summaryrefslogtreecommitdiffstats
path: root/plugins/check_curl.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/check_curl.c')
-rw-r--r--plugins/check_curl.c2467
1 files changed, 2467 insertions, 0 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
new file mode 100644
index 0000000..14cc846
--- /dev/null
+++ b/plugins/check_curl.c
@@ -0,0 +1,2467 @@
1/*****************************************************************************
2*
3* Monitoring check_curl plugin
4*
5* License: GPL
6* Copyright (c) 1999-2019 Monitoring Plugins Development Team
7*
8* Description:
9*
10* This file contains the check_curl plugin
11*
12* This plugin tests the HTTP service on the specified host. It can test
13* normal (http) and secure (https) servers, follow redirects, search for
14* strings and regular expressions, check connection times, and report on
15* certificate expiration times.
16*
17* This plugin uses functions from the curl library, see
18* http://curl.haxx.se
19*
20* This program is free software: you can redistribute it and/or modify
21* it under the terms of the GNU General Public License as published by
22* the Free Software Foundation, either version 3 of the License, or
23* (at your option) any later version.
24*
25* This program is distributed in the hope that it will be useful,
26* but WITHOUT ANY WARRANTY; without even the implied warranty of
27* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28* GNU General Public License for more details.
29*
30* You should have received a copy of the GNU General Public License
31* along with this program. If not, see <http://www.gnu.org/licenses/>.
32*
33*
34*****************************************************************************/
35const char *progname = "check_curl";
36
37const char *copyright = "2006-2019";
38const char *email = "devel@monitoring-plugins.org";
39
40#include <ctype.h>
41
42#include "common.h"
43#include "utils.h"
44
45#ifndef LIBCURL_PROTOCOL_HTTP
46#error libcurl compiled without HTTP support, compiling check_curl plugin does not makes a lot of sense
47#endif
48
49#include "curl/curl.h"
50#include "curl/easy.h"
51
52#include "picohttpparser.h"
53
54#include "uriparser/Uri.h"
55
56#include <arpa/inet.h>
57
58#if defined(HAVE_SSL) && defined(USE_OPENSSL)
59#include <openssl/opensslv.h>
60#endif
61
62#include <netdb.h>
63
64#define MAKE_LIBCURL_VERSION(major, minor, patch) ((major)*0x10000 + (minor)*0x100 + (patch))
65
66#define DEFAULT_BUFFER_SIZE 2048
67#define DEFAULT_SERVER_URL "/"
68#define HTTP_EXPECT "HTTP/"
69#define DEFAULT_MAX_REDIRS 15
70#define INET_ADDR_MAX_SIZE INET6_ADDRSTRLEN
71enum {
72 MAX_IPV4_HOSTLENGTH = 255,
73 HTTP_PORT = 80,
74 HTTPS_PORT = 443,
75 MAX_PORT = 65535
76};
77
78enum {
79 STICKY_NONE = 0,
80 STICKY_HOST = 1,
81 STICKY_PORT = 2
82};
83
84enum {
85 FOLLOW_HTTP_CURL = 0,
86 FOLLOW_LIBCURL = 1
87};
88
89/* for buffers for header and body */
90typedef struct {
91 char *buf;
92 size_t buflen;
93 size_t bufsize;
94} curlhelp_write_curlbuf;
95
96/* for buffering the data sent in PUT */
97typedef struct {
98 char *buf;
99 size_t buflen;
100 off_t pos;
101} curlhelp_read_curlbuf;
102
103/* for parsing the HTTP status line */
104typedef struct {
105 int http_major; /* major version of the protocol, always 1 (HTTP/0.9
106 * never reached the big internet most likely) */
107 int http_minor; /* minor version of the protocol, usually 0 or 1 */
108 int http_code; /* HTTP return code as in RFC 2145 */
109 int http_subcode; /* Microsoft IIS extension, HTTP subcodes, see
110 * http://support.microsoft.com/kb/318380/en-us */
111 const char *msg; /* the human readable message */
112 char *first_line; /* a copy of the first line */
113} curlhelp_statusline;
114
115/* to know the underlying SSL library used by libcurl */
116typedef enum curlhelp_ssl_library {
117 CURLHELP_SSL_LIBRARY_UNKNOWN,
118 CURLHELP_SSL_LIBRARY_OPENSSL,
119 CURLHELP_SSL_LIBRARY_LIBRESSL,
120 CURLHELP_SSL_LIBRARY_GNUTLS,
121 CURLHELP_SSL_LIBRARY_NSS
122} curlhelp_ssl_library;
123
124enum {
125 REGS = 2,
126 MAX_RE_SIZE = 1024
127};
128#include "regex.h"
129regex_t preg;
130regmatch_t pmatch[REGS];
131char regexp[MAX_RE_SIZE];
132int cflags = REG_NOSUB | REG_EXTENDED | REG_NEWLINE;
133int errcode;
134int invert_regex = 0;
135
136char *server_address = NULL;
137char *host_name = NULL;
138char *server_url = 0;
139char server_ip[DEFAULT_BUFFER_SIZE];
140struct curl_slist *server_ips = NULL;
141int specify_port = FALSE;
142unsigned short server_port = HTTP_PORT;
143unsigned short virtual_port = 0;
144int host_name_length;
145char output_header_search[30] = "";
146char output_string_search[30] = "";
147char *warning_thresholds = NULL;
148char *critical_thresholds = NULL;
149int days_till_exp_warn, days_till_exp_crit;
150thresholds *thlds;
151char user_agent[DEFAULT_BUFFER_SIZE];
152int verbose = 0;
153int show_extended_perfdata = FALSE;
154int show_body = FALSE;
155int min_page_len = 0;
