Commit the Dockerfile and all required patches

2025-08-09 05:09:36 +00:00 · 2022-02-17 18:38:58 +02:00
parent 3439319c42
commit fecd28a00c
5 changed files with 224 additions and 0 deletions
--- a/curl-configure.patch
+++ b/curl-configure.patch
@@ -0,0 +1,17 @@
+--- curl-7.81.0-original/configure.ac	2022-01-03 18:36:46.000000000 +0200
+++ curl-7.81.0/configure.ac	2022-02-17 13:40:02.248497926 +0200
+@@ -2575,3 +2575,3 @@
+     LIB_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
+-      $PKGCONFIG --libs-only-l libnghttp2`
+      $PKGCONFIG --static --libs-only-l libnghttp2`
+     AC_MSG_NOTICE([-l is $LIB_H2])
+@@ -2579,3 +2579,3 @@
+     CPP_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path]) dnl
+-      $PKGCONFIG --cflags-only-I libnghttp2`
+      $PKGCONFIG --static --cflags-only-I libnghttp2`
+     AC_MSG_NOTICE([-I is $CPP_H2])
+@@ -2583,3 +2583,3 @@
+     LD_H2=`CURL_EXPORT_PCDIR([$want_nghttp2_path])
+-      $PKGCONFIG --libs-only-L libnghttp2`
+      $PKGCONFIG --static --libs-only-L libnghttp2`
+     AC_MSG_NOTICE([-L is $LD_H2])
--- a/curl-lib-nss.patch
+++ b/curl-lib-nss.patch
@@ -0,0 +1,148 @@
+--- curl-7.81.0-original/lib/vtls/nss.c	2022-01-03 18:36:46.000000000 +0200
+++ curl-7.81.0/lib/vtls/nss.c	2022-02-17 10:33:28.567798277 +0200
+@@ -380,2 +380,91 @@
+ 
+/* See nsSSLIOLayerSetOptions@nsNSSIOLayer.cpp, Firefox source code */
+const SSLNamedGroup named_groups[] = {
+  ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
+  ssl_grp_ec_secp521r1,  ssl_grp_ffdhe_2048,   ssl_grp_ffdhe_3072};
+
+#define NUM_OF_NAMED_GROUPS sizeof(named_groups)/sizeof(named_groups[0])
+
+static SECStatus set_named_groups(PRFileDesc *model)
+{
+  /* This aligns TLS extension 10 (supported_groups) to what Firefox does. */
+  return SSL_NamedGroupConfig(model, named_groups, NUM_OF_NAMED_GROUPS);
+}
+
+static const SSLSignatureScheme signatures[] = {
+    ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
+    ssl_sig_ecdsa_secp521r1_sha512, ssl_sig_rsa_pss_sha256,
+    ssl_sig_rsa_pss_sha384,         ssl_sig_rsa_pss_sha512,
+    ssl_sig_rsa_pkcs1_sha256,       ssl_sig_rsa_pkcs1_sha384,
+    ssl_sig_rsa_pkcs1_sha512,       ssl_sig_ecdsa_sha1,
+    ssl_sig_rsa_pkcs1_sha1
+};
+
+#define NUM_OF_SIGNATURES sizeof(signatures)/sizeof(signatures[0])
+
+static SECStatus set_additional_key_shares(PRFileDesc *model)
+{
+  /* This aligns TLS extension 51 (key_share) to what Firefox does. */
+  return SSL_SendAdditionalKeyShares(model, 1);
+}
+
+static SECStatus set_signatures(PRFileDesc *model)
+{
+  /* Align TLS extension 13 (signature_algorithms) to what Firefox does. */
+  return SSL_SignatureSchemePrefSet(model, signatures, NUM_OF_SIGNATURES);
+}
+
+static SECStatus set_ssl_options(PRFileDesc *model)
+{
+  SECStatus s;
+
+  /* Enable TLS 1.3 compat mode. Firefox does this, as can be seen at
+   * nsSSLIOLayerSetOptions()@nsNSSIOLayer.cpp.
