From d3be9d155da6d53e5cd6fc7e2eafe2488abecdd0 Mon Sep 17 00:00:00 2001 From: Sepalani Date: Sun, 7 Jun 2015 00:49:18 +0200 Subject: [PATCH] Fixed: Allowed unknown certificates --- .../IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp | 2 +- Source/Core/Core/IPC_HLE/WII_Socket.cpp | 22 ++++++++++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp index 4a4e9823b3..bfd51243d3 100644 --- a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp +++ b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp @@ -174,7 +174,7 @@ IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) mbedtls_ssl_set_session(&ssl->ctx, &ssl->session); - mbedtls_ssl_conf_authmode(&ssl->config, MBEDTLS_SSL_VERIFY_NONE); + mbedtls_ssl_conf_authmode(&ssl->config, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_renegotiation(&ssl->config, MBEDTLS_SSL_RENEGOTIATION_ENABLED); ssl->hostname = hostname; diff --git a/Source/Core/Core/IPC_HLE/WII_Socket.cpp b/Source/Core/Core/IPC_HLE/WII_Socket.cpp index 229073bbfd..e956168116 100644 --- a/Source/Core/Core/IPC_HLE/WII_Socket.cpp +++ b/Source/Core/Core/IPC_HLE/WII_Socket.cpp @@ -312,7 +312,8 @@ void WiiSocket::Update(bool read, bool write, bool except) { case IOCTLV_NET_SSL_DOHANDSHAKE: { - int ret = mbedtls_ssl_handshake(&CWII_IPC_HLE_Device_net_ssl::_SSL[sslID].ctx); + mbedtls_ssl_context* ctx = &CWII_IPC_HLE_Device_net_ssl::_SSL[sslID].ctx; + int ret = mbedtls_ssl_handshake(ctx); switch (ret) { case 0: @@ -328,6 +329,25 @@ void WiiSocket::Update(bool read, bool write, bool except) if (!nonBlock) ReturnValue = SSL_ERR_WAGAIN; break; + case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: + { + int flags = ctx->session_negotiate->verify_result; + if (flags & MBEDTLS_X509_BADCERT_CN_MISMATCH) + ret = SSL_ERR_VCOMMONNAME; + else if (flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) + ret = SSL_ERR_VROOTCA; + else if (flags & MBEDTLS_X509_BADCERT_REVOKED) + ret = SSL_ERR_VCHAIN; + else if (flags & MBEDTLS_X509_BADCERT_EXPIRED || + flags & MBEDTLS_X509_BADCERT_FUTURE) + ret = SSL_ERR_VDATE; + else + ret = SSL_ERR_FAILED; + Memory::Write_U32(ret, BufferIn); + if (!nonBlock) + ReturnValue = ret; + break; + } default: Memory::Write_U32(SSL_ERR_FAILED, BufferIn); break;