aboutsummaryrefslogtreecommitdiff
path: root/src/js/node
diff options
context:
space:
mode:
authorGravatar Ciro Spaciari <ciro.spaciari@gmail.com> 2023-07-03 16:19:50 -0300
committerGravatar GitHub <noreply@github.com> 2023-07-03 12:19:50 -0700
commita7a01bd52f20e7908f06d4de9a1814902b838a4b (patch)
tree7c06354f17b98cb09eeb33c31dde70cb053bfa72 /src/js/node
parent48d726bfd0701f8e33442f2c7075dc8191a2ccb4 (diff)
downloadbun-a7a01bd52f20e7908f06d4de9a1814902b838a4b.tar.gz
bun-a7a01bd52f20e7908f06d4de9a1814902b838a4b.tar.zst
bun-a7a01bd52f20e7908f06d4de9a1814902b838a4b.zip
[tls] add socket parameter, setServername and ALPNprotocols support (#3457)
* add socket parameter support * refactor #socket * add test and more fixs * some fixes * bump uws * handlers fix * more fixes * fix node net and node tls tests * fix duplicate port * fix deinit on CallbackJobs * cleanup * add setImmediate repro * add test to setImmediate * this is necessary? * fix prependOnce on native listener * try to findout the error on nodemailer CI * show error message * Update bun.lockb * prettier * Use exact versions of packages * add alpnProtocol support * update * emit error when connect fails on net.Socket * format * fix _write and cleanup * fixup * fix connect, add alpn test * fix socket.io * add socket parameter to TLSSocket * add TLSSocket socket first parameter * fixup and _start * remove flask tests * fmt --------- Co-authored-by: Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com>
Diffstat (limited to 'src/js/node')
-rw-r--r--src/js/node/net.js151
-rw-r--r--src/js/node/tls.js351
2 files changed, 454 insertions, 48 deletions
diff --git a/src/js/node/net.js b/src/js/node/net.js
index 430a0dfa2..1b7742dd1 100644
--- a/src/js/node/net.js
+++ b/src/js/node/net.js
@@ -64,6 +64,7 @@ const bunTlsSymbol = Symbol.for("::buntls::");
const bunSocketServerHandlers = Symbol.for("::bunsocket_serverhandlers::");
const bunSocketServerConnections = Symbol.for("::bunnetserverconnections::");
const bunSocketServerOptions = Symbol.for("::bunnetserveroptions::");
+const bunSocketInternal = Symbol.for("::bunnetsocketinternal::");
var SocketClass;
const Socket = (function (InternalSocket) {
@@ -117,7 +118,7 @@ const Socket = (function (InternalSocket) {
const self = socket.data;
socket.timeout(self.timeout);
socket.ref();
- self.#socket = socket;
+ self[bunSocketInternal] = socket;
self.connecting = false;
self.emit("connect", self);
Socket.#Drain(socket);
@@ -164,7 +165,7 @@ const Socket = (function (InternalSocket) {
if (self.#closed) return;
self.#closed = true;
//socket cannot be used after close
- self.#socket = null;
+ self[bunSocketInternal] = null;
const queue = self.#readQueue;
if (queue.isEmpty()) {
if (self.push(null)) return;
@@ -289,23 +290,33 @@ const Socket = (function (InternalSocket) {
localAddress = "127.0.0.1";
#readQueue = createFIFO();
remotePort;
- #socket;
+ [bunSocketInternal] = null;
timeout = 0;
#writeCallback;
#writeChunk;
#pendingRead;
isServer = false;
+ _handle;
+ _parent;
+ _parentWrap;
+ #socket;
constructor(options) {
- const { signal, write, read, allowHalfOpen = false, ...opts } = options || {};
+ const { socket, signal, write, read, allowHalfOpen = false, ...opts } = options || {};
super({
...opts,
allowHalfOpen,
readable: true,
writable: true,
});
+ this._handle = this;
+ this._parent = this;
+ this._parentWrap = this;
this.#pendingRead = undefined;
+ if (socket instanceof Socket) {
+ this.#socket = socket;
+ }
signal?.once("abort", () => this.destroy());
