2 * Wininet - networking layer
4 * Copyright 2002 TransGaming Technologies Inc.
5 * Copyright 2013 Jacek Caban for CodeWeavers
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
24 #define NONAMELESSUNION
40 #include "wine/debug.h"
43 WINE_DEFAULT_DEBUG_CHANNEL(wininet
);
45 static DWORD
netconn_verify_cert(netconn_t
*conn
, PCCERT_CONTEXT cert
, HCERTSTORE store
)
48 CERT_CHAIN_PARA chainPara
= { sizeof(chainPara
), { 0 } };
49 PCCERT_CHAIN_CONTEXT chain
;
50 char oid_server_auth
[] = szOID_PKIX_KP_SERVER_AUTH
;
51 char *server_auth
[] = { oid_server_auth
};
52 DWORD err
= ERROR_SUCCESS
, errors
;
54 static const DWORD supportedErrors
=
55 CERT_TRUST_IS_NOT_TIME_VALID
|
56 CERT_TRUST_IS_UNTRUSTED_ROOT
|
57 CERT_TRUST_IS_PARTIAL_CHAIN
|
58 CERT_TRUST_IS_NOT_SIGNATURE_VALID
|
59 CERT_TRUST_IS_NOT_VALID_FOR_USAGE
;
61 TRACE("verifying %s\n", debugstr_w(conn
->server
->name
));
63 chainPara
.RequestedUsage
.Usage
.cUsageIdentifier
= 1;
64 chainPara
.RequestedUsage
.Usage
.rgpszUsageIdentifier
= server_auth
;
65 if (!(ret
= CertGetCertificateChain(NULL
, cert
, NULL
, store
, &chainPara
, 0, NULL
, &chain
))) {
67 return GetLastError();
70 errors
= chain
->TrustStatus
.dwErrorStatus
;
73 /* This seems strange, but that's what tests show */
74 if(errors
& CERT_TRUST_IS_PARTIAL_CHAIN
) {
75 WARN("ERROR_INTERNET_SEC_CERT_REV_FAILED\n");
76 err
= ERROR_INTERNET_SEC_CERT_REV_FAILED
;
78 conn
->security_flags
|= _SECURITY_FLAG_CERT_REV_FAILED
;
79 if(!(conn
->security_flags
& SECURITY_FLAG_IGNORE_REVOCATION
))
83 if (chain
->TrustStatus
.dwErrorStatus
& ~supportedErrors
) {
84 WARN("error status %lx\n", chain
->TrustStatus
.dwErrorStatus
& ~supportedErrors
);
85 err
= conn
->mask_errors
&& err
? ERROR_INTERNET_SEC_CERT_ERRORS
: ERROR_INTERNET_SEC_INVALID_CERT
;
86 errors
&= supportedErrors
;
87 if(!conn
->mask_errors
)
89 WARN("unknown error flags\n");
92 if(errors
& CERT_TRUST_IS_NOT_TIME_VALID
) {
93 WARN("CERT_TRUST_IS_NOT_TIME_VALID\n");
94 if(!(conn
->security_flags
& SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
)) {
95 err
= conn
->mask_errors
&& err
? ERROR_INTERNET_SEC_CERT_ERRORS
: ERROR_INTERNET_SEC_CERT_DATE_INVALID
;
96 if(!conn
->mask_errors
)
98 conn
->security_flags
|= _SECURITY_FLAG_CERT_INVALID_DATE
;
100 errors
&= ~CERT_TRUST_IS_NOT_TIME_VALID
;
103 if(errors
& CERT_TRUST_IS_UNTRUSTED_ROOT
) {
104 WARN("CERT_TRUST_IS_UNTRUSTED_ROOT\n");
105 if(!(conn
->security_flags
& SECURITY_FLAG_IGNORE_UNKNOWN_CA
)) {
106 err
= conn
->mask_errors
&& err
? ERROR_INTERNET_SEC_CERT_ERRORS
: ERROR_INTERNET_INVALID_CA
;
107 if(!conn
->mask_errors
