nodejs · nodejs-github-bot · Apr 5, 2026
diff --git a/deps/ngtcp2/ngtcp2/crypto/boringssl/boringssl.c b/deps/ngtcp2/ngtcp2/crypto/boringssl/boringssl.c
@@ -402,7 +402,7 @@ int ngtcp2_crypto_decrypt(uint8_t *dest, const ngtcp2_crypto_aead *aead,
 int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
                           const ngtcp2_crypto_cipher_ctx *hp_ctx,
                           const uint8_t *sample) {
-  static const uint8_t PLAINTEXT[] = "\x00\x00\x00\x00\x00";
+  static const uint8_t PLAINTEXT[16] = {0};
   ngtcp2_crypto_boringssl_cipher_ctx *ctx = hp_ctx->native_handle;
   uint32_t counter;
 
@@ -420,7 +420,7 @@ int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
 #else  /* !defined(WORDS_BIGENDIAN) */
     memcpy(&counter, sample, sizeof(counter));
 #endif /* !defined(WORDS_BIGENDIAN) */
-    CRYPTO_chacha_20(dest, PLAINTEXT, ngtcp2_strlen_lit(PLAINTEXT), ctx->key,
+    CRYPTO_chacha_20(dest, PLAINTEXT, sizeof(PLAINTEXT), ctx->key,
                      sample + sizeof(counter), counter);
     return 0;
   default:
@@ -436,7 +436,8 @@ int ngtcp2_crypto_read_write_crypto_data(
   int rv;
   int err;
 
-  if (SSL_provide_quic_data(
+  if (datalen &&
+      SSL_provide_quic_data(
         ssl,
         ngtcp2_crypto_boringssl_from_ngtcp2_encryption_level(encryption_level),
         data, datalen) != 1) {
@@ -465,6 +466,16 @@ int ngtcp2_crypto_read_write_crypto_data(
         }
 
         goto retry;
+      case SSL_ERROR_WANT_X509_LOOKUP:
+      case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
+      case SSL_ERROR_WANT_CERTIFICATE_VERIFY:
+        /* It might be better to return this error, but ngtcp2 does
+           not need to know whether handshake has been interrupted or
+           not.  We expect that necessary plumbing should be done by
+           application when handshake is interrupted (e.g., via
+           SSL_PRIVATE_KEY_METHOD).  If it does not work, we will
+           reconsider this. */
+        return 0;
       default:
         return -1;
       }
@@ -568,6 +579,19 @@ int ngtcp2_crypto_get_path_challenge_data_cb(ngtcp2_conn *conn, uint8_t *data,
   return 0;
 }
 
+int ngtcp2_crypto_get_path_challenge_data2_cb(ngtcp2_conn *conn,
+                                              ngtcp2_path_challenge_data *data,
+                                              void *user_data) {
+  (void)conn;
+  (void)user_data;
+
+  if (RAND_bytes(data->data, NGTCP2_PATH_CHALLENGE_DATALEN) != 1) {
+    return NGTCP2_ERR_CALLBACK_FAILURE;
+  }
+
+  return 0;
+}
+
 int ngtcp2_crypto_random(uint8_t *data, size_t datalen) {
   if (RAND_bytes(data, datalen) != 1) {
     return -1;