this.once("connect", () => this.emit("ready"));
}
@@ -327,7 +338,7 @@ const Socket = (function (InternalSocket) {
socket.data = this;
socket.timeout(this.timeout);
socket.ref();
- this.#socket = socket;
+ this[bunSocketInternal] = socket;
this.connecting = false;
this.emit("connect", this);
Socket.#Drain(socket);
@@ -335,6 +346,7 @@ const Socket = (function (InternalSocket) {
connect(port, host, connectListener) {
var path;
+ var connection = this.#socket;
if (typeof port === "string") {
path = port;
port = undefined;
@@ -357,6 +369,7 @@ const Socket = (function (InternalSocket) {
port,
host,
path,
+ socket,
// TODOs
localAddress,
localPort,
@@ -371,7 +384,11 @@ const Socket = (function (InternalSocket) {
pauseOnConnect,
servername,
} = port;
+
this.servername = servername;
+ if (socket) {
+ connection = socket;
+ }
}
if (!pauseOnConnect) {
@@ -399,41 +416,117 @@ const Socket = (function (InternalSocket) {
} else {
tls.rejectUnauthorized = rejectUnauthorized;
tls.requestCert = true;
+ if (!connection && tls.socket) {
+ connection = tls.socket;
+ }
+ }
+ }
+ if (connection) {
+ if (
+ typeof connection !== "object" ||
+ !(connection instanceof Socket) ||
+ typeof connection[bunTlsSymbol] === "function"
+ ) {
+ throw new TypeError("socket must be an instance of net.Socket");
}
}
-
this.authorized = false;
this.secureConnecting = true;
this._secureEstablished = false;
this._securePending = true;
if (connectListener) this.on("secureConnect", connectListener);
} else if (connectListener) this.on("connect", connectListener);
- bunConnect(
- path
- ? {
+ // start using existing connection
+
+ if (connection) {
+ const socket = connection[bunSocketInternal];
+
+ if (socket) {
+ const result = socket.wrapTLS({
+ data: this,
+ tls,
+ socket: Socket.#Handlers,
+ });
+ if (result) {
+ const [raw, tls] = result;
+ // replace socket
+ connection[bunSocketInternal] = raw;
+ raw.timeout(raw.timeout);
+ raw.connecting = false;
+ // set new socket
+ this[bunSocketInternal] = tls;
+ tls.timeout(tls.timeout);
+ tls.connecting = true;
+ this[bunSocketInternal] = socket;
+ // start tls
+ tls.open();
+ } else {
+ this[bunSocketInternal] = null;
+ throw new Error("Invalid socket");
+ }
+ } else {
+ // wait to be connected
+ connection.once("connect", () => {
+ const socket = connection[bunSocketInternal];
+ if (!socket) return;
+
+ const result = socket.wrapTLS({
data: this,
- unix: path,
- socket: Socket.#Handlers,
tls,
- }
- : {
- data: this,
- hostname: host || "localhost",
- port: port,
socket: Socket.#Handlers,
- tls,
- },
- );
+ });
+
+ if (result) {
+ const [raw, tls] = result;
+ // replace socket
+ connection[bunSocketInternal] = raw;
+ raw.timeout(raw.timeout);
+ raw.connecting = false;
+ // set new socket
+ this[bunSocketInternal] = tls;
+ tls.timeout(tls.timeout);
+ tls.connecting = true;
+ this[bunSocketInternal] = socket;
+ // start tls
+ tls.open();
+ } else {
+ this[bunSocketInternal] = null;
+ throw new Error("Invalid socket");
+ }
+ });
+ }
+ } else if (path) {
+ // start using unix socket
+ bunConnect({
+ data: this,
+ unix: path,
+ socket: Socket.#Handlers,
+ tls,
+ }).catch(error => {
+ this.emit("error", error);
+ });
+ } else {
+ // default start
+ bunConnect({
+ data: this,
+ hostname: host || "localhost",
+ port: port,
+ socket: Socket.#Handlers,
+ tls,
+ }).catch(error => {
+ this.emit("error", error);
+ });
+ }
return this;
}
_destroy(err, callback) {
- this.#socket?.end();
+ this[bunSocketInternal]?.end();
