[nagiosplug] Ditch contrib/check_http-with-client-certificate.c

Nagios Plugin Development nagios-plugins at users.sourceforge.net
Tue Aug 20 23:20:16 CEST 2013


 Module: nagiosplug
 Branch: master
 Commit: 7a80e27fb38b26713ac5a1f6810b99519a31dbf3
 Author: Holger Weiss <holger at zedat.fu-berlin.de>
   Date: Tue Aug 20 23:11:38 2013 +0200
    URL: http://nagiosplug.git.sf.net/git/gitweb.cgi?p=nagiosplug/nagiosplug;a=commit;h=7a80e27

Ditch contrib/check_http-with-client-certificate.c

The standard check_http plugin now supports client certificate
authentication.

---

 contrib/check_http-with-client-certificate.c | 1567 --------------------------
 1 files changed, 0 insertions(+), 1567 deletions(-)

diff --git a/contrib/check_http-with-client-certificate.c b/contrib/check_http-with-client-certificate.c
deleted file mode 100644
index c47cbd4..0000000
--- a/contrib/check_http-with-client-certificate.c
+++ /dev/null
@@ -1,1567 +0,0 @@
-/****************************************************************************
- *
- * Program: HTTP plugin for Nagios
- * License: GPL
- *
- * License Information:
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- *****************************************************************************/
-
-/****************************************************************************
- *
- * check_http is derived from the original check_http provided by
- * Ethan Galstad/Karl DeBisschop
- *
- * This provides some additional functionality including:
- * - check server certificate against supplied hostname (Host: header) if any
- * - check server certificate against local CA certificates (as browsers do)
- * - authenticate with client certificate (and optional passphrase)
- * - specify HTTP returncodes to return a status of WARNING or OK instead of
- *   CRITICAL (only global for 3xx or 4xx errors)
- * - check only against HTTP status line and exit immediately if not matched
- *
- *****************************************************************************/
-
-const char *progname = "check_http";
-#define REVISION "$Revision: 1117 $"
-#define CVSREVISION "1.24"
-#define COPYRIGHT "2003"
-#define AUTHORS "Fabian Pehla"
-#define EMAIL "fabian at pehla.de"
-
-#include "config.h"
-#include "common.h"
-#include "netutils.h"
-#include "utils.h"
-
-
-#define HELP_TXT_SUMMARY "\
-This plugin tests the HTTP service on the specified host. It can test\n\
-normal (http) and secure (https) servers, follow redirects, search for\n\
-strings and regular expressions, check connection times, and report on\n\
-certificate expiration times.\n"
-
-#define HELP_TXT_OPTIONS "\
--H <virtual host> -I <ip address> [-p <port>] [-u <uri>]\n\
-            [-w <warn time>] [-c <critical time>] [-t <timeout>]\n\
-            [-S] [-C <days>] [-a <basic auth>] [-A <certificate file>]\n\
-            [-Z <ca certificate file>] [-e <expect>] [-E <expect only>]\n\
-            [-s <string>] [-r <regex>] [-R <regex case insensitive>]\n\
-            [-f (ok|warn|critical|follow)] [-g (ok|warn|critical)]\n"
-
-#define HELP_TXT_LONGOPTIONS "\
- -H, --hostname=<virtual host>\n\
-    FQDN host name argument for use in HTTP Host:-Header (virtual host)\n\
-    If used together wich the -S option, the server certificate will\n\
-    be checked against this hostname\n\
- -I, --ip-address=<address>\n\
-   IP address or hostname for TCP connect (use IP to avoid DNS lookup)\n\
- -p, --port=<port>\n\
-   Port number (default: %d)\n\
- -u, --url-path=<uri>\n\
-   URL to request from host (default: %s)\n\
- -S, --ssl\n\
-   Use SSL (default port: %d)\n\
- -C, --server-certificate-days=<days>\n\
-   Minimum number of days a server certificate must be valid\n\
-   No other check can be combined with this option\n\
- -a, --basic-auth=<username:password>\n\
-   Colon separated username and password for basic authentication\n\
- -A, --client-certificate=<certificate file>\n\
-   File containing X509 client certificate and key\n\
- -K, --passphrase=<passphrase>\n\
-   Passphrase for the client certificate key\n\
-   This option can only be used in combination with the -A option\n\
- -Z, --ca-certificate=<certificate file>\n\
-   File containing certificates of trusted CAs\n\
-   The server certificate will be checked against these CAs\n\
- -e, --http-expect=<expect string>\n\
-   String to expect in HTTP response line (Default: %s)\n\
- -E, --http-expect-only=<expect only string>\n\
-   String to expect in HTTP response line\n\
-   No other checks are made, this either matches the response\n\
-   or exits immediately\n\
- -s, --content-string=<string>\n\
-   String to expect in content\n\
- -r, --content-ereg=<regex>\n\
-   Regular expression to expect in content\n\
- -R, --content-eregi=<regex case insensitive>\n\
-   Case insensitive regular expression to expect in content\n\
- -f, --onredirect=(ok|warning|critical|follow)\n\
-   Follow a redirect (3xx) or return with a user defined state\n\
-   Default: OK\n\
- -g, --onerror=(ok|warning|critical)\n\
-   Status to return on a client error (4xx)\n\
- -m, --min=INTEGER\n\
-   Minimum page size required (bytes)\n\
- -t, --timeout=<timeout>\n\
-   Seconds before connection times out (default: %d)\n\
- -c, --critical=<critical time>\n\
-   Response time to result in critical status (seconds)\n\
- -w, --warning=<warn time>\n\
-   Response time to result in warning status (seconds)\n\
- -V, --version\n\
-    Print version information\n\
- -v, --verbose\n\
-    Show details for command-line debugging (do not use with nagios server)\n\
- -h, --help\n\
-    Print detailed help screen\n"
-
-
-
-#define HTTP_PORT 80
-#define DEFAULT_HTTP_URL_PATH "/"
-#define DEFAULT_HTTP_EXPECT "HTTP/1."