156int max_page_len = 0;
157int redir_depth = 0;
158int max_depth = DEFAULT_MAX_REDIRS;
159char *http_method = NULL;
160char *http_post_data = NULL;
161char *http_content_type = NULL;
162CURL *curl;
163struct curl_slist *header_list = NULL;
164curlhelp_write_curlbuf body_buf;
165curlhelp_write_curlbuf header_buf;
166curlhelp_statusline status_line;
167curlhelp_read_curlbuf put_buf;
168char http_header[DEFAULT_BUFFER_SIZE];
169long code;
170long socket_timeout = DEFAULT_SOCKET_TIMEOUT;
171double total_time;
172double time_connect;
173double time_appconnect;
174double time_headers;
175double time_firstbyte;
176char errbuf[CURL_ERROR_SIZE+1];
177CURLcode res;
178char url[DEFAULT_BUFFER_SIZE];
179char msg[DEFAULT_BUFFER_SIZE];
180char perfstring[DEFAULT_BUFFER_SIZE];
181char header_expect[MAX_INPUT_BUFFER] = "";
182char string_expect[MAX_INPUT_BUFFER] = "";
183char server_expect[MAX_INPUT_BUFFER] = HTTP_EXPECT;
184int server_expect_yn = 0;
185char user_auth[MAX_INPUT_BUFFER] = "";
186char proxy_auth[MAX_INPUT_BUFFER] = "";
187char **http_opt_headers;
188int http_opt_headers_count = 0;
189int display_html = FALSE;
190int onredirect = STATE_OK;
191int followmethod = FOLLOW_HTTP_CURL;
192int followsticky = STICKY_NONE;
193int use_ssl = FALSE;
194int use_sni = TRUE;
195int check_cert = FALSE;
196typedef union {
197 struct curl_slist* to_info;
198 struct curl_certinfo* to_certinfo;
199} cert_ptr_union;
200cert_ptr_union cert_ptr;
201int ssl_version = CURL_SSLVERSION_DEFAULT;
202char *client_cert = NULL;
203char *client_privkey = NULL;
204char *ca_cert = NULL;
205int verify_peer_and_host = FALSE;
206int is_openssl_callback = FALSE;
207#if defined(HAVE_SSL) && defined(USE_OPENSSL)
208X509 *cert = NULL;
209#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
210int no_body = FALSE;
211int maximum_age = -1;
212int address_family = AF_UNSPEC;
213curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
214int curl_http_version = CURL_HTTP_VERSION_NONE;
215int automatic_decompression = FALSE;
216
217int process_arguments (int, char**);
218void handle_curl_option_return_code (CURLcode res, const char* option);
219int check_http (void);
220void redir (curlhelp_write_curlbuf*);
221char *perfd_time (double microsec);
222char *perfd_time_connect (double microsec);
223char *perfd_time_ssl (double microsec);
224char *perfd_time_firstbyte (double microsec);
225char *perfd_time_headers (double microsec);
226char *perfd_time_transfer (double microsec);
227char *perfd_size (int page_len);
228void print_help (void);
229void print_usage (void);
230void print_curl_version (void);
231int curlhelp_initwritebuffer (curlhelp_write_curlbuf*);
232int curlhelp_buffer_write_callback (void*, size_t , size_t , void*);
233void curlhelp_freewritebuffer (curlhelp_write_curlbuf*);
234int curlhelp_initreadbuffer (curlhelp_read_curlbuf *, const char *, size_t);
235int curlhelp_buffer_read_callback (void *, size_t , size_t , void *);
236void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
237curlhelp_ssl_library curlhelp_get_ssl_library (CURL*);
238const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
239int net_noopenssl_check_certificate (cert_ptr_union*, int, int);
240
241int curlhelp_parse_statusline (const char*, curlhelp_statusline *);
242void curlhelp_free_statusline (curlhelp_statusline *);
243char *get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header);
244int check_document_dates (const curlhelp_write_curlbuf *, char (*msg)[DEFAULT_BUFFER_SIZE]);
245int get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf);
246
247#if defined(HAVE_SSL) && defined(USE_OPENSSL)
248int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit);
249#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
250
251void remove_newlines (char *);
252void test_file (char *);
253
254int
255main (int argc, char **argv)
256{
257 int result = STATE_UNKNOWN;
258
259 setlocale (LC_ALL, "");
260 bindtextdomain (PACKAGE, LOCALEDIR);
261 textdomain (PACKAGE);
262
263 /* Parse extra opts if any */
264 argv = np_extra_opts (&argc, argv, progname);
265
266 /* set defaults */
267 snprintf( user_agent, DEFAULT_BUFFER_SIZE, "%s/v%s (monitoring-plugins %s, %s)",
268 progname, NP_VERSION, VERSION, curl_version());
269
270 /* parse arguments */
271 if (process_arguments (argc, argv) == ERROR)
272 usage4 (_("Could not parse arguments"));
273
274 if (display_html == TRUE)
275 printf ("<A HREF=\"%s://%s:%d%s\" target=\"_blank\">",
276 use_ssl ? "https" : "http",
277 host_name ? host_name : server_address,
278 virtual_port ? virtual_port : server_port,
279 server_url);
280
281 result = check_http ();
282 return result;
283}
284
285#ifdef HAVE_SSL
286#ifdef USE_OPENSSL
287
288int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
289{
290 /* TODO: we get all certificates of the chain, so which ones
291 * should we test?
292 * TODO: is the last certificate always the server certificate?
