From 27b11b8c86390a95249d20c9ee6e1ef037dd3c42 Mon Sep 17 00:00:00 2001
From: Tim Perry <pimterry@gmail.com>
Date: Wed, 26 Oct 2022 14:33:32 +0200
Subject: [PATCH 1/5] tls: add ALPNCallback server option for dynamic ALPN
 negotiation

---
 doc/api/errors.md                            | 14 +++++
 doc/api/tls.md                               | 14 +++++
 lib/_tls_wrap.js                             | 56 +++++++++++++++++
 lib/internal/errors.js                       | 10 +++
 src/crypto/crypto_tls.cc                     | 48 +++++++++++++++
 src/crypto/crypto_tls.h                      |  2 +
 src/env_properties.h                         |  1 +
 test/parallel/test-tls-alpn-server-client.js | 65 +++++++++++++++++++-
 8 files changed, 207 insertions(+), 3 deletions(-)

diff --git a/doc/api/errors.md b/doc/api/errors.md
index 8a212f3c19f1bc..3e338a4e8f8cd6 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -2746,6 +2746,20 @@ This error represents a failed test. Additional information about the failure
 is available via the `cause` property. The `failureType` property specifies
 what the test was doing when the failure occurred.
 
+<a id="ERR_TLS_ALPN_CALLBACK_INVALID_RESULT"></a>
+
+### `ERR_TLS_ALPN_CALLBACK_INVALID_RESULT`
+
+This error is thrown when an `ALPNCallback` returns a value that is not in the
+list of ALPN protocols offered by the client.
+
+<a id="ERR_TLS_ALPN_CALLBACK_WITH_PROTOCOLS"></a>
+
+### `ERR_TLS_ALPN_CALLBACK_WITH_PROTOCOLS`
+
+This error is thrown when creating a `TLSServer` if the TLS options include
+both `ALPNProtocols` and `ALPNCallback`. These options are mutually exclusive.
+
 <a id="ERR_TLS_CERT_ALTNAME_FORMAT"></a>
 
 ### `ERR_TLS_CERT_ALTNAME_FORMAT`
diff --git a/doc/api/tls.md b/doc/api/tls.md
index e1f0d28509ae34..00a15c1ed249aa 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -2049,6 +2049,9 @@ where `secureSocket` has the same API as `pair.cleartext`.
 <!-- YAML
 added: v0.3.2
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/45190
+    description: The `options` parameter can now include `ALPNCallback`.
   - version: v19.0.0
     pr-url: https://github.com/nodejs/node/pull/44031
     description: If `ALPNProtocols` is set, incoming connections that send an
@@ -2079,6 +2082,17 @@ changes:
     e.g. `0x05hello0x05world`, where the first byte is the length of the next
     protocol name. Passing an array is usually much simpler, e.g.
     `['hello', 'world']`. (Protocols should be ordered by their priority.)
+  * `ALPNCallback(params)`: {Function} If set, this will be called when a
+    client opens a connection using the ALPN extension. One argument will
+    be passed to the callback: an object containing `serverName` and
+    `clientALPNProtocols` fields, respectively containing the server name from
+    the SNI extension (if any) and an array of ALPN protocol name strings. The
+    callback must return either one of the strings listed in
+    `clientALPNProtocols`, which will be returned to the client as the selected
+    ALPN protocol, or `undefined`, to reject the connection with a fatal alert.
+    If a string is returned that does not match one of the client's ALPN
+    protocols, an error will be thrown. This option cannot be used with the
+    `ALPNProtocols` option, and setting both options will throw an error.
   * `clientCertEngine` {string} Name of an OpenSSL engine which can provide the
     client certificate.
   * `enableTrace` {boolean} If `true`, [`tls.TLSSocket.enableTrace()`][] will be
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 5950c52c1dc2ec..e61962470231ad 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -72,6 +72,8 @@ const {
   ERR_INVALID_ARG_VALUE,
   ERR_MULTIPLE_CALLBACK,
   ERR_SOCKET_CLOSED,
+  ERR_TLS_ALPN_CALLBACK_INVALID_RESULT,
+  ERR_TLS_ALPN_CALLBACK_WITH_PROTOCOLS,
   ERR_TLS_DH_PARAM_SIZE,
   ERR_TLS_HANDSHAKE_TIMEOUT,
   ERR_TLS_INVALID_CONTEXT,
@@ -234,6 +236,46 @@ function loadSNI(info) {
 }
 
