> Is it valid to call: > > size_t size = SSL_get_finished(ssl, NULL, 0); No > Because SSL_get_finished invokes memcpy even if the size is 0, so is the > undefined behaviour? Yes