293 */
294 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
295#if OPENSSL_VERSION_NUMBER >= 0x10100000L
296 X509_up_ref(cert);
297#endif
298 if (verbose>=2) {
299 puts("* SSL verify callback with certificate:");
300 X509_NAME *subject, *issuer;
301 printf("* issuer:\n");
302 issuer = X509_get_issuer_name( cert );
303 X509_NAME_print_ex_fp(stdout, issuer, 5, XN_FLAG_MULTILINE);
304 printf("* curl verify_callback:\n* subject:\n");
305 subject = X509_get_subject_name( cert );
306 X509_NAME_print_ex_fp(stdout, subject, 5, XN_FLAG_MULTILINE);
307 puts("");
308 }
309 return 1;
310}
311
312CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
313{
314 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
315
316 return CURLE_OK;
317}
318
319#endif /* USE_OPENSSL */
320#endif /* HAVE_SSL */
321
322/* returns a string "HTTP/1.x" or "HTTP/2" */
323static char *string_statuscode (int major, int minor)
324{
325 static char buf[10];
326
327 switch (major) {
328 case 1:
329 snprintf (buf, sizeof (buf), "HTTP/%d.%d", major, minor);
330 break;
331 case 2:
332 case 3:
333 snprintf (buf, sizeof (buf), "HTTP/%d", major);
334 break;
335 default:
336 /* assuming here HTTP/N with N>=4 */
337 snprintf (buf, sizeof (buf), "HTTP/%d", major);
338 break;
339 }
340
341 return buf;
342}
343
344/* Checks if the server 'reply' is one of the expected 'statuscodes' */
345static int
346expected_statuscode (const char *reply, const char *statuscodes)
347{
348 char *expected, *code;
349 int result = 0;
350
351 if ((expected = strdup (statuscodes)) == NULL)
352 die (STATE_UNKNOWN, _("HTTP UNKNOWN - Memory allocation error\n"));
353
354 for (code = strtok (expected, ","); code != NULL; code = strtok (NULL, ","))
355 if (strstr (reply, code) != NULL) {
356 result = 1;
357 break;
358 }
359
360 free (expected);
361 return result;
362}
363
364void
365handle_curl_option_return_code (CURLcode res, const char* option)
366{
367 if (res != CURLE_OK) {
368 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Error while setting cURL option '%s': cURL returned %d - %s"),
369 option, res, curl_easy_strerror(res));
370 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
371 }
372}
373
374int
375lookup_host (const char *host, char *buf, size_t buflen)
376{
377 struct addrinfo hints, *res, *result;
378 int errcode;
379 void *ptr;
380
381 memset (&hints, 0, sizeof (hints));
382 hints.ai_family = address_family;
383 hints.ai_socktype = SOCK_STREAM;
384 hints.ai_flags |= AI_CANONNAME;
385
386 errcode = getaddrinfo (host, NULL, &hints, &result);
387 if (errcode != 0)
388 return errcode;
389
390 res = result;
391
392 while (res) {
393 inet_ntop (res->ai_family, res->ai_addr->sa_data, buf, buflen);
394 switch (res->ai_family) {
395 case AF_INET:
396 ptr = &((struct sockaddr_in *) res->ai_addr)->sin_addr;
397 break;
398 case AF_INET6:
399 ptr = &((struct sockaddr_in6 *) res->ai_addr)->sin6_addr;
400 break;
401 }
402 inet_ntop (res->ai_family, ptr, buf, buflen);
403 if (verbose >= 1)
404 printf ("* getaddrinfo IPv%d address: %s\n",
405 res->ai_family == PF_INET6 ? 6 : 4, buf);
406 res = res->ai_next;
407 }
408
409 freeaddrinfo(result);
410
411 return 0;
412}
413
414int
415check_http (void)
416{
417 int result = STATE_OK;
418 int page_len = 0;
419 int i;
420 char *force_host_header = NULL;
421 struct curl_slist *host = NULL;
422 char addrstr[100];
423 char dnscache[DEFAULT_BUFFER_SIZE];
424
425 /* initialize curl */
426 if (curl_global_init (CURL_GLOBAL_DEFAULT) != CURLE_OK)
427 die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_global_init failed\n");
428
429 if ((curl = curl_easy_init()) == NULL)
430 die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_easy_init failed\n");
431
432 if (verbose >= 1)
433 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE), "CURLOPT_VERBOSE");
434
435 /* print everything on stdout like check_http would do */
436 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_STDERR, stdout), "CURLOPT_STDERR");
437
438 if (automatic_decompression)
439#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 6)
440 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""), "CURLOPT_ACCEPT_ENCODING");
441#else
442 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_ENCODING, ""), "CURLOPT_ENCODING");
443#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 6) */
444
445 /* initialize buffer for body of the answer */
446 if (curlhelp_initwritebuffer(&body_buf) < 0)
447 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
448 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_WRITEFUNCTION");
449 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEDATA, (void *)&body_buf), "CURLOPT_WRITEDATA");
450
451 /* initialize buffer for header of the answer */
452 if (curlhelp_initwritebuffer( &header_buf ) < 0)
453 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for header\n" );
454 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HEADERFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_HEADERFUNCTION");
455 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEHEADER, (void *)&header_buf), "CURLOPT_WRITEHEADER");
456
457 /* set the error buffer */
458 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_ERRORBUFFER, errbuf), "CURLOPT_ERRORBUFFER");
459
460 /* set timeouts */
461 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, socket_timeout), "CURLOPT_CONNECTTIMEOUT");
462 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_TIMEOUT, socket_timeout), "CURLOPT_TIMEOUT");
463
464 // fill dns resolve cache to make curl connect to the given server_address instead of the host_name, only required for ssl, because we use the host_name later on to make SNI happy
465 if(use_ssl && host_name != NULL) {
466 if ( (res=lookup_host (server_address, addrstr, 100)) != 0) {
467 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Unable to lookup IP address for '%s': getaddrinfo returned %d - %s"),
468 server_address, res, gai_strerror (res));
469 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
470 }
471 snprintf (dnscache, DEFAULT_BUFFER_SIZE, "%s:%d:%s", host_name, server_port, addrstr);
472 host = curl_slist_append(NULL, dnscache);
473 curl_easy_setopt(curl, CURLOPT_RESOLVE, host);
474 if (verbose>=1)
475 printf ("* curl CURLOPT_RESOLVE: %s\n", dnscache);
476 }
477
478 /* compose URL: use the address we want to connect to, set Host: header later */
479 snprintf (url, DEFAULT_BUFFER_SIZE, "%s://%s:%d%s",
480 use_ssl ? "https" : "http",
481 use_ssl & host_name != NULL ? host_name : server_address,
482 server_port,
483 server_url
484 );
485
486 if (verbose>=1)
487 printf ("* curl CURLOPT_URL: %s\n", url);
488 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, url), "CURLOPT_URL");
489
490 /* extract proxy information for legacy proxy https requests */
491 if (!strcmp(http_method, "CONNECT") || strstr(server_url, "http") == server_url) {
492 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXY, server_address), "CURLOPT_PROXY");
493 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXYPORT, (long)server_port), "CURLOPT_PROXYPORT");
494 if (verbose>=2)
495 printf ("* curl CURLOPT_PROXY: %s:%d\n", server_address, server_port);
496 http_method = "GET";
497 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, server_url), "CURLOPT_URL");
