Update to curl 8.7.1 (#67)
This commit actually includes the following features:

* Update to curl 8.7.1
* Add options for exclusiveness
* Update Windows build command
* Add tls_key_usage_no_check option
perklet authored Jun 19, 2024
1 parent ace896b commit bd1dfc3
Showing 29 changed files with 808 additions and 334 deletions.
1 change: 1 addition & 0 deletions .github/workflows/build-win.yaml
Expand Up @@ -61,6 +61,7 @@ jobs:
mingw-w64-${{ matrix.env }}-nasm
mingw-w64-${{ matrix.env }}-gcc
mingw-w64-${{ matrix.env }}-go
mingw-w64-${{ matrix.env }}-libuv
- name: Copy and patch
shell: msys2 {0}
12 changes: 7 additions & 5 deletions Makefile.in
Expand Up @@ -9,16 +9,17 @@ SHELL := bash
# MAKEFLAGS += --no-builtin-rules
SUBJOBS := 4

BROTLI_VERSION := 1.0.9
BROTLI_VERSION := 1.1.0
# In case this is changed, update build-and-test-make.yml as well
# In case this is changed, update build-and-test-make.yml as well
BORING_SSL_COMMIT := d24a38200fef19150eef00cad35b138936c08767
NGHTTP2_VERSION := nghttp2-1.56.0
NGHTTP2_URL := https://github.com/nghttp2/nghttp2/releases/download/v1.56.0/nghttp2-1.56.0.tar.bz2
CURL_VERSION := curl-8_5_0
NGHTTP2_VERSION := nghttp2-1.61.0
NGHTTP2_URL := https://github.com/nghttp2/nghttp2/releases/download/v1.61.0/nghttp2-1.61.0.tar.bz2
CURL_VERSION := curl-8_7_1

# https://github.com/google/brotli/commit/641bec0e30bea648b3da1cd90fc6b44deb429f71
brotli_install_dir := $(abspath brotli-$(BROTLI_VERSION)/out/installed)
brotli_static_libs := $(brotli_install_dir)/lib/libbrotlicommon-static.a $(brotli_install_dir)/lib/libbrotlidec-static.a
brotli_static_libs := $(brotli_install_dir)/lib/libbrotlicommon.a $(brotli_install_dir)/lib/libbrotlidec.a
boringssl_install_dir := $(abspath boringssl/build)
boringssl_static_libs := $(boringssl_install_dir)/lib/libssl.a $(boringssl_install_dir)/lib/libcrypto.a
nghttp2_install_dir := $(abspath $(NGHTTP2_VERSION)/installed)
Expand Down Expand Up @@ -144,6 +145,7 @@ $(brotli_static_libs): brotli-$(BROTLI_VERSION).tar.gz
-DCMAKE_C_FLAGS="$(CFLAGS)" \
-DCMAKE_SYSTEM_NAME=$$system_name \
-DCMAKE_SYSTEM_PROCESSOR=$(host_cpu) \
-DBUILD_SHARED_LIBS=OFF \
..

@cmake@ --build . --config Release --target install --parallel $(SUBJOBS)
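Review bot: NGHTTP2_URL now points at the 1.61.0 release tarball by name only, and nothing in these hunks pins a digest for it; unless the download rule further down already verifies one, add something like `NGHTTP2_SHA256 := <digest>` beside the URL and check it before extracting, the way the BoringSSL dependency is already pinned by commit hash. The comment `# In case this is changed, update build-and-test-make.yml as well` now appears twice in a row above BORING_SSL_COMMIT; if the added copy was meant for BROTLI_VERSION, move it above that line, otherwise drop it. The download and extraction rules themselves are outside this hunk.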
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -10,7 +10,7 @@
> 2. ZSTD compression support introduced in Chrome 123.
> 3. X25519Kyber768 curve introduced in Chrome 124.
> 4. More options for impersonation Akamai http/2 fingerprints, especially for Safari.
> 5. Upgrade to more recent version of curl, 8.5.0 as of April, 2024.
> 5. Upgrade to more recent version of curl, 8.7.1 as of April, 2024.
> 6. Ability to change extension orders and enable/disable TLS grease.
> 7. (In progress) Single binary to support both Webkit-based and Gecko-based browsers, i.e. Chrome and Firefox.
2 changes: 2 additions & 0 deletions chrome/curl_chrome100
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_chrome101
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_chrome104
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_chrome107
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;2:0;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_chrome110
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;2:0;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps --tls-permute-extensions \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_chrome116
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;2:0;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps --tls-permute-extensions \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_chrome119
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;2:0;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--ech GREASE \
--tlsv1.2 --alps --tls-permute-extensions \
2 changes: 2 additions & 0 deletions chrome/curl_chrome120
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;2:0;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--ech GREASE \
--tlsv1.2 --alps --tls-permute-extensions \
2 changes: 2 additions & 0 deletions chrome/curl_chrome123
Expand Up @@ -26,6 +26,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;2:0;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--ech GREASE \
--tlsv1.2 --alps --tls-permute-extensions \
2 changes: 2 additions & 0 deletions chrome/curl_chrome124
Expand Up @@ -29,6 +29,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;2:0;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--ech GREASE \
--tlsv1.2 --alps --tls-permute-extensions \
2 changes: 2 additions & 0 deletions chrome/curl_chrome99
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_chrome99_android
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_edge101
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_edge99
Expand Up @@ -23,6 +23,8 @@ dir=${0%/*}
--http2 \
--http2-settings '1:65536;3:1000;4:6291456;6:262144' \
--http2-window-update 15663105 \
--http2-stream-weight 256 \
--http2-stream-exclusive 1 \
--compressed \
--tlsv1.2 --alps \
--cert-compression brotli \
2 changes: 2 additions & 0 deletions chrome/curl_safari15_3
Expand Up @@ -18,6 +18,8 @@ dir=${0%/*}
--http2-settings '4:4194304;3:100' \
--http2-pseudo-headers-order 'mspa' \
--http2-window-update 10485760 \
--http2-stream-weight 255 \
--http2-stream-exclusive 0 \
--compressed \
--tlsv1.0 --no-tls-session-ticket \
--tls-grease \
2 changes: 2 additions & 0 deletions chrome/curl_safari15_5
Expand Up @@ -18,6 +18,8 @@ dir=${0%/*}
--http2-settings '4:4194304;3:100' \
--http2-pseudo-headers-order 'mspa' \
--http2-window-update 10485760 \
--http2-stream-weight 255 \
--http2-stream-exclusive 0 \
--compressed \
--tlsv1.0 --no-tls-session-ticket \
--cert-compression zlib \
2 changes: 2 additions & 0 deletions chrome/curl_safari17_0
Expand Up @@ -21,6 +21,8 @@ dir=${0%/*}
--http2-settings '2:0;4:4194304;3:100' \
--http2-pseudo-headers-order 'mspa' \
--http2-window-update 10485760 \
--http2-stream-weight 255 \
--http2-stream-exclusive 0 \
--compressed \
--tlsv1.0 --no-tls-session-ticket \
--cert-compression zlib \
2 changes: 2 additions & 0 deletions chrome/curl_safari17_2_ios
Expand Up @@ -21,6 +21,8 @@ dir=${0%/*}
--http2-settings '2:0;4:2097152;3:100' \
--http2-pseudo-headers-order 'mspa' \
--http2-window-update 10485760 \
--http2-stream-weight 255 \
--http2-stream-exclusive 0 \
--compressed \
--tlsv1.0 --no-tls-session-ticket \
--cert-compression zlib \
59 changes: 45 additions & 14 deletions chrome/patches/boringssl.patch
@@ -1,33 +1,39 @@
diff --git a/export.sh b/export.sh
new file mode 100755
index 000000000..2e1f397aa
index 000000000..678d1ca41
--- /dev/null
+++ b/export.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+git df d24a382 > boringssl.patch
+git diff d24a382 > boringssl.patch
+mv boringssl.patch ../curl-impersonate/chrome/patches/boringssl.patch
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e500dd76e..487945969 100644
index e500dd76e..e75bca26b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1560,6 +1560,9 @@ OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
@@ -1560,6 +1560,12 @@ OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
// garbage inputs, unless an empty cipher list results.
OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);

+// curl-impersonate: set the extension order by given string
+OPENSSL_EXPORT int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order);
+
+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled);
+
// SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
// |str| as a cipher string and returning error if |str| contains anything
// meaningless. It returns one on success and zero on failure.
@@ -4583,6 +4586,9 @@ OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
@@ -4583,6 +4589,12 @@ OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
// permute extensions. For now, this is only implemented for the ClientHello.
OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);

+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order);
+
+// curl-impersonate
+OPENSSL_EXPORT int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled);
+
// SSL_set_permute_extensions configures whether sockets on |ssl| should
// permute extensions. For now, this is only implemented for the ClientHello.
Expand Down Expand Up @@ -126,7 +132,7 @@ index b13400097..8b457b873 100644
if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 971ebd0b1..0005c6d79 100644
index 971ebd0b1..effe5c920 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -215,14 +215,6 @@ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
Expand Down Expand Up @@ -182,8 +188,18 @@ index 971ebd0b1..0005c6d79 100644
!ssl_encrypt_client_hello(hs, MakeConstSpan(ech_enc, ech_enc_len)) ||
!ssl_add_client_hello(hs)) {
return ssl_hs_error;
@@ -1402,7 +1374,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)
? key_usage_encipherment
: key_usage_digital_signature;
- if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
+ if (hs->config->key_usage_check_enabled &&
+ !ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
if (hs->config->enforce_rsa_key_usage ||
EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
return ssl_hs_error;
diff --git a/ssl/internal.h b/ssl/internal.h
index c9facb699..eab61611e 100644
index c9facb699..a32e9b4ba 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -574,9 +574,14 @@ BSSL_NAMESPACE_BEGIN
Expand All @@ -202,32 +218,41 @@ index c9facb699..eab61611e 100644

// Bits for |algorithm_prf| (handshake digest).
#define SSL_HANDSHAKE_MAC_DEFAULT 0x1
@@ -2161,6 +2166,9 @@ bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
@@ -2161,6 +2166,12 @@ bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
// for |hs|, if applicable. It returns true on success and false on error.
bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs);

+// curl-impersonate
+bool ssl_set_extension_order(SSL_HANDSHAKE *hs);
+
+// curl-impersonate
+bool ssl_set_key_usage_check_enabled(SSL_HANDSHAKE *hs);
+
// ssl_setup_key_shares computes client key shares and saves them in |hs|. It
// returns true on success and false on failure. If |override_group_id| is zero,
// it offers the default groups, including GREASE. If it is non-zero, it offers
@@ -3033,6 +3041,9 @@ struct SSL_CONFIG {
@@ -3033,6 +3044,12 @@ struct SSL_CONFIG {
// crypto
UniquePtr<SSLCipherPreferenceList> cipher_list;

+ // curl-impersonate
+ char *extension_order = nullptr;
+
+ // curl-impersonate
+ int key_usage_check_enabled = 1;
+
// This is used to hold the local certificate used (i.e. the server
// certificate for a server or the client certificate for a client).
UniquePtr<CERT> cert;
@@ -3490,6 +3501,9 @@ struct ssl_ctx_st {
@@ -3490,6 +3507,12 @@ struct ssl_ctx_st {

bssl::UniquePtr<bssl::SSLCipherPreferenceList> cipher_list;

+ // curl-impersonate
+ char *extension_order = nullptr;
+
+ // curl-impersonate
+ int key_usage_check_enabled = 1;
+
X509_STORE *cert_store = nullptr;
LHASH_OF(SSL_SESSION) *sessions = nullptr;
Expand Down Expand Up @@ -463,18 +488,19 @@ index fd8cef95d..3d2c8ff6d 100644
"Not all ciphers are included in the cipher order");

diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 58b68e675..15eb823b3 100644
index 58b68e675..455ee4dd0 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -657,6 +657,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
@@ -657,6 +657,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
ssl->config->retain_only_sha256_of_client_certs =
ctx->retain_only_sha256_of_client_certs;
ssl->config->permute_extensions = ctx->permute_extensions;
+ ssl->config->extension_order = ctx->extension_order;
+ ssl->config->extension_order = ctx->extension_order; // curl-impersonate
+ ssl->config->key_usage_check_enabled = ctx->key_usage_check_enabled; // curl-impersonate
ssl->config->aes_hw_override = ctx->aes_hw_override;
ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy;
@@ -3015,6 +3016,12 @@ void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) {
@@ -3015,6 +3017,17 @@ void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) {
ctx->permute_extensions = !!enabled;
}

Expand All @@ -483,6 +509,11 @@ index 58b68e675..15eb823b3 100644
+ ctx->extension_order = order;
+ return 0;
+}
+
+int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled) {
+ ctx->key_usage_check_enabled = enabled;
+ return 0;
+}
+
void SSL_set_permute_extensions(SSL *ssl, int enabled) {
if (!ssl->config) {
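Review bot: SSL_CTX_set_key_usage_check_enabled in the ssl_lib.cc hunk stores the raw int and returns 0, which in BoringSSL's int-returning API reads as failure; the setter directly above it writes `ctx->permute_extensions = !!enabled;`, so I would write `ctx->key_usage_check_enabled = !!enabled; return 1;` here (and `return 1;` in the neighbouring SSL_CTX_set_extension_order as well). The only guarded call site is in do_send_client_key_exchange, i.e. the TLS 1.2 key-exchange path; if ssl_cert_check_key_usage is also invoked on the TLS 1.3 certificate path, that call is not gated and the option does less than its name promises, which is worth confirming before anything depends on it. The public header comment is just `// curl-impersonate`; since passing 0 makes the client accept a server leaf whose X.509 keyUsage extension does not permit the operation, document it as `// curl-impersonate: when 0, skip the keyUsage check on the server leaf certificate. Weakens certificate validation; for fingerprint matching only. Default 1.` Both new prototypes are declared twice in ssl.h (the 1560 and 4589 hunks), and ssl_set_key_usage_check_enabled(SSL_HANDSHAKE *) is declared in internal.h with no definition visible in this section; drop the duplicates unless a definition lives in a hunk outside this view.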