diff --git a/src/lib/plugin/ns/SecureSocket.cpp b/src/lib/plugin/ns/SecureSocket.cpp index f182ee8a..6a34fce3 100644 --- a/src/lib/plugin/ns/SecureSocket.cpp +++ b/src/lib/plugin/ns/SecureSocket.cpp @@ -249,7 +249,7 @@ SecureSocket::createSSL() } } -bool +int SecureSocket::secureAccept(int socket) { createSSL(); @@ -269,24 +269,31 @@ SecureSocket::secureAccept(int socket) // tell user and sleep so the socket isn't hammered. LOG((CLOG_ERR "failed to accept secure socket")); LOG((CLOG_INFO "client connection may not be secure")); + m_secureReady = false; ARCH->sleep(1); + return -1; // Failed, error out } + // If not fatal and no retry, state is good if (retry == 0) { m_secureReady = true; - } - else { - m_secureReady = false; - } - - if (m_secureReady) { LOG((CLOG_INFO "accepted secure socket")); + return 1; } - return !m_secureReady; + // If not fatal and retry is set, not ready, and return retry + if (retry > 0) { + LOG((CLOG_DEBUG2 "retry accepting secure socket")); + m_secureReady = false; + return 0; + } + + // no good state exists here + LOG((CLOG_ERR "unexpected state attempting to accept connection")); + return -1; } -bool +int SecureSocket::secureConnect(int socket) { createSSL(); @@ -304,31 +311,32 @@ SecureSocket::secureConnect(int socket) if (fatal) { LOG((CLOG_ERR "failed to connect secure socket")); - LOG((CLOG_INFO "server connection may not be secure")); - return false; + return -1; } - if (retry == 0) { - m_secureReady = true; + // If we should retry, not ready and return 0 + if (retry > 0) { + LOG((CLOG_DEBUG2 "retry connect secure socket")); + m_secureReady = false; + return 0; + } + + // No error, set ready, process and return ok + m_secureReady = true; + if (verifyCertFingerprint()) { + LOG((CLOG_INFO "connected to secure socket")); + if (!showCertificate()) { + disconnect(); + return -1;// Cert fail, error + } } else { - m_secureReady = false; + LOG((CLOG_ERR "failed to verify server certificate fingerprint")); + disconnect(); + return -1; // Fingerprint failed, error } - - if (m_secureReady) { - if (verifyCertFingerprint()) { - LOG((CLOG_INFO "connected to secure socket")); - if (!showCertificate()) { - disconnect(); - } - } - else { - LOG((CLOG_ERR "failed to verify server certificate fingerprint")); - disconnect(); - } - } - - return !m_secureReady; + LOG((CLOG_DEBUG2 "connected secure socket")); + return 1; } bool @@ -545,14 +553,21 @@ SecureSocket::serviceConnect(ISocketMultiplexerJob* job, { Lock lock(&getMutex()); - bool retry = true; + int status = 0; #ifdef SYSAPI_WIN32 - retry = secureConnect(static_cast(getSocket()->m_socket)); + status = secureConnect(static_cast(getSocket()->m_socket)); #elif SYSAPI_UNIX retry = secureConnect(getSocket()->m_fd); #endif - return retry ? job : newJob(); + if (status > 0) { + return newJob(); + } + else if (status == 0) { + return job; + } + // If status < 0, error happened + return NULL; } ISocketMultiplexerJob* @@ -561,12 +576,19 @@ SecureSocket::serviceAccept(ISocketMultiplexerJob* job, { Lock lock(&getMutex()); - bool retry = true; + int status = 0; #ifdef SYSAPI_WIN32 - retry = secureAccept(static_cast(getSocket()->m_socket)); + status = secureAccept(static_cast(getSocket()->m_socket)); #elif SYSAPI_UNIX - retry = secureAccept(getSocket()->m_fd); + status = secureAccept(getSocket()->m_fd); #endif - return retry ? job : newJob(); + if (status > 0) { + return newJob(); + } + else if (status == 0) { + return job; + } + // If status < 0, error happened + return NULL; } diff --git a/src/lib/plugin/ns/SecureSocket.h b/src/lib/plugin/ns/SecureSocket.h index 754956ca..3ea13c59 100644 --- a/src/lib/plugin/ns/SecureSocket.h +++ b/src/lib/plugin/ns/SecureSocket.h @@ -57,8 +57,8 @@ private: // SSL void initContext(bool server); void createSSL(); - bool secureAccept(int s); - bool secureConnect(int s); + int secureAccept(int s); + int secureConnect(int s); bool showCertificate(); void checkResult(int n, bool& fatal, int& retry); void showError(const char* reason = NULL);