diff --git a/deps/ngtcp2/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto.h b/deps/ngtcp2/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto.h
@@ -524,11 +524,14 @@ NGTCP2_EXTERN int ngtcp2_crypto_recv_client_initial_cb(ngtcp2_conn *conn,
  * completes.  It is allowed to call this function with |datalen| ==
  * 0.  In this case, no additional read operation is done.
  *
+ * This function is implemented per TLS backend.  See
+ * :ref:`tls-integration` for more details.
+ *
  * This function returns 0 if it succeeds, or a negative error code.
  * The generic error code is -1 if a specific error code is not
  * suitable.  The error codes less than -10000 are specific to
- * underlying TLS implementation.  For quictls, the error codes are
- * defined in *ngtcp2_crypto_quictls.h*.
+ * underlying TLS implementation.  Refer to the implementation
+ * specific header files for error codes.
  */
 NGTCP2_EXTERN int
 ngtcp2_crypto_read_write_crypto_data(ngtcp2_conn *conn,
@@ -542,11 +545,22 @@ ngtcp2_crypto_read_write_crypto_data(ngtcp2_conn *conn,
  * `ngtcp2_crypto_read_write_crypto_data`.  It can be directly passed
  * to :member:`ngtcp2_callbacks.recv_crypto_data` field.
  *
+ * For quictls and OpenSSL, the following error codes are treated as
+ * success:
+ *
+ * - -10001 (e.g., :macro:`NGTCP2_CRYPTO_QUICTLS_ERR_TLS_WANT_X509_LOOKUP`)
+ * - -10002 (e.g., :macro:`NGTCP2_CRYPTO_QUICTLS_ERR_TLS_WANT_CLIENT_HELLO_CB`)
+ *
+ * To continue the interrupted handshake, call
+ * `ngtcp2_conn_continue_handshake`.
+ *
+ * See :ref:`tls-integration` for more details.
+ *
  * If this function is used, the TLS implementation specific error
  * codes described in `ngtcp2_crypto_read_write_crypto_data` are
- * treated as if it returns -1.  Do not use this function if an
- * application wishes to use the TLS implementation specific error
- * codes.
+ * treated as if it returns -1 except for those that are listed above.
+ * Do not use this function if an application wishes to use the TLS
+ * implementation specific error codes.
  */
 NGTCP2_EXTERN int ngtcp2_crypto_recv_crypto_data_cb(
   ngtcp2_conn *conn, ngtcp2_encryption_level encryption_level, uint64_t offset,
@@ -583,15 +597,15 @@ NGTCP2_EXTERN int ngtcp2_crypto_generate_stateless_reset_token(
  * :macro:`NGTCP2_CRYPTO_TOKEN_MAGIC_RETRY` is the magic byte for
  * Retry token generated by `ngtcp2_crypto_generate_retry_token`.
  */
-#define NGTCP2_CRYPTO_TOKEN_MAGIC_RETRY 0xb6
+#define NGTCP2_CRYPTO_TOKEN_MAGIC_RETRY 0xB6
 
 /**
  * @macro
  *
  * :macro:`NGTCP2_CRYPTO_TOKEN_MAGIC_RETRY2` is the magic byte for
  * Retry token generated by `ngtcp2_crypto_generate_retry_token2`.
  */
-#define NGTCP2_CRYPTO_TOKEN_MAGIC_RETRY2 0xb7
+#define NGTCP2_CRYPTO_TOKEN_MAGIC_RETRY2 0xB7
 
 /**
  * @macro
@@ -978,11 +992,29 @@ NGTCP2_EXTERN void ngtcp2_crypto_delete_crypto_cipher_ctx_cb(
  *
  * This function can be directly passed to
  * :member:`ngtcp2_callbacks.get_path_challenge_data` field.
+ *
+ * Deprecated since v1.22.0.  Use
+ * `ngtcp2_crypto_get_path_challenge_data2_cb` instead.
  */
 NGTCP2_EXTERN int ngtcp2_crypto_get_path_challenge_data_cb(ngtcp2_conn *conn,
                                                            uint8_t *data,
                                                            void *user_data);
 
+/**
+ * @function
+ *
+ * `ngtcp2_crypto_get_path_challenge_data2_cb` writes unpredictable
+ * sequence of :macro:`NGTCP2_PATH_CHALLENGE_DATALEN` bytes to |data|
+ * which is sent with PATH_CHALLENGE frame.
+ *
+ * This function can be directly passed to
+ * :member:`ngtcp2_callbacks.get_path_challenge_data2` field.
+ *
+ * This function has been available since v1.22.0.
+ */
+NGTCP2_EXTERN int ngtcp2_crypto_get_path_challenge_data2_cb(
+  ngtcp2_conn *conn, ngtcp2_path_challenge_data *data, void *user_data);
+
 /**
  * @function
  *

