search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
widl: Add support for function parameter flags to SLTG typelib generator.
[wine.git] / dlls / wininet / netconnection.c
blob06aa5c82f6cefdabed6569f84b36af8336128f10
1 /*
2 * Wininet - networking layer
3 *
4 * Copyright 2002 TransGaming Technologies Inc.
5 * Copyright 2013 Jacek Caban for CodeWeavers
6 *
7 * David Hammerton
8 *
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
22 */
23
24 #include "ws2tcpip.h"
25
26 #include <time.h>
27 #include <stdarg.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <stdio.h>
31 #include <assert.h>
32
33 #include "windef.h"
34 #include "winbase.h"
35 #include "wininet.h"
36 #include "winerror.h"
37
38 #include "wine/debug.h"
39 #include "internet.h"
40
41 WINE_DEFAULT_DEBUG_CHANNEL(wininet);
42
43 static DWORD netconn_verify_cert(netconn_t *conn, PCCERT_CONTEXT cert, HCERTSTORE store)
44 {
45 BOOL ret;
46 CERT_CHAIN_PARA chainPara = { sizeof(chainPara), { 0 } };
47 PCCERT_CHAIN_CONTEXT chain;
48 char oid_server_auth[] = szOID_PKIX_KP_SERVER_AUTH;
49 char *server_auth[] = { oid_server_auth };
50 DWORD err = ERROR_SUCCESS, errors;
51
52 static const DWORD supportedErrors =
53 CERT_TRUST_IS_NOT_TIME_VALID |
54 CERT_TRUST_IS_UNTRUSTED_ROOT |
55 CERT_TRUST_IS_PARTIAL_CHAIN |
56 CERT_TRUST_IS_NOT_SIGNATURE_VALID |
57 CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
58
59 TRACE("verifying %s\n", debugstr_w(conn->server->name));
60
61 chainPara.RequestedUsage.Usage.cUsageIdentifier = 1;
62 chainPara.RequestedUsage.Usage.rgpszUsageIdentifier = server_auth;
63 if (!(ret = CertGetCertificateChain(NULL, cert, NULL, store, &chainPara, 0, NULL, &chain))) {
64 TRACE("failed\n");
65 return GetLastError();
66 }
67
68 errors = chain->TrustStatus.dwErrorStatus;
69
70 do {
71 /* This seems strange, but that's what tests show */
72 if(errors & CERT_TRUST_IS_PARTIAL_CHAIN) {
73 WARN("ERROR_INTERNET_SEC_CERT_REV_FAILED\n");
74 err = ERROR_INTERNET_SEC_CERT_REV_FAILED;
75 if(conn->mask_errors)
76 conn->security_flags |= _SECURITY_FLAG_CERT_REV_FAILED;
77 if(!(conn->security_flags & SECURITY_FLAG_IGNORE_REVOCATION))
78 break;
79 }
80
81 if (chain->TrustStatus.dwErrorStatus & ~supportedErrors) {
82 WARN("error status %lx\n", chain->TrustStatus.dwErrorStatus & ~supportedErrors);
83 err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_INVALID_CERT;
84 errors &= supportedErrors;
85 if(!conn->mask_errors)
86 break;
87 WARN("unknown error flags\n");
88 }
89
90 if(errors & CERT_TRUST_IS_NOT_TIME_VALID) {
91 WARN("CERT_TRUST_IS_NOT_TIME_VALID\n");
92 if(!(conn->security_flags & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID)) {
93 err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_CERT_DATE_INVALID;
94 if(!conn->mask_errors)
95 break;
96 conn->security_flags |= _SECURITY_FLAG_CERT_INVALID_DATE;
97 }
98 errors &= ~CERT_TRUST_IS_NOT_TIME_VALID;
99 }
100
101 if(errors & CERT_TRUST_IS_UNTRUSTED_ROOT) {
102 WARN("CERT_TRUST_IS_UNTRUSTED_ROOT\n");
103 if(!(conn->security_flags & SECURITY_FLAG_IGNORE_UNKNOWN_CA)) {
104 err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_INVALID_CA;
105 if(!conn->mask_errors)
106 break;
107 conn->security_flags |= _SECURITY_FLAG_CERT_INVALID_CA;
108 }
109 errors &= ~CERT_TRUST_IS_UNTRUSTED_ROOT;
110 }
111
112 if(errors & CERT_TRUST_IS_PARTIAL_CHAIN) {
113 WARN("CERT_TRUST_IS_PARTIAL_CHAIN\n");
114 if(!(conn->security_flags & SECURITY_FLAG_IGNORE_UNKNOWN_CA)) {
