mirror of
https://github.com/lwthiker/curl-impersonate.git
synced 2025-08-09 13:19:37 +00:00
f08db5c1cc
In preparation for merging the support for Chrome impersonation, move all build files to the 'firefox' folder. The two builds will live separately as they are rather different (using two different SSL libraries for instance).
153 lines
4.8 KiB
Diff
153 lines
4.8 KiB
Diff
--- curl-7.81.0-original/lib/vtls/nss.c 2022-01-03 18:36:46.000000000 +0200
|
|
+++ curl-7.81.0/lib/vtls/nss.c 2022-02-18 07:47:17.612205091 +0200
|
|
@@ -145,2 +145,3 @@
|
|
{"dhe_dss_des_sha", SSL_DHE_DSS_WITH_DES_CBC_SHA},
|
|
+ {"rsa_3des_ede_cbc_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
|
|
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
|
|
@@ -380,2 +381,91 @@
|
|
|
|
+/* See nsSSLIOLayerSetOptions@nsNSSIOLayer.cpp, Firefox source code */
|
|
+const SSLNamedGroup named_groups[] = {
|
|
+ ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
|
|
+ ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072};
|
|
+
|
|
+#define NUM_OF_NAMED_GROUPS sizeof(named_groups)/sizeof(named_groups[0])
|
|
+
|
|
+static SECStatus set_named_groups(PRFileDesc *model)
|
|
+{
|
|
+ /* This aligns TLS extension 10 (supported_groups) to what Firefox does. */
|
|
+ return SSL_NamedGroupConfig(model, named_groups, NUM_OF_NAMED_GROUPS);
|
|
+}
|
|
+
|
|
+static const SSLSignatureScheme signatures[] = {
|
|
+ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
|
|
+ ssl_sig_ecdsa_secp521r1_sha512, ssl_sig_rsa_pss_sha256,
|
|
+ ssl_sig_rsa_pss_sha384, ssl_sig_rsa_pss_sha512,
|
|
+ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
|
|
+ ssl_sig_rsa_pkcs1_sha512, ssl_sig_ecdsa_sha1,
|
|
+ ssl_sig_rsa_pkcs1_sha1
|
|
+};
|
|
+
|
|
+#define NUM_OF_SIGNATURES sizeof(signatures)/sizeof(signatures[0])
|
|
+
|
|
+static SECStatus set_additional_key_shares(PRFileDesc *model)
|
|
+{
|
|
+ /* This aligns TLS extension 51 (key_share) to what Firefox does. */
|
|
+ return SSL_SendAdditionalKeyShares(model, 1);
|
|
+}
|
|
+
|
|
+static SECStatus set_signatures(PRFileDesc *model)
|
|
+{
|
|
+ /* Align TLS extension 13 (signature_algorithms) to what Firefox does. */
|
|
+ return SSL_SignatureSchemePrefSet(model, signatures, NUM_OF_SIGNATURES);
|
|
+}
|
|
+
|
|
+static SECStatus set_ssl_options(PRFileDesc *model)
|
|
+{
|
|
+ SECStatus s;
|
|
+
|
|
+ /* Enable TLS 1.3 compat mode. Firefox does this, as can be seen at
|
|
+ * nsSSLIOLayerSetOptions()@nsNSSIOLayer.cpp.
|
|
+ * This has the side effect of NSS faking a TLS session ID.
|
|
+ * See ssl3_CreateClientHelloPreamble()@ssl3con.c
|
|
+ */
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ /* Firefox sets the following options. I don't know what they do. */
|
|
+ s = SSL_OptionSet(model, SSL_REQUIRE_SAFE_NEGOTIATION, false);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_EXTENDED_MASTER_SECRET, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_HELLO_DOWNGRADE_CHECK, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_0RTT_DATA, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ /* This adds TLS extension 34 to the Client Hello. */
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_DELEGATED_CREDENTIALS, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ /* This adds TLS extension 5 (status_request) to the Client Hello. */
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_OCSP_STAPLING, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ /* Remove TLS extension 18 (signed_certificate_timestamp) */
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, false);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ return SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, true);
|
|
+}
|
|
+
|
|
/*
|
|
@@ -1322,2 +1412,20 @@
|
|
SECMOD_DestroyModule(module);
|
|
+
|
|
+ /* Patch for Ubuntu - add a "nss/" suffix to the library name */
|
|
+ config_string = aprintf("library=/usr/lib/x86_64-linux-gnu/nss/%s name=%s", library, name);
|
|
+ if(!config_string)
|
|
+ return CURLE_OUT_OF_MEMORY;
|
|
+
|
|
+ module = SECMOD_LoadUserModule(config_string, NULL, PR_FALSE);
|
|
+ free(config_string);
|
|
+
|
|
+ if(module && module->loaded) {
|
|
+ /* loaded successfully */
|
|
+ *pmod = module;
|
|
+ return CURLE_OK;
|
|
+ }
|
|
+
|
|
+ if(module)
|
|
+ SECMOD_DestroyModule(module);
|
|
+
|
|
return CURLE_FAILED_INIT;
|
|
@@ -1923,2 +2031,8 @@
|
|
|
|
+ if(SSL_SET_OPTION(primary.sessionid)) {
|
|
+ if(SSL_OptionSet(model, SSL_ENABLE_SESSION_TICKETS,
|
|
+ PR_TRUE) != SECSuccess)
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
/* enable/disable the requested SSL version(s) */
|
|
@@ -1962,2 +2076,10 @@
|
|
|
|
+ if (set_named_groups(model) != SECSuccess ||
|
|
+ set_additional_key_shares(model) != SECSuccess ||
|
|
+ set_signatures(model) != SECSuccess ||
|
|
+ set_ssl_options(model) != SECSuccess) {
|
|
+ result = CURLE_SSL_CIPHER;
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
|
|
@@ -2115,2 +2237,6 @@
|
|
|
|
+ protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
|
|
+ memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
|
|
+ cur += ALPN_HTTP_1_1_LENGTH;
|
|
+
|
|
#ifdef USE_HTTP2
|
|
@@ -2126,5 +2252,2 @@
|
|
#endif
|
|
- protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
|
|
- memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
|
|
- cur += ALPN_HTTP_1_1_LENGTH;
|
|
|