)
109 conn
->security_flags
|= _SECURITY_FLAG_CERT_INVALID_CA
;
111 errors
&= ~CERT_TRUST_IS_UNTRUSTED_ROOT
;
114 if(errors
& CERT_TRUST_IS_PARTIAL_CHAIN
) {
115 WARN("CERT_TRUST_IS_PARTIAL_CHAIN\n");
116 if(!(conn
->security_flags
& SECURITY_FLAG_IGNORE_UNKNOWN_CA
)) {
117 err
= conn
->mask_errors
&& err
? ERROR_INTERNET_SEC_CERT_ERRORS
: ERROR_INTERNET_INVALID_CA
;
118 if(!conn
->mask_errors
)
120 conn
->security_flags
|= _SECURITY_FLAG_CERT_INVALID_CA
;
122 errors
&= ~CERT_TRUST_IS_PARTIAL_CHAIN
;
125 if(errors
& CERT_TRUST_IS_NOT_SIGNATURE_VALID
) {
126 WARN("CERT_TRUST_IS_NOT_SIGNATURE_VALID\n");
127 if(!(conn
->security_flags
& SECURITY_FLAG_IGNORE_UNKNOWN_CA
)) {
128 err
= conn
->mask_errors
&& err
? ERROR_INTERNET_SEC_CERT_ERRORS
: ERROR_INTERNET_INVALID_CA
;
129 if(!conn
->mask_errors
)
131 conn
->security_flags
|= _SECURITY_FLAG_CERT_INVALID_CA
;
133 errors
&= ~CERT_TRUST_IS_NOT_SIGNATURE_VALID
;
136 if(errors
& CERT_TRUST_IS_NOT_VALID_FOR_USAGE
) {
137 WARN("CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n");
138 if(!(conn
->security_flags
& SECURITY_FLAG_IGNORE_WRONG_USAGE
)) {
139 err
= conn
->mask_errors
&& err
? ERROR_INTERNET_SEC_CERT_ERRORS
: ERROR_INTERNET_SEC_INVALID_CERT
;
140 if(!conn
->mask_errors
)
142 WARN("CERT_TRUST_IS_NOT_VALID_FOR_USAGE, unknown error flags\n");
144 errors
&= ~CERT_TRUST_IS_NOT_VALID_FOR_USAGE
;
147 if(err
== ERROR_INTERNET_SEC_CERT_REV_FAILED
) {
148 assert(conn
->security_flags
& SECURITY_FLAG_IGNORE_REVOCATION
);
153 if(!err
|| conn
->mask_errors
) {
154 CERT_CHAIN_POLICY_PARA policyPara
;
155 SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslExtraPolicyPara
;
156 CERT_CHAIN_POLICY_STATUS policyStatus
;
157 CERT_CHAIN_CONTEXT chainCopy
;
159 /* Clear chain->TrustStatus.dwErrorStatus so
160 * CertVerifyCertificateChainPolicy will verify additional checks
161 * rather than stopping with an existing, ignored error.
163 memcpy(&chainCopy
, chain
, sizeof(chainCopy
));
164 chainCopy
.TrustStatus
.dwErrorStatus
= 0;
165 sslExtraPolicyPara
.u
.cbSize
= sizeof(sslExtraPolicyPara
);
166 sslExtraPolicyPara
.dwAuthType
= AUTHTYPE_SERVER
;
167 sslExtraPolicyPara
.pwszServerName
= conn
->server
->name
;
168 sslExtraPolicyPara
.fdwChecks
= conn
->security_flags
;
169 policyPara
.cbSize
= sizeof(policyPara
);
170 policyPara
.dwFlags
= 0;
171 policyPara
.pvExtraPolicyPara
= &sslExtraPolicyPara
;
172 ret
= CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL
,
173 &chainCopy
, &policyPara
, &policyStatus
);
174 /* Any error in the policy status indicates that the
175 * policy couldn't be verified.