-#define DEFAULT_HTTP_METHOD "GET"
-#define DEFAULT_HTTP_REDIRECT_STATE STATE_OK
-#define DEFAULT_HTTP_CLIENT_ERROR_STATE STATE_WARNING
-
-#define HTTP_TEMPLATE_REQUEST "%s%s %s HTTP/1.0\r\n"
-#define HTTP_TEMPLATE_HEADER_USERAGENT "%sUser-Agent: %s/%s (nagios-plugins %s)\r\n"
-#define HTTP_TEMPLATE_HEADER_HOST "%sHost: %s\r\n"
-#define HTTP_TEMPLATE_HEADER_AUTH "%sAuthorization: Basic %s\r\n"
-
-/* fill in printf with protocol_text(use_ssl), state_text(state), page->status, elapsed_time */
-#define RESULT_TEMPLATE_STATUS_RESPONSE_TIME "%s %s: %s - %7.3f seconds response time|time=%7.3f\n"
-#define RESULT_TEMPLATE_RESPONSE_TIME "%s %s: %7.3f seconds response time|time=%7.3f\n"
-
-#ifdef HAVE_SSL
-
-#ifdef HAVE_SSL_H
-#include <rsa.h>
-#include <crypto.h>
-#include <x509.h>
-#include <pem.h>
-#include <ssl.h>
-#include <err.h>
-#include <rand.h>
-#endif
-
-#ifdef HAVE_OPENSSL_SSL_H
-#include <openssl/rsa.h>
-#include <openssl/crypto.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#endif
-
-#define HTTPS_PORT 443
-#endif 
-
-#ifdef HAVE_REGEX_H
-#include <regex.h>
-#define REGEX_REGS 2
-#define MAX_REGEX_SIZE 256
-#endif
-
-#define chk_protocol(protocol) ( strstr( protocol, "https" ) ? TRUE : FALSE );
-#define protocol_std_port(use_ssl) ( use_ssl ? HTTPS_PORT : HTTP_PORT );
-#define protocol_text(use_ssl) ( use_ssl ? "HTTPS" : "HTTP" )
-
-#define MAX_IPV4_HOSTLENGTH 64
-#define HTTP_HEADER_LOCATION_MATCH "%*[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]: "
-#define HTTP_HEADER_PROTOCOL_MATCH "%[HTPShtps]://"
-#define HTTP_HEADER_HOSTNAME_MATCH "%[a-zA-Z0-9.-]"
-#define HTTP_HEADER_PORT_MATCH ":%[0-9]"
-#define HTTP_HEADER_URL_PATH_MATCH "%[/a-zA-Z0-9._-=@,]"
-
-/*
-************************************************************************
-* GLOBAL VARIABLE/POINTER DEFINITIONS                                  *
-************************************************************************
-*/
-
-/* misc variables */
-int verbose = FALSE;
-
-/* time thresholds to determine exit code */
-int use_warning_interval = FALSE;
-double warning_interval = 0;
-int use_critical_interval = FALSE;
-double critical_interval = 0;
-double elapsed_time = 0;
-struct timeval start_tv;
-
-/* variables concerning the server host */
-int use_server_hostname = FALSE;
-char *server_hostname = "";  // hostname for use in HTTPs Host: header
-char *server_host = "";      // hostname or ip address for tcp connect
-int use_server_port = FALSE;
-int server_port = HTTP_PORT;
-
-int use_basic_auth = FALSE;
-char basic_auth[MAX_INPUT_BUFFER] = "";
-
-/* variables concerning server responce */
-struct pageref {
-        char   *content;
-        size_t size;
-        char   *status;
-        char   *header;
-        char   *body;
-};
-
-/* variables concerning ssl connections */
-int use_ssl = FALSE;
-#ifdef HAVE_SSL
-int server_certificate_min_days_valid = 0;
-int check_server_certificate = FALSE;
-X509 *server_certificate;            // structure containing server certificate
-int use_client_certificate = FALSE;
-char *client_certificate_file = NULL;
-int use_client_certificate_passphrase = FALSE;
-char *client_certificate_passphrase = NULL;
-int use_ca_certificate = FALSE;
-char *ca_certificate_file = NULL;
-
-BIO *bio_err = 0;             // error write context
-#endif
-
-
-/* variables concerning check behaviour */
-char *http_method = DEFAULT_HTTP_METHOD;
-char *http_url_path = "";
-int use_http_post_data = FALSE;
-char *http_post_data = "";
-int use_min_content_length = FALSE;
-int min_content_length = 0;
-int use_http_expect_only = FALSE;
-char http_expect[MAX_INPUT_BUFFER] = DEFAULT_HTTP_EXPECT;
-int check_content_string = FALSE;
-char content_string[MAX_INPUT_BUFFER] = "";
-int http_redirect_state = DEFAULT_HTTP_REDIRECT_STATE;
-int http_client_error_state = DEFAULT_HTTP_CLIENT_ERROR_STATE;
-
-#ifdef HAVE_REGEX_H
-regex_t regex_preg;
-regmatch_t regex_pmatch[REGEX_REGS];
-int check_content_regex = FALSE;
-char content_regex[MAX_REGEX_SIZE] = "";
-int regex_cflags = REG_NOSUB | REG_EXTENDED | REG_NEWLINE;
-int regex_error = 0;
-char regex_error_buffer[MAX_INPUT_BUFFER] = "";
-#endif
-
-
-
-/*
-************************************************************************
-* FUNCTION PROTOTYPES                                                  *
-************************************************************************
-*/
-
-void print_usage( void );
-void print_help( void );
-int process_arguments (int, char **);
-int http_request( int sock, struct pageref *page);
-
-int parse_http_response( struct pageref *page );
-int check_http_response( struct pageref *page );
-int check_http_content( struct pageref *page );
-int prepare_follow_redirect( struct pageref *page );
-
-static char *base64 (char *bin, int len);
-
-#ifdef HAVE_SSL
-int ssl_terminate( int state, char *string );
-static int passwd_cb( char *buf, int num, int rwflag, void *userdata );
-static void sigpipe_handle( int x );
-SSL_CTX * initialize_ssl_ctx( void );
-void destroy_ssl_ctx( SSL_CTX *ctx );
-int fetch_server_certificate( SSL *ssl );
-int check_server_certificate_chain( SSL *ssl );
-int check_server_certificate_hostname( void );
-int check_server_certificate_expires( void );
-int https_request( SSL_CTX *ctx, SSL *ssl, struct pageref *page );
-#endif
-
-/*
-************************************************************************
-* IMPLEMENTATION                                                       * 
-************************************************************************
-*/
-
-/*
- * main()
- *
- * PSEUDOCODE OF HOW MAIN IS SUPPOSED TO WORK
- *
- * process command line arguments including sanity check
- * initialize alarm signal handling
- * if use_ssl
- *   build ssl context
- * LOOP:
- * make tcp connection
- * if use_ssl 
- *   make ssl connection
- *   if use_server_hostname
- *     check if certificate matches hostname
- *   if check_server_certificate
- *     check expiration date of server certificate
- *     return STATUS
- *   else 
- *     request http page
- *     handle ssl rehandshake
- *   close ssl connection
- * else
- *   request http page
- * close tcp connection
- * analyze http page
- * if follow on redirect
- *   repeat LOOP
- * end of LOOP
- * destroy ssl context
- */
-int
-main (int argc, char **argv)
-{
-        int result = STATE_UNKNOWN;
-        int sock;
-        struct pageref page;
-#ifdef HAVE_SSL
-        SSL_CTX *ctx;
-        SSL *ssl;
-        BIO *sbio;
-#endif
-
-        if ( process_arguments(argc, argv) == ERROR )
-                usage( "check_http: could not parse arguments\n" );
-
-#ifdef HAVE_SSL
-        /* build SSL context if required:
-         * a) either we use ssl from the beginning OR
-         * b) or we follor redirects wich may lead os to a ssl page 
-         */
-        if ( use_ssl || ( http_redirect_state == STATE_DEPENDENT ) )
-                ctx=initialize_ssl_ctx();
-#endif
-
-        /* Loop around 3xx onredirect=follow */
-        do {
-
-                /*
-                 * initialize alarm signal handling, set socket timeout, start timer
-                 * socket_timeout and socket_timeout_alarm_handler are defined in
-                 * netutils.c
-                 */
-                (void) signal( SIGALRM, socket_timeout_alarm_handler );
-                (void) alarm( socket_timeout );
-                gettimeofday( &start_tv, NULL );
-        
-                /* make a tcp connection */
-                result = my_tcp_connect( server_host, server_port, &sock );
-        
-                /* result of tcp connect */
-                if ( result == STATE_OK )
-                {
-#ifdef HAVE_SSL
-                        /* make a ssl connection */
-                        if ( use_ssl ) {
-                                ssl=SSL_new( ctx );
-                                sbio=BIO_new_socket( sock, BIO_NOCLOSE );
-                                SSL_set_bio( ssl, sbio, sbio);
-                                if ( SSL_connect( ssl ) <= 0 )
-                                        ssl_terminate( STATE_CRITICAL, "check_http: SSL connect error" );
-
-                                /* fetch server certificate */
-                                result = fetch_server_certificate( ssl );
-
-                                /* verify server certificate against CAs */
-                                if ( ( result == STATE_OK ) && use_ca_certificate ) {
-                                        result = check_server_certificate_chain( ssl );
-                                }
-
-                                /* check if certificate matches hostname */
-                                if ( ( result == STATE_OK ) && use_server_hostname ) {