 
+function callALPNCallback(protocolsBuffer) {
+  const handle = this;
+  const socket = handle[owner_symbol];
+
+  const serverName = handle.getServername();
+
+  // Collect all the protocols from the given buffer:
+  const protocols = [];
+  let offset = 0;
+  while (offset < protocolsBuffer.length) {
+    const protocolLen = protocolsBuffer[offset];
+    offset += 1;
+
+    const protocol = protocolsBuffer.slice(offset, offset + protocolLen);
+    offset += protocolLen;
+
+    protocols.push(protocol.toString('ascii'));
+  }
+
+  const selectedProtocol = socket._ALPNCallback({
+    serverName,
+    clientALPNProtocols: protocols
+  });
+
+  // Undefined -> all proposed protocols rejected
+  if (selectedProtocol === undefined) return undefined;
+
+  const protocolIndex = protocols.indexOf(selectedProtocol);
+  if (protocolIndex === -1) {
+    throw new ERR_TLS_ALPN_CALLBACK_INVALID_RESULT(selectedProtocol, protocols);
+  }
+  let protocolOffset = 0;
+  for (let i = 0; i < protocolIndex; i++) {
+    protocolOffset += 1 + protocols[i].length;
+  }
+
+  return protocolOffset;
+}
+
+
 function requestOCSP(socket, info) {
   if (!info.OCSPRequest || !socket.server)
     return requestOCSPDone(socket);
@@ -493,6 +535,7 @@ function TLSSocket(socket, opts) {
   this._controlReleased = false;
   this.secureConnecting = true;
   this._SNICallback = null;
+  this._ALPNCallback = null;
   this.servername = null;
   this.alpnProtocol = null;
   this.authorized = false;
@@ -755,6 +798,13 @@ TLSSocket.prototype._init = function(socket, wrap) {
     ssl.lastHandshakeTime = 0;
     ssl.handshakes = 0;
 
+    if (options.ALPNCallback) {
+      assert(typeof options.ALPNCallback === 'function');
+      this._ALPNCallback = options.ALPNCallback;
+      ssl.ALPNCallback = callALPNCallback;
+      ssl.enableALPNCb();
+    }
+
     if (this.server) {
       if (this.server.listenerCount('resumeSession') > 0 ||
           this.server.listenerCount('newSession') > 0) {
@@ -1133,6 +1183,7 @@ function tlsConnectionListener(rawSocket) {
     rejectUnauthorized: this.rejectUnauthorized,
     handshakeTimeout: this[kHandshakeTimeout],
     ALPNProtocols: this.ALPNProtocols,
+    ALPNCallback: this.ALPNCallback,
     SNICallback: this[kSNICallback] || SNICallback,
     enableTrace: this[kEnableTrace],
     pauseOnConnect: this.pauseOnConnect,
@@ -1232,6 +1283,11 @@ function Server(options, listener) {
   this.requestCert = options.requestCert === true;
   this.rejectUnauthorized = options.rejectUnauthorized !== false;
 
+  this.ALPNCallback = options.ALPNCallback;
+  if (this.ALPNCallback && options.ALPNProtocols) {
+    throw new ERR_TLS_ALPN_CALLBACK_WITH_PROTOCOLS();
+  }
+
   if (options.sessionTimeout)
     this.sessionTimeout = options.sessionTimeout;
 