178 if(policyStatus
.dwError
== CERT_E_CN_NO_MATCH
) {
179 WARN("CERT_E_CN_NO_MATCH\n");
180 if(conn
->mask_errors
)
181 conn
->security_flags
|= _SECURITY_FLAG_CERT_INVALID_CN
;
182 err
= conn
->mask_errors
&& err
? ERROR_INTERNET_SEC_CERT_ERRORS
: ERROR_INTERNET_SEC_CERT_CN_INVALID
;
183 }else if(policyStatus
.dwError
) {
184 WARN("policyStatus.dwError %lx\n", policyStatus
.dwError
);
185 if(conn
->mask_errors
)
186 WARN("unknown error flags for policy status %lx\n", policyStatus
.dwError
);
187 err
= conn
->mask_errors
&& err
? ERROR_INTERNET_SEC_CERT_ERRORS
: ERROR_INTERNET_SEC_INVALID_CERT
;
190 err
= GetLastError();
195 WARN("failed %lu\n", err
);
196 CertFreeCertificateChain(chain
);
197 if(conn
->server
->cert_chain
) {
198 CertFreeCertificateChain(conn
->server
->cert_chain
);
199 conn
->server
->cert_chain
= NULL
;
201 if(conn
->mask_errors
)
202 conn
->server
->security_flags
|= conn
->security_flags
& _SECURITY_ERROR_FLAGS_MASK
;
206 /* FIXME: Reuse cached chain */
207 if(conn
->server
->cert_chain
)
208 CertFreeCertificateChain(chain
);
210 conn
->server
->cert_chain
= chain
;
211 return ERROR_SUCCESS
;
214 static SecHandle cred_handle
, compat_cred_handle
;
215 static BOOL cred_handle_initialized
, have_compat_cred_handle
;
217 static CRITICAL_SECTION init_sechandle_cs
;
218 static CRITICAL_SECTION_DEBUG init_sechandle_cs_debug
= {
219 0, 0, &init_sechandle_cs
,
220 { &init_sechandle_cs_debug
.ProcessLocksList
,
221 &init_sechandle_cs_debug
.ProcessLocksList
},
222 0, 0, { (DWORD_PTR
)(__FILE__
": init_sechandle_cs") }
224 static CRITICAL_SECTION init_sechandle_cs
= { &init_sechandle_cs_debug
, -1, 0, 0, 0, 0 };
226 static BOOL
ensure_cred_handle(void)
228 SECURITY_STATUS res
= SEC_E_OK
;
230 EnterCriticalSection(&init_sechandle_cs
);
232 if(!cred_handle_initialized
) {
233 SCHANNEL_CRED cred
= {SCHANNEL_CRED_VERSION
};
234 SecPkgCred_SupportedProtocols prots
;
236 res
= AcquireCredentialsHandleW(NULL
, (WCHAR
*)UNISP_NAME_W
, SECPKG_CRED_OUTBOUND
, NULL
, &cred
,
237 NULL
, NULL
, &cred_handle
, NULL
);
238 if(res
== SEC_E_OK
) {
239 res
= QueryCredentialsAttributesA(&cred_handle
, SECPKG_ATTR_SUPPORTED_PROTOCOLS
, &prots
);
240 if(res
!= SEC_E_OK
|| (prots
.grbitProtocol
& SP_PROT_TLS1_1PLUS_CLIENT
)) {
241 cred
.grbitEnabledProtocols
= prots
.grbitProtocol
& ~SP_PROT_TLS1_1PLUS_CLIENT
;
242 res
= AcquireCredentialsHandleW(NULL
, (WCHAR
*)UNISP_NAME_W
, SECPKG_CRED_OUTBOUND
, NULL
, &cred
,
243 NULL
, NULL
, &compat_cred_handle
, NULL
);
244 have_compat_cred_handle
= res
== SEC_E_OK
;
248 cred_handle_initialized
= res
== SEC_E_OK
;
251 LeaveCriticalSection(&init_sechandle_cs
);
253 if(res
!= SEC_E_OK
) {
254 WARN("Failed: %08lx\n", res
);
261 static BOOL winsock_loaded
= FALSE
;
263 static BOOL WINAPI
winsock_startup(INIT_ONCE
*once
, void *param
, void **context
)
268 res
= WSAStartup(MAKEWORD(1,1), &wsa_data
);
269 if(res
== ERROR_SUCCESS
)
270 winsock_loaded
= TRUE
;
272 ERR("WSAStartup failed: %lu\n", res
);
276 void init_winsock(void)
278 static INIT_ONCE init_once
= INIT_ONCE_STATIC_INIT
;
279 InitOnceExecuteOnce(&init_once
, winsock_startup