498 }
499
500 /* disable body for HEAD request */
501 if (http_method && !strcmp (http_method, "HEAD" )) {
502 no_body = TRUE;
503 }
504
505 /* set HTTP protocol version */
506 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HTTP_VERSION, curl_http_version), "CURLOPT_HTTP_VERSION");
507
508 /* set HTTP method */
509 if (http_method) {
510 if (!strcmp(http_method, "POST"))
511 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POST, 1), "CURLOPT_POST");
512 else if (!strcmp(http_method, "PUT"))
513 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_UPLOAD, 1), "CURLOPT_UPLOAD");
514 else
515 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CUSTOMREQUEST, http_method), "CURLOPT_CUSTOMREQUEST");
516 }
517
518 /* check if Host header is explicitly set in options */
519 if (http_opt_headers_count) {
520 for (i = 0; i < http_opt_headers_count ; i++) {
521 if (strncmp(http_opt_headers[i], "Host:", 5) == 0) {
522 force_host_header = http_opt_headers[i];
523 }
524 }
525 }
526
527 /* set hostname (virtual hosts), not needed if CURLOPT_CONNECT_TO is used, but left in anyway */
528 if(host_name != NULL && force_host_header == NULL) {
529 if((virtual_port != HTTP_PORT && !use_ssl) || (virtual_port != HTTPS_PORT && use_ssl)) {
530 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s:%d", host_name, virtual_port);
531 } else {
532 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s", host_name);
533 }
534 header_list = curl_slist_append (header_list, http_header);
535 }
536
537 /* always close connection, be nice to servers */
538 snprintf (http_header, DEFAULT_BUFFER_SIZE, "Connection: close");
539 header_list = curl_slist_append (header_list, http_header);
540
541 /* attach additional headers supplied by the user */
542 /* optionally send any other header tag */
543 if (http_opt_headers_count) {
544 for (i = 0; i < http_opt_headers_count ; i++) {
545 header_list = curl_slist_append (header_list, http_opt_headers[i]);
546 }
547 /* This cannot be free'd here because a redirection will then try to access this and segfault */
548 /* Covered in a testcase in tests/check_http.t */
549 /* free(http_opt_headers); */
550 }
551
552 /* set HTTP headers */
553 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPHEADER, header_list ), "CURLOPT_HTTPHEADER");
554
555#ifdef LIBCURL_FEATURE_SSL
556
557 /* set SSL version, warn about unsecure or unsupported versions */
558 if (use_ssl) {
559 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLVERSION, ssl_version), "CURLOPT_SSLVERSION");
560 }
561
562 /* client certificate and key to present to server (SSL) */
563 if (client_cert)
564 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLCERT, client_cert), "CURLOPT_SSLCERT");
565 if (client_privkey)
566 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY");
567 if (ca_cert) {
568 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO");
569 }
570 if (ca_cert || verify_peer_and_host) {
571 /* per default if we have a CA verify both the peer and the
572 * hostname in the certificate, can be switched off later */
573 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER");
574 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST");
575 } else {
576 /* backward-compatible behaviour, be tolerant in checks
577 * TODO: depending on more options have aspects we want
578 * to be less tolerant about ssl verfications
579 */
580 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0), "CURLOPT_SSL_VERIFYPEER");
581 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0), "CURLOPT_SSL_VERIFYHOST");
582 }
583
584 /* detect SSL library used by libcurl */
585 ssl_library = curlhelp_get_ssl_library (curl);
586
587 /* try hard to get a stack of certificates to verify against */
588 if (check_cert) {
589#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1)
590 /* inform curl to report back certificates */
591 switch (ssl_library) {
592 case CURLHELP_SSL_LIBRARY_OPENSSL:
593 case CURLHELP_SSL_LIBRARY_LIBRESSL:
594 /* set callback to extract certificate with OpenSSL context function (works with
595 * OpenSSL-style libraries only!) */
596#ifdef USE_OPENSSL
597 /* libcurl and monitoring plugins built with OpenSSL, good */
598 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
599 is_openssl_callback = TRUE;
600#else /* USE_OPENSSL */
601#endif /* USE_OPENSSL */
602 /* libcurl is built with OpenSSL, monitoring plugins, so falling
603 * back to manually extracting certificate information */
604 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
605 break;
606
607 case CURLHELP_SSL_LIBRARY_NSS:
608#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
609 /* NSS: support for CERTINFO is implemented since 7.34.0 */
610 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
611#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
612 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
613#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
614 break;
615
616 case CURLHELP_SSL_LIBRARY_GNUTLS:
617#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0)
618 /* GnuTLS: support for CERTINFO is implemented since 7.42.0 */
619 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
620#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
621 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
622#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
623 break;
624
625 case CURLHELP_SSL_LIBRARY_UNKNOWN:
626 default:
627 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (unknown SSL library '%s', must implement first)\n", curlhelp_get_ssl_library_string (ssl_library));
628 break;
629 }
630#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
631 /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
632 if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
633 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
634 else
635 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
636#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
637 }
638
639#endif /* LIBCURL_FEATURE_SSL */
640
641 /* set default or user-given user agent identification */
642 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERAGENT, user_agent), "CURLOPT_USERAGENT");
643
644 /* proxy-authentication */
645 if (strcmp(proxy_auth, ""))
646 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXYUSERPWD, proxy_auth), "CURLOPT_PROXYUSERPWD");
647
648 /* authentication */
649 if (strcmp(user_auth, ""))
650 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERPWD, user_auth), "CURLOPT_USERPWD");
651
652 /* TODO: parameter auth method, bitfield of following methods:
653 * CURLAUTH_BASIC (default)
654 * CURLAUTH_DIGEST
655 * CURLAUTH_DIGEST_IE
656 * CURLAUTH_NEGOTIATE
657 * CURLAUTH_NTLM
658 * CURLAUTH_NTLM_WB
659 *
660 * convenience tokens for typical sets of methods:
661 * CURLAUTH_ANYSAFE: most secure, without BASIC
662 * or CURLAUTH_ANY: most secure, even BASIC if necessary
663 *
664 * handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST ), "CURLOPT_HTTPAUTH");
665 */
666
667 /* handle redirections */
668 if (onredirect == STATE_DEPENDENT) {
669 if( followmethod == FOLLOW_LIBCURL ) {
670 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_FOLLOWLOCATION, 1), "CURLOPT_FOLLOWLOCATION");
671
672 /* default -1 is infinite, not good, could lead to zombie plugins!
