[tls] add socket parameter, setServername and ALPNprotocols support (#3457)

* add socket parameter support

* refactor #socket

* add test and more fixs

* some fixes

* bump uws

* handlers fix

* more fixes

* fix node net and node tls tests

* fix duplicate port

* fix deinit on CallbackJobs

* cleanup

* add setImmediate repro

* add test to setImmediate

* this is necessary?

* fix prependOnce on native listener

* try to findout the error on nodemailer CI

* show error message

* Update bun.lockb

* prettier

* Use exact versions of packages

* add alpnProtocol support

* update

* emit error when connect fails on net.Socket

* format

* fix _write and cleanup

* fixup

* fix connect, add alpn test

* fix socket.io

* add socket parameter to TLSSocket

* add TLSSocket socket first parameter

* fixup and _start

* remove flask tests

* fmt

---------

Co-authored-by: Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com>

1 files changed, 164 insertions, 26 deletions

diff --git a/src/js/out/modules/node/tls.js b/src/js/out/modules/node/tls.js
index 4cceadc7f..ca8a13270 100644
--- a/src/js/out/modules/node/tls.js
+++ b/src/js/out/modules/node/tls.js
@@ -1,4 +1,4 @@
-import {isTypedArray} from "node:util/types";
+import {isArrayBufferView, isTypedArray} from "node:util/types";
 import net, {Server as NetServer} from "node:net";
 var parseCertString = function() {
   throwNotImplemented("Not implemented");
@@ -11,18 +11,127 @@ var parseCertString = function() {
         return !1;
     return !0;
   }
+}, unfqdn = function(host2) {
+  return RegExpPrototypeSymbolReplace(/[.]$/, host2, "");
+}, splitHost = function(host2) {
+  return StringPrototypeSplit.call(RegExpPrototypeSymbolReplace(/[A-Z]/g, unfqdn(host2), toLowerCase), ".");
+}, check = function(hostParts, pattern, wildcards) {
+  if (!pattern)
+    return !1;
+  const patternParts = splitHost(pattern);
+  if (hostParts.length !== patternParts.length)
+    return !1;
+  if (ArrayPrototypeIncludes.call(patternParts, ""))
+    return !1;
+  const isBad = (s) => RegExpPrototypeExec.call(/[^\u0021-\u007F]/u, s) !== null;
+  if (ArrayPrototypeSome.call(patternParts, isBad))
+    return !1;
+  for (let i = hostParts.length - 1;i > 0; i -= 1)
+    if (hostParts[i] !== patternParts[i])
+      return !1;
+  const hostSubdomain = hostParts[0], patternSubdomain = patternParts[0], patternSubdomainParts = StringPrototypeSplit.call(patternSubdomain, "*");
+  if (patternSubdomainParts.length === 1 || StringPrototypeIncludes.call(patternSubdomain, "xn--"))
+    return hostSubdomain === patternSubdomain;
+  if (!wildcards)
+    return !1;
+  if (patternSubdomainParts.length > 2)
+    return !1;
+  if (patternParts.length <= 2)
+    return !1;
+  const { 0: prefix, 1: suffix } = patternSubdomainParts;
+  if (prefix.length + suffix.length > hostSubdomain.length)
+    return !1;
+  if (!StringPrototypeStartsWith.call(hostSubdomain, prefix))
+    return !1;
+  if (!StringPrototypeEndsWith.call(hostSubdomain, suffix))
+    return !1;
+  return !0;
+}, splitEscapedAltNames = function(altNames) {
+  const result = [];
+  let currentToken = "", offset = 0;
+  while (offset !== altNames.length) {
+    const nextSep = StringPrototypeIndexOf.call(altNames, ", ", offset), nextQuote = StringPrototypeIndexOf.call(altNames, '"', offset);
+    if (nextQuote !== -1 && (nextSep === -1 || nextQuote < nextSep)) {
+      currentToken += StringPrototypeSubstring.call(altNames, offset, nextQuote);
+      const match = RegExpPrototypeExec.call(jsonStringPattern, StringPrototypeSubstring.call(altNames, nextQuote));
+      if (!match) {
+        let error = new SyntaxError("ERR_TLS_CERT_ALTNAME_FORMAT: Invalid subject alternative name string");
+        throw error.name = ERR_TLS_CERT_ALTNAME_FORMAT, error;