-                                        result = check_server_certificate_hostname();
-                                }
-
-                                if ( result == STATE_OK ) {
-                                        /* check server certificate expire date */
-                                        if ( check_server_certificate ) {
-                                                result = check_server_certificate_expires();
-                                        /* OR: perform http request */
-                                        } else {
-                                                result = https_request( ctx, ssl, (struct pageref *) &page );
-                                        }
-                                }
-                                SSL_shutdown( ssl );
-                                SSL_free( ssl );
-                        } else {
-#endif
-                        /* HTTP implementation */
-                        result = http_request( sock, (struct pageref *) &page );
-#ifdef HAVE_SSL
-                        }
-#endif
-                        /* stop timer and calculate elapsed_time */
-                        elapsed_time = delta_time( start_tv );
-
-                        /* close the tcp connection */
-                        close( sock );
-
-                        /* reset the alarm */
-                        alarm( 0 );
-
-                        /* analyze http page */
-                        /* TO DO */
-                        if ( result == STATE_OK )
-                                result = parse_http_response( (struct pageref *) &page );
-
-                        if ( result == STATE_OK )
-                                result = check_http_response( (struct pageref *) &page );
-
-                        switch ( result ) {
-                                case STATE_OK:
-                                        /* weiter geht's */
-                                        result = check_http_content( (struct pageref *) &page );
-                                        break;
-                                case STATE_DEPENDENT:
-                                        /* try to determine redirect parameters */
-                                        result = prepare_follow_redirect( (struct pageref *) &page );
-                                        break;
-                        }
-
-                } else {
-                        /* some error occured while trying to make a tcp connect */
-                        exit( result );
-                }
-
-        } while ( result == STATE_DEPENDENT ); // end of onredirect loop
-
-        /* destroy SSL context */
-#ifdef HAVE_SSL
-        if ( use_ssl || ( http_redirect_state == STATE_DEPENDENT ) )
-                destroy_ssl_ctx( ctx );
-#endif
-
-        /* if we ever get to this point, everything went fine */
-        printf( RESULT_TEMPLATE_STATUS_RESPONSE_TIME, 
-                protocol_text( use_ssl ),
-                state_text( result ),
-                page.status,
-                elapsed_time,
-                elapsed_time );
-
-        return result;
-}
-
-
-void
-print_help( void )
-{
-        print_revision( progname, REVISION );
-        printf
-                ( "Copyright (c) %s %s <%s>\n\n%s\n",
-                 COPYRIGHT, AUTHORS, EMAIL, HELP_TXT_SUMMARY );
-        print_usage();
-        printf( "NOTE: One or both of -H and -I must be specified\n" );
-        printf( "\nOptions:\n" HELP_TXT_LONGOPTIONS "\n",
-                HTTP_PORT, DEFAULT_HTTP_URL_PATH, HTTPS_PORT,
-                DEFAULT_HTTP_EXPECT, DEFAULT_SOCKET_TIMEOUT );
-#ifdef HAVE_SSL
-        //printf( SSLDESCRIPTION );
-#endif
-}
-
-
-void
-print_usage( void )
-{
-        printf( "Usage:\n" " %s %s\n"
-#ifdef HAVE_GETOPT_H
-                " %s (-h | --help) for detailed help\n"
-                " %s (-V | --version) for version information\n",
-#else
-                " %s -h for detailed help\n"
-                " %s -V for version information\n",
-#endif
-        progname, HELP_TXT_OPTIONS, progname, progname );
-}
-
-
-/*
-* process_arguments()
-*
-* process command line arguments either using getopt_long or getopt
-* (parsing long argumants manually)
-*/
-int
-process_arguments( int argc, char **argv )
-{
-        int c, i = 1;
-        extern char *optarg;
-
-#ifdef HAVE_GETOPT_H
-        int option_index = 0;
-        static struct option long_options[] = {
-                STD_LONG_OPTS,
-                {"file", required_argument, 0, 'F'},
-                {"ip-address", required_argument, 0, 'I'},
-                {"port", required_argument, 0, 'p'},
-                {"url-path", required_argument, 0, 'u'},
-                {"post-data", required_argument, 0, 'P'},
-                {"ssl", no_argument, 0, 'S'},
-                {"server-certificate-days", required_argument, 0, 'C'},
-                {"basic-auth", required_argument, 0, 'a'},
-                {"client-certificate", required_argument, 0, 'A'},
-                {"passphrase", required_argument, 0, 'K'},
-                {"ca-certificate", required_argument, 0, 'Z'},
-                {"http-expect", required_argument, 0, 'e'},
-                {"http-expect-only", required_argument, 0, 'E'},
-                {"content-string", required_argument, 0, 's'},
-                {"content-ereg-linespan", required_argument, 0, 'l'},
-                {"content-ereg", required_argument, 0, 'r'},
-                {"content-eregi", required_argument, 0, 'R'},
-                {"onredirect", required_argument, 0, 'f'},
-                {"onerror", required_argument, 0, 'g'},
-                {"min", required_argument, 0, 'm'},
-                {0, 0, 0, 0}
-        };
-#endif
-
-
-        /* convert commonly used arguments to their equivalent standard options */
-        for (c = 1; c < argc; c++) {
-                if ( strcmp( "-to", argv[c]) == 0 )
-                        strcpy( argv[c], "-t" );
-                if ( strcmp( "-hn", argv[c]) == 0 )
-                        strcpy( argv[c], "-H" );
-                if ( strcmp( "-wt", argv[c]) == 0 )
-                        strcpy( argv[c], "-w" );
-                if ( strcmp( "-ct", argv[c]) == 0 )
-                        strcpy( argv[c], "-c" );
-        }
-
-#define OPTCHARS "Vvht:c:w:H:F:I:p:u:P:SC:a:A:K:Z:e:E:s:r:R:f:g:lm:"
-
-
-        while (1) {
-
-#ifdef HAVE_GETOPT_H
-                c = getopt_long( argc, argv, OPTCHARS, long_options, &option_index );
-#else
-                c = getopt( argc, argv, OPTCHARS );
-#endif
-
-                if ( ( c == -1 ) || ( c == EOF ) ) {
-                        break;
-                }
-
-                switch (c) {
-                case '?': /* usage */
-                        usage2( "unknown argument", optarg );
-                        break;
-
-		/* Standard options */
-                case 'h': /* help */
-                        print_help();
-                        exit( STATE_OK );
-                        break;
-                case 'V': /* version */
-                        print_revision( progname, REVISION );
-                        exit( STATE_OK );
-                        break;
-                case 'v': /* verbose */
-                        verbose = TRUE;
-                        break;
-                case 't': /* timeout period */
-                        if ( !is_intnonneg( optarg ) )
-                                usage2( "timeout interval must be a non-negative integer", optarg );
-                        /* socket_timeout is defined in netutils.h and defaults to
-                         * DEFAULT_SOCKET_TIMEOUT from common.h
-                         */
-                        socket_timeout = atoi( optarg );
-                        break;
-                case 'c': /* critical time threshold */
-                        if ( !is_nonnegative( optarg ) )
-                                usage2( "invalid critical threshold", optarg );
-                        critical_interval = strtod( optarg, NULL );
-                        use_critical_interval = TRUE;
-                        break;
-                case 'w': /* warning time threshold */
-                        if ( !is_nonnegative( optarg ) )
-                                usage2( "invalid warning threshold", optarg );
-                        warning_interval = strtod( optarg, NULL );
-                        use_warning_interval = TRUE;
-                        break;
-                case 'H': /* Host Name (virtual host) */
-                        /* this rejects FQDNs, so we leave it for now... 
