From 234cc45192cc854a2b1897bd90af86a66ff59ae4 Mon Sep 17 00:00:00 2001 From: liamwhite Date: Fri, 25 Aug 2023 18:02:32 -0400 Subject: ssl: tolerate handshake without hostname set (#11328) --- src/core/hle/service/ssl/ssl.cpp | 10 +-------- src/core/hle/service/ssl/ssl_backend_openssl.cpp | 3 +-- src/core/hle/service/ssl/ssl_backend_schannel.cpp | 25 +++++++++++------------ 3 files changed, 14 insertions(+), 24 deletions(-) diff --git a/src/core/hle/service/ssl/ssl.cpp b/src/core/hle/service/ssl/ssl.cpp index 2cba9e5c9..6c8427b0d 100644 --- a/src/core/hle/service/ssl/ssl.cpp +++ b/src/core/hle/service/ssl/ssl.cpp @@ -139,7 +139,6 @@ private: bool do_not_close_socket = false; bool get_server_cert_chain = false; std::shared_ptr socket; - bool did_set_host_name = false; bool did_handshake = false; Result SetSocketDescriptorImpl(s32* out_fd, s32 fd) { @@ -174,11 +173,7 @@ private: Result SetHostNameImpl(const std::string& hostname) { LOG_DEBUG(Service_SSL, "called. hostname={}", hostname); ASSERT(!did_handshake); - Result res = backend->SetHostName(hostname); - if (res == ResultSuccess) { - did_set_host_name = true; - } - return res; + return backend->SetHostName(hostname); } Result SetVerifyOptionImpl(u32 option) { @@ -208,9 +203,6 @@ private: Result DoHandshakeImpl() { ASSERT_OR_EXECUTE(!did_handshake && socket, { return ResultNoSocket; }); - ASSERT_OR_EXECUTE_MSG( - did_set_host_name, { return ResultInternalError; }, - "Expected SetHostName before DoHandshake"); Result res = backend->DoHandshake(); did_handshake = res.IsSuccess(); return res; diff --git a/src/core/hle/service/ssl/ssl_backend_openssl.cpp b/src/core/hle/service/ssl/ssl_backend_openssl.cpp index b2dd37cd4..5714e6f3c 100644 --- a/src/core/hle/service/ssl/ssl_backend_openssl.cpp +++ b/src/core/hle/service/ssl/ssl_backend_openssl.cpp @@ -167,9 +167,8 @@ public: } ~SSLConnectionBackendOpenSSL() { - // these are null-tolerant: + // this is null-tolerant: SSL_free(ssl); - BIO_free(bio); } static void KeyLogCallback(const SSL* ssl, const char* line) { diff --git a/src/core/hle/service/ssl/ssl_backend_schannel.cpp b/src/core/hle/service/ssl/ssl_backend_schannel.cpp index bda12b761..d834a0c1f 100644 --- a/src/core/hle/service/ssl/ssl_backend_schannel.cpp +++ b/src/core/hle/service/ssl/ssl_backend_schannel.cpp @@ -31,9 +31,9 @@ CredHandle cred_handle; static void OneTimeInit() { schannel_cred.dwVersion = SCHANNEL_CRED_VERSION; schannel_cred.dwFlags = - SCH_USE_STRONG_CRYPTO | // don't allow insecure protocols - SCH_CRED_AUTO_CRED_VALIDATION | // validate certs - SCH_CRED_NO_DEFAULT_CREDS; // don't automatically present a client certificate + SCH_USE_STRONG_CRYPTO | // don't allow insecure protocols + SCH_CRED_NO_SERVERNAME_CHECK | // don't validate server names + SCH_CRED_NO_DEFAULT_CREDS; // don't automatically present a client certificate // ^ I'm assuming that nobody would want to connect Yuzu to a // service that requires some OS-provided corporate client // certificate, and presenting one to some arbitrary server @@ -227,16 +227,15 @@ public: ciphertext_read_buf.size()); } - const SECURITY_STATUS ret = - InitializeSecurityContextA(&cred_handle, initial_call_done ? &ctxt : nullptr, - // Caller ensured we have set a hostname: - const_cast(hostname.value().c_str()), req, - 0, // Reserved1 - 0, // TargetDataRep not used with Schannel - initial_call_done ? &input_desc : nullptr, - 0, // Reserved2 - initial_call_done ? nullptr : &ctxt, &output_desc, &attr, - nullptr); // ptsExpiry + char* hostname_ptr = hostname ? const_cast(hostname->c_str()) : nullptr; + const SECURITY_STATUS ret = InitializeSecurityContextA( + &cred_handle, initial_call_done ? &ctxt : nullptr, hostname_ptr, req, + 0, // Reserved1 + 0, // TargetDataRep not used with Schannel + initial_call_done ? &input_desc : nullptr, + 0, // Reserved2 + initial_call_done ? nullptr : &ctxt, &output_desc, &attr, + nullptr); // ptsExpiry if (output_buffers[0].pvBuffer) { const std::span span(static_cast(output_buffers[0].pvBuffer), -- cgit v1.2.3