nlcurl 0.6.0 → 0.8.0

package/dist/tls/stealth/key-schedule.js

@@ -1,35 +1,33 @@
 import { createHmac, createHash as _createHash } from "node:crypto";
 /**
- * Returns the output length in bytes for the given hash algorithm.
+ * Return the digest output length for the given hash algorithm.
  *
- * @param {HashAlgorithm} alg - Hash algorithm identifier.
- * @returns {number} Output length: `32` for `sha256`, `48` for `sha384`.
+ * @param {HashAlgorithm} alg - Hash algorithm.
+ * @returns {number} Length in bytes.
  */
 export function hashLength(alg) {
     return alg === "sha256" ? 32 : 48;
 }
 /**
- * Performs the HKDF-Extract step (RFC 5869 §2.2): computes `HMAC-Hash(salt, IKM)`.
+ * HKDF-Extract as defined in RFC 5869.
  *
- * @param {HashAlgorithm} alg  - Hash algorithm for the HMAC computation.
- * @param {Buffer}        salt - Salt value (used as HMAC key).
- * @param {Buffer}        ikm  - Input keying material.
- * @returns {Buffer} Pseudorandom key (PRK) of length `hashLength(alg)`.
+ * @param {HashAlgorithm} alg - Hash algorithm.
+ * @param {Buffer} salt - Salt value.
+ * @param {Buffer} ikm - Input keying material.
+ * @returns {Buffer} Pseudorandom key.
  */
 export function hkdfExtract(alg, salt, ikm) {
     return Buffer.from(createHmac(alg, salt).update(ikm).digest());
 }
 /**
- * Performs the TLS 1.3 HKDF-Expand-Label operation (RFC 8446 §7.1),
- * deriving a key of `length` bytes from `secret` using the given label
- * and context hash.
+ * HKDF-Expand-Label as defined in TLS 1.3 (RFC 8446 §7.1).
  *
- * @param {HashAlgorithm} alg     - Hash algorithm for HKDF.
- * @param {Buffer}        secret  - Input secret (PRK from HKDF-Extract).
- * @param {string}        label   - TLS 1.3 label string (without the `"tls13 "` prefix).
- * @param {Buffer}        context - Transcript hash, or empty buffer for simple derivations.
- * @param {number}        length  - Desired output length in bytes.
- * @returns {Buffer} Derived key material of the specified length.
+ * @param {HashAlgorithm} alg - Hash algorithm.
+ * @param {Buffer} secret - Input secret.
+ * @param {string} label - Label string (without the "tls13 " prefix).
+ * @param {Buffer} context - Context hash.
+ * @param {number} length - Desired output length in bytes.
+ * @returns {Buffer} Derived key material.
  */
 export function hkdfExpandLabel(alg, secret, label, context, length) {
     const fullLabel = Buffer.from("tls13 " + label, "ascii");
@@ -60,36 +58,32 @@ function hkdfExpand(alg, prk, info, length) {
     return okm.subarray(0, length);
 }
 /**
- * Derives a secret with a transcript hash context using HKDF-Expand-Label
- * (RFC 8446 §7.1). This is the canonical `Derive-Secret` function of the
- * TLS 1.3 key schedule.
+ * Derive a TLS 1.3 secret from an intermediate secret and transcript hash.
  *
- * @param {HashAlgorithm} alg            - Hash algorithm for HKDF.
- * @param {Buffer}        secret         - Input PRK.
- * @param {string}        label          - TLS 1.3 label string.
- * @param {Buffer}        transcriptHash - Current transcript hash value.
- * @returns {Buffer} Derived secret of length `hashLength(alg)`.
+ * @param {HashAlgorithm} alg - Hash algorithm.
+ * @param {Buffer} secret - Base secret.
+ * @param {string} label - Derivation label.
+ * @param {Buffer} transcriptHash - Current transcript hash.
+ * @returns {Buffer} Derived secret.
  */
 export function deriveSecret(alg, secret, label, transcriptHash) {
     return hkdfExpandLabel(alg, secret, label, transcriptHash, hashLength(alg));
 }
 export { _createHash as createHash };
 /**
- * Returns a zero-filled `Buffer` whose length equals the output size of
- * `alg` — used as the IKM or salt argument in HKDF-Extract calls that
- * require a zero-length secret at the start of the TLS 1.3 key schedule.
+ * Return an all-zero key of the hash's digest length.
  *
- * @param {HashAlgorithm} alg - Hash algorithm that determines buffer length.
- * @returns {Buffer} Zero-filled buffer of `hashLength(alg)` bytes.
+ * @param {HashAlgorithm} alg - Hash algorithm.
+ * @returns {Buffer} Zero-filled buffer.
  */
 export function zeroKey(alg) {
     return Buffer.alloc(hashLength(alg));
 }
 /**
- * Returns the key and IV byte lengths for the given AEAD cipher name.
+ * Determine key and IV lengths for a TLS cipher suite.
  *
- * @param {string} cipherName - AEAD cipher name (e.g. `"TLS_AES_128_GCM_SHA256"`).
- * @returns {{ keyLen: number; ivLen: number }} Key length and IV length in bytes.
+ * @param {string} cipherName - Cipher suite name string.
+ * @returns {{ keyLen: number; ivLen: number }} Key and IV lengths in bytes.
  */
 export function keyIVLengths(cipherName) {
     if (cipherName.includes("AES_128")) {
@@ -101,16 +95,14 @@ export function keyIVLengths(cipherName) {
     return { keyLen: 16, ivLen: 12 };
 }
 /**
- * Derives TLS 1.3 handshake traffic keys from the ECDH shared secret and
- * the transcript hash of the ClientHello and ServerHello messages
- * (RFC 8446 §7.1).
