fix(ext/node): tls.connect socket upgrades

denoland · Nov 28, 2024 · 615d696 · 615d696
1 parent f161adf
commit 615d696
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 1 deletion.
diff --git a/ext/node/polyfills/_tls_wrap.ts b/ext/node/polyfills/_tls_wrap.ts
@@ -151,6 +151,8 @@ export class TLSSocket extends net.Socket {
       // Patches `afterConnect` hook to replace TCP conn with TLS conn
       const afterConnect = handle.afterConnect;
       handle.afterConnect = async (req: any, status: number) => {
+        options.hostname ??= undefined; // coerce to undefined if null, startTls expects hostname to be undefined
+
         try {
           const conn = await Deno.startTls(handle[kStreamBaseField], options);
           try {
@@ -164,15 +166,22 @@ export class TLSSocket extends net.Socket {
             // Don't interrupt "secure" event to let the first read/write
             // operation emit the error.
           }
+
+          // Assign the TLS connection to the handle and resume reading.
           handle[kStreamBaseField] = conn;
+          handle.upgrading = false;
+          handle.readStart();
+
           tlssock.emit("secure");
           tlssock.removeListener("end", onConnectEnd);
-        } catch (_) {
+        } catch (e) {
           // TODO(kt3k): Handle this
+          console.error(e);
         }
         return afterConnect.call(handle, req, status);
       };
 
+      handle.upgrading = true;
       (handle as any).verifyError = function () {
         return null; // Never fails, rejectUnauthorized is always true in Deno.
       };

diff --git a/ext/node/polyfills/internal_binding/stream_wrap.ts b/ext/node/polyfills/internal_binding/stream_wrap.ts
@@ -322,6 +322,13 @@ export class LibuvStreamWrap extends HandleWrap {
     let buf = this.#buf;
     let nread: number | null;
     const ridBefore = this[kStreamBaseField]![internalRidSymbol];
+
+    if (this.upgrading) {
+      // Starting an upgrade, stop reading. Upgrading will resume reading.
+      this.#reading = false;
+      return;
+    }
+
     try {
       nread = await this[kStreamBaseField]!.read(buf);
     } catch (e) {
@@ -382,6 +389,11 @@ export class LibuvStreamWrap extends HandleWrap {
 
     const ridBefore = this[kStreamBaseField]![internalRidSymbol];
 
+    if (this.upgrading) {
+      // Stop writes during an upgrade.
+      return;
+    }
+
     let nwritten = 0;
     try {
       // TODO(crowlKats): duplicate from runtime/js/13_buffer.js

diff --git a/tests/unit_node/tls_test.ts b/tests/unit_node/tls_test.ts
@@ -257,3 +257,16 @@ Deno.test("TLSSocket.alpnProtocol is set for client", async () => {
   listener.close();
   await new Promise((resolve) => outgoing.on("close", resolve));
 });
+
+Deno.test("tls connect upgrade tcp", async () => {
+  const { promise, resolve } = Promise.withResolvers<void>();
+
+  const socket = new net.Socket();
+  socket.connect(443, "google.com");
+  socket.on("connect", () => {
+    const secure = tls.connect({ socket });
+    secure.on("secureConnect", () => resolve());
+  });
+
+  await promise;
+});