nodejs · nodejs-github-bot · Jun 7, 2026
diff --git a/deps/ngtcp2/ngtcp2/crypto/boringssl/boringssl.c b/deps/ngtcp2/ngtcp2/crypto/boringssl/boringssl.c
@@ -432,7 +432,7 @@ int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
 int ngtcp2_crypto_read_write_crypto_data(
   ngtcp2_conn *conn, ngtcp2_encryption_level encryption_level,
   const uint8_t *data, size_t datalen) {
-  SSL *ssl = ngtcp2_conn_get_tls_native_handle(conn);
+  SSL *ssl = ngtcp2_conn_get_tls_native_handle2(conn);
   int rv;
   int err;
 
@@ -444,7 +444,7 @@ int ngtcp2_crypto_read_write_crypto_data(
     return -1;
   }
 
-  if (!ngtcp2_conn_get_handshake_completed(conn)) {
+  if (!ngtcp2_conn_get_handshake_completed2(conn)) {
   retry:
     rv = SSL_do_handshake(ssl);
     if (rv <= 0) {
@@ -456,7 +456,7 @@ int ngtcp2_crypto_read_write_crypto_data(
       case SSL_ERROR_SSL:
         return -1;
       case SSL_ERROR_EARLY_DATA_REJECTED:
-        assert(!ngtcp2_conn_is_server(conn));
+        assert(!ngtcp2_conn_is_server2(conn));
 
         SSL_reset_early_data_reject(ssl);
 

diff --git a/deps/ngtcp2/ngtcp2/crypto/cryptotest.c b/deps/ngtcp2/ngtcp2/crypto/cryptotest.c
@@ -0,0 +1,46 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2026 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif /* defined(HAVE_CONFIG_H) */
+
+#include "munit.h"
+
+/* include test cases' include files here */
+#include "shared_test.h"
+
+int main(int argc, char *argv[]) {
+  const MunitSuite suites[] = {
+    shared_suite,
+    {0},
+  };
+  const MunitSuite suite = {
+    .prefix = "",
+    .suites = suites,
+    .iterations = 1,
+  };
+
+  return munit_suite_main(&suite, NULL, argc, argv);
+}
diff --git a/deps/ngtcp2/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto.h b/deps/ngtcp2/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto.h
@@ -338,16 +338,16 @@ ngtcp2_crypto_hp_mask_cb(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
  * :enum:`ngtcp2_encryption_level.NGTCP2_ENCRYPTION_LEVEL_0RTT`) to
  * set negotiated AEAD and message digest algorithm.  After the
  * successful call of this function, application can use
- * `ngtcp2_conn_get_crypto_ctx` (or `ngtcp2_conn_get_0rtt_crypto_ctx`
- * if |level| ==
+ * `ngtcp2_conn_get_crypto_ctx2` (or
+ * `ngtcp2_conn_get_0rtt_crypto_ctx2` if |level| ==
  * :enum:`ngtcp2_encryption_level.NGTCP2_ENCRYPTION_LEVEL_0RTT`) to
  * get :type:`ngtcp2_crypto_ctx`.
  *
  * If |conn| is initialized as client, and |level| is
  * :enum:`ngtcp2_encryption_level.NGTCP2_ENCRYPTION_LEVEL_1RTT`, this
  * function retrieves a remote QUIC transport parameters extension
- * from an object obtained by `ngtcp2_conn_get_tls_native_handle`, and
- * sets it to |conn| by calling
+ * from an object obtained by `ngtcp2_conn_get_tls_native_handle2`,
+ * and sets it to |conn| by calling
  * `ngtcp2_conn_decode_and_set_remote_transport_params`.
  *
  * This function returns 0 if it succeeds, or -1.
@@ -385,16 +385,16 @@ NGTCP2_EXTERN int ngtcp2_crypto_derive_and_install_rx_key(
  * :enum:`ngtcp2_encryption_level.NGTCP2_ENCRYPTION_LEVEL_0RTT`) to
  * set negotiated AEAD and message digest algorithm.  After the
  * successful call of this function, application can use
- * `ngtcp2_conn_get_crypto_ctx` (or `ngtcp2_conn_get_0rtt_crypto_ctx`
- * if |level| ==
+ * `ngtcp2_conn_get_crypto_ctx2` (or
+ * `ngtcp2_conn_get_0rtt_crypto_ctx2` if |level| ==
  * :enum:`ngtcp2_encryption_level.NGTCP2_ENCRYPTION_LEVEL_0RTT`) to
  * get :type:`ngtcp2_crypto_ctx`.
  *
  * If |conn| is initialized as server, and |level| is
  * :enum:`ngtcp2_encryption_level.NGTCP2_ENCRYPTION_LEVEL_1RTT`, this
  * function retrieves a remote QUIC transport parameters extension
- * from an object obtained by `ngtcp2_conn_get_tls_native_handle`, and
- * sets it to |conn| by calling
+ * from an object obtained by `ngtcp2_conn_get_tls_native_handle2`,
+ * and sets it to |conn| by calling
  * `ngtcp2_conn_decode_and_set_remote_transport_params`.
  *
  * This function returns 0 if it succeeds, or -1.
@@ -986,15 +986,17 @@ NGTCP2_EXTERN void ngtcp2_crypto_delete_crypto_cipher_ctx_cb(
 /**
  * @function
  *
+ * .. warning::
+ *
+ *   .. version-deprecated:: 1.22.0
+ *     Use `ngtcp2_crypto_get_path_challenge_data2_cb` instead.
+ *
  * `ngtcp2_crypto_get_path_challenge_data_cb` writes unpredictable
  * sequence of :macro:`NGTCP2_PATH_CHALLENGE_DATALEN` bytes to |data|
  * which is sent with PATH_CHALLENGE frame.
  *
  * This function can be directly passed to
  * :member:`ngtcp2_callbacks.get_path_challenge_data` field.
- *
- * Deprecated since v1.22.0.  Use
- * `ngtcp2_crypto_get_path_challenge_data2_cb` instead.
  */
 NGTCP2_EXTERN int ngtcp2_crypto_get_path_challenge_data_cb(ngtcp2_conn *conn,
                                                            uint8_t *data,
@@ -1010,7 +1012,7 @@ NGTCP2_EXTERN int ngtcp2_crypto_get_path_challenge_data_cb(ngtcp2_conn *conn,
  * This function can be directly passed to
  * :member:`ngtcp2_callbacks.get_path_challenge_data2` field.
  *
- * This function has been available since v1.22.0.
+ * .. version-added:: 1.22.0
  */
 NGTCP2_EXTERN int ngtcp2_crypto_get_path_challenge_data2_cb(
   ngtcp2_conn *conn, ngtcp2_path_challenge_data *data, void *user_data);