, NULL
, NULL
);
282 static void set_socket_blocking(netconn_t
*conn
, BOOL is_blocking
)
284 if(conn
->is_blocking
!= is_blocking
) {
285 ULONG arg
= !is_blocking
;
286 ioctlsocket(conn
->socket
, FIONBIO
, &arg
);
288 conn
->is_blocking
= is_blocking
;
291 static DWORD
create_netconn_socket(server_t
*server
, netconn_t
*netconn
, DWORD timeout
)
299 assert(server
->addr_len
);
300 result
= netconn
->socket
= socket(server
->addr
.ss_family
, SOCK_STREAM
, 0);
302 set_socket_blocking(netconn
, FALSE
);
303 result
= connect(netconn
->socket
, (struct sockaddr
*)&server
->addr
, server
->addr_len
);
306 res
= WSAGetLastError();
307 if (res
== WSAEINPROGRESS
|| res
== WSAEWOULDBLOCK
) {
310 socklen_t len
= sizeof(res
);
311 TIMEVAL timeout_timeval
= {0, timeout
*1000};
314 FD_SET(netconn
->socket
, &set
);
315 res
= select(netconn
->socket
+1, NULL
, &set
, NULL
, &timeout_timeval
);
316 if(!res
|| res
== SOCKET_ERROR
) {
317 closesocket(netconn
->socket
);
318 netconn
->socket
= -1;
319 return ERROR_INTERNET_CANNOT_CONNECT
;
321 if (!getsockopt(netconn
->socket
, SOL_SOCKET
, SO_ERROR
, (void *)&res
, &len
) && !res
)
327 closesocket(netconn
->socket
);
328 netconn
->socket
= -1;
332 return ERROR_INTERNET_CANNOT_CONNECT
;
335 result
= setsockopt(netconn
->socket
, IPPROTO_TCP
, TCP_NODELAY
, (void*)&flag
, sizeof(flag
));
337 WARN("setsockopt(TCP_NODELAY) failed\n");
339 return ERROR_SUCCESS
;
342 DWORD
create_netconn(server_t
*server
, DWORD security_flags
, BOOL mask_errors
, DWORD timeout
, netconn_t
**ret
)
347 netconn
= calloc(1, sizeof(*netconn
));
349 return ERROR_OUTOFMEMORY
;
351 netconn
->socket
= -1;
352 netconn
->security_flags
= security_flags
| server
->security_flags
;
353 netconn
->mask_errors
= mask_errors
;
354 list_init(&netconn
->pool_entry
);
355 SecInvalidateHandle(&netconn
->ssl_ctx
);
357 result
= create_netconn_socket(server
, netconn
, timeout
);
358 if (result
!= ERROR_SUCCESS
) {
363 server_addref(server
);
364 netconn
->server
= server
;
369 BOOL
is_valid_netconn(netconn_t
*netconn
)
371 return netconn
&& netconn
->socket
!= -1;
374 void close_netconn(netconn_t
*netconn
)
376 closesocket(netconn
->socket
);
377 netconn
->socket
= -1;
380 void free_netconn(netconn_t
*netconn
)
382 server_release(netconn
->server
);
384 if (netconn
->secure
) {
385 free(netconn
->peek_msg_mem
);
386 netconn
->peek_msg_mem
= NULL
;
387 netconn
->peek_msg
= NULL
;
388 netconn
->peek_len
= 0;
389 free(netconn
->ssl_buf
);
390 netconn
->ssl_buf
= NULL
;
391 free(netconn
->extra_buf
);
392 netconn
->extra_buf
= NULL
;
393 netconn
->extra_len
= 0;
395 if (SecIsValidHandle(&netconn
->ssl_ctx
))
396 DeleteSecurityContext(&netconn
->ssl_ctx
);
398 close_netconn(netconn
);
402 void NETCON_unload(void)
404 if(cred_handle_initialized
)
405 FreeCredentialsHandle(&cred_handle
);
406 if(have_compat_cred_handle
)
407 FreeCredentialsHandle(&compat_cred_handle
);
408 DeleteCriticalSection(&init_sechandle_cs
);
413 int sock_send(int fd
, const void *msg
, size_t len
, int flags
)
418 ret
= send(fd
, msg
, len
, flags
);
420 while(ret
== -1 && WSAGetLastError() == WSAEINTR