diff --git a/deps/ngtcp2/ngtcp2/crypto/ossl/ossl.c b/deps/ngtcp2/ngtcp2/crypto/ossl/ossl.c
@@ -49,8 +49,8 @@
 static EVP_CIPHER *crypto_aes_128_gcm;
 static EVP_CIPHER *crypto_aes_256_gcm;
 static EVP_CIPHER *crypto_aes_128_ccm;
-static EVP_CIPHER *crypto_aes_128_ctr;
-static EVP_CIPHER *crypto_aes_256_ctr;
+static EVP_CIPHER *crypto_aes_128_ecb;
+static EVP_CIPHER *crypto_aes_256_ecb;
 #ifndef NGTCP2_NO_CHACHA_POLY1305
 static EVP_CIPHER *crypto_chacha20_poly1305;
 static EVP_CIPHER *crypto_chacha20;
@@ -66,8 +66,8 @@ int ngtcp2_crypto_ossl_init(void) {
   crypto_aes_128_gcm = EVP_CIPHER_fetch(NULL, "AES-128-GCM", NULL);
   crypto_aes_256_gcm = EVP_CIPHER_fetch(NULL, "AES-256-GCM", NULL);
   crypto_aes_128_ccm = EVP_CIPHER_fetch(NULL, "AES-128-CCM", NULL);
-  crypto_aes_128_ctr = EVP_CIPHER_fetch(NULL, "AES-128-CTR", NULL);
-  crypto_aes_256_ctr = EVP_CIPHER_fetch(NULL, "AES-256-CTR", NULL);
+  crypto_aes_128_ecb = EVP_CIPHER_fetch(NULL, "AES-128-ECB", NULL);
+  crypto_aes_256_ecb = EVP_CIPHER_fetch(NULL, "AES-256-ECB", NULL);
 #ifndef NGTCP2_NO_CHACHA_POLY1305
   crypto_chacha20_poly1305 = EVP_CIPHER_fetch(NULL, "ChaCha20-Poly1305", NULL);
   crypto_chacha20 = EVP_CIPHER_fetch(NULL, "ChaCha20", NULL);
@@ -113,20 +113,20 @@ static const EVP_CIPHER *crypto_aead_aes_128_ccm(void) {
   return EVP_aes_128_ccm();
 }
 
-static const EVP_CIPHER *crypto_cipher_aes_128_ctr(void) {
-  if (crypto_aes_128_ctr) {
-    return crypto_aes_128_ctr;
+static const EVP_CIPHER *crypto_cipher_aes_128_ecb(void) {
+  if (crypto_aes_128_ecb) {
+    return crypto_aes_128_ecb;
   }
 
-  return EVP_aes_128_ctr();
+  return EVP_aes_128_ecb();
 }
 
-static const EVP_CIPHER *crypto_cipher_aes_256_ctr(void) {
-  if (crypto_aes_256_ctr) {
-    return crypto_aes_256_ctr;
+static const EVP_CIPHER *crypto_cipher_aes_256_ecb(void) {
+  if (crypto_aes_256_ecb) {
+    return crypto_aes_256_ecb;
   }
 