673 Setting it to one bigger than maximal limit to handle errors nicely below
674 */
675 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_MAXREDIRS, max_depth+1), "CURLOPT_MAXREDIRS");
676
677 /* for now allow only http and https (we are a http(s) check plugin in the end) */
678#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 4)
679 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS), "CURLOPT_REDIRECT_PROTOCOLS");
680#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 4) */
681
682 /* TODO: handle the following aspects of redirection, make them
683 * command line options too later:
684 CURLOPT_POSTREDIR: method switch
685 CURLINFO_REDIRECT_URL: custom redirect option
686 CURLOPT_REDIRECT_PROTOCOLS: allow people to step outside safe protocols
687 CURLINFO_REDIRECT_COUNT: get the number of redirects, print it, maybe a range option here is nice like for expected page size?
688 */
689 } else {
690 /* old style redirection is handled below */
691 }
692 }
693
694 /* no-body */
695 if (no_body)
696 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_NOBODY, 1), "CURLOPT_NOBODY");
697
698 /* IPv4 or IPv6 forced DNS resolution */
699 if (address_family == AF_UNSPEC)
700 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_WHATEVER), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_WHATEVER)");
701 else if (address_family == AF_INET)
702 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V4)");
703#if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6)
704 else if (address_family == AF_INET6)
705 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V6)");
706#endif
707
708 /* either send http POST data (any data, not only POST)*/
709 if (!strcmp(http_method, "POST") ||!strcmp(http_method, "PUT")) {
710 /* set content of payload for POST and PUT */
711 if (http_content_type) {
712 snprintf (http_header, DEFAULT_BUFFER_SIZE, "Content-Type: %s", http_content_type);
713 header_list = curl_slist_append (header_list, http_header);
714 }
715 /* NULL indicates "HTTP Continue" in libcurl, provide an empty string
716 * in case of no POST/PUT data */
717 if (!http_post_data)
718 http_post_data = "";
719 if (!strcmp(http_method, "POST")) {
720 /* POST method, set payload with CURLOPT_POSTFIELDS */
721 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POSTFIELDS, http_post_data), "CURLOPT_POSTFIELDS");
722 } else if (!strcmp(http_method, "PUT")) {
723 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READFUNCTION, (curl_read_callback)curlhelp_buffer_read_callback), "CURLOPT_READFUNCTION");
724 curlhelp_initreadbuffer (&put_buf, http_post_data, strlen (http_post_data));
725 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READDATA, (void *)&put_buf), "CURLOPT_READDATA");
726 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_INFILESIZE, (curl_off_t)strlen (http_post_data)), "CURLOPT_INFILESIZE");
727 }
728 }
729
730 /* do the request */
731 res = curl_easy_perform(curl);
732
733 if (verbose>=2 && http_post_data)
734 printf ("**** REQUEST CONTENT ****\n%s\n", http_post_data);
735
736 /* free header and server IP resolve lists, we don't need it anymore */
737 curl_slist_free_all (header_list); header_list = NULL;
738 curl_slist_free_all (server_ips); server_ips = NULL;
739
740 /* Curl errors, result in critical Nagios state */
741 if (res != CURLE_OK) {
742 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host on port %d: cURL returned %d - %s"),
743 server_port, res, errbuf[0] ? errbuf : curl_easy_strerror(res));
744 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
745 }
746
747 /* certificate checks */
748#ifdef LIBCURL_FEATURE_SSL
749 if (use_ssl == TRUE) {
750 if (check_cert == TRUE) {
751 if (is_openssl_callback) {
752#ifdef USE_OPENSSL
753 /* check certificate with OpenSSL functions, curl has been built against OpenSSL
754 * and we actually have OpenSSL in the monitoring tools
755 */
756 result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
757 return result;
758#else /* USE_OPENSSL */
759 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
760#endif /* USE_OPENSSL */
761 } else {
762 int i;
763 struct curl_slist *slist;
764
765 cert_ptr.to_info = NULL;
766 res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
767 if (!res && cert_ptr.to_info) {
768#ifdef USE_OPENSSL
769 /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert parsing
770 * We only check the first certificate and assume it's the one of the server
771 */
772 const char* raw_cert = NULL;
773 for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
774 for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
775 if (verbose >= 2)
776 printf ("%d ** %s\n", i, slist->data);
777 if (strncmp (slist->data, "Cert:", 5) == 0) {
778 raw_cert = &slist->data[5];
779 goto GOT_FIRST_CERT;
780 }
781 }
782 }
783GOT_FIRST_CERT:
784 if (!raw_cert) {
785 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates from CERTINFO information - certificate data was empty"));
786 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
787 }
788 BIO* cert_BIO = BIO_new (BIO_s_mem());
789 BIO_write (cert_BIO, raw_cert, strlen(raw_cert));
790 cert = PEM_read_bio_X509 (cert_BIO, NULL, NULL, NULL);
791 if (!cert) {
792 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot read certificate from CERTINFO information - BIO error"));
793 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
794 }
795 BIO_free (cert_BIO);
796 result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
797 return result;
798#else /* USE_OPENSSL */
799 /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
800 * so we use the libcurl CURLINFO data
801 */
802 result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
803 return result;
804#endif /* USE_OPENSSL */
805 } else {
806 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
