From 719af1aff482cf1ae37bccedf071962ffad761c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Lam?= <leo@innovatetechnologi.es>
Date: Sun, 11 Jun 2017 18:35:24 +0200
Subject: [PATCH] IOS/ES: Verify containers in ImportTicket

---
 Source/Core/Core/IOS/ES/ES.h                |  2 +-
 Source/Core/Core/IOS/ES/TitleManagement.cpp | 11 +++++++++--
 Source/Core/UICommon/WiiUtils.cpp           |  2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/Source/Core/Core/IOS/ES/ES.h b/Source/Core/Core/IOS/ES/ES.h
index 8b18811ac1..27cc16bca0 100644
--- a/Source/Core/Core/IOS/ES/ES.h
+++ b/Source/Core/Core/IOS/ES/ES.h
@@ -112,7 +112,7 @@ public:
   std::vector<std::array<u8, 20>> GetSharedContents() const;
 
   // Title management
-  ReturnCode ImportTicket(const std::vector<u8>& ticket_bytes);
+  ReturnCode ImportTicket(const std::vector<u8>& ticket_bytes, const std::vector<u8>& cert_chain);
   ReturnCode ImportTmd(Context& context, const std::vector<u8>& tmd_bytes);
   ReturnCode ImportTitleInit(Context& context, const std::vector<u8>& tmd_bytes);
   ReturnCode ImportContentBegin(Context& context, u64 title_id, u32 content_id);
diff --git a/Source/Core/Core/IOS/ES/TitleManagement.cpp b/Source/Core/Core/IOS/ES/TitleManagement.cpp
index f5206ef1a1..dacefe9db9 100644
--- a/Source/Core/Core/IOS/ES/TitleManagement.cpp
+++ b/Source/Core/Core/IOS/ES/TitleManagement.cpp
@@ -46,7 +46,7 @@ static ReturnCode WriteTicket(const IOS::ES::TicketReader& ticket)
   return ticket_file.WriteBytes(raw_ticket.data(), raw_ticket.size()) ? IPC_SUCCESS : ES_EIO;
 }
 
-ReturnCode ES::ImportTicket(const std::vector<u8>& ticket_bytes)
+ReturnCode ES::ImportTicket(const std::vector<u8>& ticket_bytes, const std::vector<u8>& cert_chain)
 {
   IOS::ES::TicketReader ticket{ticket_bytes};
   if (!ticket.IsValid())
@@ -70,6 +70,11 @@ ReturnCode ES::ImportTicket(const std::vector<u8>& ticket_bytes)
     }
   }
 
+  const ReturnCode verify_ret =
+      VerifyContainer(VerifyContainerType::Ticket, VerifyMode::UpdateCertStore, ticket, cert_chain);
+  if (verify_ret != IPC_SUCCESS)
+    return verify_ret;
+
   const ReturnCode write_ret = WriteTicket(ticket);
   if (write_ret != IPC_SUCCESS)
     return write_ret;
@@ -85,7 +90,9 @@ IPCCommandResult ES::ImportTicket(const IOCtlVRequest& request)
 
   std::vector<u8> bytes(request.in_vectors[0].size);
   Memory::CopyFromEmu(bytes.data(), request.in_vectors[0].address, request.in_vectors[0].size);
-  return GetDefaultReply(ImportTicket(bytes));
+  std::vector<u8> cert_chain(request.in_vectors[1].size);
+  Memory::CopyFromEmu(bytes.data(), request.in_vectors[1].address, request.in_vectors[1].size);
+  return GetDefaultReply(ImportTicket(bytes, cert_chain));
 }
 
 ReturnCode ES::ImportTmd(Context& context, const std::vector<u8>& tmd_bytes)
diff --git a/Source/Core/UICommon/WiiUtils.cpp b/Source/Core/UICommon/WiiUtils.cpp
index acd4713a33..35e4c22678 100644
--- a/Source/Core/UICommon/WiiUtils.cpp
+++ b/Source/Core/UICommon/WiiUtils.cpp
@@ -27,7 +27,7 @@ bool InstallWAD(const std::string& wad_path)
   const auto es = ios.GetES();
 
   IOS::HLE::Device::ES::Context context;
-  if (es->ImportTicket(wad.GetTicket().GetBytes()) < 0 ||
+  if (es->ImportTicket(wad.GetTicket().GetBytes(), wad.GetCertificateChain()) < 0 ||
       es->ImportTitleInit(context, tmd.GetBytes()) < 0)
   {
     PanicAlertT("WAD installation failed: Could not initialise title import.");