callback(err);
}
_final(callback) {
- this.#socket?.end();
+ this[bunSocketInternal]?.end();
callback();
}
@@ -446,7 +539,7 @@ const Socket = (function (InternalSocket) {
}
get localPort() {
- return this.#socket?.localPort;
+ return this[bunSocketInternal]?.localPort;
}
get pending() {
@@ -472,11 +565,11 @@ const Socket = (function (InternalSocket) {
}
ref() {
- this.#socket?.ref();
+ this[bunSocketInternal]?.ref();
}
get remoteAddress() {
- return this.#socket?.remoteAddress;
+ return this[bunSocketInternal]?.remoteAddress;
}
get remoteFamily() {
@@ -484,7 +577,7 @@ const Socket = (function (InternalSocket) {
}
resetAndDestroy() {
- this.#socket?.end();
+ this[bunSocketInternal]?.end();
}
setKeepAlive(enable = false, initialDelay = 0) {
@@ -498,19 +591,19 @@ const Socket = (function (InternalSocket) {
}
setTimeout(timeout, callback) {
- this.#socket?.timeout(timeout);
+ this[bunSocketInternal]?.timeout(timeout);
this.timeout = timeout;
if (callback) this.once("timeout", callback);
return this;
}
unref() {
- this.#socket?.unref();
+ this[bunSocketInternal]?.unref();
}
_write(chunk, encoding, callback) {
- if (typeof chunk == "string" && encoding !== "utf8") chunk = Buffer.from(chunk, encoding);
- var written = this.#socket?.write(chunk);
+ if (typeof chunk == "string" && encoding !== "ascii") chunk = Buffer.from(chunk, encoding);
+ var written = this[bunSocketInternal]?.write(chunk);
if (written == chunk.length) {
callback();
} else if (this.#writeCallback) {
diff --git a/src/js/node/tls.js b/src/js/node/tls.js
index 356c25cbd..310a36620 100644
--- a/src/js/node/tls.js
+++ b/src/js/node/tls.js
@@ -1,9 +1,30 @@
// Hardcoded module "node:tls"
-import { isTypedArray } from "util/types";
+import { isArrayBufferView, isTypedArray } from "util/types";
import net, { Server as NetServer } from "node:net";
const InternalTCPSocket = net[Symbol.for("::bunternal::")];
-
+const bunSocketInternal = Symbol.for("::bunnetsocketinternal::");
+
+const { RegExp, Array, String } = globalThis[Symbol.for("Bun.lazy")]("primordials");
+const SymbolReplace = Symbol.replace;
+const RegExpPrototypeSymbolReplace = RegExp.prototype[SymbolReplace];
+const RegExpPrototypeExec = RegExp.prototype.exec;
+
+const StringPrototypeStartsWith = String.prototype.startsWith;
+const StringPrototypeSlice = String.prototype.slice;
+const StringPrototypeIncludes = String.prototype.includes;
+const StringPrototypeSplit = String.prototype.split;
+const StringPrototypeIndexOf = String.prototype.indexOf;
+const StringPrototypeSubstring = String.prototype.substring;
+const StringPrototypeEndsWith = String.prototype.endsWith;
+
+const ArrayPrototypeIncludes = Array.prototype.includes;
+const ArrayPrototypeJoin = Array.prototype.join;
+const ArrayPrototypeForEach = Array.prototype.forEach;
+const ArrayPrototypePush = Array.prototype.push;
+const ArrayPrototypeSome = Array.prototype.some;
+const ArrayPrototypeReduce = Array.prototype.reduce;
function parseCertString() {
+ // Removed since JAN 2022 Node v18.0.0+ https://github.com/nodejs/node/pull/41479
throwNotImplemented("Not implemented");
}
@@ -18,6 +39,164 @@ function isValidTLSArray(obj) {
}
}
+function unfqdn(host) {
+ return RegExpPrototypeSymbolReplace(/[.]$/, host, "");
+}
+
+function splitHost(host) {
+ return StringPrototypeSplit.call(RegExpPrototypeSymbolReplace(/[A-Z]/g, unfqdn(host), toLowerCase), ".");
+}
+
+function check(hostParts, pattern, wildcards) {
+ // Empty strings, null, undefined, etc. never match.