);
424 int sock_recv(int fd
, void *msg
, size_t len
, int flags
)
429 ret
= recv(fd
, msg
, len
, flags
);
431 while(ret
== -1 && WSAGetLastError() == WSAEINTR
);
435 static DWORD
netcon_secure_connect_setup(netconn_t
*connection
, BOOL compat_mode
)
437 SecBuffer out_buf
= {0, SECBUFFER_TOKEN
, NULL
}, in_bufs
[2] = {{0, SECBUFFER_TOKEN
}, {0, SECBUFFER_EMPTY
}};
438 SecBufferDesc out_desc
= {SECBUFFER_VERSION
, 1, &out_buf
}, in_desc
= {SECBUFFER_VERSION
, 2, in_bufs
};
439 SecHandle
*cred
= &cred_handle
;
441 SIZE_T read_buf_size
= 2048;
446 const CERT_CONTEXT
*cert
;
447 SECURITY_STATUS status
;
448 DWORD res
= ERROR_SUCCESS
;
450 const DWORD isc_req_flags
= ISC_REQ_ALLOCATE_MEMORY
|ISC_REQ_USE_SESSION_KEY
|ISC_REQ_CONFIDENTIALITY
451 |ISC_REQ_SEQUENCE_DETECT
|ISC_REQ_REPLAY_DETECT
|ISC_REQ_MANUAL_CRED_VALIDATION
;
453 if(!ensure_cred_handle())
454 return ERROR_INTERNET_SECURITY_CHANNEL_ERROR
;
457 if(!have_compat_cred_handle
)
458 return ERROR_INTERNET_SECURITY_CHANNEL_ERROR
;
459 cred
= &compat_cred_handle
;
462 read_buf
= malloc(read_buf_size
);
464 return ERROR_OUTOFMEMORY
;
466 status
= InitializeSecurityContextW(cred
, NULL
, connection
->server
->name
, isc_req_flags
, 0, 0, NULL
, 0,
467 &ctx
, &out_desc
, &attrs
, NULL
);
469 assert(status
!= SEC_E_OK
);
471 set_socket_blocking(connection
, TRUE
);
473 while(status
== SEC_I_CONTINUE_NEEDED
|| status
== SEC_E_INCOMPLETE_MESSAGE
) {
474 if(out_buf
.cbBuffer
) {
475 assert(status
== SEC_I_CONTINUE_NEEDED
);
477 TRACE("sending %lu bytes\n", out_buf
.cbBuffer
);
479 size
= sock_send(connection
->socket
, out_buf
.pvBuffer
, out_buf
.cbBuffer
, 0);
480 if(size
!= out_buf
.cbBuffer
) {
481 ERR("send failed\n");
482 status
= ERROR_INTERNET_SECURITY_CHANNEL_ERROR
;
486 FreeContextBuffer(out_buf
.pvBuffer
);
487 out_buf
.pvBuffer
= NULL
;
488 out_buf
.cbBuffer
= 0;
491 if(status
== SEC_I_CONTINUE_NEEDED
) {
492 assert(in_bufs
[1].cbBuffer
< read_buf_size
);
494 memmove(read_buf
, (BYTE
*)in_bufs
[0].pvBuffer
+in_bufs
[0].cbBuffer
-in_bufs
[1].cbBuffer
, in_bufs
[1].cbBuffer
);
495 in_bufs
[0].cbBuffer
= in_bufs
[1].cbBuffer
;
498 assert(in_bufs
[0].BufferType
== SECBUFFER_TOKEN
);
499 in_bufs
[1].BufferType
= SECBUFFER_EMPTY
;
500 in_bufs
[1].cbBuffer
= 0;
501 in_bufs
[1].pvBuffer
= NULL
;
503 if(in_bufs
[0].cbBuffer
+ 1024 > read_buf_size
) {
506 new_read_buf
= realloc(read_buf
, read_buf_size
+ 1024);
508 status
= E_OUTOFMEMORY
;
512 in_bufs
[0].pvBuffer
= read_buf
= new_read_buf
;
513 read_buf_size
+= 1024;
516 size
= sock_recv(connection
->socket
, read_buf
+in_bufs
[0].cbBuffer
, read_buf_size
-in_bufs
[0].cbBuffer
, 0);
518 WARN("recv error\n");
519 res
= ERROR_INTERNET_SECURITY_CHANNEL_ERROR
;
523 TRACE("recv %Iu bytes\n", size
);
525 in_bufs
[0].cbBuffer
+= size
;
526 in_bufs
[0].pvBuffer
= read_buf
;
527 status
= InitializeSecurityContextW(cred
, &ctx
, connection
->server
->name
, isc_req_flags
, 0, 0, &in_desc
,
528 0, NULL
, &out_desc
, &attrs
, NULL
);
529 TRACE("InitializeSecurityContext ret %08lx\n", status
);
531 if(status
== SEC_E_OK
) {
532 if(SecIsValidHandle(&connection
->ssl_ctx
