git.oblomov.eu Git - wine/blob - dlls/wininet/netconnection.c

   1 /*
   2  * Wininet - networking layer. Uses unix sockets or OpenSSL.
   3  *
   4  * Copyright 2002 TransGaming Technologies Inc.
   5  *
   6  * David Hammerton
   7  *
   8  * This library is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public
  10  * License as published by the Free Software Foundation; either
  11  * version 2.1 of the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public
  19  * License along with this library; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  21  */
  22
  23 #include "config.h"
  24 #include "wine/port.h"
  25
  26 #define NONAMELESSUNION
  27
  28 #if defined(__MINGW32__) || defined (_MSC_VER)
  29 #include <ws2tcpip.h>
  30 #endif
  31
  32 #include <sys/types.h>
  33 #ifdef HAVE_POLL_H
  34 #include <poll.h>
  35 #endif
  36 #ifdef HAVE_SYS_POLL_H
  37 # include <sys/poll.h>
  38 #endif
  39 #ifdef HAVE_SYS_TIME_H
  40 # include <sys/time.h>
  41 #endif
  42 #ifdef HAVE_SYS_SOCKET_H
  43 # include <sys/socket.h>
  44 #endif
  45 #ifdef HAVE_SYS_FILIO_H
  46 # include <sys/filio.h>
  47 #endif
  48 #ifdef HAVE_UNISTD_H
  49 # include <unistd.h>
  50 #endif
  51 #ifdef HAVE_SYS_IOCTL_H
  52 # include <sys/ioctl.h>
  53 #endif
  54 #include <time.h>
  55 #ifdef HAVE_NETDB_H
  56 # include <netdb.h>
  57 #endif
  58 #ifdef HAVE_NETINET_IN_H
  59 # include <netinet/in.h>
  60 #endif
  61 #ifdef HAVE_OPENSSL_SSL_H
  62 # include <openssl/ssl.h>
  63 # include <openssl/opensslv.h>
  64 #undef FAR
  65 #undef DSA
  66 #endif
  67
  68 #include <stdarg.h>
  69 #include <stdlib.h>
  70 #include <string.h>
  71 #include <stdio.h>
  72 #include <errno.h>
  73
  74 #include "wine/library.h"
  75 #include "windef.h"
  76 #include "winbase.h"
  77 #include "wininet.h"
  78 #include "winerror.h"
  79 #include "wincrypt.h"
  80
  81 #include "wine/debug.h"
  82 #include "internet.h"
  83
  84 /* To avoid conflicts with the Unix socket headers. we only need it for
  85  * the error codes anyway. */
  86 #define USE_WS_PREFIX
  87 #include "winsock2.h"
  88
  89 #define RESPONSE_TIMEOUT        30            /* FROM internet.c */
  90
  91
  92 WINE_DEFAULT_DEBUG_CHANNEL(wininet);
  93
  94 /* FIXME!!!!!!
  95  *    This should use winsock - To use winsock the functions will have to change a bit
  96  *        as they are designed for unix sockets.
  97  *    SSL stuff should use crypt32.dll
  98  */
  99
 100 #ifdef SONAME_LIBSSL
 101
 102 #include <openssl/err.h>
 103
 104 static CRITICAL_SECTION init_ssl_cs;
 105 static CRITICAL_SECTION_DEBUG init_ssl_cs_debug =
 106 {
 107     0, 0, &init_ssl_cs,
 108     { &init_ssl_cs_debug.ProcessLocksList,
 109       &init_ssl_cs_debug.ProcessLocksList },
 110     0, 0, { (DWORD_PTR)(__FILE__ ": init_ssl_cs") }
