Add TLCP ALPN support

2026-06-19 19:33:38 +08:00 · 2026-06-12 09:58:47 +08:00
parent e480e25109
commit b1f670c6c6
3 changed files with 86 additions and 9 deletions
--- a/src/tlcp.c
+++ b/src/tlcp.c
@@ -364,9 +364,13 @@ int tlcp_send_client_hello(TLS_CONNECT *conn)
 		}

 		// application_layer_protocol_negotiation
-		if (conn->ctx->application_layer_protocol_negotiation) {
-			error_print();
-			return -1;
+		if (conn->ctx->alpn_protocols_cnt) {
+			if (tls_application_layer_protocol_negotiation_ext_to_bytes(
+				conn->ctx->alpn_protocols, conn->ctx->alpn_protocols_cnt,
+				&pexts, &extslen) != 1) {
+				error_print();
+				return -1;
+			}
 		}

 		// client_id
@@ -561,7 +565,7 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn)
 			break;

 		case TLS_extension_application_layer_protocol_negotiation:
-			if (!conn->ctx->application_layer_protocol_negotiation) {
+			if (!conn->ctx->alpn_protocols_cnt) {
 				error_print();
 				tls_send_alert(conn, TLS_alert_illegal_parameter);
 				return -1;
@@ -584,7 +588,19 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn)

 	// application_layer_protocol_negotiation
 	if (application_layer_protocol_negotiation) {
-		// 实现ALPN的功能
+		if ((ret = tls_application_layer_protocol_negotiation_selected_from_bytes(
+			&conn->alpn_selected,
+			application_layer_protocol_negotiation, application_layer_protocol_negotiation_len,
+			conn->ctx->alpn_protocols, conn->ctx->alpn_protocols_cnt)) < 0) {
+			error_print();
+			tls_send_alert(conn, TLS_alert_decode_error);
+			return -1;
+		} else if (ret == 0) {
+			error_print();
+			tls_send_alert(conn, TLS_alert_illegal_parameter);
+			return -1;
+		}
+		conn->application_layer_protocol_negotiation = 1;
 	}


@@ -1484,6 +1500,27 @@ int tlcp_recv_client_hello(TLS_CONNECT *conn)
 		return -1;
 	}

+	if (application_layer_protocol_negotiation) {
+		if (!conn->ctx->alpn_protocols_cnt) {
+			error_print();
+			tls_send_alert(conn, TLS_alert_no_application_protocol);
+			return -1;
+		}
+		if ((ret = tls_application_layer_protocol_negotiation_select(
+			application_layer_protocol_negotiation, application_layer_protocol_negotiation_len,
+			conn->ctx->alpn_protocols, conn->ctx->alpn_protocols_cnt,
+			&conn->alpn_selected)) < 0) {
+			error_print();
+			tls_send_alert(conn, TLS_alert_decode_error);
+			return -1;
+		} else if (ret == 0) {
+			error_print();
+			tls_send_alert(conn, TLS_alert_no_application_protocol);
+			return -1;
+		}
+		conn->application_layer_protocol_negotiation = 1;
+	}
+
 	if (server_name) {
 		if (tls_server_name_from_bytes(&host_name, &host_name_len, server_name, server_name_len) != 1) {
 			error_print();
@@ -1539,7 +1576,7 @@ int tlcp_send_server_hello(TLS_CONNECT *conn)
 	tls_trace("send ServerHello\n");

 	if (conn->recordlen == 0) {
-		uint8_t exts[256];
+		uint8_t exts[TLS_MAX_EXTENSIONS_SIZE];
 		uint8_t *pexts = exts;
 		size_t extslen = 0;

@@ -1592,8 +1629,12 @@ int tlcp_send_server_hello(TLS_CONNECT *conn)
 		// signature_algorithms (client only)

 		// application_layer_protocol_negotiation
-		if (conn->application_layer_protocol_negotiation) {
-			// 这里应该设置一个协议
+		if (conn->alpn_selected) {
+			if (tls_application_layer_protocol_negotiation_selected_ext_to_bytes(
+				conn->alpn_selected, &pexts, &extslen) != 1) {
+				error_print();
+				return -1;
+			}
 		}