115 err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_INVALID_CA;
116 if(!conn->mask_errors)
117 break;
118 conn->security_flags |= _SECURITY_FLAG_CERT_INVALID_CA;
119 }
120 errors &= ~CERT_TRUST_IS_PARTIAL_CHAIN;
121 }
122
123 if(errors & CERT_TRUST_IS_NOT_SIGNATURE_VALID) {
124 WARN("CERT_TRUST_IS_NOT_SIGNATURE_VALID\n");
125 if(!(conn->security_flags & SECURITY_FLAG_IGNORE_UNKNOWN_CA)) {
126 err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_INVALID_CA;
127 if(!conn->mask_errors)
128 break;
129 conn->security_flags |= _SECURITY_FLAG_CERT_INVALID_CA;
130 }
131 errors &= ~CERT_TRUST_IS_NOT_SIGNATURE_VALID;
132 }
133
134 if(errors & CERT_TRUST_IS_NOT_VALID_FOR_USAGE) {
135 WARN("CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n");
136 if(!(conn->security_flags & SECURITY_FLAG_IGNORE_WRONG_USAGE)) {
137 err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_INVALID_CERT;
138 if(!conn->mask_errors)
139 break;
140 WARN("CERT_TRUST_IS_NOT_VALID_FOR_USAGE, unknown error flags\n");
141 }
142 errors &= ~CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
143 }
144
145 if(err == ERROR_INTERNET_SEC_CERT_REV_FAILED) {
146 assert(conn->security_flags & SECURITY_FLAG_IGNORE_REVOCATION);
147 err = ERROR_SUCCESS;
148 }
149 }while(0);
150
151 if(!err || conn->mask_errors) {
152 CERT_CHAIN_POLICY_PARA policyPara;
153 SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslExtraPolicyPara;
154 CERT_CHAIN_POLICY_STATUS policyStatus;
155 CERT_CHAIN_CONTEXT chainCopy;
156
157 /* Clear chain->TrustStatus.dwErrorStatus so
158 * CertVerifyCertificateChainPolicy will verify additional checks
159 * rather than stopping with an existing, ignored error.
160 */
161 memcpy(&chainCopy, chain, sizeof(chainCopy));
162 chainCopy.TrustStatus.dwErrorStatus = 0;
163 sslExtraPolicyPara.cbSize = sizeof(sslExtraPolicyPara);
164 sslExtraPolicyPara.dwAuthType = AUTHTYPE_SERVER;
165 sslExtraPolicyPara.pwszServerName = conn->server->name;
166 sslExtraPolicyPara.fdwChecks = conn->security_flags;
167 policyPara.cbSize = sizeof(policyPara);
168 policyPara.dwFlags = 0;
169 policyPara.pvExtraPolicyPara = &sslExtraPolicyPara;
170 ret = CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL,
171 &chainCopy, &policyPara, &policyStatus);
172 /* Any error in the policy status indicates that the
173 * policy couldn't be verified.
174 */
175 if(ret) {
176 if(policyStatus.dwError == CERT_E_CN_NO_MATCH) {
177 WARN("CERT_E_CN_NO_MATCH\n");
178 if(conn->mask_errors)
179 conn->security_flags |= _SECURITY_FLAG_CERT_INVALID_CN;
180 err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_CERT_CN_INVALID;
181 }else if(policyStatus.dwError) {
182 WARN("policyStatus.dwError %lx\n", policyStatus.dwError);
183 if(conn->mask_errors)
184 WARN("unknown error flags for policy status %lx\n", policyStatus.dwError);
185 err = conn->mask_errors && err ? ERROR_INTERNET_SEC_CERT_ERRORS : ERROR_INTERNET_SEC_INVALID_CERT;
186 }
187 }else {
188 err = GetLastError();
189 }
190 }
191
192 if(err) {
193 WARN("failed %lu\n", err);
194 CertFreeCertificateChain(chain);
195 if(conn->server->cert_chain) {
196 CertFreeCertificateChain(conn->server->cert_chain);
197 conn->server->cert_chain = NULL;
198 }
199 if(conn->mask_errors)
200 conn->server->security_flags |= conn->security_flags & _SECURITY_ERROR_FLAGS_MASK;
201 return err;
202 }
203
204 /* FIXME: Reuse cached chain */
