From b7d9388bf39514b78e47f81550806744323b9076 Mon Sep 17 00:00:00 2001
From: lwthiker
Date: Fri, 18 Feb 2022 19:47:59 +0200
Subject: [PATCH] Improve curl-impersonate for Chrome

* Enable TLS extension 35 (session_ticket) which Curl turned off.
* Set the signature algorithms to match Chrome's.
* Fix the headers to exactly match Chrome.

It seems that the Client Hello message is now identical to Chrome. However, it is still getting rejected.
---
 curl-openssl.patch | 50 +++++++++++++++++++++++++++++++++++++++-------
 curl_chrome98 | 7 ++++---
 2 files changed, 47 insertions(+), 10 deletions(-)

diff --git a/curl-openssl.patch b/curl-openssl.patch
index 3145af0..22db8ab 100644
--- a/curl-openssl.patch
+++ b/curl-openssl.patch
@@ -1,5 +1,5 @@
 --- curl-7.81.0-original/lib/vtls/openssl.c 2022-01-03 18:36:46.000000000 +0200
-+++ curl-7.81.0/lib/vtls/openssl.c 2022-02-18 17:05:57.253198793 +0200
++++ curl-7.81.0/lib/vtls/openssl.c 2022-02-18 18:07:04.220805893 +0200
 @@ -78,2 +78,4 @@
 +#include 
@@ -33,15 +33,25 @@
 +}
 +
  static CURLcode ossl_connect_step1(struct Curl_easy *data,
-@@ -2769,2 +2796,5 @@
+@@ -2769,3 +2796,6 @@
  #ifdef SSL_OP_NO_TICKET
+- ctx_options |= SSL_OP_NO_TICKET;
 + /* curl-impersonate patch.
-+ * Don't turn on SSL_OP_NO_TICKET, we want TLS extension 35 (session_ticket)
++ * Turn off SSL_OP_NO_TICKET, we want TLS extension 35 (session_ticket)
 + * to be sent. */
- ctx_options |= SSL_OP_NO_TICKET;
-@@ -2939,2 +2969,18 @@
++ ctx_options &= ~SSL_OP_NO_TICKET;
+ #endif
+@@ -2823,4 +2853,7 @@
+ #ifdef HAS_NPN
++ /* curl-impersonate: Do not enable the NPN extension. */
++ /*
+ if(conn->bits.tls_enable_npn)
+ SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data);
++ */
+ #endif
+@@ -2939,2 +2972,19 @@
  
-+ /* curl-impersonate
++ /* curl-impersonate:
 + * Configure BoringSSL to behave like Chrome.
 + * See Constructor of SSLContext at net/socket/ssl_client_socket_impl.cc
 + * and SSLClientSocketImpl::Init()
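Review bot: In the new `@@ -2823,4 +2853,7 @@` hunk the NPN block is disabled by wrapping two live statements in `/* ... */`, which leaves dead code in the tree and will stop compiling the first time a nested comment lands inside that block; either delete the two lines or guard them with `#if 0 ... #endif` and keep the one-line note `/* curl-impersonate: the NPN extension is intentionally not offered. */`. In the `@@ -2769,3 +2796,6 @@` hunk, `ctx_options &= ~SSL_OP_NO_TICKET;` only does anything if an earlier statement set that bit; if nothing in ossl_connect_step1 does, simply dropping the original `ctx_options |= SSL_OP_NO_TICKET;` states the intent with less code, so it is worth confirming which is the case. The enclosing function ossl_connect_step1 begins at the hunk's context line and its body continues outside this hunk.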
@@ -52,9 +62,35 @@
 +
 + /* Add support for TLS extension 27 - compress_certificate.
 + * Add Brotli decompression. See Chromium net/ssl/cert_compression.cc */
-+ SSL_CTX_add_cert_compression_alg(backend->ctx, TLSEXT_cert_compression_brotli, NULL, DecompressBrotliCert);
++ SSL_CTX_add_cert_compression_alg(backend->ctx,
++ TLSEXT_cert_compression_brotli, NULL, DecompressBrotliCert);
 +
 + /* Enable TLS extensions 5 - status_request and 18 - signed_certificate_timestamp. */
 + SSL_CTX_enable_ocsp_stapling(backend->ctx);
 + SSL_CTX_enable_signed_cert_timestamps(backend->ctx);
  
+@@ -3238,2 +3288,24 @@
+ 
++#ifdef USE_HTTP2
++ /* curl-impersonate: This adds the ALPS extension (17513).
++ * Chromium calls this function as well in SSLClientSocketImpl::Init().
++ * The 4th parameter is called "settings", and I don't know what it
++ * should contain. For now, use an empty string. */
++ SSL_add_application_settings(backend->handle, "h2", 2, "", 0);
++#endif
++
++ /* curl-impersonate: Set the signature algorithms.
++ * (TLS extension 13).
++ * See net/socket/ssl_client_socket_impl.cc in Chromium's source. */
++ static const uint16_t kVerifyPrefs[] = {
++ SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_RSA_PSS_RSAE_SHA256,
++ SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_ECDSA_SECP384R1_SHA384,
++ SSL_SIGN_RSA_PSS_RSAE_SHA384, SSL_SIGN_RSA_PKCS1_SHA384,
++ SSL_SIGN_RSA_PSS_RSAE_SHA512, SSL_SIGN_RSA_PKCS1_SHA512,
++ };
++ if (!SSL_set_verify_algorithm_prefs(backend->handle, kVerifyPrefs,
++ sizeof(kVerifyPrefs) / sizeof(kVerifyPrefs[0]))) {
++ return CURLE_SSL_CIPHER;
++ }
++
+ backend->server_cert = 0x0;
diff --git a/curl_chrome98 b/curl_chrome98
index 58e20f2..8e60b00 100755
--- a/curl_chrome98
+++ b/curl_chrome98
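Review bot: The results of `SSL_CTX_add_cert_compression_alg` and `SSL_add_application_settings` are discarded, and the new `SSL_set_verify_algorithm_prefs` failure path returns `CURLE_SSL_CIPHER` with no diagnostic, so a handshake that was configured wrongly either proceeds with a fingerprint other than the intended one or fails with an error code that points at cipher selection rather than signature algorithms. Both BoringSSL calls return 0 on failure, so checking them, logging through `failf(data, ...)` and returning `CURLE_SSL_CONNECT_ERROR` would match how the rest of this function reports setup failures; the changed lines are sketched below. The "settings" argument the comment is unsure about is, as I read the ALPS draft, the HTTP/2 SETTINGS payload to advertise for h2, so the comment could state that instead of recording uncertainty. The enclosing ossl_connect_step1 starts outside this hunk, and the sketch assumes all three calls sit inside it.
```c
  if(!SSL_CTX_add_cert_compression_alg(backend->ctx,
      TLSEXT_cert_compression_brotli, NULL, DecompressBrotliCert)) {
    failf(data, "failed to register certificate compression");
    return CURLE_SSL_CONNECT_ERROR;
  }
  /* … unchanged: OCSP stapling and SCT enablement … */
#ifdef USE_HTTP2
  /* ALPS (extension 17513): the last two arguments are the HTTP/2
   * SETTINGS payload to advertise; empty for now. */
  if(!SSL_add_application_settings(backend->handle, "h2", 2, "", 0)) {
    failf(data, "failed to add application settings");
    return CURLE_SSL_CONNECT_ERROR;
  }
#endif
  /* … unchanged: kVerifyPrefs table … */
  if(!SSL_set_verify_algorithm_prefs(backend->handle, kVerifyPrefs,
      sizeof(kVerifyPrefs) / sizeof(kVerifyPrefs[0]))) {
    failf(data, "failed to set signature algorithm preferences");
    return CURLE_SSL_CONNECT_ERROR;
  }
```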
@@ -13,12 +13,13 @@ exec 5<>"$PIPE" 3>"$PIPE" 4<"$PIPE" 5>&-
 # https://wiki.mozilla.org/Security/Cipher_Suites
 "$dir/curl-impersonate-ch" \
     --ciphers TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA,AES128-GCM-SHA256,AES256-GCM-SHA384,AES128-SHA,AES256-SHA \
+    -H 'Connection: keep-alive' \
+    -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"' \
+    -H 'sec-ch-ua-mobile: ?0' \
+    -H 'sec-ch-ua-platform: "Windows"' \
     -H 'Upgrade-Insecure-Requests: 1' \
     -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36' \
     -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-    -H 'Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"' \
-    -H 'Sec-Ch-Ua-Mobile: ?0' \
-    -H 'Sec-Ch-Ua-Platform: Windows' \
     -H 'Sec-Fetch-Site: none' \
     -H 'Sec-Fetch-Mode: navigate' \
     -H 'Sec-Fetch-User: ?1' \
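Review bot: The Chrome major version is now hard-coded in three places inside one command — twice in the added `sec-ch-ua` line and once in the `User-Agent` context line — so a future bump that misses one of them yields client hints that contradict the UA string, which is exactly the inconsistency the commit message says it is trying to remove. A single variable defined near the top of the script, e.g. `chrome_major=98`, expanded from double-quoted `-H` values would keep them in lockstep; failing that, a comment such as `# Keep the version in sec-ch-ua and User-Agent in sync` above the header block would at least flag the coupling. The `"$dir/curl-impersonate-ch"` invocation edited here continues past the end of the hunk.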