lexiforest · perklet · Jun 19, 2024 · Apr 28, 2024 · Apr 28, 2024 · Apr 28, 2024
diff --git a/.github/workflows/build-win.yaml b/.github/workflows/build-win.yaml
@@ -61,6 +61,7 @@ jobs:
             mingw-w64-${{ matrix.env }}-nasm
             mingw-w64-${{ matrix.env }}-gcc
             mingw-w64-${{ matrix.env }}-go
+            mingw-w64-${{ matrix.env }}-libuv
 
       - name: Copy and patch
         shell: msys2 {0}

diff --git a/Makefile.in b/Makefile.in
@@ -9,16 +9,17 @@ SHELL := bash
 # MAKEFLAGS += --no-builtin-rules
 SUBJOBS := 4
 
-BROTLI_VERSION := 1.0.9
+BROTLI_VERSION := 1.1.0
  # In case this is changed, update build-and-test-make.yml as well
  # In case this is changed, update build-and-test-make.yml as well
 BORING_SSL_COMMIT := d24a38200fef19150eef00cad35b138936c08767
-NGHTTP2_VERSION := nghttp2-1.56.0
-NGHTTP2_URL := https://github.com/nghttp2/nghttp2/releases/download/v1.56.0/nghttp2-1.56.0.tar.bz2
-CURL_VERSION := curl-8_5_0
+NGHTTP2_VERSION := nghttp2-1.61.0
+NGHTTP2_URL := https://github.com/nghttp2/nghttp2/releases/download/v1.61.0/nghttp2-1.61.0.tar.bz2
+CURL_VERSION := curl-8_7_1
 
+# https://github.com/google/brotli/commit/641bec0e30bea648b3da1cd90fc6b44deb429f71
 brotli_install_dir := $(abspath brotli-$(BROTLI_VERSION)/out/installed)
-brotli_static_libs := $(brotli_install_dir)/lib/libbrotlicommon-static.a $(brotli_install_dir)/lib/libbrotlidec-static.a
+brotli_static_libs := $(brotli_install_dir)/lib/libbrotlicommon.a $(brotli_install_dir)/lib/libbrotlidec.a
 boringssl_install_dir := $(abspath boringssl/build)
 boringssl_static_libs := $(boringssl_install_dir)/lib/libssl.a $(boringssl_install_dir)/lib/libcrypto.a
 nghttp2_install_dir := $(abspath $(NGHTTP2_VERSION)/installed)
@@ -144,6 +145,7 @@ $(brotli_static_libs): brotli-$(BROTLI_VERSION).tar.gz
 			-DCMAKE_C_FLAGS="$(CFLAGS)" \
 	        -DCMAKE_SYSTEM_NAME=$$system_name \
 	        -DCMAKE_SYSTEM_PROCESSOR=$(host_cpu) \
+	        -DBUILD_SHARED_LIBS=OFF \
 	        ..
 
 	@cmake@ --build . --config Release --target install --parallel $(SUBJOBS)

diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@
 > 2. ZSTD compression support introduced in Chrome 123.
 > 3. X25519Kyber768 curve introduced in Chrome 124.
 > 4. More options for impersonation Akamai http/2 fingerprints, especially for Safari.
-> 5. Upgrade to more recent version of curl, 8.5.0 as of April, 2024.
+> 5. Upgrade to more recent version of curl, 8.7.1 as of April, 2024.
 > 6. Ability to change extension orders and enable/disable TLS grease.
 > 7. (In progress) Single binary to support both Webkit-based and Gecko-based browsers, i.e. Chrome and Firefox.
 

diff --git a/chrome/curl_chrome100 b/chrome/curl_chrome100
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps \
     --cert-compression brotli \

diff --git a/chrome/curl_chrome101 b/chrome/curl_chrome101
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps \
     --cert-compression brotli \

diff --git a/chrome/curl_chrome104 b/chrome/curl_chrome104
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps \
     --cert-compression brotli \

diff --git a/chrome/curl_chrome107 b/chrome/curl_chrome107
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;2:0;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps \
     --cert-compression brotli \

diff --git a/chrome/curl_chrome110 b/chrome/curl_chrome110
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;2:0;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps --tls-permute-extensions \
     --cert-compression brotli \

diff --git a/chrome/curl_chrome116 b/chrome/curl_chrome116
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;2:0;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps --tls-permute-extensions \
     --cert-compression brotli \

diff --git a/chrome/curl_chrome119 b/chrome/curl_chrome119
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;2:0;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --ech GREASE \
     --tlsv1.2 --alps --tls-permute-extensions \

diff --git a/chrome/curl_chrome120 b/chrome/curl_chrome120
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;2:0;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --ech GREASE \
     --tlsv1.2 --alps --tls-permute-extensions \

