fix(ext/node): preserve raw socket connect when wrapping TLS (#34093)

Fixes wrapping a still-connecting `net.Socket` with `tls.connect({
socket })`.

The TLS wrapper now leaves the raw socket as the TCP handle owner until
its pending `connect` event has fired, then transfers ownership to the
TLS socket if it was not destroyed by user code. This lets raw
`net.connect(..., cb)` callbacks run before TLS takes over, matching
Node behavior.

Also aligns custom DNS lookup options with Node by not passing `port`,
and ignores `test-tls-connect-keepalive-nodelay.js` because it requires
Node's unimplemented `internal/net` module.

Author: bartlomieju

ext/node/polyfills/_tls_wrap.js

@@ -526,7 +526,11 @@ TLSSocket.prototype._wrapHandle = function (wrap, handle) {
 
   // Set ownerSymbol on the parent handle so that connect callbacks
   // (which receive the TCP handle, not the TLSWrap) can find the socket.
-  handle[ownerSymbol] = this;
+  // If we are wrapping a net.Socket that still needs to emit its connect
+  // event, keep the raw socket as owner until that event has fired.
+  if (!(wrap instanceof net.Socket && !wrap.remoteAddress)) {
+    handle[ownerSymbol] = this;
+  }
 
   // Proxy methods from the parent TCP handle that callers expect on _handle.
   // In Node, TLSWrap is a StreamBase that delegates these to the underlying
@@ -783,15 +787,27 @@ TLSSocket.prototype._init = function (socket, wrap) {
 
     this.connecting = socket.connecting || !socket._handle;
     socket.once("connect", () => {
+      if (this.destroyed) {
+        return;
+      }
+
       this.connecting = false;
       // If the original socket created its own TCP handle during
       // connect() (because it had no handle when we wrapped it),
       // re-attach the TLS wrap to the socket's actual TCP handle.
-      if (ssl && socket._handle) {
+      if (ssl && socket._handle && ssl._nativeTcpHandle !== socket._handle) {
         const nativeHandle = socket._handle;
-        ssl.attach(nativeHandle);
+        ssl._attachNativeHandle(nativeHandle);
+        nativeHandle[ownerSymbol] = this;
+      } else if (ssl && socket._handle) {
+        socket._handle[ownerSymbol] = this;
+        ssl._installNativeOnread?.(socket._handle);
       }
-      this.emit("connect");
+      nextTick(() => {
+        if (!this.destroyed) {
+          this.emit("connect");
+        }
+      });
     });
   }
 

ext/node/polyfills/internal_binding/tls_wrap.ts

@@ -11,6 +11,40 @@ const { kReadBytesOrError, streamBaseState } = core.loadExtScript(
 const kJSStreamHandle = Symbol.for("kJSStreamHandle");
 const kOwner = Symbol.for("kJSStreamOwner");
 
+function installNativeOnread(res: TLSWrap, nativeHandle: any) {
+  nativeHandle.onread = function (
+    buf: ArrayBuffer | Uint8Array | undefined,
+  ) {
+    const nread = streamBaseState[kReadBytesOrError];
+    if (nread > 0 && buf) {
+      // LibUvStreamWrap passes an ArrayBuffer; convert to Uint8Array for receive()
+      const data = buf instanceof ArrayBuffer
+        ? new Uint8Array(buf, 0, nread)
+        : buf.subarray(0, nread);
+      res.receive(data);
+    } else if (nread < 0) {
+      // EOF or error - stop native TCP reads and unref the handle.
+      // Without this, the libuv handle keeps a ref on the event loop
+      // and prevents process exit after the TLS connection ends.
+      nativeHandle.readStop();
+      nativeHandle.unref();
+      res.emitEof();
+    }
+  };
+}
+
+function attachNativeHandle(res: TLSWrap, nativeHandle: any) {
+  const attachResult = nativeHandle instanceof PipeWrap
+    ? res.attachPipe(nativeHandle)
+    : res.attach(nativeHandle);
+  if (attachResult !== 0) {
+    throw new Error(`TLS wrap attach failed: ${attachResult}`);
+  }
+
+  installNativeOnread(res, nativeHandle);
+  res._nativeTcpHandle = nativeHandle;
+}
+
 /**
  * Create a TLSWrap that intercepts an underlying stream handle.
  * Mirrors Node's `internalBinding('tls_wrap').wrap(handle, context, isServer)`.
@@ -53,6 +87,10 @@ function wrap(
   }
 
   const nativeHandle = handle;
+  res._attachNativeHandle = (nativeHandle: any) =>
+    attachNativeHandle(res, nativeHandle);
+  res._installNativeOnread = (nativeHandle: any) =>
+    installNativeOnread(res, nativeHandle);
 