))
533 DeleteSecurityContext(&connection
->ssl_ctx
);
534 connection
->ssl_ctx
= ctx
;
536 if(in_bufs
[1].BufferType
== SECBUFFER_EXTRA
)
537 FIXME("SECBUFFER_EXTRA not supported\n");
539 status
= QueryContextAttributesW(&ctx
, SECPKG_ATTR_STREAM_SIZES
, &connection
->ssl_sizes
);
540 if(status
!= SEC_E_OK
) {
541 WARN("Could not get sizes\n");
545 status
= QueryContextAttributesW(&ctx
, SECPKG_ATTR_REMOTE_CERT_CONTEXT
, (void*)&cert
);
546 if(status
== SEC_E_OK
) {
547 res
= netconn_verify_cert(connection
, cert
, cert
->hCertStore
);
548 CertFreeCertificateContext(cert
);
549 if(res
!= ERROR_SUCCESS
) {
550 WARN("cert verify failed: %lu\n", res
);
554 WARN("Could not get cert\n");
558 connection
->ssl_buf
= malloc(connection
->ssl_sizes
.cbHeader
+ connection
->ssl_sizes
.cbMaximumMessage
559 + connection
->ssl_sizes
.cbTrailer
);
560 if(!connection
->ssl_buf
) {
561 res
= GetLastError();
569 if(status
!= SEC_E_OK
|| res
!= ERROR_SUCCESS
) {
570 WARN("Failed to establish SSL connection: %08lx (%lu)\n", status
, res
);
571 free(connection
->ssl_buf
);
572 connection
->ssl_buf
= NULL
;
573 return res
? res
: ERROR_INTERNET_SECURITY_CHANNEL_ERROR
;
576 TRACE("established SSL connection\n");
577 connection
->secure
= TRUE
;
578 connection
->security_flags
|= SECURITY_FLAG_SECURE
;
580 bits
= NETCON_GetCipherStrength(connection
);
582 connection
->security_flags
|= SECURITY_FLAG_STRENGTH_STRONG
;
584 connection
->security_flags
|= SECURITY_FLAG_STRENGTH_MEDIUM
;
586 connection
->security_flags
|= SECURITY_FLAG_STRENGTH_WEAK
;
588 if(connection
->mask_errors
)
589 connection
->server
->security_flags
= connection
->security_flags
;
590 return ERROR_SUCCESS
;
593 /******************************************************************************
594 * NETCON_secure_connect
595 * Initiates a secure connection over an existing plaintext connection.
597 DWORD
NETCON_secure_connect(netconn_t
*connection
, server_t
*server
)
601 /* can't connect if we are already connected */
602 if(connection
->secure
) {
603 ERR("already connected\n");
604 return ERROR_INTERNET_CANNOT_CONNECT
;
607 if(server
!= connection
->server
) {
608 server_release(connection
->server
);
609 server_addref(server
);
610 connection
->server
= server
;
613 /* connect with given TLS options */
614 res
= netcon_secure_connect_setup(connection
, FALSE
);
615 if (res
== ERROR_SUCCESS
)
618 /* FIXME: when got version alert and FIN from server */
619 /* fallback to connect without TLSv1.1/TLSv1.2 */
620 if (res
== ERROR_INTERNET_SECURITY_CHANNEL_ERROR
&& have_compat_cred_handle
)
622 closesocket(connection
->socket
);
623 res
= create_netconn_socket(connection
->server
, connection
, 500);
624 if (res
!= ERROR_SUCCESS
)
626 res
= netcon_secure_connect_setup(connection
, TRUE
);
631 static BOOL
send_ssl_chunk(netconn_t
*conn
, const void *msg
, size_t size
)
633 SecBuffer bufs
[4] = {
634 {conn
->ssl_sizes
.cbHeader
, SECBUFFER_STREAM_HEADER
, conn
->ssl_buf
},
635 {size
, SECBUFFER_DATA
, conn
->ssl_buf
+conn
->ssl_sizes
.cbHeader
},
636 {conn
->ssl_sizes
.cbTrailer
, SECBUFFER_STREAM_TRAILER
, conn
->ssl_buf