 111 };
 112 static CRITICAL_SECTION init_ssl_cs = { &init_ssl_cs_debug, -1, 0, 0, 0, 0 };
 113
 114 static void *OpenSSL_ssl_handle;
 115 static void *OpenSSL_crypto_handle;
 116
 117 #if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER> 0x1000000)
 118 static const SSL_METHOD *meth;
 119 #else
 120 static SSL_METHOD *meth;
 121 #endif
 122 static SSL_CTX *ctx;
 123 static int hostname_idx;
 124 static int error_idx;
 125
 126 #define MAKE_FUNCPTR(f) static typeof(f) * p##f
 127
 128 /* OpenSSL functions that we use */
 129 MAKE_FUNCPTR(SSL_library_init);
 130 MAKE_FUNCPTR(SSL_load_error_strings);
 131 MAKE_FUNCPTR(SSLv23_method);
 132 MAKE_FUNCPTR(SSL_CTX_free);
 133 MAKE_FUNCPTR(SSL_CTX_new);
 134 MAKE_FUNCPTR(SSL_new);
 135 MAKE_FUNCPTR(SSL_free);
 136 MAKE_FUNCPTR(SSL_set_fd);
 137 MAKE_FUNCPTR(SSL_connect);
 138 MAKE_FUNCPTR(SSL_shutdown);
 139 MAKE_FUNCPTR(SSL_write);
 140 MAKE_FUNCPTR(SSL_read);
 141 MAKE_FUNCPTR(SSL_pending);
 142 MAKE_FUNCPTR(SSL_get_error);
 143 MAKE_FUNCPTR(SSL_get_ex_new_index);
 144 MAKE_FUNCPTR(SSL_get_ex_data);
 145 MAKE_FUNCPTR(SSL_set_ex_data);
 146 MAKE_FUNCPTR(SSL_get_ex_data_X509_STORE_CTX_idx);
 147 MAKE_FUNCPTR(SSL_get_verify_result);
 148 MAKE_FUNCPTR(SSL_get_peer_certificate);
 149 MAKE_FUNCPTR(SSL_CTX_get_timeout);
 150 MAKE_FUNCPTR(SSL_CTX_set_timeout);
 151 MAKE_FUNCPTR(SSL_CTX_set_default_verify_paths);
 152 MAKE_FUNCPTR(SSL_CTX_set_verify);
 153 MAKE_FUNCPTR(X509_STORE_CTX_get_ex_data);
 154
 155 /* OpenSSL's libcrypto functions that we use */
 156 MAKE_FUNCPTR(BIO_new_fp);
 157 MAKE_FUNCPTR(CRYPTO_num_locks);
 158 MAKE_FUNCPTR(CRYPTO_set_id_callback);
 159 MAKE_FUNCPTR(CRYPTO_set_locking_callback);
 160 MAKE_FUNCPTR(ERR_free_strings);
 161 MAKE_FUNCPTR(ERR_get_error);
 162 MAKE_FUNCPTR(ERR_error_string);
 163 MAKE_FUNCPTR(i2d_X509);
 164 MAKE_FUNCPTR(sk_num);
 165 MAKE_FUNCPTR(sk_value);
 166 #undef MAKE_FUNCPTR
 167
 168 static CRITICAL_SECTION *ssl_locks;
 169 static unsigned int num_ssl_locks;
 170
 171 static unsigned long ssl_thread_id(void)
 172 {
 173     return GetCurrentThreadId();
 174 }
 175
 176 static void ssl_lock_callback(int mode, int type, const char *file, int line)
 177 {
 178     if (mode & CRYPTO_LOCK)
 179         EnterCriticalSection(&ssl_locks[type]);
 180     else
 181         LeaveCriticalSection(&ssl_locks[type]);
 182 }
 183
 184 static PCCERT_CONTEXT X509_to_cert_context(X509 *cert)
 185 {
 186     unsigned char* buffer,*p;
 187     INT len;
 188     BOOL malloced = FALSE;
 189     PCCERT_CONTEXT ret;
 190
 191     p = NULL;
 192     len = pi2d_X509(cert,&p);
 193     /*
 194      * SSL 0.9.7 and above malloc the buffer if it is null.
 195      * however earlier version do not and so we would need to alloc the buffer.
 196      *
 197      * see the i2d_X509 man page for more details.