-                         *if ( !is_hostname( optarg ) )
-                         *        usage2( "invalid hostname", optarg );
-                         */
-                        xasprintf( &server_hostname, "%s", optarg );
-                        use_server_hostname = TRUE;
-                        break;
-                case 'F': /* File (dummy) */
-                        break;
-		/* End of standard options */
-
-
-                case 'I': /* Server IP-address or Hostname */
-                        /* this rejects FQDNs, so we leave it for now... 
-                         *if ( !is_host( optarg ) )
-                         *        usage2( "invalid ip address or hostname", optarg )
-                         */
-                        xasprintf( &server_host, "%s", optarg );
-                        break;
-                case 'p': /* Server port */
-                        if ( !is_intnonneg( optarg ) )
-                                usage2( "invalid port number", optarg );
-                        server_port = atoi( optarg );
-                        use_server_port = TRUE;
-                        break;
-                case 'S': /* use SSL */
-#ifdef HAVE_SSL
-                        use_ssl = TRUE;
-                        if ( use_server_port == FALSE )
-                                server_port = HTTPS_PORT;
-#else
-                        usage( "check_http: invalid option - SSL is not available\n" );
-#endif
-                        break;
-                case 'C': /* Server certificate warning time threshold */
-#ifdef HAVE_SSL
-                        if ( !is_intnonneg( optarg ) )
-                                usage2( "invalid certificate expiration period", optarg );
-                        server_certificate_min_days_valid = atoi( optarg );
-                        check_server_certificate = TRUE;
-#else
-                        usage( "check_http: invalid option - SSL is not available\n" );
-#endif
-                        break;
-                case 'a': /* basic authorization info */
-                        strncpy( basic_auth, optarg, MAX_INPUT_BUFFER - 1 );
-                        basic_auth[MAX_INPUT_BUFFER - 1] = 0;
-                        use_basic_auth = TRUE;
-                        break;
-                case 'A': /* client certificate */
-#ifdef HAVE_SSL
-                        xasprintf( &client_certificate_file, "%s", optarg );
-                        use_client_certificate = TRUE;
-#else
-                        usage( "check_http: invalid option - SSL is not available\n" );
-#endif
-                        break;
-                case 'K': /* client certificate passphrase */
-#ifdef HAVE_SSL
-                        xasprintf( &client_certificate_passphrase, "%s", optarg );
-                        use_client_certificate_passphrase = TRUE;
-#else
-                        usage( "check_http: invalid option - SSL is not available\n" );
-#endif
-                case 'Z': /* valid CA certificates */
-#ifdef HAVE_SSL
-                        xasprintf( &ca_certificate_file, "%s", optarg );
-                        use_ca_certificate = TRUE;
-#else
-                        usage( "check_http: invalid option - SSL is not available\n" );
-#endif
-                        break;
-                case 'u': /* URL PATH */
-                        xasprintf( &http_url_path, "%s", optarg );
-                        break;
-                case 'P': /* POST DATA */
-                        xasprintf( &http_post_data, "%s", optarg );
-                        use_http_post_data = TRUE;
-                        xasprintf( &http_method, "%s", "POST" );
-                        break;
-                case 'e': /* expected string in first line of HTTP response */
-                        strncpy( http_expect , optarg, MAX_INPUT_BUFFER - 1 );
-                        http_expect[MAX_INPUT_BUFFER - 1] = 0;
-                        break;
-                case 'E': /* expected string in first line of HTTP response and process no other check*/
-                        strncpy( http_expect , optarg, MAX_INPUT_BUFFER - 1 );
-                        http_expect[MAX_INPUT_BUFFER - 1] = 0;
-                        use_http_expect_only = TRUE;
-                        break;
-                case 's': /* expected (sub-)string in content */
-                        strncpy( content_string , optarg, MAX_INPUT_BUFFER - 1 );
-                        content_string[MAX_INPUT_BUFFER - 1] = 0;
-                        check_content_string = TRUE;
-                        break;
-                case 'l': /* regex linespan */
-#ifdef HAVE_REGEX_H
-                        regex_cflags &= ~REG_NEWLINE;
-#else
-                        usage( "check_http: call for regex which was not a compiled option\n" );
-#endif
-                        break;
-                case 'R': /* expected case insensitive regular expression in content */
-#ifdef HAVE_REGEX_H
-                        regex_cflags |= REG_ICASE;
-#else
-                        usage( "check_http: call for regex which was not a compiled option\n" );
-#endif
-                case 'r': /* expected regular expression in content */
-#ifdef HAVE_REGEX_H
-                        strncpy( content_regex , optarg, MAX_REGEX_SIZE - 1 );
-                        content_regex[MAX_REGEX_SIZE - 1] = 0;
-                        check_content_regex = TRUE;
-                        regex_error = regcomp( &regex_preg, content_regex, regex_cflags );
-                        if ( regex_error != 0 ) {
-                                regerror( regex_error, &regex_preg, regex_error_buffer, MAX_INPUT_BUFFER );
-                                printf( "Could Not Compile Regular Expression: %s", regex_error_buffer );
-                                return ERROR;
-                        }
-#else
-                        usage( "check_http: call for regex which was not a compiled option\n" );
-#endif
-                        break;
-                case 'f': /* onredirect (3xx errors) */
-                        if ( !strcmp( optarg, "follow" ) )
-                                http_redirect_state = STATE_DEPENDENT;
-                        if ( !strcmp( optarg, "unknown" ) )
-                                http_redirect_state = STATE_UNKNOWN;
-                        if ( !strcmp( optarg, "ok" ) )
-                                http_redirect_state = STATE_OK;
-                        if ( !strcmp( optarg, "warning" ) )
-                                http_redirect_state = STATE_WARNING;
-                        if ( !strcmp( optarg, "critical" ) )
-                                http_redirect_state = STATE_CRITICAL;
-                        break;
-                case 'g': /* onerror (4xx errors) */
-                        if ( !strcmp( optarg, "unknown" ) )
-                                http_client_error_state = STATE_UNKNOWN;
-                        if ( !strcmp( optarg, "ok" ) )
-                                http_client_error_state = STATE_OK;
-                        if ( !strcmp( optarg, "warning" ) )
-                                http_client_error_state = STATE_WARNING;
-                        if ( !strcmp( optarg, "critical" ) )
-                                http_client_error_state = STATE_CRITICAL;
-                        break;
-                case 'm': /* min */
-                        if ( !is_intnonneg( optarg ) )
-                                usage2( "invalid page size", optarg );
-                        min_content_length = atoi( optarg );
-                        use_min_content_length = TRUE;
-                        break;
-                } // end switch 
-        } // end while(1)
-
-        c = optind;
-
-
-        /* Sanity checks on supplied command line arguments */
-
-        /* 1. if both host and hostname are not defined, try to
-         *    fetch one more argument which is possibly supplied
-         *    without an option
-         */
-        if ( ( strcmp( server_host, "" ) ) && (c < argc) ) {
-                xasprintf( &server_host, "%s", argv[c++] );
-        }
-