205 if(conn->server->cert_chain)
206 CertFreeCertificateChain(chain);
207 else
208 conn->server->cert_chain = chain;
209 return ERROR_SUCCESS;
210 }
211
212 static SecHandle cred_handle, compat_cred_handle;
213 static BOOL cred_handle_initialized, have_compat_cred_handle;
214
215 static CRITICAL_SECTION init_sechandle_cs;
216 static CRITICAL_SECTION_DEBUG init_sechandle_cs_debug = {
217 0, 0, &init_sechandle_cs,
218 { &init_sechandle_cs_debug.ProcessLocksList,
219 &init_sechandle_cs_debug.ProcessLocksList },
220 0, 0, { (DWORD_PTR)(__FILE__ ": init_sechandle_cs") }
221 };
222 static CRITICAL_SECTION init_sechandle_cs = { &init_sechandle_cs_debug, -1, 0, 0, 0, 0 };
223
224 static BOOL ensure_cred_handle(void)
225 {
226 SECURITY_STATUS res = SEC_E_OK;
227
228 EnterCriticalSection(&init_sechandle_cs);
229
230 if(!cred_handle_initialized) {
231 SCHANNEL_CRED cred = {SCHANNEL_CRED_VERSION};
232 SecPkgCred_SupportedProtocols prots;
233
234 res = AcquireCredentialsHandleW(NULL, (WCHAR*)UNISP_NAME_W, SECPKG_CRED_OUTBOUND, NULL, &cred,
235 NULL, NULL, &cred_handle, NULL);
236 if(res == SEC_E_OK) {
237 res = QueryCredentialsAttributesA(&cred_handle, SECPKG_ATTR_SUPPORTED_PROTOCOLS, &prots);
238 if(res != SEC_E_OK || (prots.grbitProtocol & SP_PROT_TLS1_1PLUS_CLIENT)) {
239 cred.grbitEnabledProtocols = prots.grbitProtocol & ~SP_PROT_TLS1_1PLUS_CLIENT;
240 res = AcquireCredentialsHandleW(NULL, (WCHAR*)UNISP_NAME_W, SECPKG_CRED_OUTBOUND, NULL, &cred,
241 NULL, NULL, &compat_cred_handle, NULL);
242 have_compat_cred_handle = res == SEC_E_OK;
243 }
244 }
245
246 cred_handle_initialized = res == SEC_E_OK;
247 }
248
249 LeaveCriticalSection(&init_sechandle_cs);
250
251 if(res != SEC_E_OK) {
252 WARN("Failed: %08lx\n", res);
253 return FALSE;
254 }
255
256 return TRUE;
257 }
258
259 static BOOL winsock_loaded = FALSE;
260
261 static BOOL WINAPI winsock_startup(INIT_ONCE *once, void *param, void **context)
262 {
263 WSADATA wsa_data;
264 DWORD res;
265
266 res = WSAStartup(MAKEWORD(1,1), &wsa_data);
267 if(res == ERROR_SUCCESS)
268 winsock_loaded = TRUE;
269 else
270 ERR("WSAStartup failed: %lu\n", res);
271 return TRUE;
272 }
273
274 void init_winsock(void)
275 {
276 static INIT_ONCE init_once = INIT_ONCE_STATIC_INIT;
277 InitOnceExecuteOnce(&init_once, winsock_startup, NULL, NULL);
278 }
279
280 static void set_socket_blocking(netconn_t *conn, BOOL is_blocking)
281 {
282 if(conn->is_blocking != is_blocking) {
283 ULONG arg = !is_blocking;
284 ioctlsocket(conn->socket, FIONBIO, &arg);
285 }
286 conn->is_blocking = is_blocking;
287 }
288
289 static DWORD create_netconn_socket(server_t *server, netconn_t *netconn, DWORD timeout)
290 {
291 int result;
292 ULONG flag;
293 DWORD res;
294
295 init_winsock();
296
297 assert(server->addr_len);
298 result = netconn->socket = socket(server->addr.ss_family, SOCK_STREAM, 0);
299 if(result != -1) {
300 set_socket_blocking(netconn, FALSE);
301 result = connect(netconn->socket, (struct sockaddr*)&server->addr, server->addr_len);
302 if(result == -1)
303 {
304 res = WSAGetLastError();
305 if (res == WSAEINPROGRESS || res == WSAEWOULDBLOCK) {
306 FD_SET set;
307 int res;
308 socklen_t len = sizeof(res);
309 TIMEVAL timeout_timeval = {0, timeout*1000};
310
311 FD_ZERO(&set);
312 FD_SET(netconn->socket, &set);
313 res = select(netconn->socket+1, NULL, &set, NULL, &timeout_timeval);
314 if(!res || res == SOCKET_ERROR) {
315 closesocket(netconn->socket);
