From 33dc5d262288f4efae3077978f37f22338568b35 Mon Sep 17 00:00:00 2001
From: Divy Srivastava <dj.srivastava23@gmail.com>
Date: Fri, 11 Aug 2023 17:27:41 +0530
Subject: [PATCH] fix(node): implement TLSSocket._start (#20120)

Closes https://github.com/denoland/deno/issues/19983
Closes https://github.com/denoland/deno/issues/18303
Closes https://github.com/denoland/deno/issues/16681
Closes https://github.com/denoland/deno/issues/19978
---
 cli/tests/unit_node/tls_test.ts               | 32 +++++++++++++++++++
 ext/node/polyfills/_tls_wrap.ts               | 16 ++++++++--
 .../polyfills/internal_binding/stream_wrap.ts | 17 +++++++++-
 3 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/cli/tests/unit_node/tls_test.ts b/cli/tests/unit_node/tls_test.ts
index 79c1e634ca0cb..7a270c60b3fa4 100644
--- a/cli/tests/unit_node/tls_test.ts
+++ b/cli/tests/unit_node/tls_test.ts
@@ -56,6 +56,38 @@ Connection: close
   await serve;
 });
 
+// https://github.com/denoland/deno/pull/20120
+Deno.test("tls.connect mid-read tcp->tls upgrade", async () => {
+  const ctl = new AbortController();
+  const serve = serveTls(() => new Response("hello"), {
+    port: 8443,
+    key,
+    cert,
+    signal: ctl.signal,
+  });
+
+  await delay(200);
+
+  const conn = tls.connect({
+    host: "localhost",
+    port: 8443,
+    secureContext: {
+      ca: rootCaCert,
+      // deno-lint-ignore no-explicit-any
+    } as any,
+  });
+
+  conn.setEncoding("utf8");
+  conn.write(`GET / HTTP/1.1\nHost: www.google.com\n\n`);
+
+  conn.on("data", (_) => {
+    conn.destroy();
+    ctl.abort();
+  });
+
+  await serve;
+});
+
 Deno.test("tls.createServer creates a TLS server", async () => {
   const p = deferred();
   const server = tls.createServer(
diff --git a/ext/node/polyfills/_tls_wrap.ts b/ext/node/polyfills/_tls_wrap.ts
index 39df239d0d286..416bd4136f8f3 100644
--- a/ext/node/polyfills/_tls_wrap.ts
+++ b/ext/node/polyfills/_tls_wrap.ts
@@ -26,6 +26,11 @@ import {
 import { EventEmitter } from "node:events";
 import { kEmptyObject } from "ext:deno_node/internal/util.mjs";
 import { nextTick } from "ext:deno_node/_next_tick.ts";
+import { kHandle } from "ext:deno_node/internal/stream_base_commons.ts";
+import {
+  isAnyArrayBuffer,
+  isArrayBufferView,
+} from "ext:deno_node/internal/util/types.ts";
 
 const kConnectOptions = Symbol("connect-options");
 const kIsVerified = Symbol("verified");
@@ -71,7 +76,11 @@ export class TLSSocket extends net.Socket {
   [kPendingSession]: any;
   [kConnectOptions]: any;
   ssl: any;
-  _start: any;
+
+  _start() {
+    this[kHandle].afterConnect();
+  }
+
   constructor(socket: any, opts: any = kEmptyObject) {
     const tlsOptions = { ...opts };
 
@@ -84,6 +93,9 @@ export class TLSSocket extends net.Socket {
 
     let caCerts = tlsOptions?.secureContext?.ca;
     if (typeof caCerts === "string") caCerts = [caCerts];
+    else if (isArrayBufferView(caCerts) || isAnyArrayBuffer(caCerts)) {
+      caCerts = [new TextDecoder().decode(caCerts)];
+    }
     tlsOptions.caCerts = caCerts;
 
     super({
@@ -139,9 +151,9 @@ export class TLSSocket extends net.Socket {
       handle.afterConnect = async (req: any, status: number) => {
         try {
           const conn = await Deno.startTls(handle[kStreamBaseField], options);
+          handle[kStreamBaseField] = conn;
           tlssock.emit("secure");
           tlssock.removeListener("end", onConnectEnd);
-          handle[kStreamBaseField] = conn;
         } catch {
           // TODO(kt3k): Handle this
         }
diff --git a/ext/node/polyfills/internal_binding/stream_wrap.ts b/ext/node/polyfills/internal_binding/stream_wrap.ts
index 528dd7c3f265a..66ebbe682dfad 100644
--- a/ext/node/polyfills/internal_binding/stream_wrap.ts
+++ b/ext/node/polyfills/internal_binding/stream_wrap.ts
@@ -314,9 +314,16 @@ export class LibuvStreamWrap extends HandleWrap {
     let buf = BUF;
 
     let nread: number | null;
+    const ridBefore = this[kStreamBaseField]!.rid;
     try {
       nread = await this[kStreamBaseField]!.read(buf);
     } catch (e) {
+      // Try to read again if the underlying stream resource
+      // changed. This can happen during TLS upgrades (eg. STARTTLS)
+      if (ridBefore != this[kStreamBaseField]!.rid) {
+        return this.#read();
+      }
+
       if (
         e instanceof Deno.errors.Interrupted ||
         e instanceof Deno.errors.BadResource
@@ -365,15 +372,23 @@ export class LibuvStreamWrap extends HandleWrap {
   async #write(req: WriteWrap<LibuvStreamWrap>, data: Uint8Array) {
     const { byteLength } = data;
 
+    const ridBefore = this[kStreamBaseField]!.rid;
+
+    let nwritten = 0;
     try {
       // TODO(crowlKats): duplicate from runtime/js/13_buffer.js
-      let nwritten = 0;
       while (nwritten < data.length) {
         nwritten += await this[kStreamBaseField]!.write(
           data.subarray(nwritten),
         );
       }
     } catch (e) {
+      // Try to read again if the underlying stream resource
+      // changed. This can happen during TLS upgrades (eg. STARTTLS)
+      if (ridBefore != this[kStreamBaseField]!.rid) {
+        return this.#write(req, data.subarray(nwritten));
+      }
+
       let status: number;
 
       // TODO(cmorten): map err to status codes