+conn
->ssl_sizes
.cbHeader
+size
},
637 {0, SECBUFFER_EMPTY
, NULL
}
639 SecBufferDesc buf_desc
= {SECBUFFER_VERSION
, ARRAY_SIZE(bufs
), bufs
};
642 memcpy(bufs
[1].pvBuffer
, msg
, size
);
643 res
= EncryptMessage(&conn
->ssl_ctx
, 0, &buf_desc
, 0);
644 if(res
!= SEC_E_OK
) {
645 WARN("EncryptMessage failed\n");
649 if(sock_send(conn
->socket
, conn
->ssl_buf
, bufs
[0].cbBuffer
+bufs
[1].cbBuffer
+bufs
[2].cbBuffer
, 0) < 1) {
650 WARN("send failed\n");
657 /******************************************************************************
659 * Basically calls 'send()' unless we should use SSL
660 * number of chars send is put in *sent
662 DWORD
NETCON_send(netconn_t
*connection
, const void *msg
, size_t len
, int flags
,
665 /* send is always blocking. */
666 set_socket_blocking(connection
, TRUE
);
668 if(!connection
->secure
)
670 *sent
= sock_send(connection
->socket
, msg
, len
, flags
);
671 return *sent
== -1 ? WSAGetLastError() : ERROR_SUCCESS
;
675 const BYTE
*ptr
= msg
;
681 chunk_size
= min(len
, connection
->ssl_sizes
.cbMaximumMessage
);
682 if(!send_ssl_chunk(connection
, ptr
, chunk_size
))
683 return ERROR_INTERNET_SECURITY_CHANNEL_ERROR
;
690 return ERROR_SUCCESS
;
694 static BOOL
read_ssl_chunk(netconn_t
*conn
, void *buf
, SIZE_T buf_size
, BOOL blocking
, SIZE_T
*ret_size
, BOOL
*eof
)
696 const SIZE_T ssl_buf_size
= conn
->ssl_sizes
.cbHeader
+conn
->ssl_sizes
.cbMaximumMessage
+conn
->ssl_sizes
.cbTrailer
;
698 SecBufferDesc buf_desc
= {SECBUFFER_VERSION
, ARRAY_SIZE(bufs
), bufs
};
699 SSIZE_T size
, buf_len
= 0;
703 assert(conn
->extra_len
< ssl_buf_size
);
705 if(conn
->extra_len
) {
706 memcpy(conn
->ssl_buf
, conn
->extra_buf
, conn
->extra_len
);
707 buf_len
= conn
->extra_len
;
709 free(conn
->extra_buf
);
710 conn
->extra_buf
= NULL
;
713 set_socket_blocking(conn
, blocking
&& !buf_len
);
714 size
= sock_recv(conn
->socket
, conn
->ssl_buf
+buf_len
, ssl_buf_size
-buf_len
, 0);
717 if(WSAGetLastError() == WSAEWOULDBLOCK
) {
718 TRACE("would block\n");
719 return WSAEWOULDBLOCK
;
721 WARN("recv failed\n");
722 return ERROR_INTERNET_CONNECTION_ABORTED
;
732 return ERROR_SUCCESS
;
738 memset(bufs
, 0, sizeof(bufs
));
739 bufs
[0].BufferType
= SECBUFFER_DATA
;
740 bufs
[0].cbBuffer
= buf_len
;
741 bufs
[0].pvBuffer
= conn
->ssl_buf
;
743 res
= DecryptMessage(&conn
->ssl_ctx
, &buf_desc
, 0, NULL
);
747 case SEC_I_CONTEXT_EXPIRED
:
748 TRACE("context expired\n");
750 return ERROR_SUCCESS
;
751 case SEC_E_INCOMPLETE_MESSAGE
:
752 assert(buf_len
< ssl_buf_size
);
754 set_socket_blocking(conn
, blocking
);
755 size
= sock_recv(conn
->socket
, conn
->ssl_buf
+buf_len
, ssl_buf_size
-buf_len
, 0);
757 if(size
< 0 && WSAGetLastError() == WSAEWOULDBLOCK
) {
758 TRACE("would block\n");
760 /* FIXME: Optimize extra_buf usage. */
761 conn
->extra_buf
= malloc(buf_len
);
763 return ERROR_NOT_ENOUGH_MEMORY
;
765 conn
->extra_len
= buf_len
;
766 memcpy(conn
->extra_buf
, conn
->ssl_buf
, conn
->extra_len
);
767 return WSAEWOULDBLOCK
;
770 return ERROR_INTERNET_CONNECTION_ABORTED
;
776 WARN("failed: %08lx\n", res
);
777 return ERROR_INTERNET_CONNECTION_ABORTED
