From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 6 Apr 2023 12:33:05 +0000 (+0200)
Subject: CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
X-Git-Tag: curl-8_1_0~203
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=712e5f1e7f5f0d9f94a5de0bd0b8dc4f46e7816c;p=thirdparty%2Fcurl.git

CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2

Setting this proxy type allows curl to negotiate and use HTTP/2 with
HTTPS proxies.

Closes #10900
---

diff --git a/docs/libcurl/opts/CURLOPT_PROXYTYPE.3 b/docs/libcurl/opts/CURLOPT_PROXYTYPE.3
index 773723886d..226f7803b1 100644
--- a/docs/libcurl/opts/CURLOPT_PROXYTYPE.3
+++ b/docs/libcurl/opts/CURLOPT_PROXYTYPE.3
@@ -38,7 +38,9 @@ Pass one of the values below to set the type of the proxy.
 .IP CURLPROXY_HTTP
 HTTP Proxy. Default.
 .IP CURLPROXY_HTTPS
-HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
+HTTPS Proxy using HTTP/1. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
+.IP CURLPROXY_HTTPS2
+HTTPS Proxy and attempt to speak HTTP/2 over it. (Added in 8.1.0)
 .IP CURLPROXY_HTTP_1_0
 HTTP 1.0 Proxy. This is similar to CURLPROXY_HTTP except it uses HTTP/1.0 for
 any CONNECT tunneling. It does not change the HTTP version of the actual HTTP
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index a466c39d62..0398e93cda 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -954,6 +954,7 @@ CURLPROTO_TFTP                  7.19.4
 CURLPROXY_HTTP                  7.10
 CURLPROXY_HTTP_1_0              7.19.4
 CURLPROXY_HTTPS                 7.52.0
+CURLPROXY_HTTPS2                8.1.0
 CURLPROXY_SOCKS4                7.10
 CURLPROXY_SOCKS4A               7.18.0
 CURLPROXY_SOCKS5                7.10
diff --git a/include/curl/curl.h b/include/curl/curl.h
index e8b551b138..9443524216 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -780,7 +780,8 @@ typedef enum {
                            CONNECT HTTP/1.1 */
   CURLPROXY_HTTP_1_0 = 1,   /* added in 7.19.4, force to use CONNECT
                                HTTP/1.0  */
-  CURLPROXY_HTTPS = 2, /* added in 7.52.0 */
+  CURLPROXY_HTTPS = 2,  /* HTTPS but stick to HTTP/1 added in 7.52.0 */
+  CURLPROXY_HTTPS2 = 3, /* HTTPS and attempt HTTP/2 added in 8.1.0 */
   CURLPROXY_SOCKS4 = 4, /* support added in 7.15.2, enum existed already
                            in 7.10 */
   CURLPROXY_SOCKS5 = 5, /* added in 7.10 */
diff --git a/lib/connect.c b/lib/connect.c
index 2d940972e3..7624794cf2 100644
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -1223,7 +1223,7 @@ connect_sub_chain:
 
   if(ctx->state < CF_SETUP_CNNCT_HTTP_PROXY && cf->conn->bits.httpproxy) {
 #ifdef USE_SSL
-    if(cf->conn->http_proxy.proxytype == CURLPROXY_HTTPS
+    if(IS_HTTPS_PROXY(cf->conn->http_proxy.proxytype)
        && !Curl_conn_is_ssl(cf->conn, cf->sockindex)) {
       result = Curl_cf_ssl_proxy_insert_after(cf, data);
       if(result)
diff --git a/lib/http.c b/lib/http.c
index cc6dd6c918..b2674e54a2 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1305,7 +1305,7 @@ CURLcode Curl_buffer_send(struct dynbuf *in,
 
   if((conn->handler->flags & PROTOPT_SSL
 #ifndef CURL_DISABLE_PROXY
-      || conn->http_proxy.proxytype == CURLPROXY_HTTPS
+      || IS_HTTPS_PROXY(conn->http_proxy.proxytype)
 #endif
        )
      && conn->httpversion != 20) {
diff --git a/lib/http_proxy.h b/lib/http_proxy.h
index 2d7164badb..a1a03720bd 100644
--- a/lib/http_proxy.h
+++ b/lib/http_proxy.h
@@ -46,4 +46,7 @@ extern struct Curl_cftype Curl_cft_http_proxy;
 