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index 651a2fa99cb715..a7120564c468fb 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1628,6 +1628,16 @@ E('ERR_TEST_FAILURE', function(error, failureType) {
   this.cause = error;
   return msg;
 }, Error);
+E('ERR_TLS_ALPN_CALLBACK_INVALID_RESULT', (value, protocols) => {
+  return `ALPN callback returned a value (${
+    value
+  }) that did not match any of the client's offered protocols (${
+    protocols.join(', ')
+  })`;
+}, TypeError);
+E('ERR_TLS_ALPN_CALLBACK_WITH_PROTOCOLS',
+  'The ALPNCallback and ALPNProtocols TLS options are mutually exclusive',
+  TypeError);
 E('ERR_TLS_CERT_ALTNAME_FORMAT', 'Invalid subject alternative name string',
   SyntaxError);
 E('ERR_TLS_CERT_ALTNAME_INVALID', function(reason, host, cert) {
diff --git a/src/crypto/crypto_tls.cc b/src/crypto/crypto_tls.cc
index cc2f6d60e75990..7c76453593d7fe 100644
--- a/src/crypto/crypto_tls.cc
+++ b/src/crypto/crypto_tls.cc
@@ -224,6 +224,43 @@ int SelectALPNCallback(
     unsigned int inlen,
     void* arg) {
   TLSWrap* w = static_cast<TLSWrap*>(arg);
+  if (w->alpn_callback_enabled_) {
+    Environment* env = w->env();
+
+    Local<Value> callback_arg =
+        Buffer::Copy(env, reinterpret_cast<const char*>(in), inlen)
+            .ToLocalChecked();
+
+    MaybeLocal<Value> maybe_callback_result =
+        w->MakeCallback(env->alpn_callback_string(), 1, &callback_arg);
+
+    if (UNLIKELY(maybe_callback_result.IsEmpty())) {
+      // Implies the callback didn't return, because some exception was thrown
+      // during processing, e.g. if callback returned an invalid ALPN value.
+      return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+
+    Local<Value> callback_result = maybe_callback_result.ToLocalChecked();
+
+    if (callback_result->IsUndefined()) {
+      // If you set an ALPN callback, but you return undefined for an ALPN
+      // request, you're rejecting all proposed ALPN protocols, and so we send
+      // a fatal alert:
+      return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+
+    CHECK(callback_result->IsNumber());
+    unsigned int result_int = callback_result.As<v8::Number>()->Value();
+
+    // The callback returns an offset into the given buffer, for the selected
+    // protocol that should be returned. We then set outlen & out to point
+    // to the selected input length & value directly:
+    *outlen = *(in + result_int);
+    *out = (in + result_int + 1);
+
+    return SSL_TLSEXT_ERR_OK;
+  }
+
   const std::vector<unsigned char>& alpn_protos = w->alpn_protos_;
 
   if (alpn_protos.empty()) return SSL_TLSEXT_ERR_NOACK;
@@ -1224,6 +1261,15 @@ void TLSWrap::OnClientHelloParseEnd(void* arg) {
   c->Cycle();
 }
 
+void TLSWrap::EnableALPNCb(const FunctionCallbackInfo<Value>& args) {
+  TLSWrap* wrap;
+  ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+  wrap->alpn_callback_enabled_ = true;
+
+  SSL* ssl = wrap->ssl_.get();
+  SSL_CTX_set_alpn_select_cb(SSL_get_SSL_CTX(ssl), SelectALPNCallback, wrap);
+}
+
 void TLSWrap::GetServername(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
 
@@ -2034,6 +2080,7 @@ void TLSWrap::Initialize(
   SetProtoMethod(isolate, t, "certCbDone", CertCbDone);
   SetProtoMethod(isolate, t, "destroySSL", DestroySSL);
   SetProtoMethod(isolate, t, "enableCertCb", EnableCertCb);
+  SetProtoMethod(isolate, t, "enableALPNCb", EnableALPNCb);
   SetProtoMethod(isolate, t, "endParser", EndParser);
   SetProtoMethod(isolate, t, "enableKeylogCallback", EnableKeylogCallback);
   SetProtoMethod(isolate, t, "enableSessionCallbacks", EnableSessionCallbacks);
@@ -2099,6 +2146,7 @@ void TLSWrap::RegisterExternalReferences(ExternalReferenceRegistry* registry) {
   registry->Register(CertCbDone);
   registry->Register(DestroySSL);
   registry->Register(EnableCertCb);
+  registry->Register(EnableALPNCb);
   registry->Register(EndParser);
   registry->Register(EnableKeylogCallback);
   registry->Register(EnableSessionCallbacks);
diff --git a/src/crypto/crypto_tls.h b/src/crypto/crypto_tls.h
index 5d1b24ff772328..a1a7f2ef240cc0 100644
--- a/src/crypto/crypto_tls.h
+++ b/src/crypto/crypto_tls.h
@@ -172,6 +172,7 @@ class TLSWrap : public AsyncWrap,
   static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void DestroySSL(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EnableCertCb(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void EnableALPNCb(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EnableKeylogCallback(
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EnableSessionCallbacks(
@@ -285,6 +286,7 @@ class TLSWrap : public AsyncWrap,
 
  public:
   std::vector<unsigned char> alpn_protos_;  // Accessed by SelectALPNCallback.
+  bool alpn_callback_enabled_ = false;      // Accessed by SelectALPNCallback.
 };
 