;
779 } while(res
!= SEC_E_OK
);
781 for(i
= 0; i
< ARRAY_SIZE(bufs
); i
++) {
782 if(bufs
[i
].BufferType
== SECBUFFER_DATA
) {
783 size
= min(buf_size
, bufs
[i
].cbBuffer
);
784 memcpy(buf
, bufs
[i
].pvBuffer
, size
);
785 if(size
< bufs
[i
].cbBuffer
) {
786 assert(!conn
->peek_len
);
787 conn
->peek_msg_mem
= conn
->peek_msg
= malloc(bufs
[i
].cbBuffer
- size
);
789 return ERROR_NOT_ENOUGH_MEMORY
;
790 conn
->peek_len
= bufs
[i
].cbBuffer
-size
;
791 memcpy(conn
->peek_msg
, (char*)bufs
[i
].pvBuffer
+size
, conn
->peek_len
);
798 for(i
= 0; i
< ARRAY_SIZE(bufs
); i
++) {
799 if(bufs
[i
].BufferType
== SECBUFFER_EXTRA
) {
800 conn
->extra_buf
= malloc(bufs
[i
].cbBuffer
);
802 return ERROR_NOT_ENOUGH_MEMORY
;
804 conn
->extra_len
= bufs
[i
].cbBuffer
;
805 memcpy(conn
->extra_buf
, bufs
[i
].pvBuffer
, conn
->extra_len
);
809 return ERROR_SUCCESS
;
812 /******************************************************************************
814 * Basically calls 'recv()' unless we should use SSL
815 * number of chars received is put in *recvd
817 DWORD
NETCON_recv(netconn_t
*connection
, void *buf
, size_t len
, BOOL blocking
, int *recvd
)
821 return ERROR_SUCCESS
;
823 if (!connection
->secure
)
825 set_socket_blocking(connection
, blocking
);
826 *recvd
= sock_recv(connection
->socket
, buf
, len
, 0);
827 return *recvd
== -1 ? WSAGetLastError() : ERROR_SUCCESS
;
835 if(connection
->peek_msg
) {
836 size
= min(len
, connection
->peek_len
);
837 memcpy(buf
, connection
->peek_msg
, size
);
838 connection
->peek_len
-= size
;
839 connection
->peek_msg
+= size
;
841 if(!connection
->peek_len
) {
842 free(connection
->peek_msg_mem
);
843 connection
->peek_msg_mem
= connection
->peek_msg
= NULL
;
847 return ERROR_SUCCESS
;
851 res
= read_ssl_chunk(connection
, (BYTE
*)buf
, len
, blocking
, &size
, &eof
);
852 if(res
!= ERROR_SUCCESS
) {
853 if(res
== WSAEWOULDBLOCK
) {
857 WARN("read_ssl_chunk failed\n");
861 }while(!size
&& !eof
);
863 TRACE("received %Id bytes\n", size
);
869 BOOL
NETCON_is_alive(netconn_t
*netconn
)
874 set_socket_blocking(netconn
, FALSE
);
875 len
= sock_recv(netconn
->socket
, &b
, 1, MSG_PEEK
);
877 return len
== 1 || (len
== -1 && WSAGetLastError() == WSAEWOULDBLOCK
);
880 LPCVOID
NETCON_GetCert(netconn_t
*connection
)
882 const CERT_CONTEXT
*ret
;
885 res
= QueryContextAttributesW(&connection
->ssl_ctx
, SECPKG_ATTR_REMOTE_CERT_CONTEXT
, (void*)&ret
);
886 return res
== SEC_E_OK
? ret
: NULL
;
889 int NETCON_GetCipherStrength(netconn_t
*connection
)
891 SecPkgContext_ConnectionInfo conn_info
;
894 if (!connection
->secure
)
897 res
= QueryContextAttributesW(&connection
->ssl_ctx
, SECPKG_ATTR_CONNECTION_INFO
, (void*)&conn_info
);
899 WARN("QueryContextAttributesW failed: %08lx\n", res
);
900 return res
== SEC_E_OK
? conn_info
.dwCipherStrength
: 0;
903 DWORD
NETCON_set_timeout(netconn_t
*connection
, BOOL send
, DWORD value
)
907 result
= setsockopt(connection
->socket
, SOL_SOCKET
,
908 send
? SO_SNDTIMEO
: SO_RCVTIMEO
, (void*)&value
,
912 WARN("setsockopt failed\n");
913 return WSAGetLastError();
915 return ERROR_SUCCESS
;