+   * This has the side effect of NSS faking a TLS session ID.
+   * See ssl3_CreateClientHelloPreamble()@ssl3con.c
+   */
+  s = SSL_OptionSet(model, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
+  if (s != SECSuccess) {
+      return s;
+  }
+
+  /* Firefox sets the following options. I don't know what they do. */
+  s = SSL_OptionSet(model, SSL_REQUIRE_SAFE_NEGOTIATION, false);
+  if (s != SECSuccess) {
+      return s;
+  }
+  s = SSL_OptionSet(model, SSL_ENABLE_EXTENDED_MASTER_SECRET, true);
+  if (s != SECSuccess) {
+      return s;
+  }
+  s = SSL_OptionSet(model, SSL_ENABLE_HELLO_DOWNGRADE_CHECK, true);
+  if (s != SECSuccess) {
+      return s;
+  }
+  s = SSL_OptionSet(model, SSL_ENABLE_0RTT_DATA, true);
+  if (s != SECSuccess) {
+      return s;
+  }
+
+  /* This adds TLS extension 34 to the Client Hello. */
+  s = SSL_OptionSet(model, SSL_ENABLE_DELEGATED_CREDENTIALS, true);
+  if (s != SECSuccess) {
+      return s;
+  }
+
+  /* This adds TLS extension 5 (status_request) to the Client Hello. */
+  s = SSL_OptionSet(model, SSL_ENABLE_OCSP_STAPLING, true);
+  if (s != SECSuccess) {
+      return s;
+  }
+
+  /* Remove TLS extension 18 (signed_certificate_timestamp) */
+  s = SSL_OptionSet(model, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, false);
+  if (s != SECSuccess) {
+      return s;
+  }
+
+  return SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, true);
+}
+
+ /*
+@@ -1322,2 +1411,20 @@
+     SECMOD_DestroyModule(module);
+
+  /* Patch for Ubuntu - add a "nss/" suffix to the library name */
+  config_string = aprintf("library=/usr/lib/x86_64-linux-gnu/nss/%s name=%s", library, name);
+  if(!config_string)
+    return CURLE_OUT_OF_MEMORY;
+
+  module = SECMOD_LoadUserModule(config_string, NULL, PR_FALSE);
+  free(config_string);
+
+  if(module && module->loaded) {
+    /* loaded successfully */
+    *pmod = module;
+    return CURLE_OK;
+  }
+
+  if(module)
+    SECMOD_DestroyModule(module);
+
+   return CURLE_FAILED_INIT;
+@@ -1923,2 +2030,8 @@
+ 
+  if(SSL_SET_OPTION(primary.sessionid)) {
+    if(SSL_OptionSet(model, SSL_ENABLE_SESSION_TICKETS,
+                     PR_TRUE) != SECSuccess)
+      goto error;
+  }
+
+   /* enable/disable the requested SSL version(s) */
+@@ -1962,2 +2075,10 @@
+ 
+  if (set_named_groups(model) != SECSuccess ||
+      set_additional_key_shares(model) != SECSuccess ||
+      set_signatures(model) != SECSuccess ||
+      set_ssl_options(model) != SECSuccess) {
+      result = CURLE_SSL_CIPHER;
+      goto error;
+  }
+
+   if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
+@@ -2115,2 +2236,6 @@
+ 
+    protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
+    memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
+    cur += ALPN_HTTP_1_1_LENGTH;
+
+ #ifdef USE_HTTP2
+@@ -2126,5 +2251,2 @@
+ #endif
+-    protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
+-    memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
+-    cur += ALPN_HTTP_1_1_LENGTH;
+ 
--- a/curl-static-libnss.patch