+ * Derive TLS 1.3 handshake traffic keys from the shared secret.
  *
- * @param {HashAlgorithm} alg          - Hash algorithm specified by the negotiated cipher suite.
- * @param {Buffer}        sharedSecret - ECDH shared secret from key exchange.
- * @param {Buffer}        helloHash    - Transcript hash over ClientHello..ServerHello.
- * @param {number}        keyLen       - Required key byte length.
- * @param {number}        ivLen        - Required IV byte length.
- * @returns {HandshakeKeys} Derived handshake keys and intermediate secrets.
+ * @param {HashAlgorithm} alg - Hash algorithm.
+ * @param {Buffer} sharedSecret - ECDHE shared secret.
+ * @param {Buffer} helloHash - Transcript hash up to and including ServerHello.
+ * @param {number} keyLen - Desired key length in bytes.
+ * @param {number} ivLen - Desired IV length in bytes.
+ * @returns {HandshakeKeys} Handshake keys and intermediate secrets.
  */
 export function deriveHandshakeKeys(alg, sharedSecret, helloHash, keyLen, ivLen) {
     const earlySecret = hkdfExtract(alg, Buffer.alloc(hashLength(alg)), zeroKey(alg));
@@ -134,16 +126,14 @@ export function deriveHandshakeKeys(alg, sharedSecret, helloHash, keyLen, ivLen)
     };
 }
 /**
- * Derives TLS 1.3 application traffic keys from the master secret and the
- * full handshake transcript hash (RFC 8446 §7.1). These keys are used to
- * encrypt and decrypt all application data after the handshake completes.
+ * Derive TLS 1.3 application traffic keys from the master secret.
  *
- * @param {HashAlgorithm} alg           - Hash algorithm specified by the negotiated cipher suite.
- * @param {Buffer}        masterSecret  - TLS 1.3 master secret from {@link deriveHandshakeKeys}.
- * @param {Buffer}        handshakeHash - Transcript hash over the complete handshake.
- * @param {number}        keyLen        - Required key byte length.
- * @param {number}        ivLen         - Required IV byte length.
- * @returns {ApplicationKeys} Derived application traffic keys.
+ * @param {HashAlgorithm} alg - Hash algorithm.
+ * @param {Buffer} masterSecret - Master secret from the key schedule.
+ * @param {Buffer} handshakeHash - Transcript hash up to and including server Finished.
+ * @param {number} keyLen - Desired key length in bytes.
+ * @param {number} ivLen - Desired IV length in bytes.
+ * @returns {ApplicationKeys} Application traffic encryption keys.
  */
 export function deriveApplicationKeys(alg, masterSecret, handshakeHash, keyLen, ivLen) {
     const clientSecret = deriveSecret(alg, masterSecret, "c ap traffic", handshakeHash);
@@ -159,14 +149,12 @@ function emptyHash(alg) {
     return _createHash(alg).digest();
 }
 /**
- * Computes the `verify_data` for a TLS 1.3 Finished message (RFC 8446 §4.4.4)
- * as `HMAC(finished_key, transcript_hash)`, where `finished_key` is derived
- * from the base traffic secret using HKDF-Expand-Label.
+ * Compute the Finished verify_data for the TLS 1.3 handshake.
  *
- * @param {HashAlgorithm} alg            - Hash algorithm for HMAC.
- * @param {Buffer}        baseSecret     - Base traffic secret (client or server handshake secret).
- * @param {Buffer}        transcriptHash - Current transcript hash at the point of Finished.
- * @returns {Buffer} The `verify_data` bytes to include in or validate against the Finished message.
+ * @param {HashAlgorithm} alg - Hash algorithm.
+ * @param {Buffer} baseSecret - Handshake traffic secret.
+ * @param {Buffer} transcriptHash - Current transcript hash.
+ * @returns {Buffer} HMAC verify data bytes.
  */
 export function computeFinishedVerifyData(alg, baseSecret, transcriptHash) {
     const finishedKey = hkdfExpandLabel(alg, baseSecret, "finished", Buffer.alloc(0), hashLength(alg));

package/dist/tls/stealth/key-schedule.js.map

@@ -1 +1 @@
-{"version":3,"file":"key-schedule.js","sourceRoot":"","sources":["../../../src/tls/stealth/key-schedule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,IAAI,WAAW,EAAE,MAAM,aAAa,CAAC;AASpE;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,GAAkB;IAC3C,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,GAAkB,EAAE,IAAY,EAAE,GAAW;IACvE,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,eAAe,CAAC,GAAkB,EAAE,MAAc,EAAE,KAAa,EAAE,OAAe,EAAE,MAAc;IAChH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,GAAG,KAAK,EAAE,OAAO,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9E,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,IAAI,CAAC,CAAC;IACZ,SAAS,CAAC,MAAM,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC;IACvC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAClC,MAAM,IAAI,SAAS,CAAC,MAAM,CAAC;IAC3B,SAAS,CAAC,MAAM,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAEhC,OAAO,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,UAAU,CAAC,GAAkB,EAAE,GAAW,EAAE,IAAY,EAAE,MAAc;IAC/E,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC;IACtC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC;IACjC,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACjC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,GAAkB,EAAE,MAAc,EAAE,KAAa,EAAE,cAAsB;IACpG,OAAO,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,OAAO,EAAE,WAAW,IAAI,UAAU,EAAE,CAAC;AAErC;;;;;;;GAOG;AACH,MAAM,UAAU,OAAO,CAAC,GAAkB;IACxC,OAAO,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AACvC,CAAC;AAyCD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACtE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACnC,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAkB,EAAE,YAAoB,EAAE,SAAiB,EAAE,MAAc,EAAE,KAAa;IAC5H,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IAElF,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IAE9E,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;IAEpE,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;IACnF,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;IAEnF,MAAM,kBAAkB,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9F,MAAM,iBAAiB,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC3F,MAAM,kBAAkB,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9F,MAAM,iBAAiB,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAE3F,MAAM,iBAAiB,GAAG,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IACxF,MAAM,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IAEvE,OAAO;QACL,