316 netconn->socket = -1;
317 return ERROR_INTERNET_CANNOT_CONNECT;
318 }
319 if (!getsockopt(netconn->socket, SOL_SOCKET, SO_ERROR, (void *)&res, &len) && !res)
320 result = 0;
321 }
322 }
323 if(result == -1)
324 {
325 closesocket(netconn->socket);
326 netconn->socket = -1;
327 }
328 }
329 if(result == -1)
330 return ERROR_INTERNET_CANNOT_CONNECT;
331
332 flag = 1;
333 result = setsockopt(netconn->socket, IPPROTO_TCP, TCP_NODELAY, (void*)&flag, sizeof(flag));
334 if(result < 0)
335 WARN("setsockopt(TCP_NODELAY) failed\n");
336
337 return ERROR_SUCCESS;
338 }
339
340 DWORD create_netconn(server_t *server, DWORD security_flags, BOOL mask_errors, DWORD timeout, netconn_t **ret)
341 {
342 netconn_t *netconn;
343 int result;
344
345 netconn = calloc(1, sizeof(*netconn));
346 if(!netconn)
347 return ERROR_OUTOFMEMORY;
348
349 netconn->socket = -1;
350 netconn->security_flags = security_flags | server->security_flags;
351 netconn->mask_errors = mask_errors;
352 list_init(&netconn->pool_entry);
353 SecInvalidateHandle(&netconn->ssl_ctx);
354
355 result = create_netconn_socket(server, netconn, timeout);
356 if (result != ERROR_SUCCESS) {
357 free(netconn);
358 return result;
359 }
360
361 server_addref(server);
362 netconn->server = server;
363 *ret = netconn;
364 return result;
365 }
366
367 BOOL is_valid_netconn(netconn_t *netconn)
368 {
369 return netconn && netconn->socket != -1;
370 }
371
372 void close_netconn(netconn_t *netconn)
373 {
374 closesocket(netconn->socket);
375 netconn->socket = -1;
376 }
377
378 void free_netconn(netconn_t *netconn)
379 {
380 server_release(netconn->server);
381
382 if (netconn->secure) {
383 free(netconn->peek_msg_mem);
384 netconn->peek_msg_mem = NULL;
385 netconn->peek_msg = NULL;
386 netconn->peek_len = 0;
387 free(netconn->ssl_buf);
388 netconn->ssl_buf = NULL;
389 free(netconn->extra_buf);
390 netconn->extra_buf = NULL;
391 netconn->extra_len = 0;
392 }
393 if (SecIsValidHandle(&netconn->ssl_ctx))
394 DeleteSecurityContext(&netconn->ssl_ctx);
395
396 close_netconn(netconn);
397 free(netconn);
398 }
399
400 void NETCON_unload(void)
401 {
402 if(cred_handle_initialized)
403 FreeCredentialsHandle(&cred_handle);
404 if(have_compat_cred_handle)
405 FreeCredentialsHandle(&compat_cred_handle);
406 DeleteCriticalSection(&init_sechandle_cs);
407 if(winsock_loaded)
408 WSACleanup();
409 }
410
411 int sock_send(int fd, const void *msg, size_t len, int flags)
412 {
413 int ret;
414 do
415 {
416 ret = send(fd, msg, len, flags);
417 }
418 while(ret == -1 && WSAGetLastError() == WSAEINTR);
419 return ret;
420 }
421
422 int sock_recv(int fd, void *msg, size_t len, int flags)
423 {
424 int ret;
425 do
426 {
427 ret = recv(fd, msg, len, flags);
428 }
429 while(ret == -1 && WSAGetLastError() == WSAEINTR);
430 return ret;
431 }
432
433 static DWORD netcon_secure_connect_setup(netconn_t *connection, BOOL compat_mode)
434 {
435 SecBuffer out_buf = {0, SECBUFFER_TOKEN, NULL}, in_bufs[2] = {{0, SECBUFFER_TOKEN}, {0, SECBUFFER_EMPTY}};
436 SecBufferDesc out_desc = {SECBUFFER_VERSION, 1, &out_buf}, in_desc = {SECBUFFER_VERSION, 2, in_bufs};
437 SecHandle *cred = &cred_handle;
438 BYTE *read_buf;
439 SIZE_T read_buf_size = 2048;
440 ULONG attrs = 0;
441 CtxtHandle ctx;
442 SSIZE_T size;
443 int bits;
444 const CERT_CONTEXT *cert;
445 SECURITY_STATUS status;
446 DWORD res = ERROR_SUCCESS;
447