 198      */
 199     if (!p)
 200     {
 201         buffer = HeapAlloc(GetProcessHeap(),0,len);
 202         p = buffer;
 203         len = pi2d_X509(cert,&p);
 204     }
 205     else
 206     {
 207         buffer = p;
 208         malloced = TRUE;
 209     }
 210
 211     ret = CertCreateCertificateContext(X509_ASN_ENCODING,buffer,len);
 212
 213     if (malloced)
 214         free(buffer);
 215     else
 216         HeapFree(GetProcessHeap(),0,buffer);
 217
 218     return ret;
 219 }
 220
 221 static DWORD netconn_verify_cert(PCCERT_CONTEXT cert, HCERTSTORE store,
 222     WCHAR *server)
 223 {
 224     BOOL ret;
 225     CERT_CHAIN_PARA chainPara = { sizeof(chainPara), { 0 } };
 226     PCCERT_CHAIN_CONTEXT chain;
 227     char oid_server_auth[] = szOID_PKIX_KP_SERVER_AUTH;
 228     char *server_auth[] = { oid_server_auth };
 229     DWORD err = ERROR_SUCCESS;
 230
 231     TRACE("verifying %s\n", debugstr_w(server));
 232     chainPara.RequestedUsage.Usage.cUsageIdentifier = 1;
 233     chainPara.RequestedUsage.Usage.rgpszUsageIdentifier = server_auth;
 234     if ((ret = CertGetCertificateChain(NULL, cert, NULL, store, &chainPara, 0,
 235         NULL, &chain)))
 236     {
 237         if (chain->TrustStatus.dwErrorStatus)
 238         {
 239             if (chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
 240                 err = ERROR_INTERNET_SEC_CERT_DATE_INVALID;
 241             else if (chain->TrustStatus.dwErrorStatus &
 242                      CERT_TRUST_IS_UNTRUSTED_ROOT)
 243                 err = ERROR_INTERNET_INVALID_CA;
 244             else if ((chain->TrustStatus.dwErrorStatus &
 245                       CERT_TRUST_IS_OFFLINE_REVOCATION) ||
 246                      (chain->TrustStatus.dwErrorStatus &
 247                       CERT_TRUST_REVOCATION_STATUS_UNKNOWN))
 248                 err = ERROR_INTERNET_SEC_CERT_NO_REV;
 249             else if (chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_REVOKED)
 250                 err = ERROR_INTERNET_SEC_CERT_REVOKED;
 251             else if (chain->TrustStatus.dwErrorStatus &
 252                 CERT_TRUST_IS_NOT_VALID_FOR_USAGE)
 253                 err = ERROR_INTERNET_SEC_INVALID_CERT;
 254             else
 255                 err = ERROR_INTERNET_SEC_INVALID_CERT;
 256         }
 257         else
 258         {
 259             CERT_CHAIN_POLICY_PARA policyPara;
 260             SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslExtraPolicyPara;
 261             CERT_CHAIN_POLICY_STATUS policyStatus;
 262
 263             sslExtraPolicyPara.u.cbSize = sizeof(sslExtraPolicyPara);
 264             sslExtraPolicyPara.dwAuthType = AUTHTYPE_SERVER;
 265             sslExtraPolicyPara.pwszServerName = server;
 266             policyPara.cbSize = sizeof(policyPara);
 267             policyPara.dwFlags = 0;
 268             policyPara.pvExtraPolicyPara = &sslExtraPolicyPara;
 269             ret = CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL,
 270                 chain, &policyPara, &policyStatus);
 271             /* Any error in the policy status indicates that the
 272              * policy couldn't be verified.
 273              */
 274             if (ret && policyStatus.dwError)
 275             {
 276                 if (policyStatus.dwError == CERT_E_CN_NO_MATCH)
 277                     err = ERROR_INTERNET_SEC_CERT_CN_INVALID;
 278                 else
 279                     err = ERROR_INTERNET_SEC_INVALID_CERT;
 280             }
 281         }
 282         CertFreeCertificateChain(chain);
 283     }
 284     TRACE("returning %08x\n", err);
 285     return err;
 286 }
 287
 288 static int netconn_secure_verify(int preverify_ok, X509_STORE_CTX *ctx)
 289 {
 290     SSL *ssl;
 291     WCHAR *server;
 292     BOOL ret = FALSE;
 293
 294     ssl = pX509_STORE_CTX_get_ex_data(ctx,
 295         pSSL_get_ex_data_X509_STORE_CTX_idx());
 296     server = pSSL_get_ex_data(ssl, hostname_idx);
 297     if (preverify_ok)
 298     {
 299         HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
 300             CERT_STORE_CREATE_NEW_FLAG, NULL);
 301
 302         if (store)
 303         {
 304             X509 *cert;
 305             int i;