 }  // namespace crypto
diff --git a/src/env_properties.h b/src/env_properties.h
index 77b143dbf78931..bc4e840f956c04 100644
--- a/src/env_properties.h
+++ b/src/env_properties.h
@@ -50,6 +50,7 @@
   V(ack_string, "ack")                                                         \
   V(address_string, "address")                                                 \
   V(aliases_string, "aliases")                                                 \
+  V(alpn_callback_string, "ALPNCallback")                                      \
   V(args_string, "args")                                                       \
   V(asn1curve_string, "asn1Curve")                                             \
   V(async_ids_stack_string, "async_ids_stack")                                 \
diff --git a/test/parallel/test-tls-alpn-server-client.js b/test/parallel/test-tls-alpn-server-client.js
index 2961c0ed1d4af4..890b36c0ca78a9 100644
--- a/test/parallel/test-tls-alpn-server-client.js
+++ b/test/parallel/test-tls-alpn-server-client.js
@@ -41,9 +41,8 @@ function runTest(clientsOptions, serverOptions, cb) {
     opt.rejectUnauthorized = false;
 
     results[clientIndex] = {};
-    const client = tls.connect(opt, function() {
-      results[clientIndex].client = { ALPN: client.alpnProtocol };
-      client.end();
+
+    function startNextClient() {
       if (options.length) {
         clientIndex++;
         connectClient(options);
@@ -53,6 +52,15 @@ function runTest(clientsOptions, serverOptions, cb) {
           cb(results);
         });
       }
+    }
+
+    const client = tls.connect(opt, function() {
+      results[clientIndex].client = { ALPN: client.alpnProtocol };
+      client.end();
+      startNextClient();
+    }).on('error', function(err) {
+      results[clientIndex].client = { error: err };
+      startNextClient();
     });
   }
 
@@ -200,12 +208,63 @@ function TestFatalAlert() {
           .on('close', common.mustCall(() => {
             assert.match(stderr, /SSL alert number 120/);
             server.close();
+            TestALPNCallback();
           }));
       } else {
         server.close();
+        TestALPNCallback();
       }
     }));
   }));
 }
 
+function TestALPNCallback() {
+  // Server always selects the client's 2nd preference:
+  const serverOptions = {
+    ALPNCallback: ({ clientALPNProtocols }) => {
+      return clientALPNProtocols[1];
+    }
+  };
+
+  const clientsOptions = [{
+    ALPNProtocols: ['a', 'b', 'c'],
+  }, {
+    ALPNProtocols: ['a'],
+  }];
+
+  runTest(clientsOptions, serverOptions, function(results) {
+    // Callback picks 2nd preference => picks 'b'
+    checkResults(results[0],
+                 { server: { ALPN: 'b' },
+                   client: { ALPN: 'b' } });
+
+    // Callback picks 2nd preference => undefined => ALPN rejected:
+    assert.strictEqual(results[1].server, undefined);
+    assert.strictEqual(results[1].client.error.code, 'ECONNRESET');
+
+    TestBadALPNCallback();
+  });
+}
+
+function TestBadALPNCallback() {
+  // Server always returns a fixed invalid value:
+  const serverOptions = {
+    ALPNCallback: () => 'http/5'
+  };
+
+  const clientsOptions = [{
+    ALPNProtocols: ['http/1', 'h2'],
+  }];
+
+  process.once('uncaughtException', common.mustCall((error) => {
+    assert.strictEqual(error.code, 'ERR_TLS_ALPN_CALLBACK_INVALID_RESULT');
+  }));
+
+  runTest(clientsOptions, serverOptions, function(results) {
+    // Callback returns 'http/5' => doesn't match client ALPN => error & reset
+    assert.strictEqual(results[0].server, undefined);
+    assert.strictEqual(results[0].client.error.code, 'ECONNRESET');
+  });
+}
+
 Test1();

