fix certs, add winhttpsetoption hook

Package.mk

@@ -1,6 +1,7 @@
 $(BUILD_DIR_ZIP)/siva.zip:
 	$(V)echo ... $@
 	$(V)mkdir -p $(BUILD_DIR_ZIP)/siva
+	$(V)mkdir -p $(BUILD_DIR_ZIP)/siva/cert
 	$(V)cp $(BUILD_DIR_32)/subprojects/capnhook/inject/inject.exe \
 		$(BUILD_DIR_32)/sivahook/sivahook.dll \
 		$(BUILD_DIR_ZIP)/siva
@@ -16,8 +17,8 @@ $(BUILD_DIR_ZIP)/siva.zip:
 		$(BUILD_DIR_ZIP)/siva
 	$(V)mv $(BUILD_DIR_ZIP)/siva/iDmacDrv.dll \
 		$(BUILD_DIR_ZIP)/siva/iDmacDrv64.dll
-	$(V)cp pki/cert.p12 \
+	$(V)cp pki/nesys.cer \
-    	$(BUILD_DIR_ZIP)/siva
+    	$(BUILD_DIR_ZIP)/siva/cert
 	$(V)strip $(BUILD_DIR_ZIP)/siva/*.{exe,dll}
 	$(V)cd $(BUILD_DIR_ZIP)/siva ; zip -r ../siva.zip *
 	

hooklib/dns.c

@@ -502,11 +502,17 @@ static WINHTTPAPI BOOL hook_WinHttpCrackUrl(
     const struct dns_hook_entry *pos;
     wchar_t bfr[1024] = {0};
     if (!next_WinHttpCrackUrl(pwszUrl, dwUrlLength, dwFlags, lpUrlComponents)) {
+        dprintf("DNS: next_WinHttpCrackUrl FAIL %08X\n", (int)GetLastError());
         return false;
     }
 
-    dprintf("DNS: crack URL %S\n", lpUrlComponents->lpszHostName);
 
+    if (dns_hook_lock.DebugInfo == 0) {
+        return true;
+    }
+
+    dprintf("DNS: crack URL %S\n", lpUrlComponents->lpszHostName);
+    
     EnterCriticalSection(&dns_hook_lock);
 
     for (i = 0 ; i < dns_hook_nentries ; i++) {
@@ -520,7 +526,7 @@ static WINHTTPAPI BOOL hook_WinHttpCrackUrl(
             } else {
                 wcscat_s(bfr, _countof(bfr), pos->to);
                 wcscat_s(bfr, _countof(bfr), path);
-                //dprintf("DNS: Replaced cracked url %S (%d) -> %S\n", lpUrlComponents->lpszHostName, (int)lpUrlComponents->dwHostNameLength, bfr);
+                dprintf("DNS: Replaced cracked url %S (%d) -> %S\n", lpUrlComponents->lpszHostName, (int)lpUrlComponents->dwHostNameLength, bfr);
                 lpUrlComponents->lpszHostName = bfr;
                 lpUrlComponents->dwHostNameLength = wcslen(pos->to);
             }

initpki

@@ -23,6 +23,3 @@ openssl x509 -req -sha256 -days 3650 -in pki/PREMIUM.csr -CA pki/nesys.cer -CAke
 # Generate server cert and key
 openssl req -newkey rsa:2048 -nodes -keyout pki/server.key -out pki/server.csr -subj "/C=JP/ST=A/L=A/CN=*.nesys.jp"
 openssl x509 -req -sha256 -days 3650 -in pki/server.csr -CA pki/nesys.cer -CAkey pki/nesys.key -out pki/server.cer -set_serial 0
-
-# Pack the nesys CA and key into a p12
-openssl pkcs12 -export -in pki/PREMIUM.cer -inkey pki/PREMIUM.key -certfile pki/nesys.cer -name "Nesica" -out pki/cert.p12

platform/cert.c

@@ -1,5 +1,6 @@
 #include <windows.h>
 #include <wincrypt.h>
+#include <winhttp.h>
 
 #include <assert.h>
 #include <stdbool.h>
@@ -33,6 +34,13 @@ HCERTSTORE WINAPI hook_CertOpenStore(
     const void        *pvPara
 );
 
+WINHTTPAPI BOOL hook_WinHttpSetOption(
+    HINTERNET hInternet,
+    DWORD     dwOption,
+    LPVOID    lpBuffer,
+    DWORD     dwBufferLength
+);
+
 PCCERT_CONTEXT (WINAPI *next_CertFindCertificateInStore)(
     HCERTSTORE     hCertStore,
     DWORD          dwCertEncodingType,
@@ -50,6 +58,13 @@ HCERTSTORE (WINAPI *next_CertOpenStore)(
     const void        *pvPara
 );
 