 306             PCCERT_CONTEXT endCert = NULL;
 307
 308             ret = TRUE;
 309             for (i = 0; ret && i < psk_num((struct stack_st *)ctx->chain); i++)
 310             {
 311                 PCCERT_CONTEXT context;
 312
 313                 cert = (X509 *)psk_value((struct stack_st *)ctx->chain, i);
 314                 if ((context = X509_to_cert_context(cert)))
 315                 {
 316                     if (i == 0)
 317                         ret = CertAddCertificateContextToStore(store, context,
 318                             CERT_STORE_ADD_ALWAYS, &endCert);
 319                     else
 320                         ret = CertAddCertificateContextToStore(store, context,
 321                             CERT_STORE_ADD_ALWAYS, NULL);
 322                     CertFreeCertificateContext(context);
 323                 }
 324             }
 325             if (!endCert) ret = FALSE;
 326             if (ret)
 327             {
 328                 DWORD_PTR err = netconn_verify_cert(endCert, store, server);
 329
 330                 if (err)
 331                 {
 332                     pSSL_set_ex_data(ssl, error_idx, (void *)err);
 333                     ret = FALSE;
 334                 }
 335             }
 336             CertFreeCertificateContext(endCert);
 337             CertCloseStore(store, 0);
 338         }
 339     } else
 340         pSSL_set_ex_data(ssl, error_idx, (void *)ERROR_INTERNET_SEC_CERT_ERRORS);
 341
 342     return ret;
 343 }
 344
 345 #endif
 346
 347 DWORD NETCON_init(WININET_NETCONNECTION *connection, BOOL useSSL)
 348 {
 349     connection->useSSL = FALSE;
 350     connection->socketFD = -1;
 351     if (useSSL)
 352     {
 353 #if defined(SONAME_LIBSSL) && defined(SONAME_LIBCRYPTO)
 354         int i;
 355
 356         TRACE("using SSL connection\n");
 357         EnterCriticalSection(&init_ssl_cs);
 358         if (OpenSSL_ssl_handle) /* already initialized everything */
 359         {
 360             LeaveCriticalSection(&init_ssl_cs);
 361             return ERROR_SUCCESS;
 362         }
 363         OpenSSL_ssl_handle = wine_dlopen(SONAME_LIBSSL, RTLD_NOW, NULL, 0);
 364         if (!OpenSSL_ssl_handle)
 365         {
 366             ERR("trying to use a SSL connection, but couldn't load %s. Expect trouble.\n",
 367                 SONAME_LIBSSL);
 368             LeaveCriticalSection(&init_ssl_cs);
 369             return ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
 370         }
 371         OpenSSL_crypto_handle = wine_dlopen(SONAME_LIBCRYPTO, RTLD_NOW, NULL, 0);
 372         if (!OpenSSL_crypto_handle)
 373         {
 374             ERR("trying to use a SSL connection, but couldn't load %s. Expect trouble.\n",
 375                 SONAME_LIBCRYPTO);
 376             LeaveCriticalSection(&init_ssl_cs);
 377             return ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
 378         }
 379
 380         /* mmm nice ugly macroness */
 381 #define DYNSSL(x) \
 382     p##x = wine_dlsym(OpenSSL_ssl_handle, #x, NULL, 0); \
 383     if (!p##x) \
 384     { \
 385         ERR("failed to load symbol %s\n", #x); \
 386         LeaveCriticalSection(&init_ssl_cs); \
 387         return ERROR_INTERNET_SECURITY_CHANNEL_ERROR; \
 388     }
 389
 390         DYNSSL(SSL_library_init);
 391         DYNSSL(SSL_load_error_strings);
 392         DYNSSL(SSLv23_method);
 393         DYNSSL(SSL_CTX_free);
 394         DYNSSL(SSL_CTX_new);
 395         DYNSSL(SSL_new);
 396         DYNSSL(SSL_free);
 397         DYNSSL(SSL_set_fd);
 398         DYNSSL(SSL_connect);
 399         DYNSSL(SSL_shutdown);
 400         DYNSSL(SSL_write);
 401         DYNSSL(SSL_read);
 402         DYNSSL(SSL_pending);
 403         DYNSSL(SSL_get_error);
 404         DYNSSL(SSL_get_ex_new_index);
 405         DYNSSL(SSL_get_ex_data);
 406         DYNSSL(SSL_set_ex_data);
 407         DYNSSL(SSL_get_ex_data_X509_STORE_CTX_idx);
 408         DYNSSL(SSL_get_verify_result);
 409         DYNSSL(SSL_get_peer_certificate);
 410         DYNSSL(SSL_CTX_get_timeout);
 411         DYNSSL(SSL_CTX_set_timeout);
 412         DYNSSL(SSL_CTX_set_default_verify_paths);
 413         DYNSSL(SSL_CTX_set_verify);
 414         DYNSSL(X509_STORE_CTX_get_ex_data);
