mirror of
https://github.com/lwthiker/curl-impersonate.git
synced 2025-08-09 05:09:36 +00:00
Commit the Dockerfile and all required patches
This commit is contained in:
lwthiker
148
curl-lib-nss.patch
Normal file
148
curl-lib-nss.patch
Normal file
@@ -0,0 +1,148 @@
|
||||
--- curl-7.81.0-original/lib/vtls/nss.c 2022-01-03 18:36:46.000000000 +0200
|
||||
+++ curl-7.81.0/lib/vtls/nss.c 2022-02-17 10:33:28.567798277 +0200
|
||||
@@ -380,2 +380,91 @@
|
||||
|
||||
+/* See nsSSLIOLayerSetOptions@nsNSSIOLayer.cpp, Firefox source code */
|
||||
+const SSLNamedGroup named_groups[] = {
|
||||
+ ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
|
||||
+ ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072};
|
||||
+
|
||||
+#define NUM_OF_NAMED_GROUPS sizeof(named_groups)/sizeof(named_groups[0])
|
||||
+
|
||||
+static SECStatus set_named_groups(PRFileDesc *model)
|
||||
+{
|
||||
+ /* This aligns TLS extension 10 (supported_groups) to what Firefox does. */
|
||||
+ return SSL_NamedGroupConfig(model, named_groups, NUM_OF_NAMED_GROUPS);
|
||||
+}
|
||||
+
|
||||
+static const SSLSignatureScheme signatures[] = {
|
||||
+ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
|
||||
+ ssl_sig_ecdsa_secp521r1_sha512, ssl_sig_rsa_pss_sha256,
|
||||
+ ssl_sig_rsa_pss_sha384, ssl_sig_rsa_pss_sha512,
|
||||
+ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
|
||||
+ ssl_sig_rsa_pkcs1_sha512, ssl_sig_ecdsa_sha1,
|
||||
+ ssl_sig_rsa_pkcs1_sha1
|
||||
+};
|
||||
+
|
||||
+#define NUM_OF_SIGNATURES sizeof(signatures)/sizeof(signatures[0])
|
||||
+
|
||||
+static SECStatus set_additional_key_shares(PRFileDesc *model)
|
||||
+{
|
||||
+ /* This aligns TLS extension 51 (key_share) to what Firefox does. */
|
||||
+ return SSL_SendAdditionalKeyShares(model, 1);
|
||||
+}
|
||||
+
|
||||
+static SECStatus set_signatures(PRFileDesc *model)
|
||||
+{
|
||||
+ /* Align TLS extension 13 (signature_algorithms) to what Firefox does. */
|
||||
+ return SSL_SignatureSchemePrefSet(model, signatures, NUM_OF_SIGNATURES);
|
||||
+}
|
||||
+
|
||||
+static SECStatus set_ssl_options(PRFileDesc *model)
|
||||
+{
|
||||
+ SECStatus s;
|
||||
+
|
||||
+ /* Enable TLS 1.3 compat mode. Firefox does this, as can be seen at
|
||||
+ * nsSSLIOLayerSetOptions()@nsNSSIOLayer.cpp.
|
||||
+ * This has the side effect of NSS faking a TLS session ID.
|
||||
+ * See ssl3_CreateClientHelloPreamble()@ssl3con.c
|
||||
+ */
|
||||
+ s = SSL_OptionSet(model, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
|
||||
+ if (s != SECSuccess) {
|
||||
+ return s;
|
||||
+ }
|
||||
+
|
||||
+ /* Firefox sets the following options. I don't know what they do. */
|
||||
+ s = SSL_OptionSet(model, SSL_REQUIRE_SAFE_NEGOTIATION, false);
|
||||
+ if (s != SECSuccess) {
|
||||
+ return s;
|
||||
+ }
|
||||
+ s = SSL_OptionSet(model, SSL_ENABLE_EXTENDED_MASTER_SECRET, true);
|
||||
+ if (s != SECSuccess) {
|
||||
+ return s;
|
||||
+ }
|
||||
+ s = SSL_OptionSet(model, SSL_ENABLE_HELLO_DOWNGRADE_CHECK, true);
|
||||
+ if (s != SECSuccess) {
|
||||
+ return s;
|
||||
+ }
|
||||
+ s = SSL_OptionSet(model, SSL_ENABLE_0RTT_DATA, true);
|
||||
+ if (s != SECSuccess) {
|
||||
+ return s;
|
||||
+ }
|
||||
+
|
||||
+ /* This adds TLS extension 34 to the Client Hello. */
|
||||
+ s = SSL_OptionSet(model, SSL_ENABLE_DELEGATED_CREDENTIALS, true);
|
||||
+ if (s != SECSuccess) {
|
||||
+ return s;
|
||||
+ }
|
||||
+
|
||||
+ /* This adds TLS extension 5 (status_request) to the Client Hello. */
|
||||
+ s = SSL_OptionSet(model, SSL_ENABLE_OCSP_STAPLING, true);
|
||||
+ if (s != SECSuccess) {
|
||||
+ return s;
|
||||
+ }
|
||||
+
|
||||
+ /* Remove TLS extension 18 (signed_certificate_timestamp) */
|
||||
+ s = SSL_OptionSet(model, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, false);
|
||||
+ if (s != SECSuccess) {
|
||||
+ return s;
|
||||
+ }
|
||||
+
|
||||
+ return SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, true);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
@@ -1322,2 +1411,20 @@
|
||||
SECMOD_DestroyModule(module);
|
||||
+
|
||||
+ /* Patch for Ubuntu - add a "nss/" suffix to the library name */
|
||||
+ config_string = aprintf("library=/usr/lib/x86_64-linux-gnu/nss/%s name=%s", library, name);
|
||||
+ if(!config_string)
|
||||
+ return CURLE_OUT_OF_MEMORY;
|
||||
+
|
||||
+ module = SECMOD_LoadUserModule(config_string, NULL, PR_FALSE);
|
||||
+ free(config_string);
|
||||
+
|
||||
+ if(module && module->loaded) {
|
||||
+ /* loaded successfully */
|
||||
+ *pmod = module;
|
||||
+ return CURLE_OK;
|
||||
+ }
|
||||
+
|
||||
+ if(module)
|
||||
+ SECMOD_DestroyModule(module);
|
||||
+
|
||||
return CURLE_FAILED_INIT;
|
||||
@@ -1923,2 +2030,8 @@
|
||||
|
||||
+ if(SSL_SET_OPTION(primary.sessionid)) {
|
||||
+ if(SSL_OptionSet(model, SSL_ENABLE_SESSION_TICKETS,
|
||||
+ PR_TRUE) != SECSuccess)
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
/* enable/disable the requested SSL version(s) */
|
||||
@@ -1962,2 +2075,10 @@
|
||||
|
||||
+ if (set_named_groups(model) != SECSuccess ||
|
||||
+ set_additional_key_shares(model) != SECSuccess ||
|
||||
+ set_signatures(model) != SECSuccess ||
|
||||
+ set_ssl_options(model) != SECSuccess) {
|
||||
+ result = CURLE_SSL_CIPHER;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
|
||||
@@ -2115,2 +2236,6 @@
|
||||
|
||||
+ protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
|
||||
+ memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
|
||||
+ cur += ALPN_HTTP_1_1_LENGTH;
|
||||
+
|
||||
#ifdef USE_HTTP2
|
||||
@@ -2126,5 +2251,2 @@
|
||||
#endif
|
||||
- protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
|
||||
- memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
|
||||
- cur += ALPN_HTTP_1_1_LENGTH;
|
||||
|
||||
Reference in New Issue
Block a user