From bdb26fc590b6fc39aea28cafe70bfbad82f386ee Mon Sep 17 00:00:00 2001
From: Tim Perry <pimterry@gmail.com>
Date: Mon, 31 Oct 2022 14:29:37 +0100
Subject: [PATCH 2/5] test: add test for ERR_TLS_ALPN_CALLBACK_WITH_PROTOCOLS
 error case

---
 test/parallel/test-tls-alpn-server-client.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/test/parallel/test-tls-alpn-server-client.js b/test/parallel/test-tls-alpn-server-client.js
index 890b36c0ca78a9..1e1c0aa4768144 100644
--- a/test/parallel/test-tls-alpn-server-client.js
+++ b/test/parallel/test-tls-alpn-server-client.js
@@ -264,7 +264,17 @@ function TestBadALPNCallback() {
     // Callback returns 'http/5' => doesn't match client ALPN => error & reset
     assert.strictEqual(results[0].server, undefined);
     assert.strictEqual(results[0].client.error.code, 'ECONNRESET');
+
+    TestALPNOptionsCallback();
   });
 }
 
+function TestALPNOptionsCallback() {
+  // Server sets two incompatible ALPN options:
+  assert.throws(() => tls.createServer({
+    ALPNCallback: () => 'a',
+    ALPNProtocols: ['b', 'c']
+  }), (error) => error.code === 'ERR_TLS_ALPN_CALLBACK_WITH_PROTOCOLS');
+}
+
 Test1();

From 9ae8945008d4119c0f8a7827ea67a6781360829d Mon Sep 17 00:00:00 2001
From: Tim Perry <pimterry@gmail.com>
Date: Fri, 5 May 2023 12:57:53 +0200
Subject: [PATCH 3/5] Update ALPNCallback param names & other tweaks after
 review

---
 doc/api/tls.md                               |  8 ++++----
 lib/_tls_wrap.js                             | 16 ++++++++++------
 test/parallel/test-tls-alpn-server-client.js |  8 ++++----
 3 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/doc/api/tls.md b/doc/api/tls.md
index 00a15c1ed249aa..71a63cabc4e4af 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -2082,13 +2082,13 @@ changes:
     e.g. `0x05hello0x05world`, where the first byte is the length of the next
     protocol name. Passing an array is usually much simpler, e.g.
     `['hello', 'world']`. (Protocols should be ordered by their priority.)
-  * `ALPNCallback(params)`: {Function} If set, this will be called when a
+  * `ALPNCallback`: {Function} If set, this will be called when a
     client opens a connection using the ALPN extension. One argument will
-    be passed to the callback: an object containing `serverName` and
-    `clientALPNProtocols` fields, respectively containing the server name from
+    be passed to the callback: an object containing `servername` and
+    `protocols` fields, respectively containing the server name from
     the SNI extension (if any) and an array of ALPN protocol name strings. The
     callback must return either one of the strings listed in
-    `clientALPNProtocols`, which will be returned to the client as the selected
+    `protocols`, which will be returned to the client as the selected
     ALPN protocol, or `undefined`, to reject the connection with a fatal alert.
     If a string is returned that does not match one of the client's ALPN
     protocols, an error will be thrown. This option cannot be used with the
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index e61962470231ad..f3696ce212fdad 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -110,6 +110,7 @@ const kErrorEmitted = Symbol('error-emitted');
 const kHandshakeTimeout = Symbol('handshake-timeout');
 const kRes = Symbol('res');
 const kSNICallback = Symbol('snicallback');
+const kALPNCallback = Symbol('alpncallback');
 const kEnableTrace = Symbol('enableTrace');
 const kPskCallback = Symbol('pskcallback');
 const kPskIdentityHint = Symbol('pskidentityhint');
@@ -240,7 +241,7 @@ function callALPNCallback(protocolsBuffer) {
   const handle = this;
   const socket = handle[owner_symbol];
 
-  const serverName = handle.getServername();
+  const servername = handle.getServername();
 
   // Collect all the protocols from the given buffer:
   const protocols = [];
@@ -255,9 +256,9 @@ function callALPNCallback(protocolsBuffer) {
     protocols.push(protocol.toString('ascii'));
   }
 