 415 #undef DYNSSL
 416
 417 #define DYNCRYPTO(x) \
 418     p##x = wine_dlsym(OpenSSL_crypto_handle, #x, NULL, 0); \
 419     if (!p##x) \
 420     { \
 421         ERR("failed to load symbol %s\n", #x); \
 422         LeaveCriticalSection(&init_ssl_cs); \
 423         return ERROR_INTERNET_SECURITY_CHANNEL_ERROR; \
 424     }
 425         DYNCRYPTO(BIO_new_fp);
 426         DYNCRYPTO(CRYPTO_num_locks);
 427         DYNCRYPTO(CRYPTO_set_id_callback);
 428         DYNCRYPTO(CRYPTO_set_locking_callback);
 429         DYNCRYPTO(ERR_free_strings);
 430         DYNCRYPTO(ERR_get_error);
 431         DYNCRYPTO(ERR_error_string);
 432         DYNCRYPTO(i2d_X509);
 433         DYNCRYPTO(sk_num);
 434         DYNCRYPTO(sk_value);
 435 #undef DYNCRYPTO
 436
 437         pSSL_library_init();
 438         pSSL_load_error_strings();
 439         pBIO_new_fp(stderr, BIO_NOCLOSE); /* FIXME: should use winedebug stuff */
 440
 441         meth = pSSLv23_method();
 442         ctx = pSSL_CTX_new(meth);
 443         if (!pSSL_CTX_set_default_verify_paths(ctx))
 444         {
 445             ERR("SSL_CTX_set_default_verify_paths failed: %s\n",
 446                 pERR_error_string(pERR_get_error(), 0));
 447             LeaveCriticalSection(&init_ssl_cs);
 448             return ERROR_OUTOFMEMORY;
 449         }
 450         hostname_idx = pSSL_get_ex_new_index(0, (void *)"hostname index",
 451                 NULL, NULL, NULL);
 452         if (hostname_idx == -1)
 453         {
 454             ERR("SSL_get_ex_new_index failed; %s\n",
 455                 pERR_error_string(pERR_get_error(), 0));
 456             LeaveCriticalSection(&init_ssl_cs);
 457             return ERROR_OUTOFMEMORY;
 458         }
 459         error_idx = pSSL_get_ex_new_index(0, (void *)"error index",
 460                 NULL, NULL, NULL);
 461         if (error_idx == -1)
 462         {
 463             ERR("SSL_get_ex_new_index failed; %s\n",
 464                 pERR_error_string(pERR_get_error(), 0));
 465             LeaveCriticalSection(&init_ssl_cs);
 466             return ERROR_OUTOFMEMORY;
 467         }
 468         pSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, netconn_secure_verify);
 469
 470         pCRYPTO_set_id_callback(ssl_thread_id);
 471         num_ssl_locks = pCRYPTO_num_locks();
 472         ssl_locks = HeapAlloc(GetProcessHeap(), 0, num_ssl_locks * sizeof(CRITICAL_SECTION));
 473         if (!ssl_locks)
 474         {
 475             LeaveCriticalSection(&init_ssl_cs);
 476             return ERROR_OUTOFMEMORY;
 477         }
 478         for (i = 0; i < num_ssl_locks; i++)
 479             InitializeCriticalSection(&ssl_locks[i]);
 480         pCRYPTO_set_locking_callback(ssl_lock_callback);
 481         LeaveCriticalSection(&init_ssl_cs);
 482 #else
 483         FIXME("can't use SSL, not compiled in.\n");
 484         return ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
 485 #endif
 486     }
 487     return ERROR_SUCCESS;
 488 }
 489
 490 void NETCON_unload(void)
 491 {
 492 #if defined(SONAME_LIBSSL) && defined(SONAME_LIBCRYPTO)
 493     if (OpenSSL_crypto_handle)
 494     {
 495         pERR_free_strings();
 496         wine_dlclose(OpenSSL_crypto_handle, NULL, 0);
 497     }
 498     if (OpenSSL_ssl_handle)
 499     {
 500         if (ctx)
 501             pSSL_CTX_free(ctx);
 502         wine_dlclose(OpenSSL_ssl_handle, NULL, 0);
 503     }
 504     if (ssl_locks)
 505     {
 506         int i;
 507         for (i = 0; i < num_ssl_locks; i++) DeleteCriticalSection(&ssl_locks[i]);
 508         HeapFree(GetProcessHeap(), 0, ssl_locks);
 509     }
 510 #endif
 511 }
 512
 513 BOOL NETCON_connected(WININET_NETCONNECTION *connection)
 514 {
 515     if (connection->socketFD == -1)
 516         return FALSE;
 517     else
 518         return TRUE;
 519 }
 520
 521 /* translate a unix error code into a winsock one */
 522 int sock_get_error( int err )
 523 {
 524 #if !defined(__MINGW32__) && !defined (_MSC_VER)
 525     switch (err)
 526     {
 527         case EINTR:             return WSAEINTR;
 528         case EBADF:             return WSAEBADF;
 529         case EPERM:
 530         case EACCES:            return WSAEACCES;