807 res, curl_easy_strerror(res));
808 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
809 }
810 }
811 }
812 }
813#endif /* LIBCURL_FEATURE_SSL */
814
815 /* we got the data and we executed the request in a given time, so we can append
816 * performance data to the answer always
817 */
818 handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_TOTAL_TIME, &total_time), "CURLINFO_TOTAL_TIME");
819 page_len = get_content_length(&header_buf, &body_buf);
820 if(show_extended_perfdata) {
821 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_CONNECT_TIME, &time_connect), "CURLINFO_CONNECT_TIME");
822 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_APPCONNECT_TIME, &time_appconnect), "CURLINFO_APPCONNECT_TIME");
823 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_PRETRANSFER_TIME, &time_headers), "CURLINFO_PRETRANSFER_TIME");
824 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_STARTTRANSFER_TIME, &time_firstbyte), "CURLINFO_STARTTRANSFER_TIME");
825 snprintf(perfstring, DEFAULT_BUFFER_SIZE, "%s %s %s %s %s %s %s",
826 perfd_time(total_time),
827 perfd_size(page_len),
828 perfd_time_connect(time_connect),
829 use_ssl == TRUE ? perfd_time_ssl (time_appconnect-time_connect) : "",
830 perfd_time_headers(time_headers - time_appconnect),
831 perfd_time_firstbyte(time_firstbyte - time_headers),
832 perfd_time_transfer(total_time-time_firstbyte)
833 );
834 } else {
835 snprintf(perfstring, DEFAULT_BUFFER_SIZE, "%s %s",
836 perfd_time(total_time),
837 perfd_size(page_len)
838 );
839 }
840
841 /* return a CRITICAL status if we couldn't read any data */
842 if (strlen(header_buf.buf) == 0 && strlen(body_buf.buf) == 0)
843 die (STATE_CRITICAL, _("HTTP CRITICAL - No header received from host\n"));
844
845 /* get status line of answer, check sanity of HTTP code */
846 if (curlhelp_parse_statusline (header_buf.buf, &status_line) < 0) {
847 snprintf (msg, DEFAULT_BUFFER_SIZE, "Unparsable status line in %.3g seconds response time|%s\n",
848 total_time, perfstring);
849 /* we cannot know the major/minor version here for sure as we cannot parse the first line */
850 die (STATE_CRITICAL, "HTTP CRITICAL HTTP/x.x %ld unknown - %s", code, msg);
851 }
852
853 /* get result code from cURL */
854 handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_RESPONSE_CODE, &code), "CURLINFO_RESPONSE_CODE");
855 if (verbose>=2)
856 printf ("* curl CURLINFO_RESPONSE_CODE is %ld\n", code);
857
858 /* print status line, header, body if verbose */
859 if (verbose >= 2) {
860 printf ("**** HEADER ****\n%s\n**** CONTENT ****\n%s\n", header_buf.buf,
861 (no_body ? " [[ skipped ]]" : body_buf.buf));
862 }
863
864 /* make sure the status line matches the response we are looking for */
865 if (!expected_statuscode(status_line.first_line, server_expect)) {
866 if (server_port == HTTP_PORT)
867 snprintf(msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host: %s\n"), status_line.first_line);
868 else
869 snprintf(msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host on port %d: %s\n"), server_port, status_line.first_line);
870 die (STATE_CRITICAL, "HTTP CRITICAL - %s%s%s", msg,
871 show_body ? "\n" : "",
872 show_body ? body_buf.buf : "");
873 }
874
875 if( server_expect_yn ) {
876 snprintf(msg, DEFAULT_BUFFER_SIZE, _("Status line output matched \"%s\" - "), server_expect);
877 if (verbose)
878 printf ("%s\n",msg);
879 result = STATE_OK;
880 }
881 else {
882 /* illegal return codes result in a critical state */
883 if (code >= 600 || code < 100) {
884 die (STATE_CRITICAL, _("HTTP CRITICAL: Invalid Status (%d, %.40s)\n"), status_line.http_code, status_line.msg);
885 /* server errors result in a critical state */
886 } else if (code >= 500) {
887 result = STATE_CRITICAL;
888 /* client errors result in a warning state */
889 } else if (code >= 400) {
890 result = STATE_WARNING;
891 /* check redirected page if specified */
892 } else if (code >= 300) {
893 if (onredirect == STATE_DEPENDENT) {
894 if( followmethod == FOLLOW_LIBCURL ) {
895 code = status_line.http_code;
896 } else {
897 /* old check_http style redirection, if we come
898 * back here, we are in the same status as with
899 * the libcurl method
900 */
901 redir (&header_buf);
902 }
903 } else {
904 /* this is a specific code in the command line to
905 * be returned when a redirection is encoutered
906 */
907 }
908 result = max_state_alt (onredirect, result);
909 /* all other codes are considered ok */
910 } else {
911 result = STATE_OK;
912 }
913 }
914
915 /* libcurl redirection internally, handle error states here */
916 if( followmethod == FOLLOW_LIBCURL ) {
917 handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_REDIRECT_COUNT, &redir_depth), "CURLINFO_REDIRECT_COUNT");
918 if (verbose >= 2)
919 printf(_("* curl LIBINFO_REDIRECT_COUNT is %d\n"), redir_depth);
920 if (redir_depth > max_depth) {
921 snprintf (msg, DEFAULT_BUFFER_SIZE, "maximum redirection depth %d exceeded in libcurl",
922 max_depth);
923 die (STATE_WARNING, "HTTP WARNING - %s", msg);
924 }
925 }
926
927 /* check status codes, set exit status accordingly */
928 if( status_line.http_code != code ) {
929 die (STATE_CRITICAL, _("HTTP CRITICAL %s %d %s - different HTTP codes (cUrl has %ld)\n"),
930 string_statuscode (status_line.http_major, status_line.http_minor),
931 status_line.http_code, status_line.msg, code);
932 }
933
934 if (maximum_age >= 0) {
935 result = max_state_alt(check_document_dates(&header_buf, &msg), result);
936 }
937
938 /* Page and Header content checks go here */
939
940 if (strlen (header_expect)) {
941 if (!strstr (header_buf.buf, header_expect)) {
942 strncpy(&output_header_search[0],header_expect,sizeof(output_header_search));
943 if(output_header_search[sizeof(output_header_search)-1]!='\0') {
944 bcopy("...",&output_header_search[sizeof(output_header_search)-4],4);