-  const selectedProtocol = socket._ALPNCallback({
-    serverName,
-    clientALPNProtocols: protocols
+  const selectedProtocol = socket[kALPNCallback]({
+    servername,
+    protocols,
   });
 
   // Undefined -> all proposed protocols rejected
@@ -535,7 +536,7 @@ function TLSSocket(socket, opts) {
   this._controlReleased = false;
   this.secureConnecting = true;
   this._SNICallback = null;
-  this._ALPNCallback = null;
+  this[kALPNCallback] = null;
   this.servername = null;
   this.alpnProtocol = null;
   this.authorized = false;
@@ -799,8 +800,11 @@ TLSSocket.prototype._init = function(socket, wrap) {
     ssl.handshakes = 0;
 
     if (options.ALPNCallback) {
+      if (typeof options.ALPNCallback !== 'function') {
+        throw new ERR_INVALID_ARG_TYPE('options.ALPNCallback', 'Function', options.ALPNCallback);
+      }
       assert(typeof options.ALPNCallback === 'function');
-      this._ALPNCallback = options.ALPNCallback;
+      this[kALPNCallback] = options.ALPNCallback;
       ssl.ALPNCallback = callALPNCallback;
       ssl.enableALPNCb();
     }
diff --git a/test/parallel/test-tls-alpn-server-client.js b/test/parallel/test-tls-alpn-server-client.js
index 1e1c0aa4768144..a77c15b77ab254 100644
--- a/test/parallel/test-tls-alpn-server-client.js
+++ b/test/parallel/test-tls-alpn-server-client.js
@@ -221,9 +221,9 @@ function TestFatalAlert() {
 function TestALPNCallback() {
   // Server always selects the client's 2nd preference:
   const serverOptions = {
-    ALPNCallback: ({ clientALPNProtocols }) => {
-      return clientALPNProtocols[1];
-    }
+    ALPNCallback: common.mustCall(({ protocols }) => {
+      return protocols[1];
+    }, 2)
   };
 
   const clientsOptions = [{
@@ -249,7 +249,7 @@ function TestALPNCallback() {
 function TestBadALPNCallback() {
   // Server always returns a fixed invalid value:
   const serverOptions = {
-    ALPNCallback: () => 'http/5'
+    ALPNCallback: common.mustCall(() => 'http/5')
   };
 
   const clientsOptions = [{

From bfcdb4c6ae375e33da405e68ddd03edd621b8843 Mon Sep 17 00:00:00 2001
From: Tim Perry <1526883+pimterry@users.noreply.github.com>
Date: Wed, 10 May 2023 13:17:17 +0200
Subject: [PATCH 4/5] Formatting fix in lib/_tls_wrap.js

Co-authored-by: James M Snell <jasnell@gmail.com>
---
 lib/_tls_wrap.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index f3696ce212fdad..1975e823ee588e 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -276,7 +276,6 @@ function callALPNCallback(protocolsBuffer) {
   return protocolOffset;
 }
 
-
 function requestOCSP(socket, info) {
   if (!info.OCSPRequest || !socket.server)
     return requestOCSPDone(socket);

From 3086710108ed16d61986d20517925124ff03b244 Mon Sep 17 00:00:00 2001
From: Tim Perry <pimterry@gmail.com>
Date: Tue, 27 Jun 2023 16:08:25 +0100
Subject: [PATCH 5/5] Add missing handle_scope in ALPN callback handling

This wasn't included in initial versions but appears to be required for
the subsequent Buffer::copy in arm-debug builds.
---
 src/crypto/crypto_tls.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/crypto/crypto_tls.cc b/src/crypto/crypto_tls.cc
index 7c76453593d7fe..028b251b3e7799 100644
--- a/src/crypto/crypto_tls.cc
+++ b/src/crypto/crypto_tls.cc
@@ -226,6 +226,7 @@ int SelectALPNCallback(
   TLSWrap* w = static_cast<TLSWrap*>(arg);
   if (w->alpn_callback_enabled_) {
     Environment* env = w->env();
+    HandleScope handle_scope(env->isolate());
 
     Local<Value> callback_arg =
         Buffer::Copy(env, reinterpret_cast<const char*>(in), inlen)