cert: disable security flags when WinHttpSetOption is WINHTTP_OPTION_CLIENT_CERT_CONTEXT

2024-05-18 14:31:45 -04:00 · 2024-05-18 14:31:45 -04:00 · 42138b7a7d
commit 42138b7a7d
parent a65b996080
1 changed files with 19 additions and 5 deletions
--- a/platform/cert.c
+++ b/platform/cert.c
@ -244,16 +244,30 @@ WINHTTPAPI BOOL hook_WinHttpSetOption(
    if (dwOption == WINHTTP_OPTION_CLIENT_CERT_CONTEXT) {
        // This is U G L Y and will fail on servers that actually check the client cert.
        dprintf("Cert: Block WINHTTP_OPTION_CLIENT_CERT_CONTEXT\n");
-        return true;
-    }
-    else if (dwOption == WINHTTP_OPTION_SECURITY_FLAGS) {
-        dprintf("Cert: Add all security ignore flags\n");
-        int value = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // the kitchen sink
        WINHTTP_STATUS_CALLBACK cb_check = WinHttpSetStatusCallback(hInternet, (WINHTTP_STATUS_CALLBACK)ca_error_cb, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0);
        if (cb_check == WINHTTP_INVALID_STATUS_CALLBACK) {
            dprintf("Cert: Failed to set SSL error callback: %08lX\n", GetLastError());
            SetLastError(0);
        }
+
+        // Sneak in security disable while we're here
+        int value = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // the kitchen sink
+        if (!next_WinHttpSetOption(hInternet, WINHTTP_OPTION_SECURITY_FLAGS, &value, 4)) {
+            dprintf("Cert: Failed to set ignore security flags: %08lX\n", GetLastError());
+            SetLastError(0);
+        }
+        return true;
+    }
+    else if (dwOption == WINHTTP_OPTION_SECURITY_FLAGS) {
+        dprintf("Cert: Add all security ignore flags\n");
+        
+        WINHTTP_STATUS_CALLBACK cb_check = WinHttpSetStatusCallback(hInternet, (WINHTTP_STATUS_CALLBACK)ca_error_cb, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0);
+        if (cb_check == WINHTTP_INVALID_STATUS_CALLBACK) {
+            dprintf("Cert: Failed to set SSL error callback: %08lX\n", GetLastError());
+            SetLastError(0);
+        }
+        
+        int value = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // the kitchen sink
        return next_WinHttpSetOption(hInternet, dwOption, &value, dwBufferLength);
    } else {
        dprintf("Cert: hook_WinHttpSetOption %p %08X\n", hInternet, (int)dwOption);