mirror of
https://github.com/lwthiker/curl-impersonate.git
synced 2025-08-09 05:09:36 +00:00
149 lines
4.6 KiB
Diff
149 lines
4.6 KiB
Diff
--- curl-7.81.0-original/lib/vtls/nss.c 2022-01-03 18:36:46.000000000 +0200
|
|
+++ curl-7.81.0/lib/vtls/nss.c 2022-02-17 10:33:28.567798277 +0200
|
|
@@ -380,2 +380,91 @@
|
|
|
|
+/* See nsSSLIOLayerSetOptions@nsNSSIOLayer.cpp, Firefox source code */
|
|
+const SSLNamedGroup named_groups[] = {
|
|
+ ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
|
|
+ ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072};
|
|
+
|
|
+#define NUM_OF_NAMED_GROUPS sizeof(named_groups)/sizeof(named_groups[0])
|
|
+
|
|
+static SECStatus set_named_groups(PRFileDesc *model)
|
|
+{
|
|
+ /* This aligns TLS extension 10 (supported_groups) to what Firefox does. */
|
|
+ return SSL_NamedGroupConfig(model, named_groups, NUM_OF_NAMED_GROUPS);
|
|
+}
|
|
+
|
|
+static const SSLSignatureScheme signatures[] = {
|
|
+ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
|
|
+ ssl_sig_ecdsa_secp521r1_sha512, ssl_sig_rsa_pss_sha256,
|
|
+ ssl_sig_rsa_pss_sha384, ssl_sig_rsa_pss_sha512,
|
|
+ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
|
|
+ ssl_sig_rsa_pkcs1_sha512, ssl_sig_ecdsa_sha1,
|
|
+ ssl_sig_rsa_pkcs1_sha1
|
|
+};
|
|
+
|
|
+#define NUM_OF_SIGNATURES sizeof(signatures)/sizeof(signatures[0])
|
|
+
|
|
+static SECStatus set_additional_key_shares(PRFileDesc *model)
|
|
+{
|
|
+ /* This aligns TLS extension 51 (key_share) to what Firefox does. */
|
|
+ return SSL_SendAdditionalKeyShares(model, 1);
|
|
+}
|
|
+
|
|
+static SECStatus set_signatures(PRFileDesc *model)
|
|
+{
|
|
+ /* Align TLS extension 13 (signature_algorithms) to what Firefox does. */
|
|
+ return SSL_SignatureSchemePrefSet(model, signatures, NUM_OF_SIGNATURES);
|
|
+}
|
|
+
|
|
+static SECStatus set_ssl_options(PRFileDesc *model)
|
|
+{
|
|
+ SECStatus s;
|
|
+
|
|
+ /* Enable TLS 1.3 compat mode. Firefox does this, as can be seen at
|
|
+ * nsSSLIOLayerSetOptions()@nsNSSIOLayer.cpp.
|
|
+ * This has the side effect of NSS faking a TLS session ID.
|
|
+ * See ssl3_CreateClientHelloPreamble()@ssl3con.c
|
|
+ */
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ /* Firefox sets the following options. I don't know what they do. */
|
|
+ s = SSL_OptionSet(model, SSL_REQUIRE_SAFE_NEGOTIATION, false);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_EXTENDED_MASTER_SECRET, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_HELLO_DOWNGRADE_CHECK, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_0RTT_DATA, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ /* This adds TLS extension 34 to the Client Hello. */
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_DELEGATED_CREDENTIALS, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ /* This adds TLS extension 5 (status_request) to the Client Hello. */
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_OCSP_STAPLING, true);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ /* Remove TLS extension 18 (signed_certificate_timestamp) */
|
|
+ s = SSL_OptionSet(model, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, false);
|
|
+ if (s != SECSuccess) {
|
|
+ return s;
|
|
+ }
|
|
+
|
|
+ return SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, true);
|
|
+}
|
|
+
|
|
/*
|
|
@@ -1322,2 +1411,20 @@
|
|
SECMOD_DestroyModule(module);
|
|
+
|
|
+ /* Patch for Ubuntu - add a "nss/" suffix to the library name */
|
|
+ config_string = aprintf("library=/usr/lib/x86_64-linux-gnu/nss/%s name=%s", library, name);
|
|
+ if(!config_string)
|
|
+ return CURLE_OUT_OF_MEMORY;
|
|
+
|
|
+ module = SECMOD_LoadUserModule(config_string, NULL, PR_FALSE);
|
|
+ free(config_string);
|
|
+
|
|
+ if(module && module->loaded) {
|
|
+ /* loaded successfully */
|
|
+ *pmod = module;
|
|
+ return CURLE_OK;
|
|
+ }
|
|
+
|
|
+ if(module)
|
|
+ SECMOD_DestroyModule(module);
|
|
+
|
|
return CURLE_FAILED_INIT;
|
|
@@ -1923,2 +2030,8 @@
|
|
|
|
+ if(SSL_SET_OPTION(primary.sessionid)) {
|
|
+ if(SSL_OptionSet(model, SSL_ENABLE_SESSION_TICKETS,
|
|
+ PR_TRUE) != SECSuccess)
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
/* enable/disable the requested SSL version(s) */
|
|
@@ -1962,2 +2075,10 @@
|
|
|
|
+ if (set_named_groups(model) != SECSuccess ||
|
|
+ set_additional_key_shares(model) != SECSuccess ||
|
|
+ set_signatures(model) != SECSuccess ||
|
|
+ set_ssl_options(model) != SECSuccess) {
|
|
+ result = CURLE_SSL_CIPHER;
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
|
|
@@ -2115,2 +2236,6 @@
|
|
|
|
+ protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
|
|
+ memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
|
|
+ cur += ALPN_HTTP_1_1_LENGTH;
|
|
+
|
|
#ifdef USE_HTTP2
|
|
@@ -2126,5 +2251,2 @@
|
|
#endif
|
|
- protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
|
|
- memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
|
|
- cur += ALPN_HTTP_1_1_LENGTH;
|
|
|