kBAAkB;QAClB,iBAAiB;QACjB,kBAAkB;QAClB,iBAAiB;QACjB,eAAe;QACf,YAAY;KACb,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,GAAkB,EAAE,YAAoB,EAAE,aAAqB,EAAE,MAAc,EAAE,KAAa;IAClI,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,YAAY,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC;IACpF,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,YAAY,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC;IAEpF,OAAO;QACL,SAAS,EAAE,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC;QAC7E,QAAQ,EAAE,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC;QAC1E,SAAS,EAAE,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC;QAC7E,QAAQ,EAAE,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC;KAC3E,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,GAAkB;IACnC,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,yBAAyB,CAAC,GAAkB,EAAE,UAAkB,EAAE,cAAsB;IACtG,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACnG,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACnF,CAAC"}
+{"version":3,"file":"key-schedule.js","sourceRoot":"","sources":["../../../src/tls/stealth/key-schedule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,IAAI,WAAW,EAAE,MAAM,aAAa,CAAC;AAKpE;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,GAAkB;IAC3C,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AACpC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,GAAkB,EAAE,IAAY,EAAE,GAAW;IACvE,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,GAAkB,EAAE,MAAc,EAAE,KAAa,EAAE,OAAe,EAAE,MAAc;IAChH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,GAAG,KAAK,EAAE,OAAO,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9E,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,IAAI,CAAC,CAAC;IACZ,SAAS,CAAC,MAAM,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC;IACvC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAClC,MAAM,IAAI,SAAS,CAAC,MAAM,CAAC;IAC3B,SAAS,CAAC,MAAM,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAEhC,OAAO,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,UAAU,CAAC,GAAkB,EAAE,GAAW,EAAE,IAAY,EAAE,MAAc;IAC/E,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC;IACtC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC;IACjC,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACjC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,GAAkB,EAAE,MAAc,EAAE,KAAa,EAAE,cAAsB;IACpG,OAAO,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,OAAO,EAAE,WAAW,IAAI,UAAU,EAAE,CAAC;AAErC;;;;;GAKG;AACH,MAAM,UAAU,OAAO,CAAC,GAAkB;IACxC,OAAO,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AACvC,CAAC;AA8BD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACtE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACnC,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAkB,EAAE,YAAoB,EAAE,SAAiB,EAAE,MAAc,EAAE,KAAa;IAC5H,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IAElF,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IAE9E,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;IAEpE,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;IACnF,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;IAEnF,MAAM,kBAAkB,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9F,MAAM,iBAAiB,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC3F,MAAM,kBAAkB,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9F,MAAM,iBAAiB,GAAG,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAE3F,MAAM,iBAAiB,GAAG,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IACxF,MAAM,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IAEvE,OAAO;QACL,kBAAkB;QAClB,iBAAiB;QACjB,kBAAkB;QAClB,iBAAiB;QACjB,eAAe;QACf,YAAY;KACb,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,GAAkB,EAAE,YAAoB,EAAE,aAAqB,EAAE,MAAc,EAAE,KAAa;IAClI,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,YAAY,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC;IACpF,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,YAAY,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC;IAEpF,OAAO;QACL,SAAS,EAAE,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC;QAC7E,QAAQ,EAAE,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC;QAC1E,SAAS,EAAE,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC;QAC7E,QAAQ,EAAE,eAAe,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC;KAC3E,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,GAAkB;IACnC,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,yBAAyB,CAAC,GAAkB,EAAE,UAAkB,EAAE,cAAsB;IACtG,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACnG,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACnF,CAAC"}

package/dist/tls/stealth/record-layer.d.ts

@@ -1,122 +1,99 @@
-/**
- * A single parsed TLS record as defined in RFC 8446 ¥5.1.
- *
- * @typedef  {Object} TLSRecord
- * @property {number} type     - Content type byte (see {@link RecordType}).
- * @property {number} version  - Legacy record version (e.g. `0x0303` for TLS 1.2 compatibility).
- * @property {Buffer} fragment - Raw payload bytes of the record.
- */
+/** Parsed TLS record with type, version, and payload fragment. */
 export interface TLSRecord {
+    /** Record content type. */
     type: number;
+    /** Protocol version from the record header. */
     version: number;
+    /** Record payload bytes. */
     fragment: Buffer;
 }
 /**
- * Attempts to parse a single TLS record from `data` beginning at `offset`.
- * Returns `null` without consuming the buffer if fewer than 5 bytes are
- * available or the payload has not been fully received yet.
+ * Read a single TLS record from a buffer at the given offset.
  *
- * @param {Buffer} data   - Buffer containing one or more TLS records.
- * @param {number} offset - Byte offset within `data` to begin parsing.
- * @returns {{ record: TLSRecord; bytesRead: number } | null} Parsed record and byte count, or `null` if more data is needed.
+ * @param {Buffer} data - Buffer containing one or more TLS records.
+ * @param {number} offset - Byte offset to start reading from.
+ * @returns {{ record: TLSRecord; bytesRead: number } | null} Parsed record and bytes consumed, or `null` if incomplete.
  */
 export declare function readRecord(data: Buffer, offset: number): {
     record: TLSRecord;
     bytesRead: number;
 } | null;
 /**
- * Serializes a TLS record into its 5-byte header plus payload binary form.
