i];
+            encData = record.fragment;
+        }
+        else {
+            if (record.fragment.length < 8 + AEAD_TAG_SIZE)
+                throw new TLSError("TLS 1.2 record too short");
+            const explicitNonce = record.fragment.subarray(0, 8);
+            nonce = Buffer.concat([this.serverIV, explicitNonce]);
+            encData = record.fragment.subarray(8);
+        }
+        if (encData.length < AEAD_TAG_SIZE)
+            throw new TLSError("TLS 1.2 record too short for tag");
+        const encryptedData = encData.subarray(0, encData.length - AEAD_TAG_SIZE);
+        const tag = encData.subarray(encData.length - AEAD_TAG_SIZE);
+        const aad = Buffer.alloc(13);
+        aad.writeBigUInt64BE(this.serverSeq, 0);
+        aad[8] = record.type;
+        aad.writeUInt16BE(ProtocolVersion.TLS_1_2, 9);
+        aad.writeUInt16BE(encryptedData.length, 11);
+        const decipher = createDecipheriv(this.aead, this.serverKey, nonce, { authTagLength: AEAD_TAG_SIZE });
+        decipher.setAAD(aad);
+        decipher.setAuthTag(tag);
+        try {
+            const decrypted = decipher.update(encryptedData);
+            const final = decipher.final();
+            this.serverSeq++;
+            return Buffer.concat([decrypted, final]);
+        }
+        catch {
+            throw new TLSError("TLS 1.2 AEAD decryption failed");
+        }
+    }
     handleRawData(chunk) {
         this.readBuffer = Buffer.concat([this.readBuffer, chunk]);
         this.processReadBuffer();
@@ -66,36 +150,64 @@ class StealthTLSStream extends Duplex {
                 break;
             this.readBuffer = this.readBuffer.subarray(result.bytesRead);
             const { record } = result;
-            if (record.type === RecordType.APPLICATION_DATA) {
-                try {
-                    const decrypted = unwrapEncryptedRecord(this.aead, this.serverKey, this.serverIV, this.serverSeq++, record);
-                    if (decrypted.contentType === RecordType.APPLICATION_DATA) {
-                        this.push(decrypted.plaintext);
+            if (this.isTLS12) {
+                this.processRecordTLS12(record);
+            }
+            else {
+                this.processRecordTLS13(record);
+            }
+        }
+    }
+    processRecordTLS12(record) {
+        if (record.type === RecordType.APPLICATION_DATA) {
+            try {
+                const plaintext = this.tls12DecryptRecord(record);
+                this.push(plaintext);
+            }
+            catch (err) {
+                this.destroy(err instanceof Error ? err : new Error(String(err)));
+            }
+        }
+        else if (record.type === RecordType.ALERT) {
+            const desc = record.fragment.length >= 2 ? record.fragment[1] : 0;
+            if (desc === 0) {
+                this.push(null);
+            }
+            else {
+                this.destroy(new TLSError(`TLS alert: desc=${desc}`, desc));
+            }
+        }
+    }
+    processRecordTLS13(record) {
+        if (record.type === RecordType.APPLICATION_DATA) {
+            try {
+                const decrypted = unwrapEncryptedRecord(this.aead, this.serverKey, this.serverIV, this.serverSeq++, record);
+                if (decrypted.contentType === RecordType.APPLICATION_DATA) {
+                    this.push(decrypted.plaintext);
+                }
+                else if (decrypted.contentType === RecordType.ALERT) {
+                    const level = decrypted.plaintext[0];
+                    const desc = decrypted.plaintext[1];
+                    if (desc === 0) {
+                        this.push(null);
                     }
-                    else if (decrypted.contentType === RecordType.ALERT) {
-                        const level = decrypted.plaintext[0];
-                        const desc = decrypted.plaintext[1];
-                        if (desc === 0) {
-                            this.push(null);
-                        }
-                        else {
-                            this.destroy(new TLSError(`TLS alert: level=${level} desc=${desc}`, desc));
-                        }
+                    else {
+                        this.destroy(new TLSError(`TLS alert: level=${level} desc=${desc}`, desc));
                     }
                 }
-                catch (err) {
-                    this.destroy(err instanceof Error ? err : new Error(String(err)));
-                    return;
-                }
             }
-            else if (record.type === RecordType.ALERT) {
-                const desc = record.fragment.length >= 2 ? record.fragment[1] : 0;
-                if (desc === 0) {
-                    this.push(null);
-                }
-                else {
-                    this.destroy(new TLSError(`Unencrypted alert: desc=${desc}`, desc));
-                }
+            catch (err) {
+                this.destroy(err instanceof Error ? err : new Error(String(err)));
+                return;
+            }
+        }
+        else if (record.type === RecordType.ALERT) {
+            const desc = record.fragment.length >= 2 ? record.fragment[1] : 0;
+            if (desc === 0) {
+                this.push(null);
+            }
+            else {
+                this.destroy(new TLSError(`Unencrypted alert: desc=${desc}`, desc));
             }
         }
     }
@@ -124,7 +236,17 @@ export class StealthTLSEngine {
         const hostname = options.servername ?? options.host;
         const rawSocket = options.socket ? options.socket : await tcpConnect(options.host, options.port, options.timeout, options.signal);
         try {
-            const handshake = await performHandshake(rawSocket, effectiveProfile, hostname, options.insecure ?? false);
+            let echParams;
+            if (options.echConfigList) {
+                const parsed = parseECHConfigList(options.echConfigList);
+                if (parsed && parsed.configs.length > 0) {
+                    const configRaw = extractFirstECHConfigRaw(options.echConfigList);
+                    if (configRaw) {
+                        echParams = { config: parsed.configs[0], configRaw };
+                    }
+                }
+            }
+            const handshake = await performHandshake(rawSocket, effectiveProfile, hostname, options.insecure ?? false, options.pinnedPublicKey, echParams);
             const stream = new StealthTLSStream(rawSocket, handshake);
             return stream;
         }