From ac936dba53aeeeb422a85a12f18f1bfb94c603f7 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 24 Jun 2025 13:37:11 +0000
Subject: nc: add ALPN TLS option, so you can specify -T alpn=value From David Leadbeater with a report_tls tweak by me ok jsing
---
 src/usr.bin/nc/netcat.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 566c63bf31..e3c9c939e2 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.233 2025/06/24 13:27:28 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.234 2025/06/24 13:37:11 tb Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -108,6 +108,7 @@ char *tls_expectname; /* required name in peer cert */
 char *tls_expecthash; /* required hash of peer cert */
 char *tls_ciphers; /* TLS ciphers */
 char *tls_protocols; /* TLS protocols */
+char *tls_alpn; /* TLS ALPN */
 FILE *Zflag; /* file to save peer cert */
 int recvcount, recvlimit;
@@ -534,6 +535,8 @@ main(int argc, char *argv[])
 errx(1, "%s", tls_config_error(tls_cfg));
 if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1)
 errx(1, "%s", tls_config_error(tls_cfg));
+ if (tls_alpn != NULL && tls_config_set_alpn(tls_cfg, tls_alpn) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
 if (!lflag && (TLSopt & TLS_CCERT))
 errx(1, "clientcert is only valid with -l");
 if (TLSopt & TLS_NONAME)
@@ -1671,6 +1674,7 @@ process_tls_opt(char *s, int *flags)
 int flag;
 char **value;
 } *t, tlskeywords[] = {
+ { "alpn", -1, &tls_alpn },
 { "ciphers", -1, &tls_ciphers },
 { "clientcert", TLS_CCERT, NULL },
 { "muststaple", TLS_MUSTSTAPLE, NULL },
@@ -1722,7 +1726,7 @@ void
 report_tls(struct tls *tls_ctx, char *host)
 {
 time_t t;
- const char *ocsp_url;
+ const char *alpn_proto, *ocsp_url;
 fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
 tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
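Review bot: The `tls_config_set_alpn()` call added in main() carries no comment on what `-T alpn=value` may contain or what it means in each mode. libtls takes the string as a comma-separated protocol list in preference order, and the same list presumably becomes the set a `-l` listener selects from, so a short comment above the call would help: `/* alpn: comma-separated protocol list; offered when connecting, selected from when listening */`. The same comment could state that a NULL `tls_alpn` leaves ALPN unconfigured, which is why this call is guarded while the neighbouring setters are not. main() begins and ends outside this hunk.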
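Review bot: The `alpn` entry added to `tlskeywords[]` in process_tls_opt() introduces a user-visible `-T` keyword, but the diffstat lists only netcat.c, so nothing on this page documents it. The manual's `-T` keyword list and its description of value-taking keywords should gain `alpn` alongside `ciphers` and `protocols`, unless that lands in a separate commit. The table and the function both continue outside the hunk.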
@@ -1774,6 +1778,8 @@ report_tls(struct tls *tls_ctx, char *host)
 tls_peer_ocsp_result(tls_ctx));
 break;
 }
+ if ((alpn_proto = tls_conn_alpn_selected(tls_ctx)) != NULL)
+ fprintf(stderr, "Application Layer Protocol: %s\n", alpn_proto);
 }
 void
--
cgit v1.2.3-55-g6feb
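Review bot: When `-T alpn=` was given but the peer selected no protocol, the block added at the end of report_tls() prints nothing, so the output cannot tell "ALPN not requested" apart from "requested but not negotiated". Nothing in the visible hunks compares the selected protocol with the request either, so the option reads as an offer rather than a requirement; whether libtls itself aborts a mismatched handshake is not shown here. Someone relying on ALPN to pin the application protocol would want the miss reported, for example with `else if (tls_alpn != NULL)` followed by `fprintf(stderr, "Application Layer Protocol: none negotiated\n");`. report_tls() starts outside this hunk.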