 531         case EFAULT:            return WSAEFAULT;
 532         case EINVAL:            return WSAEINVAL;
 533         case EMFILE:            return WSAEMFILE;
 534         case EWOULDBLOCK:       return WSAEWOULDBLOCK;
 535         case EINPROGRESS:       return WSAEINPROGRESS;
 536         case EALREADY:          return WSAEALREADY;
 537         case ENOTSOCK:          return WSAENOTSOCK;
 538         case EDESTADDRREQ:      return WSAEDESTADDRREQ;
 539         case EMSGSIZE:          return WSAEMSGSIZE;
 540         case EPROTOTYPE:        return WSAEPROTOTYPE;
 541         case ENOPROTOOPT:       return WSAENOPROTOOPT;
 542         case EPROTONOSUPPORT:   return WSAEPROTONOSUPPORT;
 543         case ESOCKTNOSUPPORT:   return WSAESOCKTNOSUPPORT;
 544         case EOPNOTSUPP:        return WSAEOPNOTSUPP;
 545         case EPFNOSUPPORT:      return WSAEPFNOSUPPORT;
 546         case EAFNOSUPPORT:      return WSAEAFNOSUPPORT;
 547         case EADDRINUSE:        return WSAEADDRINUSE;
 548         case EADDRNOTAVAIL:     return WSAEADDRNOTAVAIL;
 549         case ENETDOWN:          return WSAENETDOWN;
 550         case ENETUNREACH:       return WSAENETUNREACH;
 551         case ENETRESET:         return WSAENETRESET;
 552         case ECONNABORTED:      return WSAECONNABORTED;
 553         case EPIPE:
 554         case ECONNRESET:        return WSAECONNRESET;
 555         case ENOBUFS:           return WSAENOBUFS;
 556         case EISCONN:           return WSAEISCONN;
 557         case ENOTCONN:          return WSAENOTCONN;
 558         case ESHUTDOWN:         return WSAESHUTDOWN;
 559         case ETOOMANYREFS:      return WSAETOOMANYREFS;
 560         case ETIMEDOUT:         return WSAETIMEDOUT;
 561         case ECONNREFUSED:      return WSAECONNREFUSED;
 562         case ELOOP:             return WSAELOOP;
 563         case ENAMETOOLONG:      return WSAENAMETOOLONG;
 564         case EHOSTDOWN:         return WSAEHOSTDOWN;
 565         case EHOSTUNREACH:      return WSAEHOSTUNREACH;
 566         case ENOTEMPTY:         return WSAENOTEMPTY;
 567 #ifdef EPROCLIM
 568         case EPROCLIM:          return WSAEPROCLIM;
 569 #endif
 570 #ifdef EUSERS
 571         case EUSERS:            return WSAEUSERS;
 572 #endif
 573 #ifdef EDQUOT
 574         case EDQUOT:            return WSAEDQUOT;
 575 #endif
 576 #ifdef ESTALE
 577         case ESTALE:            return WSAESTALE;
 578 #endif
 579 #ifdef EREMOTE
 580         case EREMOTE:           return WSAEREMOTE;
 581 #endif
 582     default: errno=err; perror("sock_set_error"); return WSAEFAULT;
 583     }
 584 #endif
 585     return err;
 586 }
 587
 588 /******************************************************************************
 589  * NETCON_create
 590  * Basically calls 'socket()'
 591  */
 592 DWORD NETCON_create(WININET_NETCONNECTION *connection, int domain,
 593               int type, int protocol)
 594 {
 595 #ifdef SONAME_LIBSSL
 596     if (connection->useSSL)
 597         return ERROR_NOT_SUPPORTED;
 598 #endif
 599
 600     connection->socketFD = socket(domain, type, protocol);
 601     if (connection->socketFD == -1)
 602         return sock_get_error(errno);
 603
 604     return ERROR_SUCCESS;
 605 }
 606
 607 /******************************************************************************
 608  * NETCON_close
 609  * Basically calls 'close()' unless we should use SSL
 610  */
 611 DWORD NETCON_close(WININET_NETCONNECTION *connection)
 612 {
 613     int result;
 614
 615     if (!NETCON_connected(connection)) return ERROR_SUCCESS;
 616
 617 #ifdef SONAME_LIBSSL
 618     if (connection->useSSL)
 619     {
 620         pSSL_shutdown(connection->ssl_s);
 621         pSSL_free(connection->ssl_s);
 622         connection->ssl_s = NULL;
 623
 624         connection->useSSL = FALSE;
 625     }
 626 #endif
 627
 628     result = closesocket(connection->socketFD);
 629     connection->socketFD = -1;
 630
 631     if (result == -1)
 632         return sock_get_error(errno);
 633     return ERROR_SUCCESS;
 634 }
 635
 636 /******************************************************************************
 637  * NETCON_secure_connect
 638  * Initiates a secure connection over an existing plaintext connection.
