author Theo Buehler <tb@cvs.openbsd.org> 2024-06-28 14:48:44 +0000
committer Theo Buehler <tb@cvs.openbsd.org> 2024-06-28 14:48:44 +0000
commit 0abac6174e4b9510656595f4ad52afe7b90f5434
tree 435a2f4c76f557003fa84cf13d9fb576d38fdc23
parent d6ab4d474132d580b74ef1bf25f5f303348cd878
The ALPN callback should really ignore the out parameter if there's
no overlap. Document that explicitly. Also make it more explicit that the caller must work with a copy of out.

ok jsing
-rw-r--r-- lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 16
1 files changed, 13 insertions, 3 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
index 683b6696e3a..5f8da325bba 100644
--- a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.8 2021/09/10 09:25:29 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.9 2024/06/28 14:48:43 tb Exp $
.\" OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
@@ -49,7 +49,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: September 10 2021 $
+.Dd $Mdocdate: June 28 2024 $
.Dt SSL_CTX_SET_ALPN_SELECT_CB 3
.Os
.Sh NAME
@@ -153,6 +153,15 @@ It implements the standard protocol selection.
It is expected that this function is called from the application
callback
.Fa cb .
+If
+.Fn SSL_select_next_proto
+returns
+.Dv OPENSSL_NPN_NO_OVERLAP ,
+.Fa cb
+should ignore
+.Fa out
+and fail by returning
+.Dv SSL_TLSEXT_ERR_ALERT_FATAL .
The protocol data in
.Fa server ,
.Fa server_len
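Review bot: The added sentence "If .Fn SSL_select_next_proto returns .Dv OPENSSL_NPN_NO_OVERLAP , .Fa cb should ignore .Fa out" gives the rule without the reason, and it sits ahead of the text that describes what out contains. The paragraph further down that begins "If no match is found, the first item in client, client_len" is where a reader learns what happens to out in the no-overlap case, so consider moving the new sentence after that paragraph or adding a short clause pointing to it, so that a non-NULL out is not mistaken for a successful selection. The wording "should ignore" is also softer than the "must not be modified" introduced in the next hunk; if ignoring out and returning SSL_TLSEXT_ERR_ALERT_FATAL is the required behaviour, "must" would keep the two hunks consistent.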
@@ -175,7 +184,8 @@ value will point into either
.Fa server
or
.Fa client ,
-so it should be copied immediately.
+so it must not be modified and
+should be copied immediately.
If no match is found, the first item in
.Fa client ,
.Fa client_len
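Review bot: In the replacement "so it must not be modified and should be copied immediately", the two obligations carry different strength and "it" is ambiguous between the out pointer and the data it points into in server or client. The commit message says the caller must work with a copy of out, which "should be copied" undersells. Suggest wording along the lines of "so the data it points to must not be modified and must be copied immediately", which states both requirements at the same level and makes clear that the buffer contents, not the pointer variable, are what must be left untouched.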