+ if (!pattern) return false;
+
+ const patternParts = splitHost(pattern);
+
+ if (hostParts.length !== patternParts.length) return false;
+
+ // Pattern has empty components, e.g. "bad..example.com".
+ if (ArrayPrototypeIncludes.call(patternParts, "")) return false;
+
+ // RFC 6125 allows IDNA U-labels (Unicode) in names but we have no
+ // good way to detect their encoding or normalize them so we simply
+ // reject them. Control characters and blanks are rejected as well
+ // because nothing good can come from accepting them.
+ const isBad = s => RegExpPrototypeExec.call(/[^\u0021-\u007F]/u, s) !== null;
+ if (ArrayPrototypeSome.call(patternParts, isBad)) return false;
+
+ // Check host parts from right to left first.
+ for (let i = hostParts.length - 1; i > 0; i -= 1) {
+ if (hostParts[i] !== patternParts[i]) return false;
+ }
+
+ const hostSubdomain = hostParts[0];
+ const patternSubdomain = patternParts[0];
+ const patternSubdomainParts = StringPrototypeSplit.call(patternSubdomain, "*");
+
+ // Short-circuit when the subdomain does not contain a wildcard.
+ // RFC 6125 does not allow wildcard substitution for components
+ // containing IDNA A-labels (Punycode) so match those verbatim.
+ if (patternSubdomainParts.length === 1 || StringPrototypeIncludes.call(patternSubdomain, "xn--"))
+ return hostSubdomain === patternSubdomain;
+
+ if (!wildcards) return false;
+
+ // More than one wildcard is always wrong.
+ if (patternSubdomainParts.length > 2) return false;
+
+ // *.tld wildcards are not allowed.
+ if (patternParts.length <= 2) return false;
+
+ const { 0: prefix, 1: suffix } = patternSubdomainParts;
+
+ if (prefix.length + suffix.length > hostSubdomain.length) return false;
+
+ if (!StringPrototypeStartsWith.call(hostSubdomain, prefix)) return false;
+
+ if (!StringPrototypeEndsWith.call(hostSubdomain, suffix)) return false;
+
+ return true;
+}
+
+// This pattern is used to determine the length of escaped sequences within
+// the subject alt names string. It allows any valid JSON string literal.
+// This MUST match the JSON specification (ECMA-404 / RFC8259) exactly.
+const jsonStringPattern =
+ // eslint-disable-next-line no-control-regex
+ /^"(?:[^"\\\u0000-\u001f]|\\(?:["\\/bfnrt]|u[0-9a-fA-F]{4}))*"/;
+
+function splitEscapedAltNames(altNames) {
+ const result = [];
+ let currentToken = "";
+ let offset = 0;
+ while (offset !== altNames.length) {
+ const nextSep = StringPrototypeIndexOf.call(altNames, ", ", offset);
+ const nextQuote = StringPrototypeIndexOf.call(altNames, '"', offset);
+ if (nextQuote !== -1 && (nextSep === -1 || nextQuote < nextSep)) {
+ // There is a quote character and there is no separator before the quote.
+ currentToken += StringPrototypeSubstring.call(altNames, offset, nextQuote);
+ const match = RegExpPrototypeExec.call(jsonStringPattern, StringPrototypeSubstring.call(altNames, nextQuote));
+ if (!match) {
+ let error = new SyntaxError("ERR_TLS_CERT_ALTNAME_FORMAT: Invalid subject alternative name string");
+ error.name = ERR_TLS_CERT_ALTNAME_FORMAT;
+ throw error;
+ }
+ currentToken += JSON.parse(match[0]);
+ offset = nextQuote + match[0].length;
+ } else if (nextSep !== -1) {
+ // There is a separator and no quote before it.