+ * Write a TLS record with the given type, version, and payload.
  *
- * @param {number} type    - TLS content type byte.
- * @param {number} version - TLS record version (e.g. `0x0303`).
- * @param {Buffer} payload - Record payload bytes.
- * @returns {Buffer} The complete serialized TLS record.
+ * @param {number} type - Record content type.
+ * @param {number} version - Protocol version.
+ * @param {Buffer} payload - Record payload.
+ * @returns {Buffer} Serialized TLS record buffer.
  */
 export declare function writeRecord(type: number, version: number, payload: Buffer): Buffer;
-/**
- * AEAD algorithm identifiers supported by the record layer. Corresponds to
- * the TLS 1.3 mandatory cipher suites.
- *
- * @typedef {'aes-128-gcm'|'aes-256-gcm'|'chacha20-poly1305'} AEADAlgorithm
- */
+/** AEAD algorithm identifiers for TLS record encryption. */
 export type AEADAlgorithm = "aes-128-gcm" | "aes-256-gcm" | "chacha20-poly1305";
 /**
- * Maps a cipher suite name string to the corresponding AEAD algorithm
- * identifier used by the record layer.
+ * Determine the AEAD algorithm from a cipher suite name.
  *
- * @param {string} cipherName - Cipher suite name from {@link TLSConnectionInfo} (e.g. `"TLS_AES_128_GCM_SHA256"`).
- * @returns {AEADAlgorithm} The corresponding AEAD algorithm identifier.
- * @throws {TLSError} If the cipher name does not correspond to a supported AEAD algorithm.
+ * @param {string} cipherName - Cipher suite or algorithm name.
+ * @returns {AEADAlgorithm} Corresponding AEAD algorithm identifier.
  */
 export declare function aeadFromCipher(cipherName: string): AEADAlgorithm;
 /**
- * Constructs the per-record nonce by XOR-ing the static IV with the
- * big-endian 64-bit sequence number (RFC 8446 ¥5.3).
+ * Build a per-record nonce by XORing the IV with a sequence number.
  *
- * @param {Buffer} iv             - Static IV of length matching the AEAD algorithm.
- * @param {bigint} sequenceNumber - Record sequence number (starts at 0, increments by 1).
- * @returns {Buffer} The per-record nonce.
+ * @param {Buffer} iv - Base initialization vector.
+ * @param {bigint} sequenceNumber - Record sequence number.
+ * @returns {Buffer} Nonce buffer for AEAD encryption.
  */
 export declare function buildNonce(iv: Buffer, sequenceNumber: bigint): Buffer;
 /**
- * Encrypts `plaintext` using the specified AEAD algorithm and returns the
- * ciphertext with an appended 16-byte authentication tag.
+ * Encrypt a TLS record payload using AEAD.
  *
- * @param {AEADAlgorithm} algorithm      - AEAD algorithm identifier.
- * @param {Buffer}        key            - Encryption key.
- * @param {Buffer}        nonce          - Per-record nonce.
- * @param {Buffer}        plaintext      - Data to encrypt.
- * @param {Buffer}        additionalData - Additional authenticated data (AAD).
- * @returns {Buffer} Ciphertext followed by the 16-byte authentication tag.
+ * @param {AEADAlgorithm} algorithm - AEAD algorithm.
+ * @param {Buffer} key - Encryption key.
+ * @param {Buffer} nonce - Per-record nonce.
+ * @param {Buffer} plaintext - Plaintext payload.
+ * @param {Buffer} additionalData - Associated data for authentication.
+ * @returns {Buffer} Ciphertext with appended authentication tag.
  */
 export declare function encryptRecord(algorithm: AEADAlgorithm, key: Buffer, nonce: Buffer, plaintext: Buffer, additionalData: Buffer): Buffer;
 /**
- * Decrypts and authenticates `ciphertext` using the specified AEAD algorithm.
- * The last 16 bytes of `ciphertext` are treated as the authentication tag.
+ * Decrypt a TLS record payload using AEAD.
  *
- * @param {AEADAlgorithm} algorithm      - AEAD algorithm identifier.
- * @param {Buffer}        key            - Decryption key.
- * @param {Buffer}        nonce          - Per-record nonce.
- * @param {Buffer}        ciphertext     - Ciphertext including the 16-byte authentication tag.
- * @param {Buffer}        additionalData - Additional authenticated data (AAD) for tag verification.
- * @returns {Buffer} Decrypted plaintext bytes.
- * @throws {TLSError} If the ciphertext is too short or authentication fails.
+ * @param {AEADAlgorithm} algorithm - AEAD algorithm.
+ * @param {Buffer} key - Decryption key.
+ * @param {Buffer} nonce - Per-record nonce.
+ * @param {Buffer} ciphertext - Ciphertext with authentication tag.
+ * @param {Buffer} additionalData - Associated data for verification.
+ * @returns {Buffer} Decrypted plaintext.
  */
 export declare function decryptRecord(algorithm: AEADAlgorithm, key: Buffer, nonce: Buffer, ciphertext: Buffer, additionalData: Buffer): Buffer;
 /**
- * Builds the additional authenticated data (AAD) for a TLS 1.3 application
- * data record, encoded as a 5-byte pseudo-record header per RFC 8446 ¥5.2.
+ * Build the additional authenticated data (AAD) for a TLS 1.3 record.
  *
- * @param {number} ciphertextLength - Total length of the ciphertext including the AEAD tag.
+ * @param {number} ciphertextLength - Length of the ciphertext including the tag.
  * @returns {Buffer} 5-byte AAD buffer.