-  return EVP_aes_256_ctr();
+  return EVP_aes_256_ecb();
 }
 
 #ifndef NGTCP2_NO_CHACHA_POLY1305
@@ -198,7 +198,7 @@ ngtcp2_crypto_md *ngtcp2_crypto_md_sha256(ngtcp2_crypto_md *md) {
 ngtcp2_crypto_ctx *ngtcp2_crypto_ctx_initial(ngtcp2_crypto_ctx *ctx) {
   ngtcp2_crypto_aead_init(&ctx->aead, (void *)crypto_aead_aes_128_gcm());
   ctx->md.native_handle = (void *)crypto_md_sha256();
-  ctx->hp.native_handle = (void *)crypto_cipher_aes_128_ctr();
+  ctx->hp.native_handle = (void *)crypto_cipher_aes_128_ecb();
   ctx->max_encryption = 0;
   ctx->max_decryption_failure = 0;
   return ctx;
@@ -269,9 +269,9 @@ static const EVP_CIPHER *crypto_cipher_id_get_hp(uint32_t cipher_id) {
   switch (cipher_id) {
   case TLS1_3_CK_AES_128_GCM_SHA256:
   case TLS1_3_CK_AES_128_CCM_SHA256:
-    return crypto_cipher_aes_128_ctr();
+    return crypto_cipher_aes_128_ecb();
   case TLS1_3_CK_AES_256_GCM_SHA384:
-    return crypto_cipher_aes_256_ctr();
+    return crypto_cipher_aes_256_ecb();
 #ifndef NGTCP2_NO_CHACHA_POLY1305
   case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
     return crypto_cipher_chacha20();
@@ -838,17 +838,31 @@ int ngtcp2_crypto_decrypt(uint8_t *dest, const ngtcp2_crypto_aead *aead,
 int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
                           const ngtcp2_crypto_cipher_ctx *hp_ctx,
                           const uint8_t *sample) {
-  static const uint8_t PLAINTEXT[] = "\x00\x00\x00\x00\x00";
+  static const uint8_t PLAINTEXT[16] = {0};
   EVP_CIPHER_CTX *actx = hp_ctx->native_handle;
   int len;
 
   (void)hp;
 
-  if (!EVP_EncryptInit_ex(actx, NULL, NULL, NULL, sample) ||
-      !EVP_EncryptUpdate(actx, dest, &len, PLAINTEXT,
-                         ngtcp2_strlen_lit(PLAINTEXT)) ||
-      !EVP_EncryptFinal_ex(actx, dest + ngtcp2_strlen_lit(PLAINTEXT), &len)) {
-    return -1;
+  switch (EVP_CIPHER_CTX_nid(actx)) {
+  case NID_aes_128_ecb:
+  case NID_aes_256_ecb:
+    if (!EVP_EncryptUpdate(actx, dest, &len, sample, NGTCP2_HP_SAMPLELEN)) {
+      return -1;
+    }
+
+    break;
+  case NID_chacha20:
+    if (!EVP_EncryptInit_ex(actx, NULL, NULL, NULL, sample) ||
+        !EVP_EncryptUpdate(actx, dest, &len, PLAINTEXT, sizeof(PLAINTEXT)) ||
+        !EVP_EncryptFinal_ex(actx, dest + sizeof(PLAINTEXT), &len)) {
+      return -1;
+    }
+
+    break;
+  default:
+    assert(0);
+    abort();
   }
 
   return 0;
@@ -983,6 +997,19 @@ int ngtcp2_crypto_get_path_challenge_data_cb(ngtcp2_conn *conn, uint8_t *data,
   return 0;
 }
 
+int ngtcp2_crypto_get_path_challenge_data2_cb(ngtcp2_conn *conn,
+                                              ngtcp2_path_challenge_data *data,
+                                              void *user_data) {
+  (void)conn;
+  (void)user_data;
+
+  if (RAND_bytes(data->data, NGTCP2_PATH_CHALLENGE_DATALEN) != 1) {
+    return NGTCP2_ERR_CALLBACK_FAILURE;
+  }
+
+  return 0;
+}
+
 int ngtcp2_crypto_random(uint8_t *data, size_t datalen) {
   if (RAND_bytes(data, (int)datalen) != 1) {
     return -1;

diff --git a/deps/ngtcp2/ngtcp2/crypto/picotls/picotls.c b/deps/ngtcp2/ngtcp2/crypto/picotls/picotls.c
@@ -50,7 +50,7 @@ ngtcp2_crypto_md *ngtcp2_crypto_md_sha256(ngtcp2_crypto_md *md) {
 ngtcp2_crypto_ctx *ngtcp2_crypto_ctx_initial(ngtcp2_crypto_ctx *ctx) {
   ngtcp2_crypto_aead_init(&ctx->aead, (void *)&ptls_openssl_aes128gcm);
   ctx->md.native_handle = (void *)&ptls_openssl_sha256;
-  ctx->hp.native_handle = (void *)&ptls_openssl_aes128ctr;
+  ctx->hp.native_handle = (void *)&ptls_openssl_aes128ecb;
   ctx->max_encryption = 0;
   ctx->max_decryption_failure = 0;
   return ctx;
@@ -104,11 +104,11 @@ crypto_cipher_suite_get_aead_max_decryption_failure(ptls_cipher_suite_t *cs) {
 static const ptls_cipher_algorithm_t *
 crypto_cipher_suite_get_hp(ptls_cipher_suite_t *cs) {
   if (cs->aead == &ptls_openssl_aes128gcm) {
-    return &ptls_openssl_aes128ctr;
+    return &ptls_openssl_aes128ecb;
   }
 