+ currentToken += StringPrototypeSubstring.call(altNames, offset, nextSep);
+ ArrayPrototypePush.call(result, currentToken);
+ currentToken = "";
+ offset = nextSep + 2;
+ } else {
+ currentToken += StringPrototypeSubstring.call(altNames, offset);
+ offset = altNames.length;
+ }
+ }
+ ArrayPrototypePush.call(result, currentToken);
+ return result;
+}
+function checkServerIdentity(hostname, cert) {
+ const subject = cert.subject;
+ const altNames = cert.subjectaltname;
+ const dnsNames = [];
+ const ips = [];
+
+ hostname = "" + hostname;
+
+ if (altNames) {
+ const splitAltNames = StringPrototypeIncludes.call(altNames, '"')
+ ? splitEscapedAltNames(altNames)
+ : StringPrototypeSplit.call(altNames, ", ");
+ ArrayPrototypeForEach.call(splitAltNames, name => {
+ if (StringPrototypeStartsWith.call(name, "DNS:")) {
+ ArrayPrototypePush.call(dnsNames, StringPrototypeSlice.call(name, 4));
+ } else if (StringPrototypeStartsWith.call(name, "IP Address:")) {
+ ArrayPrototypePush.call(ips, canonicalizeIP(StringPrototypeSlice.call(name, 11)));
+ }
+ });
+ }
+
+ let valid = false;
+ let reason = "Unknown reason";
+
+ hostname = unfqdn(hostname); // Remove trailing dot for error messages.
+
+ if (net.isIP(hostname)) {
+ valid = ArrayPrototypeIncludes.call(ips, canonicalizeIP(hostname));
+ if (!valid) reason = `IP: ${hostname} is not in the cert's list: ` + ArrayPrototypeJoin.call(ips, ", ");
+ } else if (dnsNames.length > 0 || subject?.CN) {
+ const hostParts = splitHost(hostname);
+ const wildcard = pattern => check(hostParts, pattern, true);
+
+ if (dnsNames.length > 0) {
+ valid = ArrayPrototypeSome.call(dnsNames, wildcard);
+ if (!valid) reason = `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
+ } else {
+ // Match against Common Name only if no supported identifiers exist.
+ const cn = subject.CN;
+
+ if (ArrayIsArray(cn)) valid = ArrayPrototypeSome.call(cn, wildcard);
+ else if (cn) valid = wildcard(cn);
+
+ if (!valid) reason = `Host: ${hostname}. is not cert's CN: ${cn}`;
+ }
+ } else {
+ reason = "Cert does not contain a DNS name";
+ }
+
+ if (!valid) {
+ let error = new Error(`ERR_TLS_CERT_ALTNAME_INVALID: Hostname/IP does not match certificate's altnames: ${reason}`);
+ error.name = "ERR_TLS_CERT_ALTNAME_INVALID";
+ error.reason = reason;
+ error.host = host;
+ error.cert = cert;
+ return error;
+ }
+}
+
var InternalSecureContext = class SecureContext {
context;
@@ -83,6 +262,36 @@ function createSecureContext(options) {
return new SecureContext(options);
}
+// Translate some fields from the handle's C-friendly format into more idiomatic
+// javascript object representations before passing them back to the user. Can
+// be used on any cert object, but changing the name would be semver-major.
+function translatePeerCertificate(c) {
+ if (!c) return null;
+
+ if (c.issuerCertificate != null && c.issuerCertificate !== c) {
+ c.issuerCertificate = translatePeerCertificate(c.issuerCertificate);
+ }
+ if (c.infoAccess != null) {
+ const info = c.infoAccess;
+ c.infoAccess = { __proto__: null };
+
+ // XXX: More key validation?