  */
 export declare function buildAdditionalData(ciphertextLength: number): Buffer;
 /**
- * Encodes a TLS 1.3 inner plaintext (content bytes + content type byte) and
- * wraps it in an encrypted TLS record with the appropriate AAD, following
- * RFC 8446 ¥5.2.
+ * Encrypt and wrap a plaintext payload into a TLS 1.3 application data record.
  *
- * @param {AEADAlgorithm} algorithm     - AEAD algorithm identifier.
- * @param {Buffer}        key           - Application traffic key.
- * @param {Buffer}        iv            - Application traffic IV.
- * @param {bigint}        sequenceNumber - Sequence number for nonce derivation.
- * @param {number}        contentType   - True content type byte to embed in the inner plaintext.
- * @param {Buffer}        plaintext     - Application data to encrypt.
- * @returns {Buffer} The complete TLS application_data record ready to send.
+ * @param {AEADAlgorithm} algorithm - AEAD algorithm.
+ * @param {Buffer} key - Client write key.
+ * @param {Buffer} iv - Client write IV.
+ * @param {bigint} sequenceNumber - Current sequence number.
+ * @param {number} contentType - Inner record content type.
+ * @param {Buffer} plaintext - Plaintext payload.
+ * @returns {Buffer} Serialized encrypted TLS record.
  */
 export declare function wrapEncryptedRecord(algorithm: AEADAlgorithm, key: Buffer, iv: Buffer, sequenceNumber: bigint, contentType: number, plaintext: Buffer): Buffer;
 /**
- * Decrypts a TLS 1.3 application_data record, strips the zero-padding, and
- * recovers the true content type embedded as the last non-zero byte of the
- * inner plaintext (RFC 8446 ¥5.2).
+ * Decrypt and unwrap a TLS 1.3 encrypted record.
  *
- * @param {AEADAlgorithm} algorithm     - AEAD algorithm identifier.
- * @param {Buffer}        key           - Application traffic key.
- * @param {Buffer}        iv            - Application traffic IV.
- * @param {bigint}        sequenceNumber - Sequence number for nonce derivation.
- * @param {TLSRecord}     record        - Encrypted TLS record received from the remote party.
- * @returns {{ contentType: number; plaintext: Buffer }} Recovered content type and decrypted payload.
- * @throws {TLSError} If decryption or authentication fails, or the record is empty after unpadding.
+ * @param {AEADAlgorithm} algorithm - AEAD algorithm.
+ * @param {Buffer} key - Server write key.
+ * @param {Buffer} iv - Server write IV.
+ * @param {bigint} sequenceNumber - Current sequence number.
+ * @param {TLSRecord} record - Encrypted TLS record.
+ * @returns {{ contentType: number; plaintext: Buffer }} Decrypted content type and plaintext.
  */
 export declare function unwrapEncryptedRecord(algorithm: AEADAlgorithm, key: Buffer, iv: Buffer, sequenceNumber: bigint, record: TLSRecord): {
     contentType: number;

package/dist/tls/stealth/record-layer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"record-layer.d.ts","sourceRoot":"","sources":["../../../src/tls/stealth/record-layer.ts"],"names":[],"mappings":"AAUA;;;;;;;GAOG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAexG;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAOlF;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,GAAG,aAAa,GAAG,aAAa,GAAG,mBAAmB,CAAC;AAEhF;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,CAWhE;AAID;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAQrE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAOrI;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAkBtI;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAMpE;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAW7J;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAe9K"}
+{"version":3,"file":"record-layer.d.ts","sourceRoot":"","sources":["../../../src/tls/stealth/record-layer.ts"],"names":[],"mappings":"AAKA,kEAAkE;AAClE,MAAM,WAAW,SAAS;IACxB,2BAA2B;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,+CAA+C;IAC/C,OAAO,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAexG;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAOlF;AAED,4DAA4D;AAC5D,MAAM,MAAM,aAAa,GAAG,aAAa,GAAG,aAAa,GAAG,mBAAmB,CAAC;AAEhF;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,CAWhE;AAID;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAQrE;AAED;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAOrI;AAED;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAkBtI;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAMpE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAW7J;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAe9K"}

package/dist/tls/stealth/record-layer.js

@@ -2,16 +2,12 @@ import { createCipheriv, createDecipheriv } from "node:crypto";
 import { BufferWriter } from "../../utils/buffer-writer.js";
 import { RecordType, ProtocolVersion } from "../constants.js";
 import { TLSError } from "../../core/errors.js";
-const MAX_RECORD_PAYLOAD = 16384;
-const MAX_CIPHERTEXT_OVERHEAD = 256;
 /**
- * Attempts to parse a single TLS record from `data` beginning at `offset`.
- * Returns `null` without consuming the buffer if fewer than 5 bytes are
- * available or the payload has not been fully received yet.
+ * Read a single TLS record from a buffer at the given offset.
  *
- * @param {Buffer} data   - Buffer containing one or more TLS records.
- * @param {number} offset - Byte offset within `data` to begin parsing.
- * @returns {{ record: TLSRecord; bytesRead: number } | null} Parsed record and byte count, or `null` if more data is needed.
+ * @param {Buffer} data - Buffer containing one or more TLS records.
+ * @param {number} offset - Byte offset to start reading from.
+ * @returns {{ record: TLSRecord; bytesRead: number } | null} Parsed record and bytes consumed, or `null` if incomplete.
  */
 export function readRecord(data, offset) {
     if (data.length - offset < 5)
@@ -28,12 +24,12 @@ export function readRecord(data, offset) {
     };
 }
 /**
- * Serializes a TLS record into its 5-byte header plus payload binary form.
+ * Write a TLS record with the given type, version, and payload.
  *
- * @param {number} type    - TLS content type byte.