+++ b/curl-static-libnss.patch
@@ -0,0 +1,13 @@
+diff -u1 -Nar curl-7.81.0-original/m4/curl-nss.m4 curl-7.81.0/m4/curl-nss.m4
+--- curl-7.81.0-original/m4/curl-nss.m4	2021-12-10 09:40:37.000000000 +0200
+++ curl-7.81.0/m4/curl-nss.m4	2022-02-16 09:15:11.162546224 +0200
+@@ -76,3 +76,3 @@
+       addld="-L$OPT_NSS/lib"
+-      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4"
+      addlib="-Wl,-Bstatic -Wl,--start-group -lssl -lnss_static -lpk11wrap_static -lcertdb -lcerthi -lsmime -lnsspki -lnssdev -lsoftokn_static -lfreebl_static -lsha-x86_c_lib -lgcm-aes-x86_c_lib -lhw-acc-crypto-avx -lhw-acc-crypto-avx2  -lnssutil -lnssb -lcryptohi -l:libplc4.a -l:libplds4.a -l:libnspr4.a -lsqlite -Wl,--end-group -Wl,-Bdynamic -pthread -ldl"
+       addcflags="-I$OPT_NSS/include"
+@@ -93,3 +93,3 @@
+     dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
+-    AC_CHECK_LIB(nss3, SSL_VersionRangeSet,
+    AC_CHECK_LIB(nss_static, SSL_VersionRangeSet,
+      [
--- a/38
+++ b/38
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Find the directory of this script
+dir=`echo "$0" | sed 's%/[^/]*$%%'`
+
+rm pipe && mkfifo pipe
+exec 5<>pipe 3>pipe 4<pipe 5>&-
+
+# The list of ciphers can be obtained by looking at the Client Hello message in
+# Wireshark, then converting it using the cipherlist array at
+# https://github.com/curl/curl/blob/master/lib/vtls/nss.c
+"$dir/curl-nss" \
+    --ciphers aes_128_gcm_sha_256,chacha20_poly1305_sha_256,aes_256_gcm_sha_384,ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_chacha20_poly1305_sha_256,ecdhe_rsa_chacha20_poly1305_sha_256,ecdhe_ecdsa_aes_256_gcm_sha_384,ecdhe_rsa_aes_256_gcm_sha_384,ecdhe_ecdsa_aes_256_sha,ecdhe_ecdsa_aes_128_sha,ecdhe_rsa_aes_128_sha,ecdhe_rsa_aes_256_sha,rsa_aes_128_gcm_sha_256,rsa_aes_256_gcm_sha_384,rsa_aes_128_sha,rsa_aes_256_sha \
+    -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0' \
+    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
+    -H 'Accept-Language: en-US,en;q=0.5' \
+    -H 'Accept-Encoding: gzip, deflate, br' \
+    -H 'DNT: 1' \
+    -H 'Connection: keep-alive' \
+    -H 'Upgrade-Insecure-Requests: 1' \
+    -H 'Sec-Fetch-Dest: document' \
+    -H 'Sec-Fetch-Mode: navigate' \
+    -H 'Sec-Fetch-Site: none' \
+    -H 'Sec-Fetch-User: ?1' \
+    -H 'TE: Trailers' \
+    --http2 --false-start \
+    $@ >&3
+
+exec 3>&-
+
+IFS= read -d '' -r -n 2 -u 4 header
+
+# Due to the "Accept-Encoding: gzip" header, we may receive a gzipped file.
+if [ "$(echo -n $header | xxd -l 2 -p)" == "1f8b" ]; then
+    (printf "%s" "$header"; cat <&4) | gzip -cd;
+else
+    printf "%s" "$header"; cat <&4;
+fi
--- a/libnghttp2-pc.patch
+++ b/libnghttp2-pc.patch
@@ -0,0 +1,8 @@
+--- nghttp2-1.46.0-original/lib/libnghttp2.pc.in	2021-10-19 12:31:47.000000000 +0300
+++ nghttp2-1.46.0/lib/libnghttp2.pc.in	2022-02-17 13:44:46.722604316 +0200
+@@ -31,3 +31,4 @@
+ Version: @VERSION@
+-Libs: -L${libdir} -lnghttp2
+Libs: -L${libdir}
+Libs.private: -l:libnghttp2.a
+ Cflags: -I${includedir}