+ RegExpPrototypeSymbolReplace(/([^\n:]*):([^\n]*)(?:\n|$)/g, info, (all, key, val) => {
+ if (val.charCodeAt(0) === 0x22) {
+ // The translatePeerCertificate function is only
+ // used on internally created legacy certificate
+ // objects, and any value that contains a quote
+ // will always be a valid JSON string literal,
+ // so this should never throw.
+ val = JSONParse(val);
+ }
+ if (key in c.infoAccess) ArrayPrototypePush.call(c.infoAccess[key], val);
+ else c.infoAccess[key] = [val];
+ });
+ }
+ return c;
+}
+
const buntls = Symbol.for("::buntls::");
var SocketClass;
@@ -107,8 +316,22 @@ const TLSSocket = (function (InternalTLSSocket) {
})(
class TLSSocket extends InternalTCPSocket {
#secureContext;
- constructor(options) {
- super(options);
+ ALPNProtocols;
+ #socket;
+
+ constructor(socket, options) {
+ super(socket instanceof InternalTCPSocket ? options : options || socket);
+ options = options || socket || {};
+ if (typeof options === "object") {
+ const { ALPNProtocols } = options;
+ if (ALPNProtocols) {
+ convertALPNProtocols(ALPNProtocols, this);
+ }
+ if (socket instanceof InternalTCPSocket) {
+ this.#socket = socket;
+ }
+ }
+
this.#secureContext = options.secureContext || createSecureContext(options);
this.authorized = false;
this.secureConnecting = true;
@@ -123,28 +346,52 @@ const TLSSocket = (function (InternalTLSSocket) {
secureConnecting = false;
_SNICallback;
servername;
- alpnProtocol;
authorized = false;
authorizationError;
encrypted = true;
- exportKeyingMaterial() {
- throw Error("Not implented in Bun yet");
+ _start() {
+ // some frameworks uses this _start internal implementation is suposed to start TLS handshake
+ // on Bun we auto start this after on_open callback and when wrapping we start it after the socket is attached to the net.Socket/tls.Socket
}
- setMaxSendFragment() {
+
+ exportKeyingMaterial(length, label, context) {
+ //SSL_export_keying_material
throw Error("Not implented in Bun yet");
}
- setServername() {
+ setMaxSendFragment(size) {
+ // SSL_set_max_send_fragment
throw Error("Not implented in Bun yet");
}
+ setServername(name) {
+ if (this.isServer) {
+ let error = new Error("ERR_TLS_SNI_FROM_SERVER: Cannot issue SNI from a TLS server-side socket");
+ error.name = "ERR_TLS_SNI_FROM_SERVER";
+ throw error;
+ }
+ // if the socket is detached we can't set the servername but we set this property so when open will auto set to it
+ this.servername = name;
+ this[bunSocketInternal]?.setServername(name);
+ }
setSession() {
throw Error("Not implented in Bun yet");
}
getPeerCertificate() {
+ // need to implement peerCertificate on socket.zig
+ // const cert = this[bunSocketInternal]?.peerCertificate;
+ // if(cert) {
+ // return translatePeerCertificate(cert);
+ // }
throw Error("Not implented in Bun yet");
}
getCertificate() {
+ // need to implement certificate on socket.zig
+ // const cert = this[bunSocketInternal]?.certificate;
+ // if(cert) {
+ // It's not a peer cert, but the formatting is identical.