945 }
946 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sheader '%s' not found on '%s://%s:%d%s', "), msg, output_header_search, use_ssl ? "https" : "http", host_name ? host_name : server_address, server_port, server_url);
947 result = STATE_CRITICAL;
948 }
949 }
950
951 if (strlen (string_expect)) {
952 if (!strstr (body_buf.buf, string_expect)) {
953 strncpy(&output_string_search[0],string_expect,sizeof(output_string_search));
954 if(output_string_search[sizeof(output_string_search)-1]!='\0') {
955 bcopy("...",&output_string_search[sizeof(output_string_search)-4],4);
956 }
957 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sstring '%s' not found on '%s://%s:%d%s', "), msg, output_string_search, use_ssl ? "https" : "http", host_name ? host_name : server_address, server_port, server_url);
958 result = STATE_CRITICAL;
959 }
960 }
961
962 if (strlen (regexp)) {
963 errcode = regexec (&preg, body_buf.buf, REGS, pmatch, 0);
964 if ((errcode == 0 && invert_regex == 0) || (errcode == REG_NOMATCH && invert_regex == 1)) {
965 /* OK - No-op to avoid changing the logic around it */
966 result = max_state_alt(STATE_OK, result);
967 }
968 else if ((errcode == REG_NOMATCH && invert_regex == 0) || (errcode == 0 && invert_regex == 1)) {
969 if (invert_regex == 0)
970 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spattern not found, "), msg);
971 else
972 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spattern found, "), msg);
973 result = STATE_CRITICAL;
974 }
975 else {
976 regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER);
977 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sExecute Error: %s, "), msg, errbuf);
978 result = STATE_UNKNOWN;
979 }
980 }
981
982 /* make sure the page is of an appropriate size */
983 if ((max_page_len > 0) && (page_len > max_page_len)) {
984 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spage size %d too large, "), msg, page_len);
985 result = max_state_alt(STATE_WARNING, result);
986 } else if ((min_page_len > 0) && (page_len < min_page_len)) {
987 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spage size %d too small, "), msg, page_len);
988 result = max_state_alt(STATE_WARNING, result);
989 }
990
991 /* -w, -c: check warning and critical level */
992 result = max_state_alt(get_status(total_time, thlds), result);
993
994 /* Cut-off trailing characters */
995 if(msg[strlen(msg)-2] == ',')
996 msg[strlen(msg)-2] = '\0';
997 else
998 msg[strlen(msg)-3] = '\0';
999
1000 /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */
1001 die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s",
1002 state_text(result), string_statuscode (status_line.http_major, status_line.http_minor),
1003 status_line.http_code, status_line.msg,
1004 strlen(msg) > 0 ? " - " : "",
1005 msg, page_len, total_time,
1006 (display_html ? "</A>" : ""),
1007 perfstring,
1008 (show_body ? body_buf.buf : ""),
1009 (show_body ? "\n" : "") );
1010
1011 /* proper cleanup after die? */
1012 curlhelp_free_statusline(&status_line);
1013 curl_easy_cleanup (curl);
1014 curl_global_cleanup ();
1015 curlhelp_freewritebuffer (&body_buf);
1016 curlhelp_freewritebuffer (&header_buf);
1017 if (!strcmp (http_method, "PUT")) {
1018 curlhelp_freereadbuffer (&put_buf);
1019 }
1020
1021 return result;
1022}
1023
1024int
1025uri_strcmp (const UriTextRangeA range, const char* s)
1026{
1027 if (!range.first) return -1;
1028 if (range.afterLast - range.first < strlen (s)) return -1;
1029 return strncmp (s, range.first, min( range.afterLast - range.first, strlen (s)));
1030}
1031
1032char*
1033uri_string (const UriTextRangeA range, char* buf, size_t buflen)
1034{
1035 if (!range.first) return "(null)";
1036 strncpy (buf, range.first, max (buflen-1, range.afterLast - range.first));
1037 buf[max (buflen-1, range.afterLast - range.first)] = '\0';
1038 buf[range.afterLast - range.first] = '\0';
1039 return buf;
1040}
1041
1042void
1043redir (curlhelp_write_curlbuf* header_buf)
1044{
1045 char *location = NULL;
1046 curlhelp_statusline status_line;
1047 struct phr_header headers[255];
1048 size_t nof_headers = 255;
1049 size_t msglen;
1050 char buf[DEFAULT_BUFFER_SIZE];
1051 char ipstr[INET_ADDR_MAX_SIZE];
1052 int new_port;
1053 char *new_host;
1054 char *new_url;
1055
1056 int res = phr_parse_response (header_buf->buf, header_buf->buflen,
1057 &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
1058 headers, &nof_headers, 0);
1059
1060 location = get_header_value (headers, nof_headers, "location");
1061
1062 if (verbose >= 2)
1063 printf(_("* Seen redirect location %s\n"), location);
1064
1065 if (++redir_depth > max_depth)
1066 die (STATE_WARNING,
1067 _("HTTP WARNING - maximum redirection depth %d exceeded - %s%s\n"),
1068 max_depth, location, (display_html ? "</A>" : ""));
1069
1070 UriParserStateA state;
1071 UriUriA uri;
1072 state.uri = &uri;
1073 if (uriParseUriA (&state, location) != URI_SUCCESS) {
1074 if (state.errorCode == URI_ERROR_SYNTAX) {
1075 die (STATE_UNKNOWN,
1076 _("HTTP UNKNOWN - Could not parse redirect location '%s'%s\n"),
1077 location, (display_html ? "</A>" : ""));
1078 } else if (state.errorCode == URI_ERROR_MALLOC) {
1079 die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate URL\n"));
1080 }
1081 }
1082
1083 if (verbose >= 2) {
1084 printf (_("** scheme: %s\n"),
1085 uri_string (uri.scheme, buf, DEFAULT_BUFFER_SIZE));
1086 printf (_("** host: %s\n"),
1087 uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE));
1088 printf (_("** port: %s\n"),
1089 uri_string (uri.portText, buf, DEFAULT_BUFFER_SIZE));
1090 if (uri.hostData.ip4) {
1091 inet_ntop (AF_INET, uri.hostData.ip4->data, ipstr, sizeof (ipstr));
1092 printf (_("** IPv4: %s\n"), ipstr);
1093 }
1094 if (uri.hostData.ip6) {
1095 inet_ntop (AF_INET, uri.hostData.ip6->data, ipstr, sizeof (ipstr));