-        /* 2. check if another artument is supplied
-         */
-        if ( ( strcmp( server_hostname, "" ) == 0 ) && (c < argc) ) {
-               xasprintf( &server_hostname, "%s", argv[c++] ); 
-        }
-
-        /* 3. if host is still not defined, just copy hostname, 
-         *    which is then guaranteed to be defined by now
-         */
-        if ( strcmp( server_host, "") == 0 ) {
-                if ( strcmp( server_hostname, "" ) == 0 ) {
-			usage ("check_http: you must specify a server address or host name\n");
-                } else {
-                        xasprintf( &server_host, "%s", server_hostname );
-                }
-        }
-
-        /* 4. check if content checks for a string and a regex
-         *    are requested for only one of both is possible at
-         *    a time
-         */
-        if ( check_content_string && check_content_regex )
-                usage( "check_http: you can only check for string OR regex at a time\n" );
-
-        /* 5. check for options which require use_ssl */
-        if ( check_server_certificate && !use_ssl ) 
-                usage( "check_http: you must use -S to check server certificate\n" );
-        if ( use_client_certificate && !use_ssl ) 
-                usage( "check_http: you must use -S to authenticate with a client certificate\n" );
-        if ( use_ca_certificate && !use_ssl ) 
-                usage( "check_http: you must use -S to check server certificate against CA certificates\n" );
-
-        /* 6. check for passphrase without client certificate */
-        if ( use_client_certificate_passphrase && !use_client_certificate )
-                usage( "check_http: you must supply a client certificate to use a passphrase\n" );
-
-
-        /* Finally set some default values if necessary */
-        if ( strcmp( http_method, "" ) == 0 )
-                xasprintf( &http_method, "%s", DEFAULT_HTTP_METHOD );
-        if ( strcmp( http_url_path, "" ) == 0 ) {
-                xasprintf( &http_url_path, "%s", DEFAULT_HTTP_URL_PATH );
-        }
-
-        return TRUE;
-}
-
-
-int 
-http_request( int sock, struct pageref *page )
-{
-        char *buffer = "";
-        char recvbuff[MAX_INPUT_BUFFER] = ""; 
-        int buffer_len = 0;
-        int content_len = 0;
-        size_t sendsize = 0;
-        size_t recvsize = 0;
-        char *content = ""; 
-        size_t size = 0;
-        char *basic_auth_encoded = NULL;
-
-        xasprintf( &buffer, HTTP_TEMPLATE_REQUEST, buffer, http_method, http_url_path );
-
-        xasprintf( &buffer, HTTP_TEMPLATE_HEADER_USERAGENT, buffer, progname, REVISION, PACKAGE_VERSION );
-
-        if ( use_server_hostname ) {
-                xasprintf( &buffer, HTTP_TEMPLATE_HEADER_HOST, buffer, server_hostname );
-        }
-
-        if ( use_basic_auth ) {
-                basic_auth_encoded = base64( basic_auth, strlen( basic_auth ) );
-                xasprintf( &buffer, HTTP_TEMPLATE_HEADER_AUTH, buffer, basic_auth_encoded );
-        }
-
-        /* either send http POST data */
-        if ( use_http_post_data ) {
-        /* based on code written by Chris Henesy <lurker at shadowtech.org> */
-                xasprintf( &buffer, "Content-Type: application/x-www-form-urlencoded\r\n" );
-                xasprintf( &buffer, "Content-Length: %i\r\n\r\n", buffer, content_len );
-                xasprintf( &buffer, "%s%s%s", buffer, http_post_data, "\r\n" );
-                sendsize = send( sock, buffer, strlen( buffer ), 0 );
-                if ( sendsize < strlen( buffer ) ) {
-                        printf( "ERROR: Incomplete write\n" );
-                        return STATE_CRITICAL;
-                }
-        /* or just a newline */
-        } else {
-	        xasprintf( &buffer, "%s%s", buffer, "\r\n" );
-	       	sendsize = send( sock, buffer, strlen( buffer ) , 0 );
-	       	if ( sendsize < strlen( buffer ) ) {
-	  	        printf( "ERROR: Incomplete write\n" );
-	                return STATE_CRITICAL;
-	        }
-	}
-
-
-        /* read server's response */
-
-        do {
-                recvsize = recv( sock, recvbuff, MAX_INPUT_BUFFER - 1, 0 );
-                if ( recvsize > (size_t) 0 ) {
-                        recvbuff[recvsize] = '\0';
-                        xasprintf( &content, "%s%s", content, recvbuff );
-                        size += recvsize;
-                }
-        } while ( recvsize > (size_t) 0 );
-
-        xasprintf( &page->content, "%s", content );
-        page->size = size;
-
-        /* return a CRITICAL status if we couldn't read any data */
-        if ( size == (size_t) 0)
-                ssl_terminate( STATE_CRITICAL, "No data received" );
-
-        return STATE_OK;
-}
-
-
-int
-parse_http_response( struct pageref *page )
-{
-	char *content = "";     //local copy of struct member
-        char *status = "";      //local copy of struct member
-        char *header = "";      //local copy of struct member
-        size_t len = 0;         //temporary used
-        char *pos = "";         //temporary used
-
-        xasprintf( &content, "%s", page->content );
-
-        /* find status line and null-terminate it */
-        // copy content to status
-        status = content;
-        
-        // find end of status line and copy pointer to pos
-        content += (size_t) strcspn( content, "\r\n" );
-        pos = content;
-
-        // advance content pointer behind the newline of status line
-        content += (size_t) strspn( content, "\r\n" );
-
-        // null-terminate status line at pos
-        status[strcspn( status, "\r\n")] = 0;
-        strip( status );
-
-        // copy final status to struct member
-        page->status = status;
-
-
-        /* find header and null-terminate it */
-        // copy remaining content to header
-        header = content;
-
-        // loop until line containing only newline is found (end of header)
-        while ( strcspn( content, "\r\n" ) > 0 ) {
-                //find end of line and copy pointer to pos
-                content += (size_t) strcspn( content, "\r\n" );
-                pos = content;
-
-                if ( ( strspn( content, "\r" ) == 1 && strspn( content, "\r\n" ) >= 2 ) ||
-                     ( strspn( content, "\n" ) == 1 && strspn( content, "\r\n" ) >= 2 ) )
-                        content += (size_t) 2;
-                else
-                        content += (size_t) 1;
-        }
-        // advance content pointer behind the newline
-        content += (size_t) strspn( content, "\r\n" );
-
-        // null-terminate header at pos
-        header[pos - header] = 0;
-
-        // copy final header to struct member
-        page->header = header;
-
-
-        // copy remaining content to body
-        page->body = content;
-
-        if ( verbose ) {
-                printf( "STATUS: %s\n", page->status );
-                printf( "HEADER: \n%s\n", page->header );
-                printf( "BODY: \n%s\n", page->body );
-        }
-
-        return STATE_OK;
-}
-
-
-int
-check_http_response( struct pageref *page )
-{
-        char *msg = "";
-
-        /* check response time befor anything else */
-        if ( use_critical_interval && ( elapsed_time > critical_interval ) ) {
-                xasprintf( &msg, RESULT_TEMPLATE_RESPONSE_TIME, 
-                                protocol_text( use_ssl ),
-                                state_text( STATE_CRITICAL ),
-                                elapsed_time,
-                                elapsed_time ); 
-                terminate( STATE_CRITICAL, msg );
-        }
-        if ( use_warning_interval  && ( elapsed_time > warning_interval ) ) {
-                xasprintf( &msg, RESULT_TEMPLATE_RESPONSE_TIME, 
-                                protocol_text( use_ssl ),
-                                state_text( STATE_WARNING ),
-                                elapsed_time,
-                                elapsed_time );
-                terminate( STATE_WARNING, msg );
-        }
-
-
-        /* make sure the status line matches the response we are looking for */
-        if ( strstr( page->status, http_expect ) ) {