448 const DWORD isc_req_flags = ISC_REQ_ALLOCATE_MEMORY|ISC_REQ_USE_SESSION_KEY|ISC_REQ_CONFIDENTIALITY
449 |ISC_REQ_SEQUENCE_DETECT|ISC_REQ_REPLAY_DETECT|ISC_REQ_MANUAL_CRED_VALIDATION;
450
451 if(!ensure_cred_handle())
452 return ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
453
454 if(compat_mode) {
455 if(!have_compat_cred_handle)
456 return ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
457 cred = &compat_cred_handle;
458 }
459
460 read_buf = malloc(read_buf_size);
461 if(!read_buf)
462 return ERROR_OUTOFMEMORY;
463
464 status = InitializeSecurityContextW(cred, NULL, connection->server->name, isc_req_flags, 0, 0, NULL, 0,
465 &ctx, &out_desc, &attrs, NULL);
466
467 assert(status != SEC_E_OK);
468
469 set_socket_blocking(connection, TRUE);
470
471 while(status == SEC_I_CONTINUE_NEEDED || status == SEC_E_INCOMPLETE_MESSAGE) {
472 if(out_buf.cbBuffer) {
473 assert(status == SEC_I_CONTINUE_NEEDED);
474
475 TRACE("sending %lu bytes\n", out_buf.cbBuffer);
476
477 size = sock_send(connection->socket, out_buf.pvBuffer, out_buf.cbBuffer, 0);
478 if(size != out_buf.cbBuffer) {
479 ERR("send failed\n");
480 status = ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
481 break;
482 }
483
484 FreeContextBuffer(out_buf.pvBuffer);
485 out_buf.pvBuffer = NULL;
486 out_buf.cbBuffer = 0;
487 }
488
489 if(status == SEC_I_CONTINUE_NEEDED) {
490 assert(in_bufs[1].cbBuffer < read_buf_size);
491
492 memmove(read_buf, (BYTE*)in_bufs[0].pvBuffer+in_bufs[0].cbBuffer-in_bufs[1].cbBuffer, in_bufs[1].cbBuffer);
493 in_bufs[0].cbBuffer = in_bufs[1].cbBuffer;
494 }
495
496 assert(in_bufs[0].BufferType == SECBUFFER_TOKEN);
497 in_bufs[1].BufferType = SECBUFFER_EMPTY;
498 in_bufs[1].cbBuffer = 0;
499 in_bufs[1].pvBuffer = NULL;
500
501 if(in_bufs[0].cbBuffer + 1024 > read_buf_size) {
502 BYTE *new_read_buf;
503
504 new_read_buf = realloc(read_buf, read_buf_size + 1024);
505 if(!new_read_buf) {
506 status = E_OUTOFMEMORY;
507 break;
508 }
509
510 in_bufs[0].pvBuffer = read_buf = new_read_buf;
511 read_buf_size += 1024;
512 }
513
514 size = sock_recv(connection->socket, read_buf+in_bufs[0].cbBuffer, read_buf_size-in_bufs[0].cbBuffer, 0);
515 if(size < 1) {
516 WARN("recv error\n");
517 res = ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
518 break;
519 }
520
521 TRACE("recv %Iu bytes\n", size);
522
523 in_bufs[0].cbBuffer += size;
524 in_bufs[0].pvBuffer = read_buf;
525 status = InitializeSecurityContextW(cred, &ctx, connection->server->name, isc_req_flags, 0, 0, &in_desc,
526 0, NULL, &out_desc, &attrs, NULL);
527 TRACE("InitializeSecurityContext ret %08lx\n", status);
528
529 if(status == SEC_E_OK) {
530 if(SecIsValidHandle(&connection->ssl_ctx))
531 DeleteSecurityContext(&connection->ssl_ctx);
532 connection->ssl_ctx = ctx;
533
534 if(in_bufs[1].BufferType == SECBUFFER_EXTRA)
535 FIXME("SECBUFFER_EXTRA not supported\n");
536
537 status = QueryContextAttributesW(&ctx, SECPKG_ATTR_STREAM_SIZES, &connection->ssl_sizes);
538 if(status != SEC_E_OK) {
539 WARN("Could not get sizes\n");
540 break;
541 }
542
543 status = QueryContextAttributesW(&ctx, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (void*)&cert);
544 if(status == SEC_E_OK) {
545 res = netconn_verify_cert(connection, cert, cert->hCertStore);
546 CertFreeCertificateContext(cert);
547 if(res != ERROR_SUCCESS) {
548 WARN("cert verify failed: %lu\n", res);
549 break;
550 }
551 }else {
552 WARN("Could not get cert\n");
553 break;
554 }
555