- * @param {number} version - TLS record version (e.g. `0x0303`).
- * @param {Buffer} payload - Record payload bytes.
- * @returns {Buffer} The complete serialized TLS record.
+ * @param {number} type - Record content type.
+ * @param {number} version - Protocol version.
+ * @param {Buffer} payload - Record payload.
+ * @returns {Buffer} Serialized TLS record buffer.
  */
 export function writeRecord(type, version, payload) {
     const w = new BufferWriter(5 + payload.length);
@@ -44,12 +40,10 @@ export function writeRecord(type, version, payload) {
     return w.toBuffer();
 }
 /**
- * Maps a cipher suite name string to the corresponding AEAD algorithm
- * identifier used by the record layer.
+ * Determine the AEAD algorithm from a cipher suite name.
  *
- * @param {string} cipherName - Cipher suite name from {@link TLSConnectionInfo} (e.g. `"TLS_AES_128_GCM_SHA256"`).
- * @returns {AEADAlgorithm} The corresponding AEAD algorithm identifier.
- * @throws {TLSError} If the cipher name does not correspond to a supported AEAD algorithm.
+ * @param {string} cipherName - Cipher suite or algorithm name.
+ * @returns {AEADAlgorithm} Corresponding AEAD algorithm identifier.
  */
 export function aeadFromCipher(cipherName) {
     if (cipherName.includes("AES_128_GCM") || cipherName.includes("aes-128-gcm")) {
@@ -65,12 +59,11 @@ export function aeadFromCipher(cipherName) {
 }
 const TAG_SIZE = 16;
 /**
- * Constructs the per-record nonce by XOR-ing the static IV with the
- * big-endian 64-bit sequence number (RFC 8446 ¥5.3).
+ * Build a per-record nonce by XORing the IV with a sequence number.
  *
- * @param {Buffer} iv             - Static IV of length matching the AEAD algorithm.
- * @param {bigint} sequenceNumber - Record sequence number (starts at 0, increments by 1).
- * @returns {Buffer} The per-record nonce.
+ * @param {Buffer} iv - Base initialization vector.
+ * @param {bigint} sequenceNumber - Record sequence number.
+ * @returns {Buffer} Nonce buffer for AEAD encryption.
  */
 export function buildNonce(iv, sequenceNumber) {
     const nonce = Buffer.from(iv);
@@ -82,15 +75,14 @@ export function buildNonce(iv, sequenceNumber) {
     return nonce;
 }
 /**
- * Encrypts `plaintext` using the specified AEAD algorithm and returns the
- * ciphertext with an appended 16-byte authentication tag.
+ * Encrypt a TLS record payload using AEAD.
  *
- * @param {AEADAlgorithm} algorithm      - AEAD algorithm identifier.
- * @param {Buffer}        key            - Encryption key.
- * @param {Buffer}        nonce          - Per-record nonce.
- * @param {Buffer}        plaintext      - Data to encrypt.
- * @param {Buffer}        additionalData - Additional authenticated data (AAD).
- * @returns {Buffer} Ciphertext followed by the 16-byte authentication tag.
+ * @param {AEADAlgorithm} algorithm - AEAD algorithm.
+ * @param {Buffer} key - Encryption key.
+ * @param {Buffer} nonce - Per-record nonce.
+ * @param {Buffer} plaintext - Plaintext payload.
+ * @param {Buffer} additionalData - Associated data for authentication.
+ * @returns {Buffer} Ciphertext with appended authentication tag.
  */
 export function encryptRecord(algorithm, key, nonce, plaintext, additionalData) {
     const cipher = createCipheriv(algorithm, key, nonce, { authTagLength: TAG_SIZE });
@@ -101,16 +93,14 @@ export function encryptRecord(algorithm, key, nonce, plaintext, additionalData)
     return Buffer.concat([encrypted, final, tag]);
 }
 /**
- * Decrypts and authenticates `ciphertext` using the specified AEAD algorithm.
- * The last 16 bytes of `ciphertext` are treated as the authentication tag.
+ * Decrypt a TLS record payload using AEAD.
  *
- * @param {AEADAlgorithm} algorithm      - AEAD algorithm identifier.
- * @param {Buffer}        key            - Decryption key.
- * @param {Buffer}        nonce          - Per-record nonce.
- * @param {Buffer}        ciphertext     - Ciphertext including the 16-byte authentication tag.
- * @param {Buffer}        additionalData - Additional authenticated data (AAD) for tag verification.
- * @returns {Buffer} Decrypted plaintext bytes.
- * @throws {TLSError} If the ciphertext is too short or authentication fails.
+ * @param {AEADAlgorithm} algorithm - AEAD algorithm.
+ * @param {Buffer} key - Decryption key.
+ * @param {Buffer} nonce - Per-record nonce.
+ * @param {Buffer} ciphertext - Ciphertext with authentication tag.
+ * @param {Buffer} additionalData - Associated data for verification.
+ * @returns {Buffer} Decrypted plaintext.
  */
 export function decryptRecord(algorithm, key, nonce, ciphertext, additionalData) {
     if (ciphertext.length < TAG_SIZE) {
@@ -131,10 +121,9 @@ export function decryptRecord(algorithm, key, nonce, ciphertext, additionalData)
     }
 }
 /**
- * Builds the additional authenticated data (AAD) for a TLS 1.3 application
- * data record, encoded as a 5-byte pseudo-record header per RFC 8446 ¥5.2.
+ * Build the additional authenticated data (AAD) for a TLS 1.3 record.
  *
- * @param {number} ciphertextLength - Total length of the ciphertext including the AEAD tag.
+ * @param {number} ciphertextLength - Length of the ciphertext including the tag.
  * @returns {Buffer} 5-byte AAD buffer.
