forked from lwthiker/curl-impersonate
/
curl-lib-nss.patch
152 lines (147 loc) · 4.78 KB
/
curl-lib-nss.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
--- curl-7.81.0-original/lib/vtls/nss.c 2022-01-03 18:36:46.000000000 +0200
+++ curl-7.81.0/lib/vtls/nss.c 2022-02-18 07:47:17.612205091 +0200
@@ -145,2 +145,3 @@
{"dhe_dss_des_sha", SSL_DHE_DSS_WITH_DES_CBC_SHA},
+ {"rsa_3des_ede_cbc_sha", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
/* TLS 1.0: Exportable 56-bit Cipher Suites. */
@@ -380,2 +381,91 @@
+/* See nsSSLIOLayerSetOptions@nsNSSIOLayer.cpp, Firefox source code */
+const SSLNamedGroup named_groups[] = {
+ ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
+ ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072};
+
+#define NUM_OF_NAMED_GROUPS sizeof(named_groups)/sizeof(named_groups[0])
+
+static SECStatus set_named_groups(PRFileDesc *model)
+{
+ /* This aligns TLS extension 10 (supported_groups) to what Firefox does. */
+ return SSL_NamedGroupConfig(model, named_groups, NUM_OF_NAMED_GROUPS);
+}
+
+static const SSLSignatureScheme signatures[] = {
+ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
+ ssl_sig_ecdsa_secp521r1_sha512, ssl_sig_rsa_pss_sha256,
+ ssl_sig_rsa_pss_sha384, ssl_sig_rsa_pss_sha512,
+ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
+ ssl_sig_rsa_pkcs1_sha512, ssl_sig_ecdsa_sha1,
+ ssl_sig_rsa_pkcs1_sha1
+};
+
+#define NUM_OF_SIGNATURES sizeof(signatures)/sizeof(signatures[0])
+
+static SECStatus set_additional_key_shares(PRFileDesc *model)
+{
+ /* This aligns TLS extension 51 (key_share) to what Firefox does. */
+ return SSL_SendAdditionalKeyShares(model, 1);
+}
+
+static SECStatus set_signatures(PRFileDesc *model)
+{
+ /* Align TLS extension 13 (signature_algorithms) to what Firefox does. */
+ return SSL_SignatureSchemePrefSet(model, signatures, NUM_OF_SIGNATURES);
+}
+
+static SECStatus set_ssl_options(PRFileDesc *model)
+{
+ SECStatus s;
+
+ /* Enable TLS 1.3 compat mode. Firefox does this, as can be seen at
+ * nsSSLIOLayerSetOptions()@nsNSSIOLayer.cpp.
+ * This has the side effect of NSS faking a TLS session ID.
+ * See ssl3_CreateClientHelloPreamble()@ssl3con.c
+ */
+ s = SSL_OptionSet(model, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
+ if (s != SECSuccess) {
+ return s;
+ }
+
+ /* Firefox sets the following options. I don't know what they do. */
+ s = SSL_OptionSet(model, SSL_REQUIRE_SAFE_NEGOTIATION, false);
+ if (s != SECSuccess) {
+ return s;
+ }
+ s = SSL_OptionSet(model, SSL_ENABLE_EXTENDED_MASTER_SECRET, true);
+ if (s != SECSuccess) {
+ return s;
+ }
+ s = SSL_OptionSet(model, SSL_ENABLE_HELLO_DOWNGRADE_CHECK, true);
+ if (s != SECSuccess) {
+ return s;
+ }
+ s = SSL_OptionSet(model, SSL_ENABLE_0RTT_DATA, true);
+ if (s != SECSuccess) {
+ return s;
+ }
+
+ /* This adds TLS extension 34 to the Client Hello. */
+ s = SSL_OptionSet(model, SSL_ENABLE_DELEGATED_CREDENTIALS, true);
+ if (s != SECSuccess) {
+ return s;
+ }
+
+ /* This adds TLS extension 5 (status_request) to the Client Hello. */
+ s = SSL_OptionSet(model, SSL_ENABLE_OCSP_STAPLING, true);
+ if (s != SECSuccess) {
+ return s;
+ }
+
+ /* Remove TLS extension 18 (signed_certificate_timestamp) */
+ s = SSL_OptionSet(model, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, false);
+ if (s != SECSuccess) {
+ return s;
+ }
+
+ return SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, true);
+}
+
/*
@@ -1322,2 +1412,20 @@
SECMOD_DestroyModule(module);
+
+ /* Patch for Ubuntu - add a "nss/" suffix to the library name */
+ config_string = aprintf("library=/usr/lib/x86_64-linux-gnu/nss/%s name=%s", library, name);
+ if(!config_string)
+ return CURLE_OUT_OF_MEMORY;
+
+ module = SECMOD_LoadUserModule(config_string, NULL, PR_FALSE);
+ free(config_string);
+
+ if(module && module->loaded) {
+ /* loaded successfully */
+ *pmod = module;
+ return CURLE_OK;
+ }
+
+ if(module)
+ SECMOD_DestroyModule(module);
+
return CURLE_FAILED_INIT;
@@ -1923,2 +2031,8 @@
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ if(SSL_OptionSet(model, SSL_ENABLE_SESSION_TICKETS,
+ PR_TRUE) != SECSuccess)
+ goto error;
+ }
+
/* enable/disable the requested SSL version(s) */
@@ -1962,2 +2076,10 @@
+ if (set_named_groups(model) != SECSuccess ||
+ set_additional_key_shares(model) != SECSuccess ||
+ set_signatures(model) != SECSuccess ||
+ set_ssl_options(model) != SECSuccess) {
+ result = CURLE_SSL_CIPHER;
+ goto error;
+ }
+
if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
@@ -2115,2 +2237,6 @@
+ protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
+ memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
+ cur += ALPN_HTTP_1_1_LENGTH;
+
#ifdef USE_HTTP2
@@ -2126,5 +2252,2 @@
#endif
- protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
- memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
- cur += ALPN_HTTP_1_1_LENGTH;