The ALPN callback should really ignore the out parameter if there's

author tb <tb@openbsd.org>

Fri, 28 Jun 2024 14:48:43 +0000 (14:48 +0000)

committer tb <tb@openbsd.org>

Fri, 28 Jun 2024 14:48:43 +0000 (14:48 +0000)
author tb <tb@openbsd.org>
Fri, 28 Jun 2024 14:48:43 +0000 (14:48 +0000)
committer tb <tb@openbsd.org>
Fri, 28 Jun 2024 14:48:43 +0000 (14:48 +0000)
diff --git a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3

index 683b669..5f8da32 100644 (file)
--- a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.8 2021/09/10 09:25:29 tb Exp $
+.\"    $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.9 2024/06/28 14:48:43 tb Exp $
  .\"    OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
  .\"    OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
  .\"
@@ -49,7 +49,7 @@
  .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  .\" OF THE POSSIBILITY OF SUCH DAMAGE.
  .\"
-.Dd $Mdocdate: September 10 2021 $
+.Dd $Mdocdate: June 28 2024 $
  .Dt SSL_CTX_SET_ALPN_SELECT_CB 3
  .Os
  .Sh NAME
@@ -153,6 +153,15 @@ It implements the standard protocol selection.
  It is expected that this function is called from the application
  callback
  .Fa cb .
+If
+.Fn SSL_select_next_proto
+returns
+.Dv OPENSSL_NPN_NO_OVERLAP ,
+.Fa cb
+should ignore
+.Fa out
+and fail by returning
+.Dv SSL_TLSEXT_ERR_ALERT_FATAL .
  The protocol data in
  .Fa server ,
  .Fa server_len
@@ -175,7 +184,8 @@ value will point into either
  .Fa server
  or
  .Fa client ,
-so it should be copied immediately.
+so it must not be modified and
+should be copied immediately.
  If no match is found, the first item in
  .Fa client ,
  .Fa client_len
author	tb <tb@openbsd.org>
	Fri, 28 Jun 2024 14:48:43 +0000 (14:48 +0000)
committer	tb <tb@openbsd.org>
	Fri, 28 Jun 2024 14:48:43 +0000 (14:48 +0000)