-                /* The result is only checked against the expected HTTP status line,
-                   so exit immediately after this check */
-                if ( use_http_expect_only ) {
-                        if ( ( server_port == HTTP_PORT ) 
-#ifdef HAVE_SSL
-                             || ( server_port == HTTPS_PORT ) )
-#else
-                           )
-#endif 
-                                xasprintf( &msg, "Expected HTTP response received from host\n" );
-                        else
-                                xasprintf( &msg, "Expected HTTP response received from host on port %d\n", server_port );
-                        terminate( STATE_OK, msg );
-                }
-        } else {
-                if ( ( server_port == HTTP_PORT )
-#ifdef HAVE_SSL
-                     || ( server_port == HTTPS_PORT ) )
-#else
-                   )
-#endif
-                        xasprintf( &msg, "Invalid HTTP response received from host\n" );
-                else
-                        xasprintf( &msg, "Invalid HTTP response received from host on port %d\n", server_port );
-                terminate( STATE_CRITICAL, msg );
-        }
-
-        /* check the return code */
-        /* server errors result in a critical state */
-        if ( strstr( page->status, "500" ) ||
-             strstr( page->status, "501" ) ||
-             strstr( page->status, "502" ) ||
-             strstr( page->status, "503" ) ||
-             strstr( page->status, "504" ) ||
-             strstr( page->status, "505" )) {
-                xasprintf( &msg, RESULT_TEMPLATE_STATUS_RESPONSE_TIME,
-                                protocol_text( use_ssl ),
-                                state_text( http_client_error_state ),
-                                page->status,
-                                elapsed_time,
-                                elapsed_time );
-                terminate( STATE_CRITICAL, msg );
-        }
-
-        /* client errors result in a warning state */
-        if ( strstr( page->status, "400" ) ||
-             strstr( page->status, "401" ) ||
-             strstr( page->status, "402" ) ||
-             strstr( page->status, "403" ) ||
-             strstr( page->status, "404" ) ||
-             strstr( page->status, "405" ) ||
-             strstr( page->status, "406" ) ||
-             strstr( page->status, "407" ) ||
-             strstr( page->status, "408" ) ||
-             strstr( page->status, "409" ) ||
-             strstr( page->status, "410" ) ||
-             strstr( page->status, "411" ) ||
-             strstr( page->status, "412" ) ||
-             strstr( page->status, "413" ) ||
-             strstr( page->status, "414" ) ||
-             strstr( page->status, "415" ) ||
-             strstr( page->status, "416" ) ||
-             strstr( page->status, "417" ) ) {
-                xasprintf( &msg, RESULT_TEMPLATE_STATUS_RESPONSE_TIME,
-                                protocol_text( use_ssl ),
-                                state_text( http_client_error_state ),
-                                page->status,
-                                elapsed_time,
-                                elapsed_time );
-                terminate( http_client_error_state, msg );
-        }
-
-        /* check redirected page if specified */
-        if (strstr( page->status, "300" ) ||
-            strstr( page->status, "301" ) ||
-            strstr( page->status, "302" ) ||
-            strstr( page->status, "303" ) ||
-            strstr( page->status, "304" ) ||
-            strstr( page->status, "305" ) ||
-            strstr( page->status, "306" ) ||
-            strstr( page->status, "307" ) ) {
-                if ( http_redirect_state == STATE_DEPENDENT ) {
-                                /* returning STATE_DEPENDENT means follow redirect */
-                                return STATE_DEPENDENT;
-                } else {
-                        xasprintf( &msg, RESULT_TEMPLATE_STATUS_RESPONSE_TIME,
-                                        protocol_text( use_ssl ),
-                                        state_text( http_redirect_state ),
-                                        page->status,
-                                        elapsed_time,
-                                        elapsed_time );
-                        terminate( http_redirect_state, msg );
-                }
-        }
-
-        return STATE_OK;
-}
-
-int
-check_http_content( struct pageref *page )
-{
-        char *msg = "";
-
-        /* check for string in content */
-        if ( check_content_string ) {
-                if ( strstr( page->content, content_string ) ) {
-                        xasprintf( &msg, RESULT_TEMPLATE_STATUS_RESPONSE_TIME,
-                                        protocol_text( use_ssl ),
-                                        state_text( STATE_OK ),
-                                        page->status,
-                                        elapsed_time,
-                                        elapsed_time );
-                        terminate( STATE_OK, msg );
-                } else {
-                        xasprintf( &msg, RESULT_TEMPLATE_STATUS_RESPONSE_TIME,
-                                        protocol_text( use_ssl ),
-                                        state_text( STATE_CRITICAL ),
-                                        page->status,
-                                        elapsed_time,
-                                        elapsed_time );
-                        terminate( STATE_CRITICAL, msg );
-                }
-        }
-
-#ifdef HAVE_REGEX_H
-        /* check for regex in content */
-        if ( check_content_regex ) {
-                regex_error = regexec( &regex_preg, page->content, REGEX_REGS, regex_pmatch, 0);
-                if ( regex_error == 0 ) {
-                        xasprintf( &msg, RESULT_TEMPLATE_STATUS_RESPONSE_TIME,
-                                        protocol_text( use_ssl ),
-                                        state_text( STATE_OK ),
-                                        page->status,
-                                        elapsed_time,
-                                        elapsed_time );
-                        terminate( STATE_OK, msg );
-                } else {
-                        if ( regex_error == REG_NOMATCH ) {
-                                xasprintf( &msg, "%s, %s: regex pattern not found\n",
-                                                protocol_text( use_ssl) ,
-                                                state_text( STATE_CRITICAL ) );
-                                terminate( STATE_CRITICAL, msg );
-                        } else {
-                                regerror( regex_error, &regex_preg, regex_error_buffer, MAX_INPUT_BUFFER);
-                                xasprintf( &msg, "%s %s: Regex execute Error: %s\n",
-                                                protocol_text( use_ssl) ,
-                                                state_text( STATE_CRITICAL ),
-                                                regex_error_buffer );
-                                terminate( STATE_CRITICAL, msg );
-                        }
-                }
-        }
-#endif
-
-        return STATE_OK;
-}
-
-
-int
-prepare_follow_redirect( struct pageref *page )
-{
-        char *header = NULL;
-        char *msg = "";
-        char protocol[6];
-        char hostname[MAX_IPV4_HOSTLENGTH];
-        char port[6];
-        char *url_path = NULL;
-        char *orig_url_path = NULL;
-        char *orig_url_dirname = NULL;
-        size_t len = 0;
-
-        xasprintf( &header, "%s", page->header );
-
-
-        /* restore some default values */
-        use_http_post_data = FALSE;
-        xasprintf( &http_method, "%s", DEFAULT_HTTP_METHOD );
-
-        /* copy url of original request, maybe we need it to compose 
-           absolute url from relative Location: header */
-        xasprintf( &orig_url_path, "%s", http_url_path );
-
-        while ( strcspn( header, "\r\n" ) > (size_t) 0 ) {
