From 58daab21cd043e1dc37024a7f99b396788372918 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sat, 9 Mar 2024 14:19:48 +0100
Subject: Merging upstream version 1.44.3.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 libnetdata/socket/security.c | 49 ++++++++++++++++++++++++++++----------------
 1 file changed, 31 insertions(+), 18 deletions(-)

(limited to 'libnetdata/socket/security.c')

diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 3a3a171e5..4deb76623 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -24,7 +24,7 @@ static SOCKET_PEERS netdata_ssl_peers(NETDATA_SSL *ssl) {
 }
 
 static void netdata_ssl_log_error_queue(const char *call, NETDATA_SSL *ssl, unsigned long err) {
-    error_limit_static_thread_var(erl, 1, 0);
+    nd_log_limit_static_thread_var(erl, 1, 0);
 
     if(err == SSL_ERROR_NONE)
         err = ERR_get_error();
@@ -103,13 +103,14 @@ static void netdata_ssl_log_error_queue(const char *call, NETDATA_SSL *ssl, unsi
         ERR_error_string_n(err, str, 1024);
         str[1024] = '\0';
         SOCKET_PEERS peers = netdata_ssl_peers(ssl);
-        error_limit(&erl, "SSL: %s() on socket local [[%s]:%d] <-> remote [[%s]:%d], returned error %lu (%s): %s",
-                    call, peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, err, code, str);
+        nd_log_limit(&erl, NDLS_DAEMON, NDLP_ERR,
+                     "SSL: %s() on socket local [[%s]:%d] <-> remote [[%s]:%d], returned error %lu (%s): %s",
+                     call, peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, err, code, str);
 
     } while((err = ERR_get_error()));
 }
 
-bool netdata_ssl_open(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd) {
+bool netdata_ssl_open_ext(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd, const unsigned char *alpn_protos, unsigned int alpn_protos_len) {
     errno = 0;
     ssl->ssl_errno = 0;
 
@@ -138,6 +139,8 @@ bool netdata_ssl_open(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd) {
             ssl->state = NETDATA_SSL_STATE_FAILED;
             return false;
         }
+        if (alpn_protos && alpn_protos_len > 0)
+            SSL_set_alpn_protos(ssl->conn, alpn_protos, alpn_protos_len);
     }
 
     if(SSL_set_fd(ssl->conn, fd) != 1) {
@@ -153,6 +156,10 @@ bool netdata_ssl_open(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd) {
     return true;
 }
 
+bool netdata_ssl_open(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd) {
+    return netdata_ssl_open_ext(ssl, ctx, fd, NULL, 0);
+}
+
 void netdata_ssl_close(NETDATA_SSL *ssl) {
     errno = 0;
     ssl->ssl_errno = 0;
@@ -173,7 +180,7 @@ void netdata_ssl_close(NETDATA_SSL *ssl) {
 }
 
 static inline bool is_handshake_complete(NETDATA_SSL *ssl, const char *op) {
-    error_limit_static_thread_var(erl, 1, 0);
+    nd_log_limit_static_thread_var(erl, 1, 0);
 
     if(unlikely(!ssl->conn)) {
         internal_error(true, "SSL: trying to %s on a NULL connection", op);
@@ -183,22 +190,25 @@ static inline bool is_handshake_complete(NETDATA_SSL *ssl, const char *op) {
     switch(ssl->state) {
         case NETDATA_SSL_STATE_NOT_SSL: {
             SOCKET_PEERS peers = netdata_ssl_peers(ssl);
-            error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on non-SSL connection",
-                        peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
+            nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING,
+                         "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on non-SSL connection",
+                         peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
             return false;
         }
 
         case NETDATA_SSL_STATE_INIT: {
             SOCKET_PEERS peers = netdata_ssl_peers(ssl);
-            error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on an incomplete connection",
-                        peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
+            nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING,
+                         "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on an incomplete connection",
+                         peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
             return false;
         }
 
         case NETDATA_SSL_STATE_FAILED: {
             SOCKET_PEERS peers = netdata_ssl_peers(ssl);
-            error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on a failed connection",
-                        peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
+            nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING,
+                         "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on a failed connection",
+                         peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
             return false;
         }
 
@@ -290,7 +300,7 @@ ssize_t netdata_ssl_write(NETDATA_SSL *ssl, const void *buf, size_t num) {
 }
 
 static inline bool is_handshake_initialized(NETDATA_SSL *ssl, const char *op) {
-    error_limit_static_thread_var(erl, 1, 0);
+    nd_log_limit_static_thread_var(erl, 1, 0);
 
     if(unlikely(!ssl->conn)) {
         internal_error(true, "SSL: trying to %s on a NULL connection", op);
@@ -300,8 +310,9 @@ static inline bool is_handshake_initialized(NETDATA_SSL *ssl, const char *op) {
     switch(ssl->state) {
         case NETDATA_SSL_STATE_NOT_SSL: {
             SOCKET_PEERS peers = netdata_ssl_peers(ssl);
-            error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on non-SSL connection",
-                        peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
+            nd_log_limit(&erl,  NDLS_DAEMON, NDLP_WARNING,
+                         "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on non-SSL connection",
+                         peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
             return false;
         }
 
@@ -311,15 +322,17 @@ static inline bool is_handshake_initialized(NETDATA_SSL *ssl, const char *op) {
 
         case NETDATA_SSL_STATE_FAILED: {
             SOCKET_PEERS peers = netdata_ssl_peers(ssl);
-            error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on a failed connection",
-                        peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
+            nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING,
+                         "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on a failed connection",
+                         peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
             return false;
         }
 
         case NETDATA_SSL_STATE_COMPLETE: {
             SOCKET_PEERS peers = netdata_ssl_peers(ssl);
-            error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on an complete connection",
-                        peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
+            nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING,
+                         "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on an complete connection",
+                         peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op);
             return false;
         }
     }
-- 
cgit v1.2.3