From c0953c341c6b47ff394e36feae24b919e42d437c Mon Sep 17 00:00:00 2001 From: Yifei Kong Date: Fri, 5 Jan 2024 17:32:41 +0800 Subject: [PATCH] Upgrade curl to 8.5.0 --- .github/workflows/build-win.yaml | 4 - Dockerfile.template | 2 +- Makefile.in | 2 +- chrome/Dockerfile | 2 +- chrome/Dockerfile.alpine | 2 +- chrome/patches/curl-impersonate.patch | 413 +++++++++++++------------- firefox/Dockerfile | 2 +- firefox/Dockerfile.alpine | 2 +- win/build.sh | 2 +- 9 files changed, 218 insertions(+), 213 deletions(-) diff --git a/.github/workflows/build-win.yaml b/.github/workflows/build-win.yaml index 1c386a5e..912e5796 100644 --- a/.github/workflows/build-win.yaml +++ b/.github/workflows/build-win.yaml @@ -13,10 +13,6 @@ on: permissions: contents: write -env: - NSS_VERSION: nss-3.77 - BORING_SSL_COMMIT: d24a38200fef19150eef00cad35b138936c08767 - jobs: build-windows: name: Build windows binaries diff --git a/Dockerfile.template b/Dockerfile.template index ed7232e0..6a6b2c9c 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -134,7 +134,7 @@ RUN cd ${NGHTTP2_VERSION} && \ make && make install # Download curl. -ARG CURL_VERSION=curl-8.1.1 +ARG CURL_VERSION=curl-8.5.0 RUN curl -o ${CURL_VERSION}.tar.xz https://curl.se/download/${CURL_VERSION}.tar.xz RUN tar xf ${CURL_VERSION}.tar.xz diff --git a/Makefile.in b/Makefile.in index 3190fabe..262ea385 100644 --- a/Makefile.in +++ b/Makefile.in @@ -16,7 +16,7 @@ NSS_URL := https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_92_RTM/src/ns BORING_SSL_COMMIT := d24a38200fef19150eef00cad35b138936c08767 NGHTTP2_VERSION := nghttp2-1.56.0 NGHTTP2_URL := https://github.com/nghttp2/nghttp2/releases/download/v1.56.0/nghttp2-1.56.0.tar.bz2 -CURL_VERSION := curl-8.1.1 +CURL_VERSION := curl-8.5.0 brotli_install_dir := $(abspath brotli-$(BROTLI_VERSION)/out/installed) brotli_static_libs := $(brotli_install_dir)/lib/libbrotlicommon-static.a $(brotli_install_dir)/lib/libbrotlidec-static.a 
diff --git a/chrome/Dockerfile b/chrome/Dockerfile index 4aba74dc..1c2cd303 100644 --- a/chrome/Dockerfile +++ b/chrome/Dockerfile @@ -75,7 +75,7 @@ RUN cd ${NGHTTP2_VERSION} && \ make && make install # Download curl. -ARG CURL_VERSION=curl-8.1.1 +ARG CURL_VERSION=curl-8.5.0 RUN curl -o ${CURL_VERSION}.tar.xz https://curl.se/download/${CURL_VERSION}.tar.xz RUN tar xf ${CURL_VERSION}.tar.xz diff --git a/chrome/Dockerfile.alpine b/chrome/Dockerfile.alpine index b60f4f0b..8573b14b 100644 --- a/chrome/Dockerfile.alpine +++ b/chrome/Dockerfile.alpine @@ -68,7 +68,7 @@ RUN cd ${NGHTTP2_VERSION} && \ make && make install # Download curl. -ARG CURL_VERSION=curl-8.1.1 +ARG CURL_VERSION=curl-8.5.0 RUN curl -o ${CURL_VERSION}.tar.xz https://curl.se/download/${CURL_VERSION}.tar.xz RUN tar xf ${CURL_VERSION}.tar.xz diff --git a/chrome/patches/curl-impersonate.patch b/chrome/patches/curl-impersonate.patch index 2bc8422d..bf7d51b7 100644 --- a/chrome/patches/curl-impersonate.patch +++ b/chrome/patches/curl-impersonate.patch @@ -1,8 +1,8 @@ diff --git a/CMakeLists.txt b/CMakeLists.txt -index 49a44eabf..fe8b38915 100644 +index a54c2fff9..7d22d4e96 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -550,6 +550,29 @@ if(CURL_ZSTD) +@@ -619,6 +619,29 @@ if(CURL_ZSTD) endif() endif() @@ -29,14 +29,14 @@ index 49a44eabf..fe8b38915 100644 + endif() +endif() + - option(USE_NGHTTP2 "Use Nghttp2 library" OFF) - if(USE_NGHTTP2) - find_package(NGHTTP2 REQUIRED) + # Check symbol in OpenSSL-like TLS backends. + macro(openssl_check_symbol_exists SYMBOL FILES VARIABLE) + cmake_push_check_state() diff --git a/Makefile.am b/Makefile.am -index f25e4e2f0..ff0c5630b 100644 +index c8afcb505..234125083 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -156,13 +156,13 @@ CLEANFILES = $(VC10_LIBVCXPROJ) $(VC10_SRCVCXPROJ) $(VC11_LIBVCXPROJ) \ +@@ -131,13 +131,13 @@ CLEANFILES = $(VC14_LIBVCXPROJ) \ $(VC14_SRCVCXPROJ) $(VC14_10_LIBVCXPROJ) $(VC14_10_SRCVCXPROJ) \ $(VC14_30_LIBVCXPROJ) $(VC14_30_SRCVCXPROJ) 
@@ -53,10 +53,10 @@ index f25e4e2f0..ff0c5630b 100644 # List of files required to generate VC IDE .dsp, .vcproj and .vcxproj files include lib/Makefile.inc diff --git a/configure.ac b/configure.ac -index 75a882b12..8697a6f74 100644 +index d9b396376..cd3b845f4 100644 --- a/configure.ac +++ b/configure.ac -@@ -1493,7 +1493,8 @@ if test X"$OPT_BROTLI" != Xno; then +@@ -1422,7 +1422,8 @@ if test X"$OPT_BROTLI" != Xno; then dnl if given with a prefix, we set -L and -I based on that if test -n "$PREFIX_BROTLI"; then @@ -66,7 +66,7 @@ index 75a882b12..8697a6f74 100644 LD_BROTLI=-L${PREFIX_BROTLI}/lib$libsuff CPP_BROTLI=-I${PREFIX_BROTLI}/include DIR_BROTLI=${PREFIX_BROTLI}/lib$libsuff -@@ -1503,7 +1504,11 @@ if test X"$OPT_BROTLI" != Xno; then +@@ -1432,7 +1433,11 @@ if test X"$OPT_BROTLI" != Xno; then CPPFLAGS="$CPPFLAGS $CPP_BROTLI" LIBS="$LIB_BROTLI $LIBS" @@ -79,7 +79,7 @@ index 75a882b12..8697a6f74 100644 AC_CHECK_HEADERS(brotli/decode.h, curl_brotli_msg="enabled (libbrotlidec)" -@@ -4306,14 +4311,23 @@ if test "x$want_ech" != "xno"; then +@@ -4383,14 +4388,23 @@ if test "x$want_ech" != "xno"; then ECH_ENABLED=0 ECH_SUPPORT='' @@ -108,7 +108,7 @@ index 75a882b12..8697a6f74 100644 fi dnl now deal with whatever we found -@@ -4706,8 +4720,8 @@ AC_CONFIG_FILES([Makefile \ +@@ -4795,8 +4809,8 @@ AC_CONFIG_FILES([Makefile \ tests/http/clients/Makefile \ packages/Makefile \ packages/vms/Makefile \ @@ -144,11 +144,21 @@ index 54f92d931..ea5895e9b 100644 else echo "curl was built with static libraries disabled" >&2 exit 1 +diff --git a/export.sh b/export.sh +new file mode 100755 +index 000000000..34b44cd2a +--- /dev/null ++++ b/export.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++git df curl-8_5_0 > chrome.patch ++mv chrome.patch ../curl-impersonate/chrome/patches/curl-impersonate.patch diff --git a/include/curl/curl.h b/include/curl/curl.h -index 944352421..8d81e9a8d 100644 +index cc24c0506..2199a34fc 100644 --- a/include/curl/curl.h 
+++ b/include/curl/curl.h -@@ -640,6 +640,7 @@ typedef enum { +@@ -631,6 +631,7 @@ typedef enum { CURLE_PROXY, /* 97 - proxy handshake error */ CURLE_SSL_CLIENTCERT, /* 98 - client-side certificate required */ CURLE_UNRECOVERABLE_POLL, /* 99 - poll/select returned fatal error */ 
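Review bot: The `export.sh` section added to curl-impersonate.patch in this hunk looks like a maintainer helper that was captured by accident, presumably because it sits in the tree being diffed against `curl-8_5_0`. Every build that applies the patch now drops an executable script into the curl source tree. The script calls `git df`, which is not a built-in git command and only works where that alias is defined, and it has no error handling, so when that command fails the following `mv` still replaces `../curl-impersonate/chrome/patches/curl-impersonate.patch` with an empty file. I would drop the file from the patch; if it is kept on purpose, add `set -euo pipefail` after the shebang and spell the command out as `git diff curl-8_5_0 > chrome.patch`.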
@@ -156,32 +166,32 @@ index 944352421..8d81e9a8d 100644 CURL_LAST /* never use! */ } CURLcode; -@@ -2207,6 +2208,59 @@ typedef enum { - /* Can leak things, gonna exit() soon */ - CURLOPT(CURLOPT_QUICK_EXIT, CURLOPTTYPE_LONG, 322), +@@ -2201,6 +2202,59 @@ typedef enum { + /* set a specific client IP for HAProxy PROXY protocol header? */ + CURLOPT(CURLOPT_HAPROXY_CLIENT_IP, CURLOPTTYPE_STRINGPOINT, 323), + /* curl-impersonate: A list of headers used by the impersonated browser. + * If given, merged with CURLOPT_HTTPHEADER. */ -+ CURLOPT(CURLOPT_HTTPBASEHEADER, CURLOPTTYPE_SLISTPOINT, 323), ++ CURLOPT(CURLOPT_HTTPBASEHEADER, CURLOPTTYPE_SLISTPOINT, 324), + + /* curl-impersonate: A list of TLS signature hash algorithms. + * See https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1 */ -+ CURLOPT(CURLOPT_SSL_SIG_HASH_ALGS, CURLOPTTYPE_STRINGPOINT, 324), ++ CURLOPT(CURLOPT_SSL_SIG_HASH_ALGS, CURLOPTTYPE_STRINGPOINT, 325), + + /* curl-impersonate: Whether to enable ALPS in TLS or not. + * See https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps. + * Support for ALPS is minimal and is intended only for the TLS client + * hello to match. */ -+ CURLOPT(CURLOPT_SSL_ENABLE_ALPS, CURLOPTTYPE_LONG, 325), ++ CURLOPT(CURLOPT_SSL_ENABLE_ALPS, CURLOPTTYPE_LONG, 326), + + /* curl-impersonate: Comma-separated list of certificate compression + * algorithms to use. These are published in the client hello. + * Supported algorithms are "zlib" and "brotli". + * See https://datatracker.ietf.org/doc/html/rfc8879 */ -+ CURLOPT(CURLOPT_SSL_CERT_COMPRESSION, CURLOPTTYPE_STRINGPOINT, 326), ++ CURLOPT(CURLOPT_SSL_CERT_COMPRESSION, CURLOPTTYPE_STRINGPOINT, 327), + + /* Enable/disable TLS session ticket extension (RFC5077) */ -+ CURLOPT(CURLOPT_SSL_ENABLE_TICKET, CURLOPTTYPE_LONG, 327), ++ CURLOPT(CURLOPT_SSL_ENABLE_TICKET, CURLOPTTYPE_LONG, 328), + + /* + * curl-impersonate: 
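Review bot: Renumbering the curl-impersonate options here (`CURLOPT_HTTPBASEHEADER` 323 → 324 and onwards, continued in the `@@ -190,28 +200,28 @@` hunk up to `CURLOPT_ECH` at 333) changes the numeric ids that already-built callers pass to `curl_easy_setopt`. 323 is now upstream's `CURLOPT_HAPROXY_CLIENT_IP`, a string option, so an older binary or a language binding with hard-coded numbers that sets the old base-header id would hand an slist pointer to a string option rather than get an error. Because the ids sit directly after the last upstream option, the same shift will recur on every upstream addition; I would state the ABI break in the commit message and add a comment above the block such as `/* curl-impersonate: ids follow the last upstream option and shift on curl upgrades; rebuild all callers */`. The `XXX, the official one is 324` remark on `CURLOPT_ECH` is also stale now that 324 is `CURLOPT_HTTPBASEHEADER`. The enum starts and ends outside these hunks; `Curl_easyopts_check` (`333 + 1`) has to move in step, as the later easyoptions.c hunk does.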
@@ -190,28 +200,28 @@ index 944352421..8d81e9a8d 100644 + * ":method", ":authority", ":scheme", ":path" in the desired order of + * appearance in the HTTP/2 HEADERS frame. + */ -+ CURLOPT(CURLOPT_HTTP2_PSEUDO_HEADERS_ORDER, CURLOPTTYPE_STRINGPOINT, 328), ++ CURLOPT(CURLOPT_HTTP2_PSEUDO_HEADERS_ORDER, CURLOPTTYPE_STRINGPOINT, 329), + + /* + * curl-impersonate: + * HTTP2 settings frame keys and values, format: 1:v;2:v;3:v + */ -+ CURLOPT(CURLOPT_HTTP2_SETTINGS, CURLOPTTYPE_STRINGPOINT, 329), ++ CURLOPT(CURLOPT_HTTP2_SETTINGS, CURLOPTTYPE_STRINGPOINT, 330), + + /* + * curl-impersonate: Whether to enable Boringssl permute extensions + * See https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_set_permute_extensions. + */ -+ CURLOPT(CURLOPT_SSL_PERMUTE_EXTENSIONS, CURLOPTTYPE_LONG, 330), ++ CURLOPT(CURLOPT_SSL_PERMUTE_EXTENSIONS, CURLOPTTYPE_LONG, 331), + + /* + * curl-impersonate: + * HTTP2 initial window update + */ -+ CURLOPT(CURLOPT_HTTP2_WINDOW_UPDATE, CURLOPTTYPE_LONG, 331), ++ CURLOPT(CURLOPT_HTTP2_WINDOW_UPDATE, CURLOPTTYPE_LONG, 332), + + /* set ECH configuration, XXX, the official one is 324 */ -+ CURLOPT(CURLOPT_ECH, CURLOPTTYPE_STRINGPOINT, 332), ++ CURLOPT(CURLOPT_ECH, CURLOPTTYPE_STRINGPOINT, 333), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; @@ -238,7 +248,7 @@ index 1285101c5..c620065dc 100644 * NAME curl_easy_getinfo() * diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h -index bc8d7a78c..033c994ca 100644 +index b880f3dc6..79074e011 100644 --- a/include/curl/typecheck-gcc.h +++ b/include/curl/typecheck-gcc.h @@ -275,6 +275,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, @@ -250,7 +260,7 @@ index bc8d7a78c..033c994ca 100644 (option) == CURLOPT_FTP_ACCOUNT || \ (option) == CURLOPT_FTP_ALTERNATIVE_TO_USER || \ diff --git a/lib/Makefile.am b/lib/Makefile.am -index 3c0a70912..61a9eb90b 100644 +index 1237c8e99..6b2961018 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am 
@@ -31,7 +31,7 @@ EXTRA_DIST = Makefile.mk config-win32.h config-win32ce.h config-plan9.h \ @@ -322,19 +332,19 @@ index 3c0a70912..61a9eb90b 100644 endif -libcurl_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_la_CPPFLAGS_EXTRA) --libcurl_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_la_LDFLAGS_EXTRA) $(LDFLAGS) $(LIBCURL_LIBS) +-libcurl_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_la_LDFLAGS_EXTRA) $(CURL_LDFLAGS_LIB) $(LIBCURL_LIBS) -libcurl_la_CFLAGS = $(AM_CFLAGS) $(libcurl_la_CFLAGS_EXTRA) +libcurl_impersonate_chrome_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_impersonate_chrome_la_CPPFLAGS_EXTRA) -+libcurl_impersonate_chrome_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_impersonate_chrome_la_LDFLAGS_EXTRA) $(LDFLAGS) $(LIBCURL_LIBS) ++libcurl_impersonate_chrome_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_impersonate_chrome_la_LDFLAGS_EXTRA) $(CURL_LDFLAGS_LIB) $(LIBCURL_LIBS) +libcurl_impersonate_chrome_la_CFLAGS = $(AM_CFLAGS) $(libcurl_impersonate_chrome_la_CFLAGS_EXTRA) libcurlu_la_CPPFLAGS = $(AM_CPPFLAGS) -DCURL_STATICLIB -DUNITTESTS libcurlu_la_LDFLAGS = $(AM_LDFLAGS) -static $(LIBCURL_LIBS) diff --git a/lib/Makefile.inc b/lib/Makefile.inc -index f815170a7..9d9417edc 100644 +index e568ef953..298b16050 100644 --- a/lib/Makefile.inc +++ b/lib/Makefile.inc -@@ -174,6 +174,7 @@ LIB_CFILES = \ +@@ -171,6 +171,7 @@ LIB_CFILES = \ idn.c \ if2ip.c \ imap.c \ @@ -343,21 +353,21 @@ index f815170a7..9d9417edc 100644 inet_pton.c \ krb5.c \ diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake -index eca71bdef..ae9f02aca 100644 +index 339358ea3..a9cf400fb 100644 --- a/lib/curl_config.h.cmake +++ b/lib/curl_config.h.cmake -@@ -783,3 +783,6 @@ ${SIZEOF_TIME_T_CODE} +@@ -811,3 +811,6 @@ ${SIZEOF_TIME_T_CODE} - /* Define to 1 to enable websocket support. */ - #cmakedefine USE_WEBSOCKETS 1 + /* Define to 1 to enable TLS-SRP support. */ + #cmakedefine USE_TLS_SRP 1 + +/* if ECH support is available */ +#cmakedefine USE_ECH 1 
diff --git a/lib/dynhds.c b/lib/dynhds.c -index b325e0060..4c8a73bab 100644 +index d7548959b..00f97506b 100644 --- a/lib/dynhds.c +++ b/lib/dynhds.c -@@ -52,6 +52,8 @@ entry_new(const char *name, size_t namelen, +@@ -56,6 +56,8 @@ entry_new(const char *name, size_t namelen, e->valuelen = valuelen; if(opts & DYNHDS_OPT_LOWERCASE) Curl_strntolower(e->name, e->name, e->namelen); @@ -366,7 +376,7 @@ index b325e0060..4c8a73bab 100644 return e; } -@@ -134,6 +136,16 @@ void Curl_dynhds_set_opts(struct dynhds *dynhds, int opts) +@@ -138,6 +140,16 @@ void Curl_dynhds_set_opts(struct dynhds *dynhds, int opts) dynhds->opts = opts; } @@ -384,7 +394,7 @@ index b325e0060..4c8a73bab 100644 { DEBUGASSERT(dynhds); diff --git a/lib/dynhds.h b/lib/dynhds.h -index 777baa58a..2d542dfd6 100644 +index 3b536000a..d7135698f 100644 --- a/lib/dynhds.h +++ b/lib/dynhds.h @@ -53,6 +53,7 @@ struct dynhds { @@ -405,10 +415,10 @@ index 777baa58a..2d542dfd6 100644 /** * Return the n-th header entry or NULL if it does not exist. diff --git a/lib/easy.c b/lib/easy.c -index d36cc03d1..ec25400c5 100644 +index 322d1a41b..fcf637e55 100644 --- a/lib/easy.c +++ b/lib/easy.c -@@ -73,6 +73,8 @@ +@@ -74,6 +74,8 @@ #include "dynbuf.h" #include "altsvc.h" #include "hsts.h" @@ -417,7 +427,7 @@ index d36cc03d1..ec25400c5 100644 #include "easy_lock.h" -@@ -330,6 +332,146 @@ CURLsslset curl_global_sslset(curl_sslbackend id, const char *name, +@@ -341,6 +343,146 @@ CURLsslset curl_global_sslset(curl_sslbackend id, const char *name, return rc; } @@ -564,7 +574,7 @@ index d36cc03d1..ec25400c5 100644 /* * curl_easy_init() is the external interface to alloc, setup and init an * easy handle that is returned. If anything goes wrong, NULL is returned. -@@ -338,6 +480,8 @@ struct Curl_easy *curl_easy_init(void) +@@ -349,6 +491,8 @@ struct Curl_easy *curl_easy_init(void) { CURLcode result; struct Curl_easy *data; 
@@ -573,7 +583,7 @@ index d36cc03d1..ec25400c5 100644 /* Make sure we inited the global SSL stuff */ global_init_lock(); -@@ -360,6 +504,29 @@ struct Curl_easy *curl_easy_init(void) +@@ -371,6 +515,29 @@ struct Curl_easy *curl_easy_init(void) return NULL; } @@ -603,7 +613,7 @@ index d36cc03d1..ec25400c5 100644 return data; } -@@ -930,6 +1097,13 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) +@@ -945,6 +1112,13 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) outcurl->state.referer_alloc = TRUE; } @@ -617,7 +627,7 @@ index d36cc03d1..ec25400c5 100644 /* Reinitialize an SSL engine for the new handle * note: the engine name has already been copied by dupset */ if(outcurl->set.str[STRING_SSL_ENGINE]) { -@@ -1019,6 +1193,9 @@ fail: +@@ -1004,6 +1178,9 @@ fail: */ void curl_easy_reset(struct Curl_easy *data) { @@ -627,8 +637,8 @@ index d36cc03d1..ec25400c5 100644 Curl_free_request_state(data); /* zero out UserDefined data: */ -@@ -1043,6 +1220,23 @@ void curl_easy_reset(struct Curl_easy *data) - #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) +@@ -1028,6 +1205,23 @@ void curl_easy_reset(struct Curl_easy *data) + #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH) Curl_http_auth_cleanup_digest(data); #endif + @@ -652,7 +662,7 @@ index d36cc03d1..ec25400c5 100644 /* diff --git a/lib/easyoptions.c b/lib/easyoptions.c -index a9c1efd00..b81f3a671 100644 +index e69c658b0..585a6638b 100644 --- a/lib/easyoptions.c +++ b/lib/easyoptions.c @@ -86,6 +86,7 @@ struct curl_easyoption Curl_easyopts[] = { 
@@ -663,7 +673,7 @@ index a9c1efd00..b81f3a671 100644 {"EGDSOCKET", CURLOPT_EGDSOCKET, CURLOT_STRING, 0}, {"ENCODING", CURLOPT_ACCEPT_ENCODING, CURLOT_STRING, CURLOT_FLAG_ALIAS}, {"ERRORBUFFER", CURLOPT_ERRORBUFFER, CURLOT_OBJECT, 0}, -@@ -132,8 +133,13 @@ struct curl_easyoption Curl_easyopts[] = { +@@ -133,8 +134,13 @@ struct curl_easyoption Curl_easyopts[] = { {"HSTS_CTRL", CURLOPT_HSTS_CTRL, CURLOT_LONG, 0}, {"HTTP09_ALLOWED", CURLOPT_HTTP09_ALLOWED, CURLOT_LONG, 0}, {"HTTP200ALIASES", CURLOPT_HTTP200ALIASES, CURLOT_SLIST, 0}, @@ -677,7 +687,7 @@ index a9c1efd00..b81f3a671 100644 {"HTTPHEADER", CURLOPT_HTTPHEADER, CURLOT_SLIST, 0}, {"HTTPPOST", CURLOPT_HTTPPOST, CURLOT_OBJECT, 0}, {"HTTPPROXYTUNNEL", CURLOPT_HTTPPROXYTUNNEL, CURLOT_LONG, 0}, -@@ -302,18 +308,23 @@ struct curl_easyoption Curl_easyopts[] = { +@@ -305,18 +311,23 @@ struct curl_easyoption Curl_easyopts[] = { {"SSLKEYTYPE", CURLOPT_SSLKEYTYPE, CURLOT_STRING, 0}, {"SSLKEY_BLOB", CURLOPT_SSLKEY_BLOB, CURLOT_BLOB, 0}, {"SSLVERSION", CURLOPT_SSLVERSION, CURLOT_VALUES, 0}, @@ -701,16 +711,16 @@ index a9c1efd00..b81f3a671 100644 {"STDERR", CURLOPT_STDERR, CURLOT_OBJECT, 0}, {"STREAM_DEPENDS", CURLOPT_STREAM_DEPENDS, CURLOT_OBJECT, 0}, {"STREAM_DEPENDS_E", CURLOPT_STREAM_DEPENDS_E, CURLOT_OBJECT, 0}, -@@ -370,6 +381,6 @@ struct curl_easyoption Curl_easyopts[] = { +@@ -373,6 +384,6 @@ struct curl_easyoption Curl_easyopts[] = { */ int Curl_easyopts_check(void) { -- return ((CURLOPT_LASTENTRY%10000) != (322 + 1)); -+ return ((CURLOPT_LASTENTRY%10000) != (332 + 1)); +- return ((CURLOPT_LASTENTRY%10000) != (323 + 1)); ++ return ((CURLOPT_LASTENTRY%10000) != (333 + 1)); } #endif diff --git a/lib/http.c b/lib/http.c -index 219dcc2c0..7b04c6c36 100644 +index be6d442e8..ca537314a 100644 --- a/lib/http.c +++ b/lib/http.c @@ -90,6 +90,7 @@ 
@@ -721,7 +731,7 @@ index 219dcc2c0..7b04c6c36 100644 /* The last 3 #include files should be in this order */ #include "curl_printf.h" -@@ -1881,6 +1882,15 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, +@@ -1937,6 +1938,15 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, int numlists = 1; /* by default */ int i; @@ -737,7 +747,7 @@ index 219dcc2c0..7b04c6c36 100644 #ifndef CURL_DISABLE_PROXY enum proxy_use proxy; -@@ -1892,10 +1902,10 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, +@@ -1948,10 +1958,10 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, switch(proxy) { case HEADER_SERVER: @@ -750,7 +760,7 @@ index 219dcc2c0..7b04c6c36 100644 if(data->set.sep_headers) { h[1] = data->set.proxyheaders; numlists++; -@@ -1905,12 +1915,12 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, +@@ -1961,12 +1971,12 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, if(data->set.sep_headers) h[0] = data->set.proxyheaders; else @@ -765,7 +775,7 @@ index 219dcc2c0..7b04c6c36 100644 #endif /* loop through one or two lists */ -@@ -2146,6 +2156,108 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, +@@ -2202,6 +2212,108 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, *reqp = httpreq; } @@ -874,7 +884,7 @@ index 219dcc2c0..7b04c6c36 100644 CURLcode Curl_http_useragent(struct Curl_easy *data) { /* The User-Agent string might have been allocated in url.c already, because -@@ -3165,6 +3277,11 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) +@@ -3210,6 +3322,11 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) http = data->req.p.http; DEBUGASSERT(http); @@ -886,7 +896,7 @@ index 219dcc2c0..7b04c6c36 100644 result = Curl_http_host(data, conn); if(result) return result; -@@ -4777,12 +4894,41 @@ static bool h2_non_field(const char *name, size_t namelen) +@@ -4847,12 +4964,41 @@ static bool h2_non_field(const char *name, size_t namelen) return FALSE; } 
@@ -928,7 +938,7 @@ index 219dcc2c0..7b04c6c36 100644 CURLcode result; DEBUGASSERT(req); -@@ -4816,25 +4962,56 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, +@@ -4886,25 +5032,56 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, Curl_dynhds_reset(h2_headers); Curl_dynhds_set_opts(h2_headers, DYNHDS_OPT_LOWERCASE); @@ -998,10 +1008,10 @@ index 219dcc2c0..7b04c6c36 100644 } diff --git a/lib/http2.c b/lib/http2.c -index c666192fc..5a90b28ea 100644 +index 973848484..a4bda9b97 100644 --- a/lib/http2.c +++ b/lib/http2.c -@@ -50,6 +50,7 @@ +@@ -51,6 +51,7 @@ #include "curl_printf.h" #include "curl_memory.h" #include "memdebug.h" @@ -1009,16 +1019,16 @@ index c666192fc..5a90b28ea 100644 #if (NGHTTP2_VERSION_NUM < 0x010c00) #error too old nghttp2 version, upgrade! -@@ -68,7 +69,7 @@ +@@ -69,7 +70,7 @@ * use 16K as chunk size, as that fits H2 DATA frames well */ #define H2_CHUNK_SIZE (16 * 1024) /* this is how much we want "in flight" for a stream */ -#define H2_STREAM_WINDOW_SIZE (10 * 1024 * 1024) +#define H2_STREAM_WINDOW_SIZE (1024 * 1024) - /* on receving from TLS, we prep for holding a full stream window */ + /* on receiving from TLS, we prep for holding a full stream window */ #define H2_NW_RECV_CHUNKS (H2_STREAM_WINDOW_SIZE / H2_CHUNK_SIZE) /* on send into TLS, we just want to accumulate small frames */ -@@ -86,24 +87,84 @@ +@@ -87,24 +88,84 @@ * will block their received QUOTA in the connection window. And if we * run out of space, the server is blocked from sending us any data. * See #10988 for an issue with this. */ 
@@ -1050,14 +1060,14 @@ index c666192fc..5a90b28ea 100644 + if(data->set.str[STRING_HTTP2_SETTINGS]) { + http2_settings = data->set.str[STRING_HTTP2_SETTINGS]; + } - -- iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE; -- iv[1].value = H2_STREAM_WINDOW_SIZE; ++ + // printf("USING settings %s\n", http2_settings); + + char *tmp = strdup(http2_settings); + char *setting = strtok(tmp, delimiter); -+ + +- iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE; +- iv[1].value = H2_STREAM_WINDOW_SIZE; + // loop through the string to extract all other tokens + while(setting != NULL) { + // deal with each setting @@ -1111,8 +1121,8 @@ index c666192fc..5a90b28ea 100644 + return i; } - static size_t populate_binsettings(uint8_t *binsettings, -@@ -483,8 +544,22 @@ static CURLcode cf_h2_ctx_init(struct Curl_cfilter *cf, + static ssize_t populate_binsettings(uint8_t *binsettings, +@@ -504,8 +565,22 @@ static CURLcode cf_h2_ctx_init(struct Curl_cfilter *cf, } } @@ -1137,7 +1147,7 @@ index c666192fc..5a90b28ea 100644 if(rc) { failf(data, "nghttp2_session_set_local_window_size() failed: %s(%d)", nghttp2_strerror(rc), rc); -@@ -1616,11 +1691,17 @@ out: +@@ -1747,11 +1822,17 @@ out: return rv; } @@ -1156,7 +1166,7 @@ index c666192fc..5a90b28ea 100644 } static int sweight_in_effect(const struct Curl_easy *data) -@@ -1642,9 +1723,11 @@ static void h2_pri_spec(struct Curl_easy *data, +@@ -1773,9 +1854,11 @@ static void h2_pri_spec(struct Curl_easy *data, struct Curl_data_priority *prio = &data->set.priority; struct stream_ctx *depstream = H2_STREAM_CTX(prio->parent); int32_t depstream_id = depstream? depstream->id:0; 
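Review bot: In the settings parser in the `@@ -1050,14 +1060,14 @@` hunk, the result of `strdup(http2_settings)` goes straight into `strtok()` with no NULL check, and `strtok()` keeps its position in hidden static state. On allocation failure `strtok(NULL, delimiter)` resumes whatever string was tokenised last, and two easy handles setting up HTTP/2 on different threads can corrupt each other's parse of the `CURLOPT_HTTP2_SETTINGS` string. I would bail out when `tmp` is NULL and tokenise with `char *save = NULL; char *setting = strtok_r(tmp, delimiter, &save);` (curl's own `strtok.h` supplies `strtok_r` where the platform lacks it). The function starts and ends outside this hunk, so the matching `free(tmp)` and the bound on the `iv` index cannot be confirmed from here.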
@@ -1169,24 +1179,22 @@ index c666192fc..5a90b28ea 100644 data->state.priority = *prio; } -@@ -1661,20 +1744,25 @@ static CURLcode h2_progress_egress(struct Curl_cfilter *cf, +@@ -1792,20 +1875,24 @@ static CURLcode h2_progress_egress(struct Curl_cfilter *cf, struct stream_ctx *stream = H2_STREAM_CTX(data); int rv = 0; -- if((sweight_wanted(data) != sweight_in_effect(data)) || -- (data->set.priority.exclusive != data->state.priority.exclusive) || -- (data->set.priority.parent != data->state.priority.parent) ) { + /* curl-impersonate: Check if stream exclusive flag is true. */ -+ if(stream && stream->id > 0 && -+ ((sweight_wanted(data) != sweight_in_effect(data)) || + if(stream && stream->id > 0 && + ((sweight_wanted(data) != sweight_in_effect(data)) || +- (data->set.priority.exclusive != data->state.priority.exclusive) || +- (data->set.priority.parent != data->state.priority.parent)) ) { + (data->set.priority.exclusive != 1) || + (data->set.priority.parent != data->state.priority.parent))) { /* send new weight and/or dependency */ nghttp2_priority_spec pri_spec; h2_pri_spec(data, &pri_spec); -- DEBUGF(LOG_CF(data, cf, "[h2sid=%d] Queuing PRIORITY", -- stream->id)); +- CURL_TRC_CF(data, cf, "[%d] Queuing PRIORITY", stream->id); - DEBUGASSERT(stream->id != -1); - rv = nghttp2_submit_priority(ctx->h2, NGHTTP2_FLAG_NONE, - stream->id, &pri_spec); @@ -1194,8 +1202,7 @@ index c666192fc..5a90b28ea 100644 - goto out; + /* curl-impersonate: Don't send PRIORITY frames for main stream. */ + if(stream->id != 1) { -+ DEBUGF(LOG_CF(data, cf, "[h2sid=%d] Queuing PRIORITY", -+ stream->id)); ++ CURL_TRC_CF(data, cf, "[%d] Queuing PRIORITY", stream->id); + DEBUGASSERT(stream->id != -1); + rv = nghttp2_submit_priority(ctx->h2, NGHTTP2_FLAG_NONE, + stream->id, &pri_spec); @@ -1204,9 +1211,9 @@ index c666192fc..5a90b28ea 100644 + } } - while(!rv && nghttp2_session_want_write(ctx->h2)) + ctx->nw_out_blocked = 0; 
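Review bot: The condition carried into `h2_progress_egress` tests `data->set.priority.exclusive != 1` against a constant instead of against `data->state.priority.exclusive`, so it no longer settles once `h2_pri_spec` has copied `set.priority` into `state.priority` (the `data->state.priority = *prio;` line visible just above). Unless the caller sets the exclusive flag, the branch is taken on every call and a PRIORITY frame is queued each time for any stream other than id 1. The comment `Check if stream exclusive flag is true` also reads as the opposite of what is tested. If the repeat is intended, say so in the comment; otherwise compare against the state as the removed line did, `(data->set.priority.exclusive != data->state.priority.exclusive) ||`. `DEBUGASSERT(stream->id != -1)` is redundant behind the new `stream->id > 0` guard; the function body continues outside the hunk.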
diff --git a/lib/http2.h b/lib/http2.h -index 562c05c99..b99c085d5 100644 +index 80e183480..8ee390b7e 100644 --- a/lib/http2.h +++ b/lib/http2.h @@ -31,7 +31,8 @@ @@ -2024,13 +2031,13 @@ index 000000000..0158d5477 + +#endif /* HEADER_CURL_IMPERSONATE_H */ diff --git a/lib/multi.c b/lib/multi.c -index d1d32b793..3b49a1b4c 100644 +index 5456113be..85841f769 100644 --- a/lib/multi.c +++ b/lib/multi.c -@@ -424,7 +424,8 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ +@@ -396,7 +396,8 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ + Curl_llist_init(&multi->msgsent, NULL); - /* -1 means it not set by user, use the default value */ - multi->maxconnects = -1; + multi->multiplexing = TRUE; - multi->max_concurrent_streams = 100; + /* curl-impersonate: Use 1000 concurrent streams like Chrome. */ + multi->max_concurrent_streams = 1000; @@ -2038,18 +2045,18 @@ index d1d32b793..3b49a1b4c 100644 #ifdef USE_WINSOCK multi->wsa_event = WSACreateEvent(); diff --git a/lib/setopt.c b/lib/setopt.c -index 0c3b9634d..a65c5d99e 100644 +index a08140cce..fe468ca87 100644 --- a/lib/setopt.c +++ b/lib/setopt.c -@@ -50,6 +50,7 @@ - #include "multiif.h" +@@ -51,6 +51,7 @@ #include "altsvc.h" #include "hsts.h" + #include "tftp.h" +#include "slist.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" -@@ -712,6 +713,23 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) +@@ -710,6 +711,23 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) va_arg(param, char *)); break; 
@@ -2073,7 +2080,7 @@ index 0c3b9634d..a65c5d99e 100644 #ifndef CURL_DISABLE_PROXY case CURLOPT_PROXYHEADER: /* -@@ -2410,6 +2428,27 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) +@@ -2394,6 +2412,27 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) result = Curl_setstropt(&data->set.str[STRING_SSL_EC_CURVES], va_arg(param, char *)); break; @@ -2101,9 +2108,9 @@ index 0c3b9634d..a65c5d99e 100644 #endif case CURLOPT_IPRESOLVE: arg = va_arg(param, long); -@@ -2953,6 +2992,31 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) +@@ -2936,6 +2975,31 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) case CURLOPT_SSL_ENABLE_ALPN: - data->set.ssl_enable_alpn = (0 != va_arg(param, long)) ? TRUE : FALSE; + data->set.ssl_enable_alpn = (0 != va_arg(param, long)); break; + case CURLOPT_SSL_ENABLE_ALPS: + data->set.ssl_enable_alps = (0 != va_arg(param, long)) ? TRUE : FALSE; @@ -2133,7 +2140,7 @@ index 0c3b9634d..a65c5d99e 100644 #ifdef USE_UNIX_SOCKETS case CURLOPT_UNIX_SOCKET_PATH: data->set.abstract_unix_socket = FALSE; -@@ -3146,6 +3210,31 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) +@@ -3128,6 +3192,31 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) data->set.ws_raw_mode = raw; break; } @@ -2166,7 +2173,7 @@ index 0c3b9634d..a65c5d99e 100644 case CURLOPT_QUICK_EXIT: data->set.quick_exit = (0 != va_arg(param, long)) ? 1L:0L; diff --git a/lib/strerror.c b/lib/strerror.c -index bd9cc535c..971568792 100644 +index 0d5f9276f..232116383 100644 --- a/lib/strerror.c +++ b/lib/strerror.c @@ -319,6 +319,11 @@ curl_easy_strerror(CURLcode error) @@ -2182,10 +2189,10 @@ index bd9cc535c..971568792 100644 case CURLE_OBSOLETE20: case CURLE_OBSOLETE24: diff --git a/lib/transfer.c b/lib/transfer.c -index d2ff0c24c..56e2090b6 100644 +index 96f1fde75..4a57497c7 100644 --- a/lib/transfer.c 
+++ b/lib/transfer.c -@@ -106,7 +106,15 @@ char *Curl_checkheaders(const struct Curl_easy *data, +@@ -104,7 +104,15 @@ char *Curl_checkheaders(const struct Curl_easy *data, DEBUGASSERT(thislen); DEBUGASSERT(thisheader[thislen-1] != ':'); @@ -2203,10 +2210,10 @@ index d2ff0c24c..56e2090b6 100644 Curl_headersep(head->data[thislen]) ) return head->data; diff --git a/lib/url.c b/lib/url.c -index b37d13f8f..f1b3b5440 100644 +index b81785fe2..699e8037a 100644 --- a/lib/url.c +++ b/lib/url.c -@@ -444,6 +444,11 @@ CURLcode Curl_close(struct Curl_easy **datap) +@@ -322,6 +322,11 @@ CURLcode Curl_close(struct Curl_easy **datap) Curl_safefree(data->state.aptr.proxyuser); Curl_safefree(data->state.aptr.proxypasswd); @@ -2218,7 +2225,7 @@ index b37d13f8f..f1b3b5440 100644 #ifndef CURL_DISABLE_DOH if(data->req.doh) { Curl_dyn_free(&data->req.doh->probe[0].serverdoh); -@@ -595,6 +600,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) +@@ -468,6 +473,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) set->tcp_fastopen = FALSE; set->tcp_nodelay = TRUE; set->ssl_enable_alpn = TRUE; 
@@ -2226,17 +2233,7 @@ index b37d13f8f..f1b3b5440 100644 set->expect_100_timeout = 1000L; /* Wait for a second by default. */ set->sep_headers = TRUE; /* separated header lists by default */ set->buffer_size = READBUFFER_SIZE; -@@ -3584,6 +3590,9 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT]; - data->set.ssl.primary.ca_info_blob = data->set.blobs[BLOB_CAINFO]; - data->set.ssl.primary.curves = data->set.str[STRING_SSL_EC_CURVES]; -+ data->set.ssl.primary.sig_hash_algs = data->set.str[STRING_SSL_SIG_HASH_ALGS]; -+ data->set.ssl.primary.cert_compression = -+ data->set.str[STRING_SSL_CERT_COMPRESSION]; - - #ifndef CURL_DISABLE_PROXY - data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; -@@ -3695,6 +3704,11 @@ static CURLcode create_conn(struct Curl_easy *data, +@@ -3672,6 +3678,11 @@ static CURLcode create_conn(struct Curl_easy *data, (default) */ if(data->set.ssl_enable_alpn) conn->bits.tls_enable_alpn = TRUE; @@ -2249,7 +2246,7 @@ index b37d13f8f..f1b3b5440 100644 if(waitpipe) diff --git a/lib/urldata.h b/lib/urldata.h -index f02e66541..058ace33c 100644 +index ff661482e..b78408094 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -53,6 +53,15 @@ @@ -2268,7 +2265,7 @@ index f02e66541..058ace33c 100644 #ifdef USE_WEBSOCKETS /* CURLPROTO_GOPHERS (29) is the highest publicly used protocol bit number, * the rest are internal information. If we use higher bits we only do this on -@@ -277,6 +286,8 @@ struct ssl_primary_config { +@@ -290,6 +299,8 @@ struct ssl_primary_config { char *password; /* TLS password (for, e.g., SRP) */ #endif char *curves; /* list of curves to use */ 
@@ -2277,7 +2274,7 @@ index f02e66541..058ace33c 100644 unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ unsigned int version_max; /* max supported version the client wants to use */ unsigned char version; /* what version the client wants to use */ -@@ -526,6 +537,9 @@ struct ConnectBits { +@@ -541,6 +552,9 @@ struct ConnectBits { BIT(multiplex); /* connection is multiplexed */ BIT(tcp_fastopen); /* use TCP Fast Open */ BIT(tls_enable_alpn); /* TLS ALPN extension? */ @@ -2287,7 +2284,7 @@ index f02e66541..058ace33c 100644 #ifndef CURL_DISABLE_DOH BIT(doh); #endif -@@ -1395,6 +1409,19 @@ struct UrlState { +@@ -1452,6 +1466,19 @@ struct UrlState { CURLcode hresult; /* used to pass return codes back from hyper callbacks */ #endif @@ -2307,10 +2304,10 @@ index f02e66541..058ace33c 100644 /* Dynamically allocated strings, MUST be freed before this struct is killed. */ struct dynamically_allocated_data { -@@ -1563,6 +1590,12 @@ enum dupstring { - STRING_DNS_LOCAL_IP6, +@@ -1628,6 +1655,12 @@ enum dupstring { STRING_SSL_EC_CURVES, STRING_AWS_SIGV4, /* Parameters for V4 signature */ + STRING_HAPROXY_CLIENT_IP, /* CURLOPT_HAPROXY_CLIENT_IP */ + STRING_SSL_SIG_HASH_ALGS, + STRING_SSL_CERT_COMPRESSION, + STRING_HTTP2_PSEUDO_HEADERS_ORDER, @@ -2320,7 +2317,7 @@ index f02e66541..058ace33c 100644 /* -- end of null-terminated strings -- */ -@@ -1857,6 +1890,9 @@ struct UserDefined { +@@ -1921,6 +1954,9 @@ struct UserDefined { BIT(tcp_keepalive); /* use TCP keepalives */ BIT(tcp_fastopen); /* use TCP Fast Open */ BIT(ssl_enable_alpn);/* TLS ALPN extension? */ @@ -2330,7 +2327,7 @@ index f02e66541..058ace33c 100644 BIT(path_as_is); /* allow dotdots? */ BIT(pipewait); /* wait for multiplex status before starting a new connection */ -@@ -1877,6 +1913,10 @@ struct UserDefined { +@@ -1941,6 +1977,10 @@ struct UserDefined { #ifdef USE_WEBSOCKETS BIT(ws_raw_mode); #endif @@ -2342,15 +2339,17 @@ index f02e66541..058ace33c 100644 struct Names { 
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 6543fb19a..58d243f1e 100644 +index 8c8f43e83..1c5566738 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c -@@ -79,6 +79,21 @@ +@@ -79,9 +79,24 @@ #include #include #include +#include -+ + #include + #include + +#ifdef HAVE_LIBZ +#include +#endif @@ -2364,10 +2363,11 @@ index 6543fb19a..58d243f1e 100644 +# endif +# include "curl_base64.h" +#endif /* USE_ECH */ - ++ #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP) #include -@@ -266,6 +281,113 @@ + #endif +@@ -276,6 +291,113 @@ #define HAVE_OPENSSL_VERSION #endif @@ -2478,10 +2478,10 @@ index 6543fb19a..58d243f1e 100644 + +#endif + - #ifdef OPENSSL_IS_BORINGSSL + #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) typedef uint32_t sslerr_t; #else -@@ -2583,6 +2705,151 @@ static const char *tls_rt_type(int type) +@@ -2601,6 +2723,151 @@ static const char *tls_rt_type(int type) } } @@ -2633,7 +2633,7 @@ index 6543fb19a..58d243f1e 100644 /* * Our callback from the SSL/TLS layers. */ -@@ -3536,7 +3803,14 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, +@@ -3571,7 +3838,14 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, ctx_options = SSL_OP_ALL; #ifdef SSL_OP_NO_TICKET @@ -2649,7 +2649,7 @@ index 6543fb19a..58d243f1e 100644 #endif #ifdef SSL_OP_NO_COMPRESSION -@@ -3603,6 +3877,16 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, +@@ -3638,6 +3912,16 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, } #endif @@ -2666,7 +2666,7 @@ index 6543fb19a..58d243f1e 100644 if(ssl_cert || ssl_cert_blob || ssl_cert_type) { if(!result && !cert_stuff(data, backend->ctx, -@@ -3656,6 +3940,35 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, +@@ -3691,6 +3975,35 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, } #endif 
@@ -2702,7 +2702,7 @@ index 6543fb19a..58d243f1e 100644 #ifdef USE_OPENSSL_SRP if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) { char * const ssl_username = ssl_config->primary.username; -@@ -3681,6 +3994,30 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, +@@ -3716,6 +4029,30 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, } #endif @@ -2733,7 +2733,7 @@ index 6543fb19a..58d243f1e 100644 /* OpenSSL always tries to verify the peer, this only says whether it should * fail to connect if the verification fails, or if it should continue * anyway. In the latter case the result of the verification is checked with -@@ -3727,6 +4064,23 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, +@@ -3771,6 +4108,23 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, SSL_set_app_data(backend->handle, cf); @@ -2757,7 +2757,7 @@ index 6543fb19a..58d243f1e 100644 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) if(conn_config->verifystatus) -@@ -3755,6 +4109,21 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, +@@ -3794,6 +4148,21 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, } #endif @@ -2778,10 +2778,10 @@ index 6543fb19a..58d243f1e 100644 + SSL_set_app_data(backend->handle, cf); - if(ssl_config->primary.sessionid) { -@@ -3946,6 +4315,60 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, - SSL_get_version(backend->handle), - SSL_get_cipher(backend->handle)); + connssl->reused_session = FALSE; +@@ -4005,6 +4374,60 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, + negotiated_group_name? negotiated_group_name : "[blank]", + OBJ_nid2sn(psigtype_nid)); +#ifdef USE_ECH +# ifndef OPENSSL_IS_BORINGSSL @@ -2841,10 +2841,10 @@ index 6543fb19a..58d243f1e 100644 /* Sets data and len to negotiated protocol, len is 0 if no protocol was * negotiated 
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index 32334016b..1a8a75ade 100644 +index 34eda3e5a..eda3f6d58 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c -@@ -141,6 +141,9 @@ static const struct alpn_spec ALPN_SPEC_H11 = { +@@ -139,6 +139,9 @@ static const struct alpn_spec ALPN_SPEC_H11 = { static const struct alpn_spec ALPN_SPEC_H2_H11 = { { ALPN_H2, ALPN_HTTP_1_1 }, 2 }; @@ -2855,7 +2855,7 @@ index 32334016b..1a8a75ade 100644 static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn) @@ -155,6 +158,17 @@ static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn) - #endif + Avoid "http/1.0" because some servers don't support it. */ return &ALPN_SPEC_H11; } + @@ -2872,16 +2872,16 @@ index 32334016b..1a8a75ade 100644 #endif /* USE_SSL */ -@@ -182,6 +196,8 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, - strcasecompare(data->cipher_list, needle->cipher_list) && - strcasecompare(data->cipher_list13, needle->cipher_list13) && - strcasecompare(data->curves, needle->curves) && -+ strcasecompare(data->sig_hash_algs, needle->sig_hash_algs) && -+ strcasecompare(data->cert_compression, needle->cert_compression) && - strcasecompare(data->CRLfile, needle->CRLfile) && - strcasecompare(data->pinned_key, needle->pinned_key)) +@@ -198,6 +212,8 @@ match_ssl_primary_config(struct Curl_easy *data, + strcasecompare(c1->cipher_list, c2->cipher_list) && + strcasecompare(c1->cipher_list13, c2->cipher_list13) && + strcasecompare(c1->curves, c2->curves) && ++ strcasecompare(c1->sig_hash_algs, c2->sig_hash_algs) && ++ strcasecompare(c1->cert_compression, c2->cert_compression) && + strcasecompare(c1->CRLfile, c2->CRLfile) && + strcasecompare(c1->pinned_key, c2->pinned_key)) return TRUE; -@@ -212,6 +228,8 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, +@@ -242,6 +258,8 @@ static bool clone_ssl_primary_config(struct ssl_primary_config *source, CLONE_STRING(cipher_list13); CLONE_STRING(pinned_key); CLONE_STRING(curves); 
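Review bot: `sig_hash_algs` and `cert_compression` are now threaded by hand through four functions in this file (`match_ssl_primary_config`, `clone_ssl_primary_config`, `Curl_free_primary_ssl_config` and `Curl_ssl_easy_config_complete`), and nothing in the patch records that they must stay in step. Dropping the pair from the match would let a handle reuse a TLS connection negotiated under different settings, and dropping it from the free would presumably leak the cloned strings, so the next rebase onto a refactored vtls.c is where this can go wrong. I would add a comment at the two fields in `struct ssl_primary_config`, e.g. `/* keep in sync with match/clone/free in vtls.c and Curl_ssl_easy_config_complete() */`. Both functions touched in this hunk start and end outside it.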
@@ -2890,7 +2890,7 @@ index 32334016b..1a8a75ade 100644 CLONE_STRING(CRLfile); #ifdef USE_TLS_SRP CLONE_STRING(username); -@@ -234,6 +252,8 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) +@@ -264,6 +282,8 @@ static void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) Curl_safefree(sslc->ca_info_blob); Curl_safefree(sslc->issuercert_blob); Curl_safefree(sslc->curves); @@ -2899,7 +2899,16 @@ index 32334016b..1a8a75ade 100644 Curl_safefree(sslc->CRLfile); #ifdef USE_TLS_SRP Curl_safefree(sslc->username); -@@ -318,7 +338,8 @@ static bool ssl_prefs_check(struct Curl_easy *data) +@@ -287,6 +307,8 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data) + data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT]; + data->set.ssl.primary.ca_info_blob = data->set.blobs[BLOB_CAINFO]; + data->set.ssl.primary.curves = data->set.str[STRING_SSL_EC_CURVES]; ++ data->set.ssl.primary.sig_hash_algs = data->set.str[STRING_SSL_SIG_HASH_ALGS]; ++ data->set.ssl.primary.cert_compression = data->set.str[STRING_SSL_CERT_COMPRESSION]; + #ifdef USE_TLS_SRP + data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; + data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; +@@ -453,7 +475,8 @@ static bool ssl_prefs_check(struct Curl_easy *data) } static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data, @@ -2909,7 +2918,7 @@ index 32334016b..1a8a75ade 100644 { struct ssl_connect_data *ctx; -@@ -328,6 +349,7 @@ static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data, +@@ -463,6 +486,7 @@ static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data, return NULL; ctx->alpn = alpn; 
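Review bot: The added `cert_compression` assignment in `Curl_ssl_easy_config_complete` sits on a single line that is over 80 characters before indentation, which is past the 79-column limit curl's checksrc applies. The `create_conn` version it replaces (removed in the lib/url.c hunk of this patch) had the assignment wrapped. I would restore the wrap: `data->set.ssl.primary.cert_compression =` with `data->set.str[STRING_SSL_CERT_COMPRESSION];` on a continuation line. The `sig_hash_algs` line above it is borderline and worth checking against the real indent; the function body continues outside the hunk.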
@@ -2917,7 +2926,7 @@ index 32334016b..1a8a75ade 100644 ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data); if(!ctx->backend) { free(ctx); -@@ -1760,8 +1782,11 @@ static CURLcode cf_ssl_create(struct Curl_cfilter **pcf, +@@ -1883,8 +1907,11 @@ static CURLcode cf_ssl_create(struct Curl_cfilter **pcf, DEBUGASSERT(data->conn); @@ -2931,7 +2940,7 @@ index 32334016b..1a8a75ade 100644 if(!ctx) { result = CURLE_OUT_OF_MEMORY; goto out; -@@ -1811,6 +1836,7 @@ static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf, +@@ -1934,6 +1961,7 @@ static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf, struct ssl_connect_data *ctx; CURLcode result; bool use_alpn = conn->bits.tls_enable_alpn; @@ -2939,7 +2948,7 @@ index 32334016b..1a8a75ade 100644 int httpwant = CURL_HTTP_VERSION_1_1; #ifdef USE_HTTP2 -@@ -1820,7 +1846,8 @@ static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf, +@@ -1943,7 +1971,8 @@ static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf, } #endif @@ -2950,28 +2959,28 @@ index 32334016b..1a8a75ade 100644 result = CURLE_OUT_OF_MEMORY; goto out; diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h -index f24dca15b..595d437f9 100644 +index f1856bd33..fe9f5c266 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -44,6 +44,8 @@ struct Curl_ssl_session; "ALPN: server did not agree on a protocol. Uses default." #define VTLS_INFOF_ALPN_OFFER_1STR \ - "ALPN: offers %s" + "ALPN: curl offers %s" +#define VTLS_INFOF_ALPS_OFFER_1STR \ + "ALPS: offers %s" #define VTLS_INFOF_ALPN_ACCEPTED_1STR \ ALPN_ACCEPTED "%s" #define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR \ diff --git a/lib/vtls/vtls_int.h b/lib/vtls/vtls_int.h -index ed49339e4..9fddc7494 100644 +index af7ae552e..f22147e22 100644 --- a/lib/vtls/vtls_int.h 
+++ b/lib/vtls/vtls_int.h -@@ -73,6 +73,7 @@ struct ssl_connect_data { - char *hostname; /* hostname for verification */ - char *dispname; /* display version of hostname */ +@@ -70,6 +70,7 @@ struct ssl_connect_data { + ssl_connect_state connecting_state; + struct ssl_peer peer; const struct alpn_spec *alpn; /* ALPN to use or NULL for none */ + const struct alpn_spec *alps; /* ALPS to use or NULL for none */ - struct ssl_backend_data *backend; /* vtls backend specific props */ + void *backend; /* vtls backend specific props */ struct cf_call_data call_data; /* data handle used in current call */ struct curltime handshake_done; /* time when handshake finished */ diff --git a/libcurl.pc.in b/libcurl.pc.in @@ -2987,10 +2996,10 @@ index 9db6b0f89..14c2f23e0 100644 Libs.private: @LIBCURL_LIBS@ Cflags: -I${includedir} @CPPFLAG_CURL_STATICLIB@ diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 -index caa2b14cb..0a0af4361 100644 +index 35ba19866..3bab99f62 100644 --- a/m4/curl-compilers.m4 +++ b/m4/curl-compilers.m4 -@@ -373,42 +373,55 @@ AC_DEFUN([CURL_CONVERT_INCLUDE_TO_ISYSTEM], [ +@@ -382,42 +382,55 @@ AC_DEFUN([CURL_CONVERT_INCLUDE_TO_ISYSTEM], [ AC_REQUIRE([CURL_SHFUNC_SQUEEZE])dnl AC_REQUIRE([CURL_CHECK_COMPILER])dnl AC_MSG_CHECKING([convert -I options to -isystem]) @@ -3082,7 +3091,7 @@ index caa2b14cb..0a0af4361 100644 diff --git a/src/Makefile.am b/src/Makefile.am -index f24cb6924..30b4fdb0a 100644 +index dced53e0f..dee8a2fc3 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -43,7 +43,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/include \ @@ -3094,7 +3103,7 @@ index f24cb6924..30b4fdb0a 100644 SUBDIRS = ../docs -@@ -54,9 +54,9 @@ endif +@@ -55,9 +55,9 @@ AM_CPPFLAGS += -DBUILDING_CURL include Makefile.inc # CURL_FILES comes from Makefile.inc 
@@ -3106,23 +3115,23 @@ index f24cb6924..30b4fdb0a 100644 $(CURL_RCFILES): tool_version.h endif -@@ -67,9 +67,9 @@ CFLAGS += @CURL_CFLAG_EXTRAS@ +@@ -70,9 +70,9 @@ CFLAGS += @CURL_CFLAG_EXTRAS@ LIBS = $(BLANK_AT_MAKETIME) if USE_EXPLICIT_LIB_DEPS -curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ +curl_impersonate_chrome_LDADD = $(top_builddir)/lib/libcurl-impersonate-chrome.la @LIBCURL_LIBS@ else --curl_LDADD = $(top_builddir)/lib/libcurl.la @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ -+curl_impersonate_chrome_LDADD = $(top_builddir)/lib/libcurl-impersonate-chrome.la @NSS_LIBS@ @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ +-curl_LDADD = $(top_builddir)/lib/libcurl.la @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ ++curl_impersonate_chrome_LDADD = $(top_builddir)/lib/libcurl-impersonate-chrome.la @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ endif # if unit tests are enabled, build a static library to link them with diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c -index ec5698ba2..df8d5913c 100644 +index 906e23e14..3a492996b 100644 --- a/src/tool_cfgable.c +++ b/src/tool_cfgable.c -@@ -172,6 +172,14 @@ static void free_config_fields(struct OperationConfig *config) +@@ -175,6 +175,14 @@ static void free_config_fields(struct OperationConfig *config) Curl_safefree(config->aws_sigv4); Curl_safefree(config->proto_str); Curl_safefree(config->proto_redir_str); @@ -3138,10 +3147,10 @@ index ec5698ba2..df8d5913c 100644 void config_free(struct OperationConfig *config) diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h -index 9a15659bc..d7355cfd8 100644 +index 57e8fce52..5174bfaa7 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h -@@ -160,8 +160,13 @@ struct OperationConfig { +@@ -161,8 +161,13 @@ struct OperationConfig { bool crlf; char *customrequest; char *ssl_ec_curves; 
@@ -3155,7 +3164,7 @@ index 9a15659bc..d7355cfd8 100644 long httpversion; bool http09_allowed; bool nobuffer; -@@ -191,6 +196,7 @@ struct OperationConfig { +@@ -192,6 +197,7 @@ struct OperationConfig { struct curl_slist *prequote; long ssl_version; long ssl_version_max; @@ -3163,7 +3172,7 @@ index 9a15659bc..d7355cfd8 100644 long proxy_ssl_version; long ip_version; long create_file_mode; /* CURLOPT_NEW_FILE_PERMS */ -@@ -266,6 +272,8 @@ struct OperationConfig { +@@ -268,6 +274,8 @@ struct OperationConfig { bool proxy_ssl_auto_client_cert; /* proxy version of ssl_auto_client_cert */ char *oauth_bearer; /* OAuth 2.0 bearer token */ bool noalpn; /* enable/disable TLS ALPN extension */ @@ -3172,7 +3181,7 @@ index 9a15659bc..d7355cfd8 100644 char *unix_socket_path; /* path to Unix domain socket */ bool abstract_unix_socket; /* path to an abstract Unix domain socket */ bool falsestart; -@@ -295,6 +303,11 @@ struct OperationConfig { +@@ -298,6 +306,11 @@ struct OperationConfig { struct State state; /* for create_transfer() */ bool rm_partial; /* on error, remove partially written output files */ @@ -3185,15 +3194,15 @@ index 9a15659bc..d7355cfd8 100644 struct GlobalConfig { diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index c9810e9d4..8bcd914db 100644 +index 5fa1ace10..a5df5601a 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c -@@ -287,6 +287,17 @@ static const struct LongShort aliases[]= { +@@ -296,6 +296,17 @@ static const struct LongShort aliases[]= { {"EC", "etag-save", ARG_FILENAME}, {"ED", "etag-compare", ARG_FILENAME}, {"EE", "curves", ARG_STRING}, -+ {"EG", "signature-hashes", ARG_STRING}, -+ {"EH", "alps", ARG_BOOL}, ++ {"ET", "signature-hashes", ARG_STRING}, ++ {"EU", "alps", ARG_BOOL}, + {"EI", "cert-compression", ARG_STRING}, + {"EJ", "tls-session-ticket", ARG_BOOL}, + {"EK", "http2-pseudo-headers-order", ARG_STRING}, 
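Review bot: The two renumbered short codes (`"ET"` for `signature-hashes`, `"EU"` for `alps`) now sit ahead of `"EI"`, `"EJ"` and `"EK"`, so this block of `aliases[]` is out of code order and nothing explains why only these two moved. The old `"EG"`/`"EH"` were presumably taken by upstream options in the newer curl, so the same silent clash can recur on the next bump. I would move the two entries to the end of the added block and put a comment above it, e.g. `/* curl-impersonate options: codes are not reserved upstream, re-check for clashes on every curl upgrade */`. The matching `case 'T':` and `case 'U':` labels in the following getparameter hunk should follow the same order. The table and the remaining added entries extend outside this hunk.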
@@ -3206,16 +3215,16 @@ index c9810e9d4..8bcd914db 100644 {"f", "fail", ARG_BOOL}, {"fa", "fail-early", ARG_BOOL}, {"fb", "styled-output", ARG_BOOL}, -@@ -1940,6 +1951,62 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ +@@ -2124,6 +2135,62 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ GetStr(&config->ssl_ec_curves, nextarg); break; -+ case 'G': ++ case 'T': + /* --signature-hashes */ + GetStr(&config->ssl_sig_hash_algs, nextarg); + break; + -+ case 'H': ++ case 'U': + /* --alps */ + config->alps = toggle; + break; @@ -3267,13 +3276,13 @@ index c9810e9d4..8bcd914db 100644 + break; +#endif default: /* unknown flag */ - return PARAM_OPTION_UNKNOWN; - } + err = PARAM_OPTION_UNKNOWN; + break; diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c -index 61550de72..c3b99ab72 100644 +index 4e7a6dd63..8093b7f8e 100644 --- a/src/tool_listhelp.c +++ b/src/tool_listhelp.c -@@ -108,6 +108,27 @@ const struct helptxt helptext[] = { +@@ -111,6 +111,27 @@ const struct helptxt helptext[] = { {" --curves ", "(EC) TLS key exchange algorithm(s) to request", CURLHELP_TLS}, @@ -3301,7 +3310,7 @@ index 61550de72..c3b99ab72 100644 {"-d, --data ", "HTTP POST data", CURLHELP_IMPORTANT | CURLHELP_HTTP | CURLHELP_POST | CURLHELP_UPLOAD}, -@@ -165,6 +186,11 @@ const struct helptxt helptext[] = { +@@ -168,6 +189,11 @@ const struct helptxt helptext[] = { {"-D, --dump-header ", "Write the received headers to ", CURLHELP_HTTP | CURLHELP_FTP}, @@ -3313,7 +3322,7 @@ index 61550de72..c3b99ab72 100644 {" --egd-file ", "EGD socket path for random data", CURLHELP_TLS}, -@@ -387,6 +413,9 @@ const struct helptxt helptext[] = { +@@ -396,6 +422,9 @@ const struct helptxt helptext[] = { {" --no-alpn", "Disable the ALPN TLS extension", CURLHELP_TLS | CURLHELP_HTTP}, @@ -3324,10 +3333,10 @@ index 61550de72..c3b99ab72 100644 "Disable buffering of the output stream", CURLHELP_CURL}, 
diff --git a/src/tool_operate.c b/src/tool_operate.c -index ead7dca63..c3d1aecf5 100644 +index c805b7732..81ba30670 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c -@@ -1493,6 +1493,22 @@ static CURLcode single_transfer(struct GlobalConfig *global, +@@ -1522,6 +1522,22 @@ static CURLcode single_transfer(struct GlobalConfig *global, return result; } @@ -3350,7 +3359,7 @@ index ead7dca63..c3d1aecf5 100644 } /* (proto_http) */ if(proto_ftp) -@@ -1581,6 +1597,14 @@ static CURLcode single_transfer(struct GlobalConfig *global, +@@ -1610,6 +1626,14 @@ static CURLcode single_transfer(struct GlobalConfig *global, if(config->ssl_ec_curves) my_setopt_str(curl, CURLOPT_SSL_EC_CURVES, config->ssl_ec_curves); @@ -3365,7 +3374,7 @@ index ead7dca63..c3d1aecf5 100644 if(config->writeout) my_setopt_str(curl, CURLOPT_CERTINFO, 1L); -@@ -1914,6 +1938,10 @@ static CURLcode single_transfer(struct GlobalConfig *global, +@@ -1942,6 +1966,10 @@ static CURLcode single_transfer(struct GlobalConfig *global, my_setopt_str(curl, CURLOPT_PROXY_TLS13_CIPHERS, config->proxy_cipher13_list); @@ -3376,7 +3385,7 @@ index ead7dca63..c3d1aecf5 100644 /* new in libcurl 7.9.2: */ if(config->disable_epsv) /* disable it */ -@@ -2123,6 +2151,14 @@ static CURLcode single_transfer(struct GlobalConfig *global, +@@ -2151,6 +2179,14 @@ static CURLcode single_transfer(struct GlobalConfig *global, my_setopt(curl, CURLOPT_SSL_ENABLE_ALPN, 0L); } @@ -3391,7 +3400,7 @@ index ead7dca63..c3d1aecf5 100644 /* new in 7.40.0, abstract support added in 7.53.0 */ if(config->unix_socket_path) { if(config->abstract_unix_socket) { -@@ -2166,6 +2202,16 @@ static CURLcode single_transfer(struct GlobalConfig *global, +@@ -2199,6 +2235,16 @@ static CURLcode single_transfer(struct GlobalConfig *global, if(config->hsts) my_setopt_str(curl, CURLOPT_HSTS, config->hsts); 
@@ -3409,7 +3418,7 @@ index ead7dca63..c3d1aecf5 100644 per->retry_sleep_default = (config->retry_delay) ? config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */ diff --git a/src/tool_setopt.c b/src/tool_setopt.c -index 0f3cc83b9..1c14e9854 100644 +index de3b78fab..e034c9848 100644 --- a/src/tool_setopt.c +++ b/src/tool_setopt.c @@ -153,6 +153,8 @@ static const struct NameValue setopt_nv_CURLNONZERODEFAULTS[] = { diff --git a/firefox/Dockerfile b/firefox/Dockerfile index 87377c41..2f657758 100644 --- a/firefox/Dockerfile +++ b/firefox/Dockerfile @@ -69,7 +69,7 @@ RUN cd ${NGHTTP2_VERSION} && \ make && make install # Download curl. -ARG CURL_VERSION=curl-8.1.1 +ARG CURL_VERSION=curl-8.5.0 RUN curl -o ${CURL_VERSION}.tar.xz https://curl.se/download/${CURL_VERSION}.tar.xz RUN tar xf ${CURL_VERSION}.tar.xz diff --git a/firefox/Dockerfile.alpine b/firefox/Dockerfile.alpine index c702d150..8fb0bce6 100644 --- a/firefox/Dockerfile.alpine +++ b/firefox/Dockerfile.alpine @@ -58,7 +58,7 @@ RUN cd ${NGHTTP2_VERSION} && \ make && make install # Download curl. -ARG CURL_VERSION=curl-8.1.1 +ARG CURL_VERSION=curl-8.5.0 RUN curl -o ${CURL_VERSION}.tar.xz https://curl.se/download/${CURL_VERSION}.tar.xz RUN tar xf ${CURL_VERSION}.tar.xz diff --git a/win/build.sh b/win/build.sh index 66e7e53f..53aa3efc 100644 --- a/win/build.sh +++ b/win/build.sh @@ -38,7 +38,7 @@ export OPENSSL_LIBPATH=$PWD/boringssl/lib export OPENSSL_LIBS='-lssl -lcrypto' -CURL_VERSION=curl-8_1_1 +CURL_VERSION=curl-8_5_0 curl -L https://github.com/curl/curl/archive/${CURL_VERSION}.zip -o curl.zip unzip -q -o curl.zip