-                url_path = realloc( url_path, (size_t) strcspn( header, "\r\n" ) );
-                if ( url_path == NULL )
-                        terminate( STATE_UNKNOWN, "HTTP UNKNOWN: could not reallocate url_path" );
-
-
-                /* Try to find a Location header combination of METHOD HOSTNAME PORT and PATH */
-                /* 1. scan for Location: http[s]://hostname:port/path */
-                if ( sscanf ( header, HTTP_HEADER_LOCATION_MATCH HTTP_HEADER_PROTOCOL_MATCH HTTP_HEADER_HOSTNAME_MATCH HTTP_HEADER_PORT_MATCH HTTP_HEADER_URL_PATH_MATCH, &protocol, &hostname, &port, url_path ) == 4 ) {
-                        xasprintf( &server_hostname, "%s", hostname );
-                        xasprintf( &server_host, "%s", hostname );
-                        use_ssl = chk_protocol(protocol);
-                        server_port = atoi( port );
-                        xasprintf( &http_url_path, "%s", url_path );
-                        return STATE_DEPENDENT;
-                } 
-                else if ( sscanf ( header, HTTP_HEADER_LOCATION_MATCH HTTP_HEADER_PROTOCOL_MATCH HTTP_HEADER_HOSTNAME_MATCH HTTP_HEADER_URL_PATH_MATCH, &protocol, &hostname, url_path ) == 3) {
-                        xasprintf( &server_hostname, "%s", hostname );
-                        xasprintf( &server_host, "%s", hostname );
-                        use_ssl = chk_protocol(protocol);
-                        server_port = protocol_std_port(use_ssl);
-                        xasprintf( &http_url_path, "%s", url_path );
-                        return STATE_DEPENDENT;
-                }
-                else if ( sscanf ( header, HTTP_HEADER_LOCATION_MATCH HTTP_HEADER_PROTOCOL_MATCH HTTP_HEADER_HOSTNAME_MATCH HTTP_HEADER_PORT_MATCH, &protocol, &hostname, &port ) == 3) {
-                        xasprintf( &server_hostname, "%s", hostname );
-                        xasprintf( &server_host, "%s", hostname );
-                        use_ssl = chk_protocol(protocol);
-                        server_port = atoi( port );
-                        xasprintf( &http_url_path, "%s", DEFAULT_HTTP_URL_PATH );
-                        return STATE_DEPENDENT;
-                }
-                else if ( sscanf ( header, HTTP_HEADER_LOCATION_MATCH HTTP_HEADER_PROTOCOL_MATCH HTTP_HEADER_HOSTNAME_MATCH, protocol, hostname ) == 2 ) {
-                        xasprintf( &server_hostname, "%s", hostname );
-                        xasprintf( &server_host, "%s", hostname );
-                        use_ssl = chk_protocol(protocol);
-                        server_port = protocol_std_port(use_ssl);
-                        xasprintf( &http_url_path, "%s", DEFAULT_HTTP_URL_PATH );
-                }
-                else if ( sscanf ( header, HTTP_HEADER_LOCATION_MATCH HTTP_HEADER_URL_PATH_MATCH, url_path ) == 1 ) {
-                        /* check for relative url and prepend path if necessary */
-                        if ( ( url_path[0] != '/' ) && ( orig_url_dirname = strrchr( orig_url_path, '/' ) ) ) {
-                                *orig_url_dirname = '\0';
-                                xasprintf( &http_url_path, "%s%s", orig_url_path, url_path );
-                        } else {
-                                xasprintf( &http_url_path, "%s", url_path );
-                        }
-                        return STATE_DEPENDENT;
-                }
-                header += (size_t) strcspn( header, "\r\n" );
-                header += (size_t) strspn( header, "\r\n" );
-        } /* end while (header) */
-        
-
-        /* default return value is STATE_DEPENDENT to continue looping in main() */
-        xasprintf( &msg, "% %: % - Could not find redirect Location",
-                        protocol_text( use_ssl ),
-                        state_text( STATE_UNKNOWN ),
-                        page->status );
-        terminate( STATE_UNKNOWN, msg );
-}
-
-#ifdef HAVE_SSL
-int
-https_request( SSL_CTX *ctx, SSL *ssl, struct pageref *page )
-{
-        char *buffer = "";
-        char recvbuff[MAX_INPUT_BUFFER] = "";
-        int buffer_len = 0;
-        int content_len = 0;
-        size_t sendsize = 0;
-        size_t recvsize = 0;
-        char *content = "";
-        size_t size = 0;
-        char *basic_auth_encoded = NULL;
-
-        xasprintf( &buffer, HTTP_TEMPLATE_REQUEST, buffer, http_method, http_url_path );
-
-        xasprintf( &buffer, HTTP_TEMPLATE_HEADER_USERAGENT, buffer, progname, REVISION, PACKAGE_VERSION );
-        
-        if ( use_server_hostname ) {
-                xasprintf( &buffer, HTTP_TEMPLATE_HEADER_HOST, buffer, server_hostname );
-        }
-
-        if ( use_basic_auth ) {
-                basic_auth_encoded = base64( basic_auth, strlen( basic_auth ) );
-                xasprintf( &buffer, HTTP_TEMPLATE_HEADER_AUTH, buffer, basic_auth_encoded );
-        }
-
-        /* either send http POST data */
-        if ( use_http_post_data ) {
-                xasprintf( &buffer, "%sContent-Type: application/x-www-form-urlencoded\r\n", buffer );
-                xasprintf( &buffer, "%sContent-Length: %i\r\n\r\n", buffer, content_len );
-                xasprintf( &buffer, "%s%s%s", buffer, http_post_data, "\r\n" );
-                sendsize = SSL_write( ssl, buffer, strlen( buffer ) );
-                switch ( SSL_get_error( ssl, sendsize ) ) {
-                        case SSL_ERROR_NONE:
-                                if ( sendsize < strlen( buffer ) )
-                                        ssl_terminate( STATE_CRITICAL, "SSL ERROR: Incomplete write.\n" );
-                                break;
-                        default:
-                                ssl_terminate( STATE_CRITICAL, "SSL ERROR: Write problem.\n" );
-                                break;
-                }
-        /* or just a newline */
-        } else {
-
-                xasprintf( &buffer, "%s\r\n", buffer );
-                sendsize = SSL_write( ssl, buffer, strlen( buffer ) );
-                switch ( SSL_get_error( ssl, sendsize ) ) {
-                        case SSL_ERROR_NONE:
-                                if ( sendsize < strlen( buffer ) )
-                                        ssl_terminate( STATE_CRITICAL, "SSL ERROR: Incomplete write.\n" );
-                                break;
-                        default:
-                                ssl_terminate( STATE_CRITICAL, "SSL ERROR: Write problem.\n" );
-                                break;
-                }
-        }
-
-
-        /* read server's response */
-
-        do {
-                recvsize = SSL_read( ssl, recvbuff, MAX_INPUT_BUFFER - 1 );
-
-                switch ( SSL_get_error( ssl, recvsize ) ) {
-                        case SSL_ERROR_NONE:
-                                if ( recvsize > (size_t) 0 ) {
-                                        recvbuff[recvsize] = '\0';
-                                        xasprintf( &content, "%s%s", content, recvbuff );
-                                        size += recvsize;
-                                }
-                                break;
-                        case SSL_ERROR_WANT_READ:
-                                if ( use_client_certificate ) {
-                                        continue;
-                                } else {
-                                        // workaround while we don't have anonymous client certificates: return OK
-                                        //ssl_terminate( STATE_WARNING, "HTTPS WARNING - Client Certificate required.\n" );
-                                        ssl_terminate( STATE_OK, "HTTPS WARNING - Client Certificate required.\n" );
-                                }
-                                break;
-                        case SSL_ERROR_ZERO_RETURN:
-                                break;
-                        case SSL_ERROR_SYSCALL:
-                                ssl_terminate( STATE_CRITICAL, "SSL ERROR: Premature close.\n" );
-                                break;
-                        default:
-                                ssl_terminate( STATE_CRITICAL, "SSL ERROR: Read problem.\n" );