556 connection->ssl_buf = malloc(connection->ssl_sizes.cbHeader + connection->ssl_sizes.cbMaximumMessage
557 + connection->ssl_sizes.cbTrailer);
558 if(!connection->ssl_buf) {
559 res = GetLastError();
560 break;
561 }
562 }
563 }
564
565 free(read_buf);
566
567 if(status != SEC_E_OK || res != ERROR_SUCCESS) {
568 WARN("Failed to establish SSL connection: %08lx (%lu)\n", status, res);
569 free(connection->ssl_buf);
570 connection->ssl_buf = NULL;
571 return res ? res : ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
572 }
573
574 TRACE("established SSL connection\n");
575 connection->secure = TRUE;
576 connection->security_flags |= SECURITY_FLAG_SECURE;
577
578 bits = NETCON_GetCipherStrength(connection);
579 if (bits >= 128)
580 connection->security_flags |= SECURITY_FLAG_STRENGTH_STRONG;
581 else if (bits >= 56)
582 connection->security_flags |= SECURITY_FLAG_STRENGTH_MEDIUM;
583 else
584 connection->security_flags |= SECURITY_FLAG_STRENGTH_WEAK;
585
586 if(connection->mask_errors)
587 connection->server->security_flags = connection->security_flags;
588 return ERROR_SUCCESS;
589 }
590
591 /******************************************************************************
592 * NETCON_secure_connect
593 * Initiates a secure connection over an existing plaintext connection.
594 */
595 DWORD NETCON_secure_connect(netconn_t *connection, server_t *server)
596 {
597 DWORD res;
598
599 /* can't connect if we are already connected */
600 if(connection->secure) {
601 ERR("already connected\n");
602 return ERROR_INTERNET_CANNOT_CONNECT;
603 }
604
605 if(server != connection->server) {
606 server_release(connection->server);
607 server_addref(server);
608 connection->server = server;
609 }
610
611 /* connect with given TLS options */
612 res = netcon_secure_connect_setup(connection, FALSE);
613 if (res == ERROR_SUCCESS)
614 return res;
615
616 /* FIXME: when got version alert and FIN from server */
617 /* fallback to connect without TLSv1.1/TLSv1.2 */
618 if (res == ERROR_INTERNET_SECURITY_CHANNEL_ERROR && have_compat_cred_handle)
619 {
620 closesocket(connection->socket);
621 res = create_netconn_socket(connection->server, connection, 500);
622 if (res != ERROR_SUCCESS)
623 return res;
624 res = netcon_secure_connect_setup(connection, TRUE);
625 }
626 return res;
627 }
628
629 static BOOL send_ssl_chunk(netconn_t *conn, const void *msg, size_t size)
630 {
631 SecBuffer bufs[4] = {
632 {conn->ssl_sizes.cbHeader, SECBUFFER_STREAM_HEADER, conn->ssl_buf},
633 {size, SECBUFFER_DATA, conn->ssl_buf+conn->ssl_sizes.cbHeader},
634 {conn->ssl_sizes.cbTrailer, SECBUFFER_STREAM_TRAILER, conn->ssl_buf+conn->ssl_sizes.cbHeader+size},
635 {0, SECBUFFER_EMPTY, NULL}
636 };
637 SecBufferDesc buf_desc = {SECBUFFER_VERSION, ARRAY_SIZE(bufs), bufs};
638 SECURITY_STATUS res;
639
640 memcpy(bufs[1].pvBuffer, msg, size);
641 res = EncryptMessage(&conn->ssl_ctx, 0, &buf_desc, 0);
642 if(res != SEC_E_OK) {
643 WARN("EncryptMessage failed\n");
644 return FALSE;
645 }
646
647 if(sock_send(conn->socket, conn->ssl_buf, bufs[0].cbBuffer+bufs[1].cbBuffer+bufs[2].cbBuffer, 0) < 1) {
648 WARN("send failed\n");
649 return FALSE;
650 }
651
652 return TRUE;
653 }
654
655 /******************************************************************************
656 * NETCON_send
657 * Basically calls 'send()' unless we should use SSL
658 * number of chars send is put in *sent
659 */