 639  */
 640 DWORD NETCON_secure_connect(WININET_NETCONNECTION *connection, LPWSTR hostname)
 641 {
 642     DWORD res = ERROR_NOT_SUPPORTED;
 643 #ifdef SONAME_LIBSSL
 644     long verify_res;
 645     X509 *cert;
 646
 647     /* can't connect if we are already connected */
 648     if (connection->useSSL)
 649     {
 650         ERR("already connected\n");
 651         return ERROR_INTERNET_CANNOT_CONNECT;
 652     }
 653
 654     connection->ssl_s = pSSL_new(ctx);
 655     if (!connection->ssl_s)
 656     {
 657         ERR("SSL_new failed: %s\n",
 658             pERR_error_string(pERR_get_error(), 0));
 659         res = ERROR_OUTOFMEMORY;
 660         goto fail;
 661     }
 662
 663     if (!pSSL_set_fd(connection->ssl_s, connection->socketFD))
 664     {
 665         ERR("SSL_set_fd failed: %s\n",
 666             pERR_error_string(pERR_get_error(), 0));
 667         res = ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
 668         goto fail;
 669     }
 670
 671     if (pSSL_connect(connection->ssl_s) <= 0)
 672     {
 673         res = (DWORD_PTR)pSSL_get_ex_data(connection->ssl_s, error_idx);
 674         if (!res)
 675             res = ERROR_INTERNET_SECURITY_CHANNEL_ERROR;
 676         ERR("SSL_connect failed: %d\n", res);
 677         goto fail;
 678     }
 679     pSSL_set_ex_data(connection->ssl_s, hostname_idx, hostname);
 680     cert = pSSL_get_peer_certificate(connection->ssl_s);
 681     if (!cert)
 682     {
 683         ERR("no certificate for server %s\n", debugstr_w(hostname));
 684         /* FIXME: is this the best error? */
 685         res = ERROR_INTERNET_INVALID_CA;
 686         goto fail;
 687     }
 688     verify_res = pSSL_get_verify_result(connection->ssl_s);
 689     if (verify_res != X509_V_OK)
 690     {
 691         ERR("couldn't verify the security of the connection, %ld\n", verify_res);
 692         /* FIXME: we should set an error and return, but we only warn at
 693          * the moment */
 694     }
 695
 696     connection->useSSL = TRUE;
 697     return ERROR_SUCCESS;
 698
 699 fail:
 700     if (connection->ssl_s)
 701     {
 702         pSSL_shutdown(connection->ssl_s);
 703         pSSL_free(connection->ssl_s);
 704         connection->ssl_s = NULL;
 705     }
 706 #endif
 707     return res;
 708 }
 709
 710 /******************************************************************************
 711  * NETCON_connect
 712  * Connects to the specified address.
 713  */
 714 DWORD NETCON_connect(WININET_NETCONNECTION *connection, const struct sockaddr *serv_addr,
 715                     unsigned int addrlen)
 716 {
 717     int result;
 718
 719     result = connect(connection->socketFD, serv_addr, addrlen);
 720     if (result == -1)
 721     {
 722         WARN("Unable to connect to host (%s)\n", strerror(errno));
 723
 724         closesocket(connection->socketFD);
 725         connection->socketFD = -1;
 726         return sock_get_error(errno);
 727     }
 728
 729     return ERROR_SUCCESS;
 730 }
 731
 732 /******************************************************************************
 733  * NETCON_send
 734  * Basically calls 'send()' unless we should use SSL
 735  * number of chars send is put in *sent
 736  */
 737 DWORD NETCON_send(WININET_NETCONNECTION *connection, const void *msg, size_t len, int flags,
 738                 int *sent /* out */)
 739 {
 740     if (!NETCON_connected(connection)) return ERROR_INTERNET_CONNECTION_ABORTED;
 741     if (!connection->useSSL)
 742     {
 743         *sent = send(connection->socketFD, msg, len, flags);
 744         if (*sent == -1)
 745             return sock_get_error(errno);
 746         return ERROR_SUCCESS;
 747     }
 748     else
 749     {
 750 #ifdef SONAME_LIBSSL
 751         if (flags)
 752             FIXME("SSL_write doesn't support any flags (%08x)\n", flags);
 753         *sent = pSSL_write(connection->ssl_s, msg, len);