diff --git a/chrome/curl_chrome123 b/chrome/curl_chrome123
@@ -26,6 +26,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;2:0;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --ech GREASE \
     --tlsv1.2 --alps --tls-permute-extensions \

diff --git a/chrome/curl_chrome124 b/chrome/curl_chrome124
@@ -29,6 +29,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;2:0;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --ech GREASE \
     --tlsv1.2 --alps --tls-permute-extensions \

diff --git a/chrome/curl_chrome99 b/chrome/curl_chrome99
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps \
     --cert-compression brotli \

diff --git a/chrome/curl_chrome99_android b/chrome/curl_chrome99_android
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps \
     --cert-compression brotli \

diff --git a/chrome/curl_edge101 b/chrome/curl_edge101
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps \
     --cert-compression brotli \

diff --git a/chrome/curl_edge99 b/chrome/curl_edge99
@@ -23,6 +23,8 @@ dir=${0%/*}
     --http2 \
     --http2-settings '1:65536;3:1000;4:6291456;6:262144' \
     --http2-window-update 15663105 \
+    --http2-stream-weight 256 \
+    --http2-stream-exclusive 1 \
     --compressed \
     --tlsv1.2 --alps \
     --cert-compression brotli \

diff --git a/chrome/curl_safari15_3 b/chrome/curl_safari15_3
@@ -18,6 +18,8 @@ dir=${0%/*}
     --http2-settings '4:4194304;3:100' \
     --http2-pseudo-headers-order 'mspa' \
     --http2-window-update 10485760 \
+    --http2-stream-weight 255 \
+    --http2-stream-exclusive 0 \
     --compressed \
     --tlsv1.0 --no-tls-session-ticket \
     --tls-grease \

diff --git a/chrome/curl_safari15_5 b/chrome/curl_safari15_5
@@ -18,6 +18,8 @@ dir=${0%/*}
     --http2-settings '4:4194304;3:100' \
     --http2-pseudo-headers-order 'mspa' \
     --http2-window-update 10485760 \
+    --http2-stream-weight 255 \
+    --http2-stream-exclusive 0 \
     --compressed \
     --tlsv1.0 --no-tls-session-ticket \
     --cert-compression zlib \

diff --git a/chrome/curl_safari17_0 b/chrome/curl_safari17_0
@@ -21,6 +21,8 @@ dir=${0%/*}
     --http2-settings '2:0;4:4194304;3:100' \
     --http2-pseudo-headers-order 'mspa' \
     --http2-window-update 10485760 \
+    --http2-stream-weight 255 \
+    --http2-stream-exclusive 0 \
     --compressed \
     --tlsv1.0 --no-tls-session-ticket \
     --cert-compression zlib \

diff --git a/chrome/curl_safari17_2_ios b/chrome/curl_safari17_2_ios
@@ -21,6 +21,8 @@ dir=${0%/*}
     --http2-settings '2:0;4:2097152;3:100' \
     --http2-pseudo-headers-order 'mspa' \
     --http2-window-update 10485760 \
+    --http2-stream-weight 255 \
+    --http2-stream-exclusive 0 \
     --compressed \
     --tlsv1.0 --no-tls-session-ticket \
     --cert-compression zlib \

diff --git a/chrome/patches/boringssl.patch b/chrome/patches/boringssl.patch
@@ -1,33 +1,39 @@
 diff --git a/export.sh b/export.sh
 new file mode 100755
-index 000000000..2e1f397aa
+index 000000000..678d1ca41
 --- /dev/null
 +++ b/export.sh
 @@ -0,0 +1,4 @@
 +#!/bin/bash
 +
-+git df d24a382 > boringssl.patch
++git diff d24a382 > boringssl.patch
 +mv boringssl.patch ../curl-impersonate/chrome/patches/boringssl.patch
 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index e500dd76e..487945969 100644
+index e500dd76e..e75bca26b 100644
 --- a/include/openssl/ssl.h
 +++ b/include/openssl/ssl.h
-@@ -1560,6 +1560,9 @@ OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
+@@ -1560,6 +1560,12 @@ OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
  // garbage inputs, unless an empty cipher list results.
  OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
 
 +// curl-impersonate: set the extension order by given string
 +OPENSSL_EXPORT int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order);
++
++// curl-impersonate
++OPENSSL_EXPORT int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled);
 +
  // SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
  // |str| as a cipher string and returning error if |str| contains anything
  // meaningless. It returns one on success and zero on failure.
-@@ -4583,6 +4586,9 @@ OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
+@@ -4583,6 +4589,12 @@ OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
  // permute extensions. For now, this is only implemented for the ClientHello.
  OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);
 