 #endif /* !CURL_DISABLE_PROXY  && !CURL_DISABLE_HTTP */
 
+#define IS_HTTPS_PROXY(t) (((t) == CURLPROXY_HTTPS) ||  \
+                           ((t) == CURLPROXY_HTTPS2))
+
 #endif /* HEADER_CURL_HTTP_PROXY_H */
diff --git a/lib/setopt.c b/lib/setopt.c
index 6bb88791ca..b4ba30764c 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -1155,7 +1155,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
 
   case CURLOPT_PROXYTYPE:
     /*
-     * Set proxy type. HTTP/HTTP_1_0/SOCKS4/SOCKS4a/SOCKS5/SOCKS5_HOSTNAME
+     * Set proxy type.
      */
     arg = va_arg(param, long);
     if((arg < CURLPROXY_HTTP) || (arg > CURLPROXY_SOCKS5_HOSTNAME))
diff --git a/lib/url.c b/lib/url.c
index c4844c95de..1f61edff53 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1209,17 +1209,19 @@ ConnectionExists(struct Curl_easy *data,
         if(needle->bits.tunnel_proxy != check->bits.tunnel_proxy)
           continue;
 
-        if(needle->http_proxy.proxytype == CURLPROXY_HTTPS) {
+        if(IS_HTTPS_PROXY(needle->http_proxy.proxytype)) {
           /* use https proxy */
-          if(needle->handler->flags&PROTOPT_SSL) {
+          if(needle->http_proxy.proxytype !=
+             check->http_proxy.proxytype)
+            continue;
+          else if(needle->handler->flags&PROTOPT_SSL) {
             /* use double layer ssl */
             if(!Curl_ssl_config_matches(&needle->proxy_ssl_config,
                                         &check->proxy_ssl_config))
               continue;
           }
-
-          if(!Curl_ssl_config_matches(&needle->ssl_config,
-                                      &check->ssl_config))
+          else if(!Curl_ssl_config_matches(&needle->ssl_config,
+                                           &check->ssl_config))
             continue;
         }
       }
@@ -1521,8 +1523,8 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
   conn->bits.httpproxy = (conn->bits.proxy &&
                           (conn->http_proxy.proxytype == CURLPROXY_HTTP ||
                            conn->http_proxy.proxytype == CURLPROXY_HTTP_1_0 ||
-                           conn->http_proxy.proxytype == CURLPROXY_HTTPS)) ?
-                           TRUE : FALSE;
+                           IS_HTTPS_PROXY(conn->http_proxy.proxytype))) ?
+    TRUE : FALSE;
   conn->bits.socksproxy = (conn->bits.proxy &&
                            !conn->bits.httpproxy) ? TRUE : FALSE;
 
@@ -2154,8 +2156,12 @@ static CURLcode parse_proxy(struct Curl_easy *data,
       goto error;
     }
 
-    if(strcasecompare("https", scheme))
-      proxytype = CURLPROXY_HTTPS;
+    if(strcasecompare("https", scheme)) {
+      if(proxytype != CURLPROXY_HTTPS2)
+        proxytype = CURLPROXY_HTTPS;
+      else
+        proxytype = CURLPROXY_HTTPS2;
+    }
     else if(strcasecompare("socks5h", scheme))
       proxytype = CURLPROXY_SOCKS5_HOSTNAME;
     else if(strcasecompare("socks5", scheme))
@@ -2183,9 +2189,9 @@ static CURLcode parse_proxy(struct Curl_easy *data,
 #ifdef USE_SSL
   if(!Curl_ssl_supports(data, SSLSUPP_HTTPS_PROXY))
 #endif
-    if(proxytype == CURLPROXY_HTTPS) {
+    if(IS_HTTPS_PROXY(proxytype)) {
       failf(data, "Unsupported proxy \'%s\', libcurl is built without the "
-                  "HTTPS-proxy support.", proxy);
+            "HTTPS-proxy support.", proxy);
       result = CURLE_NOT_BUILT_IN;
       goto error;
     }
@@ -2242,7 +2248,7 @@ static CURLcode parse_proxy(struct Curl_easy *data,
          given */
       port = (int)data->set.proxyport;
     else {
-      if(proxytype == CURLPROXY_HTTPS)
+      if(IS_HTTPS_PROXY(proxytype))
         port = CURL_DEFAULT_HTTPS_PROXY_PORT;
       else
         port = CURL_DEFAULT_PROXY_PORT;
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 1fa05dca39..80168ee75f 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -1813,8 +1813,14 @@ static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
   bool use_alpn = conn->bits.tls_enable_alpn;
   int httpwant = CURL_HTTP_VERSION_1_1;
 
-#if defined(USE_HTTP2) && defined(DEBUGBUILD)
-  if(conn->bits.tunnel_proxy && getenv("CURL_PROXY_TUNNEL_H2")) {
+#ifdef USE_HTTP2
+  if(conn->bits.tunnel_proxy &&
+     ((conn->http_proxy.proxytype == CURLPROXY_HTTPS2)
+#ifdef DEBUGBUILD
+      || getenv("CURL_PROXY_TUNNEL_H2")
+#endif
+       )
+    ) {
     use_alpn = TRUE;
     httpwant = CURL_HTTP_VERSION_2;
   }