+      }
+      currentToken += JSON.parse(match[0]), offset = nextQuote + match[0].length;
+    } else if (nextSep !== -1)
+      currentToken += StringPrototypeSubstring.call(altNames, offset, nextSep), ArrayPrototypePush.call(result, currentToken), currentToken = "", offset = nextSep + 2;
+    else
+      currentToken += StringPrototypeSubstring.call(altNames, offset), offset = altNames.length;
+  }
+  return ArrayPrototypePush.call(result, currentToken), result;
+}, checkServerIdentity = function(hostname, cert) {
+  const { subject, subjectaltname: altNames } = cert, dnsNames = [], ips = [];
+  if (hostname = "" + hostname, altNames) {
+    const splitAltNames = StringPrototypeIncludes.call(altNames, '"') ? splitEscapedAltNames(altNames) : StringPrototypeSplit.call(altNames, ", ");
+    ArrayPrototypeForEach.call(splitAltNames, (name) => {
+      if (StringPrototypeStartsWith.call(name, "DNS:"))
+        ArrayPrototypePush.call(dnsNames, StringPrototypeSlice.call(name, 4));
+      else if (StringPrototypeStartsWith.call(name, "IP Address:"))
+        ArrayPrototypePush.call(ips, canonicalizeIP(StringPrototypeSlice.call(name, 11)));
+    });
+  }
+  let valid = !1, reason = "Unknown reason";
+  if (hostname = unfqdn(hostname), net.isIP(hostname)) {
+    if (valid = ArrayPrototypeIncludes.call(ips, canonicalizeIP(hostname)), !valid)
+      reason = `IP: ${hostname} is not in the cert's list: ` + ArrayPrototypeJoin.call(ips, ", ");
+  } else if (dnsNames.length > 0 || subject?.CN) {
+    const hostParts = splitHost(hostname), wildcard = (pattern) => check(hostParts, pattern, !0);
+    if (dnsNames.length > 0) {
+      if (valid = ArrayPrototypeSome.call(dnsNames, wildcard), !valid)
+        reason = `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
+    } else {
+      const cn = subject.CN;
+      if (ArrayIsArray(cn))
+        valid = ArrayPrototypeSome.call(cn, wildcard);
+      else if (cn)
+        valid = wildcard(cn);
+      if (!valid)
+        reason = `Host: ${hostname}. is not cert's CN: ${cn}`;
+    }
+  } else
+    reason = "Cert does not contain a DNS name";
+  if (!valid) {
+    let error = new Error(`ERR_TLS_CERT_ALTNAME_INVALID: Hostname/IP does not match certificate's altnames: ${reason}`);
+    return error.name = "ERR_TLS_CERT_ALTNAME_INVALID", error.reason = reason, error.host = host, error.cert = cert, error;
+  }
 }, SecureContext = function(options) {
   return new InternalSecureContext(options);
 }, createSecureContext = function(options) {
   return new SecureContext(options);
-}, createServer = function(options, connectionListener) {
+};
+var createServer = function(options, connectionListener) {
   return new Server(options, connectionListener);
 }, getCiphers = function() {
   return DEFAULT_CIPHERS.split(":");
 }, getCurves = function() {
   return;
+}, convertProtocols = function(protocols) {
+  const lens = new Array(protocols.length), buff = Buffer.allocUnsafe(ArrayPrototypeReduce.call(protocols, (p, c, i) => {
+    const len = Buffer.byteLength(c);
+    if (len > 255)
+      throw new RangeError("The byte length of the protocol at index " + `${i} exceeds the maximum length.`, "<= 255", len, !0);
+    return lens[i] = len, p + 1 + len;
+  }, 0));
+  let offset = 0;
+  for (let i = 0, c = protocols.length;i < c; i++)
+    buff[offset++] = lens[i], buff.write(protocols[i], offset), offset += lens[i];
+  return buff;
 }, convertALPNProtocols = function(protocols, out) {
-}, InternalTCPSocket = net[Symbol.for("::bunternal::")], InternalSecureContext = class SecureContext2 {
+  if (Array.isArray(protocols))
+    out.ALPNProtocols = convertProtocols(protocols);
+  else if (isTypedArray(protocols))
+    out.ALPNProtocols = Buffer.from(protocols);
