From 30d1defaac3c71380e11d815971dd03a300f2ac7 Mon Sep 17 00:00:00 2001 From: tb Date: Fri, 28 Jun 2024 14:48:43 +0000 Subject: [PATCH] The ALPN callback should really ignore the out parameter if there's no overlap. Document that explicitly. Also make it more explicit that the caller must work with a copy of out. ok jsing --- lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 index 683b6696e3a..5f8da325bba 100644 --- a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 +++ b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.8 2021/09/10 09:25:29 tb Exp $ +.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.9 2024/06/28 14:48:43 tb Exp $ .\" OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 10 2021 $ +.Dd $Mdocdate: June 28 2024 $ .Dt SSL_CTX_SET_ALPN_SELECT_CB 3 .Os .Sh NAME @@ -153,6 +153,15 @@ It implements the standard protocol selection. It is expected that this function is called from the application callback .Fa cb . +If +.Fn SSL_select_next_proto +returns +.Dv OPENSSL_NPN_NO_OVERLAP , +.Fa cb +should ignore +.Fa out +and fail by returning +.Dv SSL_TLSEXT_ERR_ALERT_FATAL . The protocol data in .Fa server , .Fa server_len @@ -175,7 +184,8 @@ value will point into either .Fa server or .Fa client , -so it should be copied immediately. +so it must not be modified and +should be copied immediately. If no match is found, the first item in .Fa client , .Fa client_len -- 2.20.1
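Review bot: in the @@ -153,6 +153,15 @@ hunk, the new OPENSSL_NPN_NO_OVERLAP guidance is inserted between "It is expected that this function is called from the application callback .Fa cb ." and "The protocol data in .Fa server , .Fa server_len", so it interrupts the parameter description, and it sits far from the existing sentence "If no match is found, the first item in .Fa client , .Fa client_len" in the later hunk, which still describes what out holds on no match without saying that value is not to be acted on. Suggest placing the nine added lines directly after that "If no match is found" sentence (or qualifying that sentence in the same place), so a reader sees "first item in client" and "ignore .Fa out and fail by returning .Dv SSL_TLSEXT_ERR_ALERT_FATAL" together rather than reading the first as a usable result.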
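Review bot: in the @@ -175,7 +184,8 @@ hunk, "so it must not be modified and should be copied immediately" mixes a hard requirement with advice, while the commit message says the caller must work with a copy of out. Since the preceding context states the value "will point into either .Fa server or .Fa client ,", the copy is what makes the pointer safe to keep, so consider "so it must not be modified and must be copied immediately." to make both halves requirements.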