-                                break;
-                }
-        } while ( recvsize > (size_t) 0 );
-
-        xasprintf( &page->content, "%s", content );
-        page->size = size;
-
-        /* return a CRITICAL status if we couldn't read any data */
-        if ( size == (size_t) 0)
-                ssl_terminate( STATE_CRITICAL, "No data received" );
-
-        return STATE_OK;
-}
-#endif
-
-
-#ifdef HAVE_SSL
-int 
-ssl_terminate(int state, char *string ) {
-        ERR_print_errors( bio_err );
-        terminate( state, string );
-}
-#endif
-
-#ifdef HAVE_SSL
-static int 
-password_cb( char *buf, int num, int rwflag, void *userdata )
-{
-        if ( num < strlen( client_certificate_passphrase ) + 1 )
-                return( 0 );
-
-        strcpy( buf, client_certificate_passphrase );
-        return( strlen( client_certificate_passphrase ) );
-}
-#endif
-
-#ifdef HAVE_SSL
-static void 
-sigpipe_handle( int x ) {
-}
-#endif
-
-#ifdef HAVE_SSL
-SSL_CTX *
-initialize_ssl_ctx( void )
-{
-        SSL_METHOD *meth;
-        SSL_CTX *ctx;
-
-        if ( !bio_err ) {
-                /* Global system initialization */
-                SSL_library_init();
-                SSL_load_error_strings();
-
-                /* An error write context */
-                bio_err=BIO_new_fp( stderr, BIO_NOCLOSE );
-        }
-
-        /* set up as SIGPIPE handler */
-        signal( SIGPIPE, sigpipe_handle );
-
-        /* create our context */
-        meth=SSLv3_method();
-        ctx=SSL_CTX_new( meth );
-
-        /* load client certificate and key */
-        if ( use_client_certificate ) {
-                if ( !(SSL_CTX_use_certificate_chain_file( ctx, client_certificate_file )) ) 
-                        ssl_terminate( STATE_CRITICAL, "check_http: can't read client certificate file" );
-
-                /* set client certificate key passphrase */
-                if ( use_client_certificate_passphrase ) {
-                        SSL_CTX_set_default_passwd_cb( ctx, password_cb );
-                }
-
-                if ( !(SSL_CTX_use_PrivateKey_file( ctx, client_certificate_file, SSL_FILETYPE_PEM )) )
-                        ssl_terminate( STATE_CRITICAL, "check_http: can't read client certificate key file" );
-        }
-
-        /* load the CAs we trust */
-        if ( use_ca_certificate ) {
-                if ( !(SSL_CTX_load_verify_locations( ctx, ca_certificate_file, 0 )) )
-                        ssl_terminate( STATE_CRITICAL, "check_http: can't read CA certificate file" );
-
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
-                SSL_CTX_set_verify_depth( ctx, 1 );
-#endif
-        }
-
-        return ctx;
-}
-#endif
-
-#ifdef HAVE_SSL
-void destroy_ssl_ctx( SSL_CTX *ctx )
-{
-        SSL_CTX_free( ctx );
-}
-#endif
-
-#ifdef HAVE_SSL
-int
-fetch_server_certificate( SSL *ssl )
-{
-        server_certificate = SSL_get_peer_certificate( ssl );
-        if ( server_certificate == NULL )
-                ssl_terminate( STATE_CRITICAL,  "SSL ERROR: Cannot retrieve server certificate.\n" );
-
-        return STATE_OK;
-}
-#endif
-
-
-#ifdef HAVE_SSL
-int
-check_server_certificate_chain( SSL *ssl )
-{
-        if ( SSL_get_verify_result( ssl ) != X509_V_OK )
-                ssl_terminate( STATE_CRITICAL, "SSL ERROR: Cannot verify server certificate chain.\n" );
-
-        return STATE_OK;
-}
-#endif
-
-
-#ifdef HAVE_SSL
-int
-check_server_certificate_hostname( )
-{
-        char server_CN[256];
-        char *msg = NULL;
-        X509_NAME_get_text_by_NID( X509_get_subject_name( server_certificate ), NID_commonName, server_CN, 256 );
-        if ( strcasecmp( server_CN, server_hostname ) ) {
-                xasprintf( &msg, "SSL ERROR: Server Certificate does not match Hostname %s.\n", server_hostname );
-                ssl_terminate( STATE_WARNING, msg );
-        }
-
-        return STATE_OK;
-}
-#endif
-
-#ifdef HAVE_SSL
-int
-check_server_certificate_expires( )
-{
-        ASN1_STRING *tm;
-        int offset;
-        struct tm stamp;
-        int days_left;
-        char timestamp[17] = "";
-        char *msg = NULL;
-
-        /* Retrieve timestamp of certificate */
-        tm = X509_get_notAfter( server_certificate );
-
-        /* Generate tm structure to process timestamp */
-        if ( tm->type == V_ASN1_UTCTIME ) {
-                if ( tm->length < 10 ) {
-                        ssl_terminate( STATE_CRITICAL, "ERROR: Wrong time format in certificate.\n" );
-                } else {
-                        stamp.tm_year = ( tm->data[0] - '0' ) * 10 + ( tm->data[1] - '0' );
-                        if ( stamp.tm_year < 50 )
-                                stamp.tm_year += 100;
-                        offset = 0;
-                }
-        } else {
-                if ( tm->length < 12 ) {
-                        ssl_terminate( STATE_CRITICAL, "ERROR: Wrong time format in certificate.\n" );
-                } else {
-                        stamp.tm_year =
-                                ( tm->data[0] - '0' ) * 1000 + ( tm->data[1] - '0' ) * 100 +
-                                ( tm->data[2] - '0' ) * 10 + ( tm->data[3] - '0' );
-                        stamp.tm_year -= 1900;
-                        offset = 2;
-                }
-        }
-        stamp.tm_mon =
-                ( tm->data[2 + offset] - '0' ) * 10 + ( tm->data[3 + offset] - '0' ) - 1;
-        stamp.tm_mday =
-                ( tm->data[4 + offset] - '0' ) * 10 + ( tm->data[5 + offset] - '0' );
-        stamp.tm_hour =
-                ( tm->data[6 + offset] - '0' ) * 10 + ( tm->data[7 + offset] - '0' );
-        stamp.tm_min =
-                ( tm->data[8 + offset] - '0' ) * 10 + ( tm->data[9 + offset] - '0' );
-        stamp.tm_sec = 0;
-        stamp.tm_isdst = -1;
-
-        days_left = ( mktime( &stamp ) - time( NULL ) ) / 86400;
-        snprintf
-                ( timestamp, 17, "%02d.%02d.%04d %02d:%02d",
-                 stamp.tm_mday, stamp.tm_mon +1, stamp.tm_year + 1900, 
-                 stamp.tm_hour, stamp.tm_min );
-
-        if ( ( days_left > 0 ) && ( days_left <= server_certificate_min_days_valid ) ) {
-                xasprintf( &msg, "Certificate expires in %d day(s) (%s).\n", days_left, timestamp );
-                ssl_terminate( STATE_WARNING, msg );
-        }
-        if ( days_left < 0 ) {
-                xasprintf( &msg, "Certificate expired on %s.\n", timestamp );
-                ssl_terminate( STATE_CRITICAL, msg );
-        }
-
-        if (days_left == 0) {
-                xasprintf( &msg, "Certificate expires today (%s).\n", timestamp );
-                ssl_terminate( STATE_WARNING, msg );
-        }
-
-        xasprintf( &msg, "Certificate will expire on %s.\n", timestamp );
-        ssl_terminate( STATE_OK, msg );
-}
-#endif
-
-/* written by lauri alanko */
-static char *
-base64 (char *bin, int len)
-{
-
-        char *buf = (char *) malloc ((len + 2) / 3 * 4 + 1);
-        int i = 0, j = 0;
-
-        char BASE64_END = '=';
-        char base64_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-        while (j < len - 2) {
-                buf[i++] = base64_table[bin[j] >> 2];
-                buf[i++] = base64_table[((bin[j] & 3) << 4) | (bin[j + 1] >> 4)];
-                buf[i++] = base64_table[((bin[j + 1] & 15) << 2) | (bin[j + 2] >> 6)];
-                buf[i++] = base64_table[bin[j + 2] & 63];
-                j += 3;
-        }
-
-        switch (len - j) {
-        case 1:
-                buf[i++] = base64_table[bin[j] >> 2];
-                buf[i++] = base64_table[(bin[j] & 3) << 4];
-                buf[i++] = BASE64_END;
-                buf[i++] = BASE64_END;
-                break;
-        case 2:
-                buf[i++] = base64_table[bin[j] >> 2];
-                buf[i++] = base64_table[((bin[j] & 3) << 4) | (bin[j + 1] >> 4)];
-                buf[i++] = base64_table[(bin[j + 1] & 15) << 2];
-                buf[i++] = BASE64_END;
-                break;
-        case 0:
-                break;
-        }
-
-        buf[i] = '\0';
-        return buf;
-}
-





More information about the Commits mailing list