   if (cs->aead == &ptls_openssl_aes256gcm) {
-    return &ptls_openssl_aes256ctr;
+    return &ptls_openssl_aes256ecb;
   }
 
 #ifdef PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
@@ -238,6 +238,11 @@ int ngtcp2_crypto_cipher_ctx_encrypt_init(ngtcp2_crypto_cipher_ctx *cipher_ctx,
     return -1;
   }
 
+  if (cipher->native_handle == &ptls_openssl_aes128ecb ||
+      cipher->native_handle == &ptls_openssl_aes256ecb) {
+    ptls_cipher_init(actx, NULL);
+  }
+
   cipher_ctx->native_handle = actx;
 
   return 0;
@@ -352,13 +357,20 @@ int ngtcp2_crypto_decrypt(uint8_t *dest, const ngtcp2_crypto_aead *aead,
 int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
                           const ngtcp2_crypto_cipher_ctx *hp_ctx,
                           const uint8_t *sample) {
+  static const uint8_t PLAINTEXT[16] = {0};
   ptls_cipher_context_t *actx = hp_ctx->native_handle;
-  static const uint8_t PLAINTEXT[] = "\x00\x00\x00\x00\x00";
 
   (void)hp;
 
+  if (hp->native_handle == &ptls_openssl_aes128ecb ||
+      hp->native_handle == &ptls_openssl_aes256ecb) {
+    ptls_cipher_encrypt(actx, dest, sample, NGTCP2_HP_SAMPLELEN);
+
+    return 0;
+  }
+
   ptls_cipher_init(actx, sample);
-  ptls_cipher_encrypt(actx, dest, PLAINTEXT, ngtcp2_strlen_lit(PLAINTEXT));
+  ptls_cipher_encrypt(actx, dest, PLAINTEXT, sizeof(PLAINTEXT));
 
   return 0;
 }
@@ -377,7 +389,7 @@ int ngtcp2_crypto_read_write_crypto_data(
 
   ptls_buffer_init(&sendbuf, (void *)"", 0);
 
-  assert(epoch == ptls_get_read_epoch(cptls->ptls));
+  assert(datalen == 0 || epoch == ptls_get_read_epoch(cptls->ptls));
 
   rv = ptls_handle_message(cptls->ptls, &sendbuf, epoch_offsets, epoch, data,
                            datalen, &cptls->handshake_properties);
@@ -493,15 +505,25 @@ int ngtcp2_crypto_get_path_challenge_data_cb(ngtcp2_conn *conn, uint8_t *data,
   return 0;
 }
 
+int ngtcp2_crypto_get_path_challenge_data2_cb(ngtcp2_conn *conn,
+                                              ngtcp2_path_challenge_data *data,
+                                              void *user_data) {
+  (void)conn;
+  (void)user_data;
+
+  ptls_openssl_random_bytes(data->data, NGTCP2_PATH_CHALLENGE_DATALEN);
+
+  return 0;
+}
+
 int ngtcp2_crypto_random(uint8_t *data, size_t datalen) {
   ptls_openssl_random_bytes(data, datalen);
 
   return 0;
 }
 
 void ngtcp2_crypto_picotls_ctx_init(ngtcp2_crypto_picotls_ctx *cptls) {
-  cptls->ptls = NULL;
-  memset(&cptls->handshake_properties, 0, sizeof(cptls->handshake_properties));
+  *cptls = (ngtcp2_crypto_picotls_ctx){0};
 }
 
 static int set_additional_extensions(ptls_handshake_properties_t *hsprops,