+  else if (isArrayBufferView(protocols))
+    out.ALPNProtocols = Buffer.from(protocols.buffer.slice(protocols.byteOffset, protocols.byteOffset + protocols.byteLength));
+  else if (Buffer.isBuffer(protocols))
+    out.ALPNProtocols = protocols;
+}, InternalTCPSocket = net[Symbol.for("::bunternal::")], bunSocketInternal = Symbol.for("::bunnetsocketinternal::"), { RegExp, Array, String } = globalThis[Symbol.for("Bun.lazy")]("primordials"), SymbolReplace = Symbol.replace, RegExpPrototypeSymbolReplace = RegExp.prototype[SymbolReplace], RegExpPrototypeExec = RegExp.prototype.exec, StringPrototypeStartsWith = String.prototype.startsWith, StringPrototypeSlice = String.prototype.slice, StringPrototypeIncludes = String.prototype.includes, StringPrototypeSplit = String.prototype.split, StringPrototypeIndexOf = String.prototype.indexOf, StringPrototypeSubstring = String.prototype.substring, StringPrototypeEndsWith = String.prototype.endsWith, ArrayPrototypeIncludes = Array.prototype.includes, ArrayPrototypeJoin = Array.prototype.join, ArrayPrototypeForEach = Array.prototype.forEach, ArrayPrototypePush = Array.prototype.push, ArrayPrototypeSome = Array.prototype.some, ArrayPrototypeReduce = Array.prototype.reduce, jsonStringPattern = /^"(?:[^"\\\u0000-\u001f]|\\(?:["\\/bfnrt]|u[0-9a-fA-F]{4}))*"/, InternalSecureContext = class SecureContext2 {
   context;
   constructor(options) {
     const context = {};
@@ -73,8 +182,17 @@ var parseCertString = function() {
   });
 }(class TLSSocket2 extends InternalTCPSocket {
   #secureContext;
-  constructor(options) {
-    super(options);
+  ALPNProtocols;
+  #socket;
+  constructor(socket, options) {
+    super(socket instanceof InternalTCPSocket ? options : options || socket);
+    if (options = options || socket || {}, typeof options === "object") {
+      const { ALPNProtocols } = options;
+      if (ALPNProtocols)
+        convertALPNProtocols(ALPNProtocols, this);
+      if (socket instanceof InternalTCPSocket)
+        this.#socket = socket;
+    }
     this.#secureContext = options.secureContext || createSecureContext(options), this.authorized = !1, this.secureConnecting = !0, this._secureEstablished = !1, this._securePending = !0;
   }
   _secureEstablished = !1;
@@ -84,19 +202,24 @@ var parseCertString = function() {
   secureConnecting = !1;
   _SNICallback;
   servername;
-  alpnProtocol;
   authorized = !1;
   authorizationError;
   encrypted = !0;
-  exportKeyingMaterial() {
-    throw Error("Not implented in Bun yet");
+  _start() {
   }
-  setMaxSendFragment() {
+  exportKeyingMaterial(length, label, context) {
     throw Error("Not implented in Bun yet");
   }
-  setServername() {
+  setMaxSendFragment(size) {
     throw Error("Not implented in Bun yet");
   }
+  setServername(name) {
+    if (this.isServer) {
+      let error = new Error("ERR_TLS_SNI_FROM_SERVER: Cannot issue SNI from a TLS server-side socket");
+      throw error.name = "ERR_TLS_SNI_FROM_SERVER", error;
+    }
+    this.servername = name, this[bunSocketInternal]?.setServername(name);
+  }
   setSession() {
     throw Error("Not implented in Bun yet");
   }
@@ -112,14 +235,16 @@ var parseCertString = function() {
   getX509Certificate() {
     throw Error("Not implented in Bun yet");
   }
-  [buntls](port, host) {
-    var { servername } = this;
-    if (servername)
-      return {
-        serverName: typeof servername === "string" ? servername : host,
-        ...this.#secureContext
-      };
-    return !0;
+  get alpnProtocol() {
+    return this[bunSocketInternal]?.alpnProtocol;
+  }
+  [buntls](port, host2) {
+    return {
+      socket: this.#socket,
+      ALPNProtocols: this.ALPNProtocols,
+      serverName: this.servername || host2 || "localhost",
+      ...this.#secureContext
+    };
   }
 });
 