660 DWORD NETCON_send(netconn_t *connection, const void *msg, size_t len, int flags,
661 int *sent /* out */)
662 {
663 /* send is always blocking. */
664 set_socket_blocking(connection, TRUE);
665
666 if(!connection->secure)
667 {
668 *sent = sock_send(connection->socket, msg, len, flags);
669 return *sent == -1 ? WSAGetLastError() : ERROR_SUCCESS;
670 }
671 else
672 {
673 const BYTE *ptr = msg;
674 size_t chunk_size;
675
676 *sent = 0;
677
678 while(len) {
679 chunk_size = min(len, connection->ssl_sizes.cbMaximumMessage);
680 if(!send_ssl_chunk(connection, ptr, chunk_size))
681 return ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
682
683 *sent += chunk_size;
684 ptr += chunk_size;
685 len -= chunk_size;
686 }
687
688 return ERROR_SUCCESS;
689 }
690 }
691
692 static BOOL read_ssl_chunk(netconn_t *conn, void *buf, SIZE_T buf_size, BOOL blocking, SIZE_T *ret_size, BOOL *eof)
693 {
694 const SIZE_T ssl_buf_size = conn->ssl_sizes.cbHeader+conn->ssl_sizes.cbMaximumMessage+conn->ssl_sizes.cbTrailer;
695 SecBuffer bufs[4];
696 SecBufferDesc buf_desc = {SECBUFFER_VERSION, ARRAY_SIZE(bufs), bufs};
697 SSIZE_T size, buf_len = 0;
698 int i;
699 SECURITY_STATUS res;
700
701 assert(conn->extra_len < ssl_buf_size);
702
703 if(conn->extra_len) {
704 memcpy(conn->ssl_buf, conn->extra_buf, conn->extra_len);
705 buf_len = conn->extra_len;
706 conn->extra_len = 0;
707 free(conn->extra_buf);
708 conn->extra_buf = NULL;
709 }
710
711 set_socket_blocking(conn, blocking && !buf_len);
712 size = sock_recv(conn->socket, conn->ssl_buf+buf_len, ssl_buf_size-buf_len, 0);
713 if(size < 0) {
714 if(!buf_len) {
715 if(WSAGetLastError() == WSAEWOULDBLOCK) {
716 TRACE("would block\n");
717 return WSAEWOULDBLOCK;
718 }
719 WARN("recv failed\n");
720 return ERROR_INTERNET_CONNECTION_ABORTED;
721 }
722 }else {
723 buf_len += size;
724 }
725
726 if(!buf_len) {
727 TRACE("EOF\n");
728 *eof = TRUE;
729 *ret_size = 0;
730 return ERROR_SUCCESS;
731 }
732
733 *eof = FALSE;
734
735 do {
736 memset(bufs, 0, sizeof(bufs));
737 bufs[0].BufferType = SECBUFFER_DATA;
738 bufs[0].cbBuffer = buf_len;
739 bufs[0].pvBuffer = conn->ssl_buf;
740
741 res = DecryptMessage(&conn->ssl_ctx, &buf_desc, 0, NULL);
742 switch(res) {
743 case SEC_E_OK:
744 break;
745 case SEC_I_CONTEXT_EXPIRED:
746 TRACE("context expired\n");
747 *eof = TRUE;
748 return ERROR_SUCCESS;
749 case SEC_E_INCOMPLETE_MESSAGE:
750 assert(buf_len < ssl_buf_size);
751
752 set_socket_blocking(conn, blocking);
753 size = sock_recv(conn->socket, conn->ssl_buf+buf_len, ssl_buf_size-buf_len, 0);
754 if(size < 1) {
755 if(size < 0 && WSAGetLastError() == WSAEWOULDBLOCK) {
756 TRACE("would block\n");
757
758 /* FIXME: Optimize extra_buf usage. */
759 conn->extra_buf = malloc(buf_len);
760 if(!conn->extra_buf)
761 return ERROR_NOT_ENOUGH_MEMORY;
762
763 conn->extra_len = buf_len;
764 memcpy(conn->extra_buf, conn->ssl_buf, conn->extra_len);
765 return WSAEWOULDBLOCK;
766 }
767
768 return ERROR_INTERNET_CONNECTION_ABORTED;
769 }
770
771 buf_len += size;
772 continue;
773 default:
774 WARN("failed: %08lx\n", res);
775 return ERROR_INTERNET_CONNECTION_ABORTED;
776 }
777 } while(res != SEC_E_OK);
778
779 for(i = 0; i < ARRAY_SIZE(bufs); i++) {
780 if(bufs[i].BufferType == SECBUFFER_DATA) {
781 size = min(buf_size, bufs[i].cbBuffer);
782 memcpy(buf, bufs[i].pvBuffer, size);
783 if(size < bufs[i].cbBuffer) {
784 assert(!conn->peek_len);
785 conn->peek_msg_mem = conn->peek_msg = malloc(bufs[i].cbBuffer - size);