   if (nativeHandle[kJSStreamHandle]) {
     // JS-backed stream (e.g. JSStreamSocket wrapping a Duplex).
@@ -125,39 +163,7 @@ function wrap(
     res._flushEncOut = flushEncOut;
   } else {
     // Native stream (TCP or Pipe handle).
-    // attach/attachPipe stores the stream pointer for encrypted writes.
-    const attachResult = nativeHandle instanceof PipeWrap
-      ? res.attachPipe(nativeHandle)
-      : res.attach(nativeHandle);
-    if (attachResult !== 0) {
-      throw new Error(`TLS wrap attach failed: ${attachResult}`);
-    }
-
-    // Read interception at the JS layer: intercept the TCPWrap's onread
-    // callback to forward encrypted data from the TCP stream to the TLSWrap
-    // via receive().
-    // Note: LibUvStreamWrap's read callback uses (buf) signature with nread
-    // in streamBaseState, matching onStreamRead in stream_base_commons.ts.
-    nativeHandle.onread = function (buf: ArrayBuffer | Uint8Array | undefined) {
-      const nread = streamBaseState[kReadBytesOrError];
-      if (nread > 0 && buf) {
-        // LibUvStreamWrap passes an ArrayBuffer; convert to Uint8Array for receive()
-        const data = buf instanceof ArrayBuffer
-          ? new Uint8Array(buf, 0, nread)
-          : buf.subarray(0, nread);
-        res.receive(data);
-      } else if (nread < 0) {
-        // EOF or error - stop native TCP reads and unref the handle.
-        // Without this, the libuv handle keeps a ref on the event loop
-        // and prevents process exit after the TLS connection ends.
-        nativeHandle.readStop();
-        nativeHandle.unref();
-        res.emitEof();
-      }
-    };
-
-    // Store the native handle so readStart/readStop can delegate to it.
-    res._nativeTcpHandle = nativeHandle;
+    attachNativeHandle(res, nativeHandle);
   }
 
   // Store the JS handle reference so Rust can call JS callbacks (onhandshakedone, etc.)

ext/node/polyfills/net.ts

@@ -1047,7 +1047,6 @@ function _lookupAndConnect(self: Socket, options: TcpSocketConnectOptions) {
     family: options.family,
     hints: options.hints || 0,
     all: false,
-    port,
   };
 
   if (
@@ -1063,6 +1062,16 @@ function _lookupAndConnect(self: Socket, options: TcpSocketConnectOptions) {
   debug("connect: dns options", dnsOpts);
   self._host = host;
   const lookup = options.lookup || dnsLookup;
+  const getLookupDnsOpts = () => {
+    if (options.lookup === undefined) {
+      return { ...dnsOpts, port };
+    }
+    return {
+      family: dnsOpts.family,
+      hints: dnsOpts.hints,
+      all: dnsOpts.all,
+    };
+  };
 
   if (
     dnsOpts.family !== 4 &&
@@ -1073,19 +1082,14 @@ function _lookupAndConnect(self: Socket, options: TcpSocketConnectOptions) {
     debug("connect: autodetecting");
 
     dnsOpts.all = true;
-    const lookupOpts = options.lookup === undefined ? dnsOpts : {
-      family: dnsOpts.family,
-      hints: dnsOpts.hints,
-      all: dnsOpts.all,
-    };
     defaultTriggerAsyncIdScope(self[asyncIdSymbol], function () {
       _lookupAndConnectMultiple(
         self,
         asyncIdSymbol,
         lookup,
         host,
         options,
-        lookupOpts,
+        getLookupDnsOpts(),
         port,
         localAddress,
         localPort,
@@ -1097,14 +1101,9 @@ function _lookupAndConnect(self: Socket, options: TcpSocketConnectOptions) {
   }
 
   defaultTriggerAsyncIdScope(self[asyncIdSymbol], function () {
-    const lookupOpts = options.lookup === undefined ? dnsOpts : {
-      family: dnsOpts.family,
-      hints: dnsOpts.hints,
-      all: dnsOpts.all,
-    };
     lookup(
       host,
-      lookupOpts,
+      getLookupDnsOpts(),
       function emitLookup(
         err: ErrnoException | null,
         ip: string,

tests/node_compat/config.jsonc

@@ -3578,6 +3578,7 @@
     "parallel/test-tls-close-event-after-write.js": {},
     "parallel/test-tls-close-notify.js": {},
     "parallel/test-tls-connect-address-family.js": {},
+    "parallel/test-tls-connect-given-socket.js": {},
     "parallel/test-tls-connect-hints-option.js": {},
     "parallel/test-tls-connect-hwm-option.js": {},
     "parallel/test-tls-connect-keepalive-nodelay.js": {},