@@ -132,9 +257,11 @@ class Server extends NetServer {
   _rejectUnauthorized;
   _requestCert;
   servername;
+  ALPNProtocols;
+  #checkServerIdentity;
   constructor(options, secureConnectionListener) {
     super(options, secureConnectionListener);
-    this.setSecureContext(options);
+    this.#checkServerIdentity = options?.checkServerIdentity || checkServerIdentity, this.setSecureContext(options);
   }
   emit(event, args) {
     if (super.emit(event, args), event === "connection")
@@ -146,6 +273,9 @@ class Server extends NetServer {
     if (options instanceof InternalSecureContext)
       options = options.context;
     if (options) {
+      const { ALPNProtocols } = options;
+      if (ALPNProtocols)
+        convertALPNProtocols(ALPNProtocols, this);
       let key = options.key;
       if (key) {
         if (!isValidTLSArray(key))
@@ -194,26 +324,33 @@ class Server extends NetServer {
   setTicketKeys() {
     throw Error("Not implented in Bun yet");
   }
-  [buntls](port, host, isClient) {
+  [buntls](port, host2, isClient) {
     return [
       {
-        serverName: this.servername || host || "localhost",
+        serverName: this.servername || host2 || "localhost",
         key: this.key,
         cert: this.cert,
         ca: this.ca,
         passphrase: this.passphrase,
         secureOptions: this.secureOptions,
         rejectUnauthorized: isClient ? !1 : this._rejectUnauthorized,
-        requestCert: isClient ? !1 : this._requestCert
+        requestCert: isClient ? !1 : this._requestCert,
+        ALPNProtocols: this.ALPNProtocols,
+        checkServerIdentity: this.#checkServerIdentity
       },
       SocketClass
     ];
   }
 }
-var CLIENT_RENEG_LIMIT = 3, CLIENT_RENEG_WINDOW = 600, DEFAULT_ECDH_CURVE = "auto", DEFAULT_CIPHERS = "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256", DEFAULT_MIN_VERSION = "TLSv1.2", DEFAULT_MAX_VERSION = "TLSv1.3", createConnection = (port, host, connectListener) => {
-  if (typeof port === "object")
-    return new TLSSocket(port).connect(port, host, connectListener);
-  return new TLSSocket().connect(port, host, connectListener);
+var CLIENT_RENEG_LIMIT = 3, CLIENT_RENEG_WINDOW = 600, DEFAULT_ECDH_CURVE = "auto", DEFAULT_CIPHERS = "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256", DEFAULT_MIN_VERSION = "TLSv1.2", DEFAULT_MAX_VERSION = "TLSv1.3", createConnection = (port, host2, connectListener) => {
+  if (typeof port === "object") {
+    port.checkServerIdentity;
+    const { ALPNProtocols } = port;
+    if (ALPNProtocols)
+      convertALPNProtocols(ALPNProtocols, port);
+    return new TLSSocket(port).connect(port, host2, connectListener);
+  }
+  return new TLSSocket().connect(port, host2, connectListener);
 }, connect = createConnection, exports = {
   [Symbol.for("CommonJS")]: 0,
   CLIENT_RENEG_LIMIT,
@@ -244,6 +381,7 @@ export {
   createConnection,
   convertALPNProtocols,
   connect,
+  checkServerIdentity,
   TLSSocket,
   Server,
   SecureContext,