diff --git a/apps/s_client.c b/apps/s_client.c index 975aa2fb447353a08250b37d9f016ed7d08a691c..4d2fa861a58c5d252bd84e24e5b44762920bb77d 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1889,8 +1889,7 @@ int s_client_main(int argc, char **argv) goto end; } /* By default the SNI should be the same as was set in the session */ - if (!noservername && servername == NULL) - { + if (!noservername && servername == NULL) { const char *sni = SSL_SESSION_get0_hostname(sess); if (sni != NULL) { diff --git a/doc/man3/SSL_SESSION_get0_hostname.pod b/doc/man3/SSL_SESSION_get0_hostname.pod index 642daaa531e2a297dc90e2e7ae15ff500d7f56c2..f0f02d32a2d5b67809ff9059c75f84dbd53c1897 100644 --- a/doc/man3/SSL_SESSION_get0_hostname.pod +++ b/doc/man3/SSL_SESSION_get0_hostname.pod @@ -37,8 +37,9 @@ session and its associated length in bytes. The returned value of B<*alpn> is a pointer to memory maintained within B and should not be free'd. SSL_SESSION_set1_alpn_selected() sets the ALPN protocol for this session to the -value in B<*alpn> which should be of length B bytes. A copy of this value -is taken. +value in B which should be of length B bytes. A copy of the input +value is made, and the caller retains ownership of the memory pointed to by +B. =head1 SEE ALSO diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod index a593b147b87f0dd33d46e9ec9eb053f601cd64c9..10736841a12940dc37cc4083209e515f3d6406f7 100644 --- a/doc/man3/SSL_read_early_data.pod +++ b/doc/man3/SSL_read_early_data.pod @@ -63,7 +63,9 @@ will return the maximum number of early data bytes that can be sent. The function SSL_SESSION_set_max_early_data() sets the maximum number of early data bytes that can be sent for a session. This would typically be used when -creating a PSK session file (see L). +creating a PSK session file (see L). If +using a ticket based PSK then this is set automatically to the value provided by +the server. A client uses the function SSL_write_early_data() to send early data. This function is similar to the L function, but with the following diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c index 0c3fc6bf16073f5fbec9f27275d026522cf9901f..696cc37fd3d22b20a7cbba3973785e402c39fc01 100644 --- a/ssl/record/ssl3_record_tls13.c +++ b/ssl/record/ssl3_record_tls13.c @@ -58,10 +58,14 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) if (s->early_data_state == SSL_EARLY_DATA_WRITING || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { - if (s->session != NULL && s->session->ext.max_early_data > 0) + if (s->session != NULL && s->session->ext.max_early_data > 0) { alg_enc = s->session->cipher->algorithm_enc; - else + } else { + if (!ossl_assert(s->psksession != NULL + && s->psksession->ext.max_early_data > 0)) + return -1; alg_enc = s->psksession->cipher->algorithm_enc; + } } else { /* * To get here we must have selected a ciphersuite - otherwise ctx would diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index bcbcbac87325b476b49a34ce399b1b31c1d5a37f..8db895b0fe71a1fa31f40af6a9803407c3792269 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1401,10 +1401,10 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, } s->s3->alpn_selected_len = len; - if (s->session->ext.alpn_selected != NULL - && (s->session->ext.alpn_selected_len != len - || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, - len) != 0)) { + if (s->session->ext.alpn_selected == NULL + || s->session->ext.alpn_selected_len != len + || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len) + != 0) { /* ALPN not consistent with the old session so cannot use early_data */ s->ext.early_data_ok = 0; }