From a1f63da057dc4ee6f5ca585b1aff3d3400cd0d5a Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Sat, 17 Jul 2021 19:34:08 -0500
Subject: [PATCH] Fix client auth error with some embedded clients

---
 sunshine/crypto.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sunshine/crypto.cpp b/sunshine/crypto.cpp
index 50d190d5..006cf7fb 100644
--- a/sunshine/crypto.cpp
+++ b/sunshine/crypto.cpp
@@ -52,9 +52,13 @@ const char *cert_chain_t::verify(x509_t::element_type *cert) {
 X509_STORE_CTX_cleanup(_cert_ctx.get());
 });
 
- X509_STORE_CTX_init(_cert_ctx.get(), x509_store.get(), nullptr, nullptr);
+ X509_STORE_CTX_init(_cert_ctx.get(), x509_store.get(), cert, nullptr);
 X509_STORE_CTX_set_verify_cb(_cert_ctx.get(), openssl_verify_cb);
- X509_STORE_CTX_set_cert(_cert_ctx.get(), cert);
+
+ // We don't care to validate the entire chain for the purposes of client auth.
+ // Some versions of clients forked from Moonlight Embedded produce client certs
+ // that OpenSSL doesn't detect as self-signed due to some X509v3 extensions.
+ X509_STORE_CTX_set_flags(_cert_ctx.get(), X509_V_FLAG_PARTIAL_CHAIN);
 
 auto err = X509_verify_cert(_cert_ctx.get());
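Review bot: `X509_V_FLAG_PARTIAL_CHAIN` on the new `X509_STORE_CTX_set_flags` line makes every certificate in `x509_store` a trust anchor, so a certificate issued by the pinned client key would also pass unless OpenSSL rejects the pinned cert as a non-CA issuer, which depends on its basicConstraints and is not checked in this hunk — that is wider than the "accept this exact pinned cert" the added comment describes. Since the intent is pinning, constrain the accepted chain to the pinned certificate itself after `X509_verify_cert`, e.g. `if(err == 1 && sk_X509_num(X509_STORE_CTX_get0_chain(_cert_ctx.get())) != 1) err = 0; // pinning: only the stored cert itself, nothing it signed` (OpenSSL ≥ 1.1.0). The return value of `X509_STORE_CTX_init` is still ignored on the changed line; a failed init leaves the context uninitialized for the `set_verify_cb`/`set_flags`/`X509_verify_cert` calls that follow, so treat `!X509_STORE_CTX_init(...)` as a verification failure for this store. `openssl_verify_cb` is outside the hunk, so whether it overrides any verification errors cannot be confirmed from here, and `cert_chain_t::verify` continues past the hunk where `err` is consumed.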