 754         if (*sent < 1 && len)
 755             return ERROR_INTERNET_CONNECTION_ABORTED;
 756         return ERROR_SUCCESS;
 757 #else
 758         return ERROR_NOT_SUPPORTED;
 759 #endif
 760     }
 761 }
 762
 763 /******************************************************************************
 764  * NETCON_recv
 765  * Basically calls 'recv()' unless we should use SSL
 766  * number of chars received is put in *recvd
 767  */
 768 DWORD NETCON_recv(WININET_NETCONNECTION *connection, void *buf, size_t len, int flags,
 769                 int *recvd /* out */)
 770 {
 771     *recvd = 0;
 772     if (!NETCON_connected(connection)) return ERROR_INTERNET_CONNECTION_ABORTED;
 773     if (!len)
 774         return ERROR_SUCCESS;
 775     if (!connection->useSSL)
 776     {
 777         *recvd = recv(connection->socketFD, buf, len, flags);
 778         if(!*recvd)
 779             NETCON_close(connection);
 780         return *recvd == -1 ? sock_get_error(errno) :  ERROR_SUCCESS;
 781     }
 782     else
 783     {
 784 #ifdef SONAME_LIBSSL
 785         *recvd = pSSL_read(connection->ssl_s, buf, len);
 786
 787         /* Check if EOF was received */
 788         if(!*recvd && (pSSL_get_error(connection->ssl_s, *recvd)==SSL_ERROR_ZERO_RETURN
 789                     || pSSL_get_error(connection->ssl_s, *recvd)==SSL_ERROR_SYSCALL)) {
 790             NETCON_close(connection);
 791             return ERROR_SUCCESS;
 792         }
 793
 794         return *recvd > 0 ? ERROR_SUCCESS : ERROR_INTERNET_CONNECTION_ABORTED;
 795 #else
 796         return ERROR_NOT_SUPPORTED;
 797 #endif
 798     }
 799 }
 800
 801 /******************************************************************************
 802  * NETCON_query_data_available
 803  * Returns the number of bytes of peeked data plus the number of bytes of
 804  * queued, but unread data.
 805  */
 806 BOOL NETCON_query_data_available(WININET_NETCONNECTION *connection, DWORD *available)
 807 {
 808     *available = 0;
 809     if (!NETCON_connected(connection))
 810         return FALSE;
 811
 812     if (!connection->useSSL)
 813     {
 814 #ifdef FIONREAD
 815         int unread;
 816         int retval = ioctlsocket(connection->socketFD, FIONREAD, &unread);
 817         if (!retval)
 818         {
 819             TRACE("%d bytes of queued, but unread data\n", unread);
 820             *available += unread;
 821         }
 822 #endif
 823     }
 824     else
 825     {
 826 #ifdef SONAME_LIBSSL
 827         *available = pSSL_pending(connection->ssl_s);
 828 #endif
 829     }
 830     return TRUE;
 831 }
 832
 833 LPCVOID NETCON_GetCert(WININET_NETCONNECTION *connection)
 834 {
 835 #ifdef SONAME_LIBSSL
 836     X509* cert;
 837     LPCVOID r = NULL;
 838
 839     if (!connection->useSSL)
 840         return NULL;
 841
 842     cert = pSSL_get_peer_certificate(connection->ssl_s);
 843     r = X509_to_cert_context(cert);
 844     return r;
 845 #else
 846     return NULL;
 847 #endif
 848 }
 849
 850 DWORD NETCON_set_timeout(WININET_NETCONNECTION *connection, BOOL send, int value)
 851 {
 852     int result;
 853     struct timeval tv;
 854
 855     /* FIXME: we should probably store the timeout in the connection to set
 856      * when we do connect */
 857     if (!NETCON_connected(connection))
 858         return ERROR_SUCCESS;
 859
 860     /* value is in milliseconds, convert to struct timeval */
 861     tv.tv_sec = value / 1000;
 862     tv.tv_usec = (value % 1000) * 1000;
 863
 864     result = setsockopt(connection->socketFD, SOL_SOCKET,
 865                         send ? SO_SNDTIMEO : SO_RCVTIMEO, (void*)&tv,
 866                         sizeof(tv));
 867
 868     if (result == -1)
 869     {
 870         WARN("setsockopt failed (%s)\n", strerror(errno));
 871         return sock_get_error(errno);
 872     }
 873
 874     return ERROR_SUCCESS;
 875 }