diff --git a/deps/ngtcp2/ngtcp2/crypto/ossl/ossl.c b/deps/ngtcp2/ngtcp2/crypto/ossl/ossl.c
@@ -440,7 +440,7 @@ static int crypto_ossl_ctx_write_crypto_data(ngtcp2_crypto_ossl_ctx *ossl_ctx,
       left = crypto_buf_left(ossl_ctx->crypto_write);
     }
 
-    n = ngtcp2_min_size((size_t)(end - data), left);
+    n = ngtcp2_min((size_t)(end - data), left);
     crypto_buf_write(ossl_ctx->crypto_write, data, n);
     data += n;
   }
@@ -871,7 +871,7 @@ int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
 int ngtcp2_crypto_read_write_crypto_data(
   ngtcp2_conn *conn, ngtcp2_encryption_level encryption_level,
   const uint8_t *data, size_t datalen) {
-  ngtcp2_crypto_ossl_ctx *ossl_ctx = ngtcp2_conn_get_tls_native_handle(conn);
+  ngtcp2_crypto_ossl_ctx *ossl_ctx = ngtcp2_conn_get_tls_native_handle2(conn);
   SSL *ssl = ossl_ctx->ssl;
   int rv;
   int err;
@@ -881,7 +881,7 @@ int ngtcp2_crypto_read_write_crypto_data(
     return -1;
   }
 
-  if (!ngtcp2_conn_get_handshake_completed(conn)) {
+  if (!ngtcp2_conn_get_handshake_completed2(conn)) {
     rv = SSL_do_handshake(ssl);
     if (rv <= 0) {
       err = SSL_get_error(ssl, rv);
@@ -1033,7 +1033,7 @@ static int ossl_yield_secret(SSL *ssl, uint32_t ossl_level, int direction,
   }
 
   conn = conn_ref->get_conn(conn_ref);
-  ossl_ctx = ngtcp2_conn_get_tls_native_handle(conn);
+  ossl_ctx = ngtcp2_conn_get_tls_native_handle2(conn);
 
   if (direction) {
     if (ngtcp2_crypto_derive_and_install_tx_key(conn, NULL, NULL, NULL, level,
@@ -1067,7 +1067,7 @@ static int ossl_crypto_send(SSL *ssl, const unsigned char *buf, size_t buflen,
   }
 