 +// curl-impersonate
 +OPENSSL_EXPORT int SSL_CTX_set_extension_order(SSL_CTX *ctx, char *order);
++
++// curl-impersonate
++OPENSSL_EXPORT int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled);
 +
  // SSL_set_permute_extensions configures whether sockets on |ssl| should
  // permute extensions. For now, this is only implemented for the ClientHello.
@@ -126,7 +132,7 @@ index b13400097..8b457b873 100644
      if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {
        OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
 diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
-index 971ebd0b1..0005c6d79 100644
+index 971ebd0b1..effe5c920 100644
 --- a/ssl/handshake_client.cc
 +++ b/ssl/handshake_client.cc
 @@ -215,14 +215,6 @@ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
@@ -182,8 +188,18 @@ index 971ebd0b1..0005c6d79 100644
        !ssl_encrypt_client_hello(hs, MakeConstSpan(ech_enc, ech_enc_len)) ||
        !ssl_add_client_hello(hs)) {
      return ssl_hs_error;
+@@ -1402,7 +1374,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
+     ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)
+                                        ? key_usage_encipherment
+                                        : key_usage_digital_signature;
+-    if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
++    if (hs->config->key_usage_check_enabled &&
++        !ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
+       if (hs->config->enforce_rsa_key_usage ||
+           EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
+         return ssl_hs_error;
 diff --git a/ssl/internal.h b/ssl/internal.h
-index c9facb699..eab61611e 100644
+index c9facb699..a32e9b4ba 100644
 --- a/ssl/internal.h
 +++ b/ssl/internal.h
 @@ -574,9 +574,14 @@ BSSL_NAMESPACE_BEGIN
@@ -202,32 +218,41 @@ index c9facb699..eab61611e 100644
 
  // Bits for |algorithm_prf| (handshake digest).
  #define SSL_HANDSHAKE_MAC_DEFAULT 0x1
-@@ -2161,6 +2166,9 @@ bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
+@@ -2161,6 +2166,12 @@ bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
  // for |hs|, if applicable. It returns true on success and false on error.
  bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs);
 
 +// curl-impersonate
 +bool ssl_set_extension_order(SSL_HANDSHAKE *hs);
++
++// curl-impersonate
++bool ssl_set_key_usage_check_enabled(SSL_HANDSHAKE *hs);
 +
  // ssl_setup_key_shares computes client key shares and saves them in |hs|. It
  // returns true on success and false on failure. If |override_group_id| is zero,
  // it offers the default groups, including GREASE. If it is non-zero, it offers
-@@ -3033,6 +3041,9 @@ struct SSL_CONFIG {
+@@ -3033,6 +3044,12 @@ struct SSL_CONFIG {
    // crypto
    UniquePtr<SSLCipherPreferenceList> cipher_list;
 
 +  // curl-impersonate
 +  char *extension_order = nullptr;
++
++  // curl-impersonate
++  int key_usage_check_enabled = 1;
 +
    // This is used to hold the local certificate used (i.e. the server
    // certificate for a server or the client certificate for a client).
    UniquePtr<CERT> cert;
-@@ -3490,6 +3501,9 @@ struct ssl_ctx_st {
+@@ -3490,6 +3507,12 @@ struct ssl_ctx_st {
 
    bssl::UniquePtr<bssl::SSLCipherPreferenceList> cipher_list;
 
 +  // curl-impersonate
 +  char *extension_order = nullptr;
++
++  // curl-impersonate
++  int key_usage_check_enabled = 1;
 +
    X509_STORE *cert_store = nullptr;
    LHASH_OF(SSL_SESSION) *sessions = nullptr;
@@ -463,18 +488,19 @@ index fd8cef95d..3d2c8ff6d 100644
                  "Not all ciphers are included in the cipher order");
 
 diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
-index 58b68e675..15eb823b3 100644
+index 58b68e675..455ee4dd0 100644
 --- a/ssl/ssl_lib.cc
 +++ b/ssl/ssl_lib.cc
-@@ -657,6 +657,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
+@@ -657,6 +657,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
    ssl->config->retain_only_sha256_of_client_certs =
        ctx->retain_only_sha256_of_client_certs;
    ssl->config->permute_extensions = ctx->permute_extensions;
-+  ssl->config->extension_order = ctx->extension_order;
++  ssl->config->extension_order = ctx->extension_order;  // curl-impersonate
++  ssl->config->key_usage_check_enabled = ctx->key_usage_check_enabled;  // curl-impersonate
    ssl->config->aes_hw_override = ctx->aes_hw_override;
    ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
    ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy;
-@@ -3015,6 +3016,12 @@ void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) {
+@@ -3015,6 +3017,17 @@ void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) {
    ctx->permute_extensions = !!enabled;
  }
 
@@ -483,6 +509,11 @@ index 58b68e675..15eb823b3 100644
 +  ctx->extension_order = order;
 +  return 0;
 +}
++
++int SSL_CTX_set_key_usage_check_enabled(SSL_CTX *ctx, int enabled) {
++  ctx->key_usage_check_enabled = enabled;
++  return 0;
++}
 +
  void SSL_set_permute_extensions(SSL *ssl, int enabled) {
    if (!ssl->config) {