
Steam API improvements (Certificate verification)

Open yani opened this issue 7 months ago • 9 comments

This will:

  • Verify the steam_api.dll certificate using the Windows API (protect against malware)
  • Allow loading the DLL under Wine (in very rare cases the user might have Steam running under Wine too)
  • Make steam_api_init() a void function

yani avatar May 28 '25 16:05 yani

I am not sure the problem this PR solves exists at all. Consider that a user wants to install a fake steam_api.dll into the KFX installation. So what?

SimLV avatar May 29 '25 09:05 SimLV

> I am not sure the problem this PR solves exists at all. Consider that a user wants to install a fake steam_api.dll into the KFX installation. So what?

Maybe a command line flag to disable the check would be better.

Normally you cannot edit the DLLs of the application without admin rights (since Windows Vista), but because using the Steam API requires you to download and place a DLL, we can protect users against malicious DLLs from shady sources. Just google "steam_api.dll" and you will see a lot of download links. Who knows if all of those are safe.

yani avatar May 29 '25 13:05 yani

Okay. I am a bit concerned about bloating dependencies but ok

SimLV avatar May 29 '25 14:05 SimLV

> Okay. I am a bit concerned about bloating dependencies but ok

It's the Windows API so I think that's not too much of a problem.

Binary file size change is also minimal: 9866KiB -> 9868KiB. That's a 0.02% increase.

yani avatar May 29 '25 14:05 yani

Should I add a command line option to not verify the certificate?

yani avatar May 29 '25 14:05 yani

Yes. Better to add it. I think you don't have to support it in your Qt Launcher. (I hope you have a place for "other options" there)

SimLV avatar Jun 01 '25 07:06 SimLV

I added the -nocertverify command line parameter and separated the certification verification code into its own source files.

yani avatar Aug 26 '25 09:08 yani

Like @SimLV I don't see the point of checking whether the DLL is real or not. No game I know of does that.

> Normally you can not edit the DLLs of the application without admin rights (since Windows Vista) ...

Depends on where and how the application is installed. Regardless, for compatibility reasons Windows will always load any DLL with the same name from the game folder first.

> ... Steam API requires you to download and place a DLL ...

All the games I know either ship with a copy of this DLL and/or load the system one.

> ... we can protect users against malicious DLLs from shady sources. Just google "steam_api.dll" and you will see a lot of download links.

The same holds true for all other existing and non-existing DLLs. If this is the only reason for performing the validation, I'd just provide the DLL along with KFX.

I did have concerns as far as certificate expiration goes (I hate time bombs) but as long as WTD_LIFETIME_SIGNING_FLAG isn't set, expiration appears to be ignored.

xtremeqg avatar Aug 26 '25 17:08 xtremeqg

> No game I know of does that.

> Depends on where and how the application is installed. Regardless, for compatibility reasons Windows will always load any DLL with the same name from the game folder first.

> All the games I know either ship with a copy of this DLL and/or load the system one.

We cannot ship the official DLL ourselves because we are not an official mod on Steam. So people have to add their own one. I thought it would be good to protect users who do this.

> I did have concerns as far as certificate expiration goes (I hate time bombs) but as long as WTD_LIFETIME_SIGNING_FLAG isn't set, expiration appears to be ignored.

Are you sure it's ignored? I think it's just handled by Windows and its root certificate store.

yani avatar Aug 26 '25 18:08 yani
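
A user-side version of the check discussed in this thread, as an added example that is not part of the PR or of KeeperFX: it inspects the Authenticode signature of a downloaded steam_api.dll with the built-in `Get-AuthenticodeSignature` cmdlet instead of the PR's Windows API code. The function name `Test-DllSignature` and the `$ExpectedSigner` value are assumptions; set the signer to the publisher name you expect.

```powershell
# Added example (not KeeperFX code). Run as: .\check-dll.ps1 -DllPath .\steam_api.dll -ExpectedSigner '<publisher>'
param(
    [Parameter(Mandatory)] [string] $DllPath,
    [string] $ExpectedSigner = '<expected publisher name>'   # assumption: placeholder
)

function Test-DllSignature {
    param([string] $Path, [string] $Signer)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Validates the embedded signature and its chain against the Windows trust store.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate          # $null when the file is unsigned

    $subject = $null; $thumb = $null; $notAfter = $null
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $subject  = $cert.GetNameInfo($nameType, $false)   # subject common name
        $thumb    = $cert.Thumbprint
        $notAfter = $cert.NotAfter
    }

    [pscustomobject]@{
        Path          = $sig.Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $subject
        Thumbprint    = $thumb
        CertNotAfter  = $notAfter
        # A timestamp countersignature records when the file was signed, so the
        # signature can be evaluated as of that time rather than as of today.
        Timestamped   = [bool] $sig.TimeStamperCertificate
        # A valid signature alone is not enough: anyone can buy a code-signing
        # certificate, so the signer name must match the expected publisher too.
        Trusted       = ($sig.Status -eq 'Valid') -and ($subject -eq $Signer)
    }
}

$result = Test-DllSignature -Path $DllPath -Signer $ExpectedSigner
$result | Format-List
if (-not $result.Trusted) { exit 1 }
```

The `Timestamped` and `CertNotAfter` fields make it easy to see whether the file you downloaded depends on a signing certificate that has already expired.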