http2, tls: check content-length, fix RST and GOAWAY logic

[szmarczak]

Fixes #35209
Closes #35378

Time spent: 90h

Caution

These bug fixes are potentially semver-major!

1. Fixed stream.close(NGHTTP2_CANCEL) closing with 0 aka NGHTTP2_NO_ERROR.
2. serverStream.destroy() closed with 0, now NGHTTP2_INTERNAL_ERROR.
3. clientStream.destroy() closed with 0, now NGHTTP2_CANCEL.
4. Mismatched content-length now throws NGHTTP2_PROTOCOL_ERROR as according to the spec.
5. Fixed GOAWAY (server -> client) being greeted with GOAWAY (client -> server) as it's against the spec.
6. Fixed streams being always closed with NGHTTP2_CANCEL on socket close, now respects goawayCode and destroyCode. The default is NGHTTP2_INTERNAL_ERROR for premature TCP FIN and TCP RST.
7. Fixed stream.rstCode being 0 while active - docs say it should be undefined.
8. Fixed preferring sessionCode over rstCode when destroying a stream with an error.
9. Fixed streams being closed with NO_ERROR if session received GOAWAY with NO_ERROR and remote closed connection.
10. Fixed streams being closed with NO_ERROR if session sent GOAWAY with NO_ERROR and destroyed.
11. Fixed GOAWAY preventing RST_STREAM from being sent before GOAWAY.
    nghttp2 correctly assumes that it should prevent RST_STREAM from being sent but incorretly applies it to all frames in a packet instead of frames defined after GOAWAY. This is not the only thing that nghttp2 does wrong:
    • GOAWAY is sent instead of stream RST when receiving DATA frame after receiving RST_STREAM nghttp2/nghttp2#1166
    • nghttp2_submit_rst_stream after nghttp2_submit_response causes response headers to be dropped nghttp2/nghttp2#692
12. Fixed benchmark/http2/headers.js calling client.destroy() (resulting in dropped requests).
    Now calls client.close() which closes gracefully.
13. connectStreamSocket.destroy() now closes with NGHTTP2_CONNECT_ERROR.
14. Fixed double GOAWAY on session.close().
15. Fixed queued RST_STREAM and GOAWAY being dropped if Http2Session::Close() and previous writes weren't finished yet.
16. Fixed stream frame errors closing the entire session instead of just the stream.
17. Fixed stream frame errors sending RST_STREAM on idle streams (to reproduce 16. needs to be fixed).
18. Fixed resetAndDestroy can not be called on tlssocket? #49484
19. Fixed server close not being emitted if TLS socket RSTs
20. Fixed deadlock when sending GOAWAY before receiving server's GOAWAY. It won't gracefully close because the server may never ACK our GOAWAY. Now it sends TCP RST after terminating GOAWAY.

Sorry so many bugs are fixed in a single PR but it's impossible to fix one without fixing them all!

Best if nghttp2/nghttp2#1508 got merged before this, but it has been open for years 😢
Hence the patch for nghttp2_session.c

---

/cc @jasnell

[nodejs-github-bot]

Review requested:

• @nodejs/http
• @nodejs/http2
• @nodejs/net
• @nodejs/security-wg

[mcollina]

Wow. congrats! It would really be better if the patch was landed, yes.

[mcollina]

The linter and commit validator are failing, could you check?

[mcollina]

@jasnell could you reach out to the nghttp2 maintainers and ask about the status of that PR? I would sincerely hope we wouldn't have to maintain a floating patch.

[mcollina]

Therefore the best change - although breaking - is to make it emit an error by default.

The reason why .destroy() does not emit an error by default is that it's a Stream API. .destroy() without error is supposed to be "safe" to call.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/59515/

[szmarczak]

I don't think this should be removed

[szmarczak]

@mcollina This is a result of the fix for making .destroy() not throw when sending RST. It throws only when receiving RST. This means that stream.close(1) won't emit error. Are you okay with this change? By looking at the original code for close() it looks like the author didn't mean to emit error on close().

Otherwise I would have to make stream.close() set stream[kState].rstCode and then call this.destroy(error).

[szmarczak]

Actually my understanding was wrong. It shouldn't be removed indeed.

It should error via onStreamClose (so pipeline fails etc.) but fails to do so because

node/lib/internal/http2/core.js

Line 2400 in 56dea47

this.destroy();

gets called first.

[szmarczak]

I'm not fluent in stream internals but setImmediate seems to work here (in afterShutdown), so I went with that.

Looks like the main cause is that writable shutdown is delayed by single tick in order to attach the END_STREAM flag. It's a pity nghttp2 has no API to amend the last queued DATA frame.

[mcollina]

Have you tried pinging nghttp2?

[mcollina]

lgtm

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/59539/

[szmarczak]

@mcollina Can you trigger CI again? Thanks 🙏

The lint errors and test failures on GitHub Actions seem to be unrelated to this PR.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/63062/

[szmarczak]

session.close() (with this PR) calls session.destroy() if state.streams and state.pendingStreams are empty. Therefore it could obstruct session[kMaybeDestroy](err). Now it just marks the session as closed, hopefully fixing Windows: test-http2-server-sessionerror.js and test-http2-too-many-settings.js that do not create any streams.

[szmarczak]

Indeed it fixed that!

[szmarczak]

@mcollina Can you trigger CI again? Hopefully Windows passes this time 🙏🏼

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/63162/

[szmarczak]

Windows passes now.

test-http2-large-file is flaky and I couldn't reproduce:

test-http-server-request-timeouts-mixed is also flaky.

test-http2-session-unref fails on aix. Why do we even support aix? I can't even work on this because it's so exclusive.

IMO this PR is good to go. I'd prefer if this landed first in v23, then backport to v22 if necessary.

[mcollina]

test-http2-session-unref fails on aix. Why do we even support aix? I can't even work on this because it's so exclusive.

@mhdawson can you help with this?