   conn = conn_ref->get_conn(conn_ref);
-  ossl_ctx = ngtcp2_conn_get_tls_native_handle(conn);
+  ossl_ctx = ngtcp2_conn_get_tls_native_handle2(conn);
 
   rv = ngtcp2_conn_submit_crypto_data(conn, ossl_ctx->tx_level, buf, buflen);
   if (rv != 0) {
@@ -1094,7 +1094,7 @@ static int ossl_crypto_recv_rcd(SSL *ssl, const unsigned char **buf,
   }
 
   conn = conn_ref->get_conn(conn_ref);
-  ossl_ctx = ngtcp2_conn_get_tls_native_handle(conn);
+  ossl_ctx = ngtcp2_conn_get_tls_native_handle2(conn);
 
   crypto_ossl_ctx_read_crypto_data(ossl_ctx, buf, bytes_read);
 
@@ -1116,7 +1116,7 @@ static int ossl_crypto_release_rcd(SSL *ssl, size_t released, void *arg) {
   }
 
   conn = conn_ref->get_conn(conn_ref);
-  ossl_ctx = ngtcp2_conn_get_tls_native_handle(conn);
+  ossl_ctx = ngtcp2_conn_get_tls_native_handle2(conn);
 
   crypto_ossl_ctx_release_crypto_data(ossl_ctx, released);
 

diff --git a/deps/ngtcp2/ngtcp2/crypto/picotls/picotls.c b/deps/ngtcp2/ngtcp2/crypto/picotls/picotls.c
@@ -378,7 +378,7 @@ int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
 int ngtcp2_crypto_read_write_crypto_data(
   ngtcp2_conn *conn, ngtcp2_encryption_level encryption_level,
   const uint8_t *data, size_t datalen) {
-  ngtcp2_crypto_picotls_ctx *cptls = ngtcp2_conn_get_tls_native_handle(conn);
+  ngtcp2_crypto_picotls_ctx *cptls = ngtcp2_conn_get_tls_native_handle2(conn);
   ptls_buffer_t sendbuf;
   size_t epoch_offsets[5] = {0};
   size_t epoch =
@@ -402,7 +402,7 @@ int ngtcp2_crypto_read_write_crypto_data(
     goto fin;
   }
 
-  if (!ngtcp2_conn_is_server(conn) &&
+  if (!ngtcp2_conn_is_server2(conn) &&
       cptls->handshake_properties.client.early_data_acceptance ==
         PTLS_EARLY_DATA_REJECTED) {
     rv = ngtcp2_conn_tls_early_data_rejected(conn);
@@ -540,7 +540,7 @@ static int set_additional_extensions(ptls_handshake_properties_t *hsprops,
     return -1;
   }
 
-  nwrite = ngtcp2_conn_encode_local_transport_params(conn, buf, buflen);
+  nwrite = ngtcp2_conn_encode_local_transport_params2(conn, buf, buflen);
   if (nwrite < 0) {
     goto fail;
   }
@@ -620,7 +620,7 @@ static int update_traffic_key_server_cb(ptls_update_traffic_key_t *self,
        * wait for the key to get the correct local transport
        * parameters from ngtcp2_conn.
        */
-      cptls = ngtcp2_conn_get_tls_native_handle(conn);
+      cptls = ngtcp2_conn_get_tls_native_handle2(conn);
 
       if (set_additional_extensions(&cptls->handshake_properties, conn) != 0) {
         return -1;

diff --git a/deps/ngtcp2/ngtcp2/crypto/quictls/quictls.c b/deps/ngtcp2/ngtcp2/crypto/quictls/quictls.c
@@ -812,7 +812,7 @@ int ngtcp2_crypto_hp_mask(uint8_t *dest, const ngtcp2_crypto_cipher *hp,
 int ngtcp2_crypto_read_write_crypto_data(
   ngtcp2_conn *conn, ngtcp2_encryption_level encryption_level,
   const uint8_t *data, size_t datalen) {
-  SSL *ssl = ngtcp2_conn_get_tls_native_handle(conn);
+  SSL *ssl = ngtcp2_conn_get_tls_native_handle2(conn);
   int rv;
   int err;
 
@@ -824,7 +824,7 @@ int ngtcp2_crypto_read_write_crypto_data(
     return -1;
   }
 
-  if (!ngtcp2_conn_get_handshake_completed(conn)) {
+  if (!ngtcp2_conn_get_handshake_completed2(conn)) {
     rv = SSL_do_handshake(ssl);
     if (rv <= 0) {
       err = SSL_get_error(ssl, rv);