+WINHTTPAPI BOOL (*next_WinHttpSetOption)(
+    HINTERNET hInternet,
+    DWORD     dwOption,
+    LPVOID    lpBuffer,
+    DWORD     dwBufferLength
+);
+
 static const struct hook_symbol cert_syms[] = {
     {
         .name   = "CertFindCertificateInStore",
@@ -63,6 +78,14 @@ static const struct hook_symbol cert_syms[] = {
     },
 };
 
+static const struct hook_symbol winhttp_syms[] = {
+    {
+        .name   = "WinHttpSetOption",
+        .patch  = hook_WinHttpSetOption,
+        .link   = (void **) &next_WinHttpSetOption,
+    },
+};
+
 HRESULT cert_hook_init(const struct cert_config *cfg)
 {
     assert(cfg != NULL);
@@ -81,6 +104,12 @@ HRESULT cert_hook_init(const struct cert_config *cfg)
         "crypt32.dll",
         (struct hook_symbol *) cert_syms,
         _countof(cert_syms));
+
+    proc_addr_table_push(
+        NULL,
+        "Winhttp.dll",
+        (struct hook_symbol *) winhttp_syms,
+        _countof(winhttp_syms));
     
     return S_OK;
 }
@@ -92,6 +121,11 @@ void cert_hook_insert_hooks(HMODULE target)
         "crypt32.dll",
         cert_syms,
         _countof(cert_syms));
+    hook_table_apply(
+        target,
+        "winhttp.dll",
+        (struct hook_symbol *) winhttp_syms,
+        _countof(winhttp_syms));
 }
 
 PCCERT_CONTEXT WINAPI hook_CertFindCertificateInStore(
@@ -116,7 +150,7 @@ PCCERT_CONTEXT WINAPI hook_CertFindCertificateInStore(
         wcscat_s(cert_path, _countof(cert_path), (wchar_t *)pvFindPara); // use the search string as a name
         wcscat_s(cert_path, _countof(cert_path), L".cer");
 
-        //dprintf("Cert: Look for override cert at %S\n", cert_path);
+        dprintf("Cert: Look for override cert at %S\n", cert_path);
 
         HANDLE f = CreateFileW((LPCWSTR)cert_path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 
@@ -158,7 +192,7 @@ HCERTSTORE WINAPI hook_CertOpenStore(
 {
     BYTE bfr[4096] = {0};
     DWORD num_read = 0;
-    /*if (lpszStoreProvider <= CERT_STORE_PROV_PKCS12) {
+    if (lpszStoreProvider <= CERT_STORE_PROV_PKCS12) {
         dprintf("Cert: Open store for %p -> %S (%04X)\n", lpszStoreProvider, (wchar_t *)pvPara, (int)dwFlags);
     } else {
         dprintf("Cert: Open store for %s\n", lpszStoreProvider);
@@ -175,8 +209,8 @@ HCERTSTORE WINAPI hook_CertOpenStore(
         }
         dprintf("Cert: Failed to open store %08X\n", (int)err);
     }
-    return ret;*/
+    return ret;
-    HANDLE f = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    /*HANDLE f = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 
         if (f != INVALID_HANDLE_VALUE) {
             dprintf("Cert: Read file %S\n", path);
@@ -195,6 +229,27 @@ HCERTSTORE WINAPI hook_CertOpenStore(
             }
         }
 
-    return next_CertOpenStore(lpszStoreProvider, dwEncodingType, hCryptProv, dwFlags, pvPara);
+    return next_CertOpenStore(lpszStoreProvider, dwEncodingType, hCryptProv, dwFlags, pvPara);*/
 
 }
+WINHTTPAPI BOOL hook_WinHttpSetOption(
+    HINTERNET hInternet,
+    DWORD     dwOption,
+    LPVOID    lpBuffer,
+    DWORD     dwBufferLength
+)
+{
+    dprintf("Cert: hook_WinHttpSetOption %p %08X\n", hInternet, (int)dwOption);
+    if (dwOption == WINHTTP_OPTION_CLIENT_CERT_CONTEXT) {
+        // This is U G L Y and will fail on servers that actually check the client cert.
+        dprintf("Cert: Block WINHTTP_OPTION_CLIENT_CERT_CONTEXT\n");
+        return true;
+    }
+    else if (dwOption == WINHTTP_OPTION_SECURITY_FLAGS) {
+        dprintf("Cert: Add all security ignore flags\n");
+        int value = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // the kitchen sink
+        return next_WinHttpSetOption(hInternet, dwOption, &value, dwBufferLength);
+    }
+
+    return next_WinHttpSetOption(hInternet, dwOption, lpBuffer, dwBufferLength);
+}

platform/config.c

@@ -44,7 +44,7 @@ void cert_config_load(struct cert_config *cfg, const wchar_t *filename)
     GetPrivateProfileStringW(
             L"cert",
             L"path",
-            L"cert.p12",
+            L"cert",
             cfg->path,
             _countof(cfg->path),
             filename);