786 if(!conn->peek_msg)
787 return ERROR_NOT_ENOUGH_MEMORY;
788 conn->peek_len = bufs[i].cbBuffer-size;
789 memcpy(conn->peek_msg, (char*)bufs[i].pvBuffer+size, conn->peek_len);
790 }
791
792 *ret_size = size;
793 }
794 }
795
796 for(i = 0; i < ARRAY_SIZE(bufs); i++) {
797 if(bufs[i].BufferType == SECBUFFER_EXTRA) {
798 conn->extra_buf = malloc(bufs[i].cbBuffer);
799 if(!conn->extra_buf)
800 return ERROR_NOT_ENOUGH_MEMORY;
801
802 conn->extra_len = bufs[i].cbBuffer;
803 memcpy(conn->extra_buf, bufs[i].pvBuffer, conn->extra_len);
804 }
805 }
806
807 return ERROR_SUCCESS;
808 }
809
810 /******************************************************************************
811 * NETCON_recv
812 * Basically calls 'recv()' unless we should use SSL
813 * number of chars received is put in *recvd
814 */
815 DWORD NETCON_recv(netconn_t *connection, void *buf, size_t len, BOOL blocking, int *recvd)
816 {
817 *recvd = 0;
818 if (!len)
819 return ERROR_SUCCESS;
820
821 if (!connection->secure)
822 {
823 set_socket_blocking(connection, blocking);
824 *recvd = sock_recv(connection->socket, buf, len, 0);
825 return *recvd == -1 ? WSAGetLastError() : ERROR_SUCCESS;
826 }
827 else
828 {
829 SIZE_T size = 0;
830 BOOL eof;
831 DWORD res;
832
833 if(connection->peek_msg) {
834 size = min(len, connection->peek_len);
835 memcpy(buf, connection->peek_msg, size);
836 connection->peek_len -= size;
837 connection->peek_msg += size;
838
839 if(!connection->peek_len) {
840 free(connection->peek_msg_mem);
841 connection->peek_msg_mem = connection->peek_msg = NULL;
842 }
843
844 *recvd = size;
845 return ERROR_SUCCESS;
846 }
847
848 do {
849 res = read_ssl_chunk(connection, (BYTE*)buf, len, blocking, &size, &eof);
850 if(res != ERROR_SUCCESS) {
851 if(res == WSAEWOULDBLOCK) {
852 if(size)
853 res = ERROR_SUCCESS;
854 }else {
855 WARN("read_ssl_chunk failed\n");
856 }
857 break;
858 }
859 }while(!size && !eof);
860
861 TRACE("received %Id bytes\n", size);
862 *recvd = size;
863 return res;
864 }
865 }
866
867 BOOL NETCON_is_alive(netconn_t *netconn)
868 {
869 int len;
870 char b;
871
872 set_socket_blocking(netconn, FALSE);
873 len = sock_recv(netconn->socket, &b, 1, MSG_PEEK);
874
875 return len == 1 || (len == -1 && WSAGetLastError() == WSAEWOULDBLOCK);
876 }
877
878 LPCVOID NETCON_GetCert(netconn_t *connection)
879 {
880 const CERT_CONTEXT *ret;
881 SECURITY_STATUS res;
882
883 res = QueryContextAttributesW(&connection->ssl_ctx, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (void*)&ret);
884 return res == SEC_E_OK ? ret : NULL;
885 }
886
887 int NETCON_GetCipherStrength(netconn_t *connection)
888 {
889 SecPkgContext_ConnectionInfo conn_info;
890 SECURITY_STATUS res;
891
892 if (!connection->secure)
893 return 0;
894
895 res = QueryContextAttributesW(&connection->ssl_ctx, SECPKG_ATTR_CONNECTION_INFO, (void*)&conn_info);
896 if(res != SEC_E_OK)
897 WARN("QueryContextAttributesW failed: %08lx\n", res);
898 return res == SEC_E_OK ? conn_info.dwCipherStrength : 0;
899 }
900
901 DWORD NETCON_set_timeout(netconn_t *connection, BOOL send, DWORD value)
902 {
903 int result;
904
905 result = setsockopt(connection->socket, SOL_SOCKET,
906 send ? SO_SNDTIMEO : SO_RCVTIMEO, (void*)&value,
907 sizeof(value));
908 if (result == -1)
909 {
910 WARN("setsockopt failed\n");
911 return WSAGetLastError();
912 }
913 return ERROR_SUCCESS;
914 }
Windows API implementation