 		// client_id (client only)
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -24,6 +24,7 @@ static const char *usage =
 	" [-cert file -key file -pass str]"
 	" [-outcerts file]"
 	" [-get path]"
+	" [-alpn str]"
 	" [-quiet]";

 static const char *help =
@@ -43,6 +44,7 @@ static const char *help =
 "    -get path              Send a GET request with given path of URI\n"
 "    -outcerts file         Save server certificates to a PEM file\n"
 "    -server_name str       Send server_name (SNI) request\n"
+"    -alpn str              Application protocol name, may appear multiple times, higher priority first\n"
 "    -status_request        Send status_request (OCSP Stapling) request\n"
 "    -quiet                 Without printing any status message\n"
 "\n"
@@ -69,6 +71,8 @@ int tlcp_client_main(int argc, char *argv[])
 	char *keyfile = NULL;
 	char *pass = NULL;
 	char *server_name = NULL;
+	char *alpn_protocols[4];
+	size_t alpn_protocols_cnt = 0;
 	int client_cert_optional = 0;
 	char *get = NULL;
 	char *outcertsfile = NULL;
@@ -165,6 +169,13 @@ int tlcp_client_main(int argc, char *argv[])
 		} else if (!strcmp(*argv, "-server_name")) {
 			if (--argc < 1) goto bad;
 			server_name = *(++argv);
+		} else if (!strcmp(*argv, "-alpn")) {
+			if (alpn_protocols_cnt >= sizeof(alpn_protocols)/sizeof(alpn_protocols[0])) {
+				fprintf(stderr, "%s: too many -alpn options\n", prog);
+				return -1;
+			}
+			if (--argc < 1) goto bad;
+			alpn_protocols[alpn_protocols_cnt++] = *(++argv);
 		} else if (!strcmp(*argv, "-client_cert_optional")) {
 			client_cert_optional = 1;
 		} else if (!strcmp(*argv, "-get")) {
@@ -213,6 +224,14 @@ bad:
 		goto end;
 	}

+	if (alpn_protocols_cnt) {
+		if (tls_ctx_set_application_layer_protocol_negotiation(&ctx,
+			alpn_protocols, alpn_protocols_cnt) != 1) {
+			error_print();
+			goto end;
+		}
+	}
+
 	if (cacertfile) {
 		if (tls_ctx_set_ca_certificates(&ctx, cacertfile, verify_depth) != 1) {
 			fprintf(stderr, "%s: failed to load CA certificate\n", prog);
--- a/tools/tlcp_server.c
+++ b/tools/tlcp_server.c
@@ -18,7 +18,7 @@
 #include <gmssl/error.h>


-static const char *options = "[-port num] -cert file -key file -pass str -ex_key file -ex_pass str [-cacert file]";
+static const char *options = "[-port num] -cert file -key file -pass str -ex_key file -ex_pass str [-alpn str] [-cacert file]";


 static const char *help =
@@ -30,6 +30,7 @@ static const char *help =
 "    -pass str              Password to decrypt signing private key, may appear multiple times\n"
 "    -ex_key file           Server's encryption private key in PEM format, may appear multiple times\n"
 "    -ex_pass str           Password to decrypt encryption private key, may appear multiple times\n"
+"    -alpn str              Application protocol name, may appear multiple times, higher priority first\n"
 "    -cacert file           CA certificate for client certificate verification\n"
 "\n"
 #include "tlcp_help.h"
@@ -50,6 +51,8 @@ int tlcp_server_main(int argc , char **argv)
 	size_t enckeyfiles_cnt = 0;
 	char *encpasses[sizeof(certfiles)/sizeof(certfiles[0])];
 	size_t encpasses_cnt = 0;
+	char *alpn_protocols[4];
+	size_t alpn_protocols_cnt = 0;
 	char *cacertfile = NULL;

 	int server_ciphers[] = {
@@ -119,6 +122,13 @@ int tlcp_server_main(int argc , char **argv)
 			}
 			if (--argc < 1) goto bad;
 			encpasses[encpasses_cnt++] = *(++argv);
+		} else if (!strcmp(*argv, "-alpn")) {
+			if (alpn_protocols_cnt >= sizeof(alpn_protocols)/sizeof(alpn_protocols[0])) {
+				fprintf(stderr, "%s: too many -alpn options\n", prog);
+				return -1;
+			}
+			if (--argc < 1) goto bad;
+			alpn_protocols[alpn_protocols_cnt++] = *(++argv);
 		} else if (!strcmp(*argv, "-cacert")) {
 			if (--argc < 1) goto bad;
 			cacertfile = *(++argv);
@@ -166,6 +176,13 @@ bad:
 		error_print();
 		return -1;
 	}
+	if (alpn_protocols_cnt) {
+		if (tls_ctx_set_application_layer_protocol_negotiation(&ctx,
+			alpn_protocols, alpn_protocols_cnt) != 1) {
+			error_print();
+			return -1;
+		}
+	}
 	for (i = 0; i < certfiles_cnt; i++) {
 		if (tlcp_ctx_add_server_certificate_and_keys(&ctx,
 			certfiles[i], signkeyfiles[i], signpasses[i],