  */
 export function buildAdditionalData(ciphertextLength) {
@@ -145,17 +134,15 @@ export function buildAdditionalData(ciphertextLength) {
     return w.toBuffer();
 }
 /**
- * Encodes a TLS 1.3 inner plaintext (content bytes + content type byte) and
- * wraps it in an encrypted TLS record with the appropriate AAD, following
- * RFC 8446 ¥5.2.
+ * Encrypt and wrap a plaintext payload into a TLS 1.3 application data record.
  *
- * @param {AEADAlgorithm} algorithm     - AEAD algorithm identifier.
- * @param {Buffer}        key           - Application traffic key.
- * @param {Buffer}        iv            - Application traffic IV.
- * @param {bigint}        sequenceNumber - Sequence number for nonce derivation.
- * @param {number}        contentType   - True content type byte to embed in the inner plaintext.
- * @param {Buffer}        plaintext     - Application data to encrypt.
- * @returns {Buffer} The complete TLS application_data record ready to send.
+ * @param {AEADAlgorithm} algorithm - AEAD algorithm.
+ * @param {Buffer} key - Client write key.
+ * @param {Buffer} iv - Client write IV.
+ * @param {bigint} sequenceNumber - Current sequence number.
+ * @param {number} contentType - Inner record content type.
+ * @param {Buffer} plaintext - Plaintext payload.
+ * @returns {Buffer} Serialized encrypted TLS record.
  */
 export function wrapEncryptedRecord(algorithm, key, iv, sequenceNumber, contentType, plaintext) {
     const inner = Buffer.alloc(plaintext.length + 1);
@@ -168,17 +155,14 @@ export function wrapEncryptedRecord(algorithm, key, iv, sequenceNumber, contentT
     return writeRecord(RecordType.APPLICATION_DATA, ProtocolVersion.TLS_1_2, ciphertext);
 }
 /**
- * Decrypts a TLS 1.3 application_data record, strips the zero-padding, and
- * recovers the true content type embedded as the last non-zero byte of the
- * inner plaintext (RFC 8446 ¥5.2).
+ * Decrypt and unwrap a TLS 1.3 encrypted record.
  *
- * @param {AEADAlgorithm} algorithm     - AEAD algorithm identifier.
- * @param {Buffer}        key           - Application traffic key.
- * @param {Buffer}        iv            - Application traffic IV.
- * @param {bigint}        sequenceNumber - Sequence number for nonce derivation.
- * @param {TLSRecord}     record        - Encrypted TLS record received from the remote party.
- * @returns {{ contentType: number; plaintext: Buffer }} Recovered content type and decrypted payload.
- * @throws {TLSError} If decryption or authentication fails, or the record is empty after unpadding.
+ * @param {AEADAlgorithm} algorithm - AEAD algorithm.
+ * @param {Buffer} key - Server write key.
+ * @param {Buffer} iv - Server write IV.
+ * @param {bigint} sequenceNumber - Current sequence number.
+ * @param {TLSRecord} record - Encrypted TLS record.
+ * @returns {{ contentType: number; plaintext: Buffer }} Decrypted content type and plaintext.
  */
 export function unwrapEncryptedRecord(algorithm, key, iv, sequenceNumber, record) {
     const nonce = buildNonce(iv, sequenceNumber);

package/dist/tls/stealth/record-layer.js.map

@@ -1 +1 @@
-{"version":3,"file":"record-layer.js","sourceRoot":"","sources":["../../../src/tls/stealth/record-layer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAuB,MAAM,aAAa,CAAC;AAEpF,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAEhD,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAEjC,MAAM,uBAAuB,GAAG,GAAG,CAAC;AAgBpC;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,MAAc;IACrD,IAAI,IAAI,CAAC,MAAM,GAAG,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1C,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAE,CAAC;IAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE7C,IAAI,IAAI,CAAC,MAAM,GAAG,MAAM,GAAG,CAAC,GAAG,MAAM;QAAE,OAAO,IAAI,CAAC;IAEnD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAEhE,OAAO;QACL,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE;QACnC,SAAS,EAAE,CAAC,GAAG,MAAM;KACtB,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,OAAe,EAAE,OAAe;IACxE,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACtB,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;AACtB,CAAC;AAUD;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,UAAkB;IAC/C,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7E,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7E,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACvE,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IACD,MAAM,IAAI,QAAQ,CAAC,uBAAuB,UAAU,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,QAAQ,GAAG,EAAE,CAAC;AAEpB;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU,CAAC,EAAU,EAAE,cAAsB;IAC3D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,GAAG,CAAC,CAAE,IAAI,MAAM,CAAC,CAAC,CAAE,CAAC;IAC7C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,aAAa,CAAC,SAAwB,EAAE,GAAW,EAAE,KAAa,EAAE,SAAiB,EAAE,cAAsB;IAC3H,MAAM,MAAM,GAAG,cAAc,CAAC,SAA2B,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpG,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,aAAa,CAAC,SAAwB,EAAE,GAAW,EAAE,KAAa,EAAE,UAAkB,EAAE,cAAsB;IAC5H,IAAI,UAAU,CAAC,MAAM,GAAG,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,QAAQ,CAAC,+BAA+B,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,aAAa,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAC3E,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAE9D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAA2B,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAC;IACxG,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAChC,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAEzB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,QAAQ,CAAC,wBAAwB,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,gBAAwB;IAC1D,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;IAC1C,CAAC,CAAC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC,CAAC,WAAW,CAAC,gBAAgB,CAAC,CAAC;IAChC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAwB,EAAE,GAAW,EAAE,EAAU,EAAE,cAAsB,EAAE,WAAmB,EAAE,SAAiB;IACnJ,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjD,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtB,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,WAAW,CAAC;IAEtC,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;IAC7C,MAAM,gBAAgB,GAAG,KAAK,CAAC,MAAM,GAAG,QAAQ,CAAC;IACjD,MAAM,GAAG,GAAG,mBAAmB,CAAC,gBAAgB,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,aAAa,CAAC,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IAEpE,OAAO,WAAW,CAAC,UAAU,CAAC,gBAAgB,EAAE,eAAe,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;AACvF,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,qBAAqB,CAAC,SAAwB,EAAE,GAAW,EAAE,EAAU,EAAE,cAAsB,EAAE,MAAiB;IAChI,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,aAAa,CAAC,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAEzE,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IACzB,OAAO,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,CAAC,EAAE,CAAC;IACrC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACV,MAAM,IAAI,QAAQ,CAAC,wBAAwB,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAEvC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;AACpC,CAAC"}