+ // return translatePeerCertificate(cert);
+ // }
throw Error("Not implented in Bun yet");
}
getPeerX509Certificate() {
@@ -154,16 +401,17 @@ const TLSSocket = (function (InternalTLSSocket) {
throw Error("Not implented in Bun yet");
}
- [buntls](port, host) {
- var { servername } = this;
- if (servername) {
- return {
- serverName: typeof servername === "string" ? servername : host,
- ...this.#secureContext,
- };
- }
+ get alpnProtocol() {
+ return this[bunSocketInternal]?.alpnProtocol;
+ }
- return true;
+ [buntls](port, host) {
+ return {
+ socket: this.#socket,
+ ALPNProtocols: this.ALPNProtocols,
+ serverName: this.servername || host || "localhost",
+ ...this.#secureContext,
+ };
}
},
);
@@ -177,9 +425,12 @@ class Server extends NetServer {
_rejectUnauthorized;
_requestCert;
servername;
+ ALPNProtocols;
+ #checkServerIdentity;
constructor(options, secureConnectionListener) {
super(options, secureConnectionListener);
+ this.#checkServerIdentity = options?.checkServerIdentity || checkServerIdentity;
this.setSecureContext(options);
}
emit(event, args) {
@@ -197,6 +448,12 @@ class Server extends NetServer {
options = options.context;
}
if (options) {
+ const { ALPNProtocols } = options;
+
+ if (ALPNProtocols) {
+ convertALPNProtocols(ALPNProtocols, this);
+ }
+
let key = options.key;
if (key) {
if (!isValidTLSArray(key)) {
@@ -277,6 +534,8 @@ class Server extends NetServer {
// Client always is NONE on set_verify
rejectUnauthorized: isClient ? false : this._rejectUnauthorized,
requestCert: isClient ? false : this._requestCert,
+ ALPNProtocols: this.ALPNProtocols,
+ checkServerIdentity: this.#checkServerIdentity,
},
SocketClass,
];
@@ -296,6 +555,11 @@ const CLIENT_RENEG_LIMIT = 3,
DEFAULT_MAX_VERSION = "TLSv1.3",
createConnection = (port, host, connectListener) => {
if (typeof port === "object") {
+ port.checkServerIdentity || checkServerIdentity;
+ const { ALPNProtocols } = port;
+ if (ALPNProtocols) {
+ convertALPNProtocols(ALPNProtocols, port);
+ }
// port is option pass Socket options and let connect handle connection options
return new TLSSocket(port).connect(port, host, connectListener);
}
@@ -312,7 +576,55 @@ function getCurves() {
return;
}
-function convertALPNProtocols(protocols, out) {}
+// Convert protocols array into valid OpenSSL protocols list
+// ("\x06spdy/2\x08http/1.1\x08http/1.0")
+function convertProtocols(protocols) {
+ const lens = new Array(protocols.length);
+ const buff = Buffer.allocUnsafe(
+ ArrayPrototypeReduce.call(
+ protocols,
+ (p, c, i) => {
+ const len = Buffer.byteLength(c);
+ if (len > 255) {
+ throw new RangeError(
+ "The byte length of the protocol at index " + `${i} exceeds the maximum length.`,
+ "<= 255",
+ len,
+ true,
+ );
+ }
+ lens[i] = len;
+ return p + 1 + len;
+ },
+ 0,
+ ),
+ );
+
+ let offset = 0;
+ for (let i = 0, c = protocols.length; i < c; i++) {
+ buff[offset++] = lens[i];
+ buff.write(protocols[i], offset);
+ offset += lens[i];
+ }
+
+ return buff;
+}
+
+function convertALPNProtocols(protocols, out) {
+ // If protocols is Array - translate it into buffer
+ if (Array.isArray(protocols)) {
+ out.ALPNProtocols = convertProtocols(protocols);
+ } else if (isTypedArray(protocols)) {
+ // Copy new buffer not to be modified by user.
+ out.ALPNProtocols = Buffer.from(protocols);
+ } else if (isArrayBufferView(protocols)) {
+ out.ALPNProtocols = Buffer.from(
+ protocols.buffer.slice(protocols.byteOffset, protocols.byteOffset + protocols.byteLength),
+ );
+ } else if (Buffer.isBuffer(protocols)) {
+ out.ALPNProtocols = protocols;
+ }
+}
var exports = {
[Symbol.for("CommonJS")]: 0,
@@ -351,6 +663,7 @@ export {
getCurves,
parseCertString,
SecureContext,
+ checkServerIdentity,
Server,
TLSSocket,
exports as default,