+{"version":3,"file":"record-layer.js","sourceRoot":"","sources":["../../../src/tls/stealth/record-layer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAuB,MAAM,aAAa,CAAC;AACpF,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAYhD;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,MAAc;IACrD,IAAI,IAAI,CAAC,MAAM,GAAG,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1C,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAE,CAAC;IAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE7C,IAAI,IAAI,CAAC,MAAM,GAAG,MAAM,GAAG,CAAC,GAAG,MAAM;QAAE,OAAO,IAAI,CAAC;IAEnD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAEhE,OAAO;QACL,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE;QACnC,SAAS,EAAE,CAAC,GAAG,MAAM;KACtB,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,OAAe,EAAE,OAAe;IACxE,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACtB,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;AACtB,CAAC;AAKD;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,UAAkB;IAC/C,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7E,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7E,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACvE,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IACD,MAAM,IAAI,QAAQ,CAAC,uBAAuB,UAAU,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,QAAQ,GAAG,EAAE,CAAC;AAEpB;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CAAC,EAAU,EAAE,cAAsB;IAC3D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,GAAG,CAAC,CAAE,IAAI,MAAM,CAAC,CAAC,CAAE,CAAC;IAC7C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,aAAa,CAAC,SAAwB,EAAE,GAAW,EAAE,KAAa,EAAE,SAAiB,EAAE,cAAsB;IAC3H,MAAM,MAAM,GAAG,cAAc,CAAC,SAA2B,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpG,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,aAAa,CAAC,SAAwB,EAAE,GAAW,EAAE,KAAa,EAAE,UAAkB,EAAE,cAAsB;IAC5H,IAAI,UAAU,CAAC,MAAM,GAAG,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,QAAQ,CAAC,+BAA+B,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,aAAa,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAC3E,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAE9D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAA2B,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC,CAAC;IACxG,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAChC,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAEzB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,QAAQ,CAAC,wBAAwB,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,gBAAwB;IAC1D,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;IAC1C,CAAC,CAAC,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC,CAAC,WAAW,CAAC,gBAAgB,CAAC,CAAC;IAChC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAwB,EAAE,GAAW,EAAE,EAAU,EAAE,cAAsB,EAAE,WAAmB,EAAE,SAAiB;IACnJ,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjD,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtB,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,WAAW,CAAC;IAEtC,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;IAC7C,MAAM,gBAAgB,GAAG,KAAK,CAAC,MAAM,GAAG,QAAQ,CAAC;IACjD,MAAM,GAAG,GAAG,mBAAmB,CAAC,gBAAgB,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,aAAa,CAAC,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IAEpE,OAAO,WAAW,CAAC,UAAU,CAAC,gBAAgB,EAAE,eAAe,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;AACvF,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,SAAwB,EAAE,GAAW,EAAE,EAAU,EAAE,cAAsB,EAAE,MAAiB;IAChI,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,aAAa,CAAC,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAEzE,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IACzB,OAAO,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,CAAC,EAAE,CAAC;IACrC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACV,MAAM,IAAI,QAAQ,CAAC,wBAAwB,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAEvC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;AACpC,CAAC"}

package/dist/tls/stealth/tls12-handshake.d.ts

@@ -0,0 +1,30 @@
+import * as net from "node:net";
+import type { KeyShareEntry } from "./client-hello.js";
+import type { HandshakeResult } from "./handshake.js";
+/** Context state for a TLS 1.2 handshake. */
+export interface TLS12HandshakeContext {
+    /** Client random bytes from the ClientHello. */
+    clientRandom: Buffer;
+    /** Server random bytes from the ServerHello. */
+    serverRandom: Buffer;
+    /** Negotiated cipher suite identifier. */
+    cipherSuite: number;
+    /** Key share entries generated during ClientHello construction. */
+    keyShares: KeyShareEntry[];
+    /** Server hostname for SNI and certificate verification. */
+    hostname: string;
+    /** Skip certificate chain validation. */
+    insecure: boolean;
+    /** Optional SPKI pin(s) for public-key pinning. */
+    pinnedPublicKey?: string | string[];
+}
+/**
+ * Complete a TLS 1.2 handshake using ECDHE key exchange.
+ *
+ * @param {net.Socket} socket - Connected TCP socket.
+ * @param {TLS12HandshakeContext} ctx - Handshake context from the ServerHello.
+ * @param {Buffer[]} handshakeMessages - Accumulated handshake messages so far.
+ * @returns {Promise<HandshakeResult>} Handshake result with negotiated keys and metadata.
+ */
+export declare function performTLS12Handshake(socket: net.Socket, ctx: TLS12HandshakeContext, handshakeMessages: Buffer[]): Promise<HandshakeResult>;
+//# sourceMappingURL=tls12-handshake.d.ts.map