1096 printf (_("** IPv6: %s\n"), ipstr);
1097 }
1098 if (uri.pathHead) {
1099 printf (_("** path: "));
1100 const UriPathSegmentA* p = uri.pathHead;
1101 for (; p; p = p->next) {
1102 printf ("/%s", uri_string (p->text, buf, DEFAULT_BUFFER_SIZE));
1103 }
1104 puts ("");
1105 }
1106 if (uri.query.first) {
1107 printf (_("** query: %s\n"),
1108 uri_string (uri.query, buf, DEFAULT_BUFFER_SIZE));
1109 }
1110 if (uri.fragment.first) {
1111 printf (_("** fragment: %s\n"),
1112 uri_string (uri.fragment, buf, DEFAULT_BUFFER_SIZE));
1113 }
1114 }
1115
1116 use_ssl = !uri_strcmp (uri.scheme, "https");
1117
1118 /* we do a sloppy test here only, because uriparser would have failed
1119 * above, if the port would be invalid, we just check for MAX_PORT
1120 */
1121 if (uri.portText.first) {
1122 new_port = atoi (uri_string (uri.portText, buf, DEFAULT_BUFFER_SIZE));
1123 } else {
1124 new_port = HTTP_PORT;
1125 if (use_ssl)
1126 new_port = HTTPS_PORT;
1127 }
1128 if (new_port > MAX_PORT)
1129 die (STATE_UNKNOWN,
1130 _("HTTP UNKNOWN - Redirection to port above %d - %s%s\n"),
1131 MAX_PORT, location, display_html ? "</A>" : "");
1132
1133 /* by RFC 7231 relative URLs in Location should be taken relative to
1134 * the original URL, so wy try to form a new absolute URL here
1135 */
1136 if (!uri.scheme.first && !uri.hostText.first) {
1137 new_host = strdup (host_name ? host_name : server_address);
1138 } else {
1139 new_host = strdup (uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE));
1140 }
1141
1142 /* compose new path */
1143 /* TODO: handle fragments and query part of URL */
1144 new_url = (char *)calloc( 1, DEFAULT_BUFFER_SIZE);
1145 if (uri.pathHead) {
1146 const UriPathSegmentA* p = uri.pathHead;
1147 for (; p; p = p->next) {
1148 strncat (new_url, "/", DEFAULT_BUFFER_SIZE);
1149 strncat (new_url, uri_string (p->text, buf, DEFAULT_BUFFER_SIZE), DEFAULT_BUFFER_SIZE-1);
1150 }
1151 }
1152
1153 if (server_port==new_port &&
1154 !strncmp(server_address, new_host, MAX_IPV4_HOSTLENGTH) &&
1155 (host_name && !strncmp(host_name, new_host, MAX_IPV4_HOSTLENGTH)) &&
1156 !strcmp(server_url, new_url))
1157 die (STATE_CRITICAL,
1158 _("HTTP CRITICAL - redirection creates an infinite loop - %s://%s:%d%s%s\n"),
1159 use_ssl ? "https" : "http", new_host, new_port, new_url, (display_html ? "</A>" : ""));
1160
1161 /* set new values for redirected request */
1162
1163 if (!(followsticky & STICKY_HOST)) {
1164 free (server_address);
1165 server_address = strndup (new_host, MAX_IPV4_HOSTLENGTH);
1166 }
1167 if (!(followsticky & STICKY_PORT)) {
1168 server_port = (unsigned short)new_port;
1169 }
1170
1171 free (host_name);
1172 host_name = strndup (new_host, MAX_IPV4_HOSTLENGTH);
1173
1174 /* reset virtual port */
1175 virtual_port = server_port;
1176
1177 free(new_host);
1178 free (server_url);
1179 server_url = new_url;
1180
1181 uriFreeUriMembersA (&uri);
1182
1183 if (verbose)
1184 printf (_("Redirection to %s://%s:%d%s\n"), use_ssl ? "https" : "http",
1185 host_name ? host_name : server_address, server_port, server_url);
1186
1187 /* TODO: the hash component MUST be taken from the original URL and
1188 * attached to the URL in Location
1189 */
1190
1191 check_http ();
1192}
1193
1194/* check whether a file exists */
1195void
1196test_file (char *path)
1197{
1198 if (access(path, R_OK) == 0)
1199 return;
1200 usage2 (_("file does not exist or is not readable"), path);
1201}
1202
1203int
1204process_arguments (int argc, char **argv)
1205{
1206 char *p;
1207 int c = 1;
1208 char *temp;
1209
1210 enum {
1211 INVERT_REGEX = CHAR_MAX + 1,
1212 SNI_OPTION,
1213 CA_CERT_OPTION,
1214 HTTP_VERSION_OPTION,
1215 AUTOMATIC_DECOMPRESSION
1216 };
1217
1218 int option = 0;
1219 int got_plus = 0;
1220 static struct option longopts[] = {
1221 STD_LONG_OPTS,
1222 {"link", no_argument, 0, 'L'},
1223 {"nohtml", no_argument, 0, 'n'},
1224 {"ssl", optional_argument, 0, 'S'},
1225 {"sni", no_argument, 0, SNI_OPTION},
1226 {"post", required_argument, 0, 'P'},
1227 {"method", required_argument, 0, 'j'},
1228 {"IP-address", required_argument, 0, 'I'},
1229 {"url", required_argument, 0, 'u'},
1230 {"port", required_argument, 0, 'p'},
1231 {"authorization", required_argument, 0, 'a'},
1232 {"proxy-authorization", required_argument, 0, 'b'},
1233 {"header-string", required_argument, 0, 'd'},
1234 {"string", required_argument, 0, 's'},
1235 {"expect", required_argument, 0, 'e'},
1236 {"regex", required_argument, 0, 'r'},
1237 {"ereg", required_argument, 0, 'r'},
1238 {"eregi", required_argument, 0, 'R'},
1239 {"linespan", no_argument, 0, 'l'},
1240 {"onredirect", required_argument, 0, 'f'},
1241 {"certificate", required_argument, 0, 'C'},
1242 {"client-cert", required_argument, 0, 'J'},
1243 {"private-key", required_argument, 0, 'K'},
1244 {"ca-cert", required_argument, 0, CA_CERT_OPTION},
1245 {"verify-cert", no_argument, 0, 'D'},
1246 {"useragent", required_argument, 0, 'A'},
1247 {"header", required_argument, 0, 'k'},
1248 {"no-body", no_argument, 0, 'N'},
1249 {"max-age", required_argument, 0, 'M'},
1250 {"content-type", required_argument, 0, 'T'},
1251 {"pagesize", required_argument, 0, 'm'},
1252 {"invert-regex", no_argument, NULL, INVERT_REGEX},
1253 {"use-ipv4", no_argument, 0, '4'},
1254 {"use-ipv6", no_argument, 0, '6'},
1255 {"extended-perfdata", no_argument, 0, 'E'},
1256 {"show-body", no_argument, 0, 'B'},
1257 {"http-version", required_argument, 0, HTTP_VERSION_OPTION},
1258 {"enable-automatic-decompression", no_argument, 0, AUTOMATIC_DECOMPRESSION},
1259 {0, 0, 0, 0}
1260 };
1261
1262 if (argc < 2)
1263 return ERROR;
1264
1265 /* support check_http compatible arguments */
1266 for (c = 1; c < argc; c++) {
1267 if (strcmp ("-to", argv[c]) == 0)
1268 strcpy (argv[c], "-t");
1269 if (strcmp ("-hn", argv[c]) == 0)
1270 strcpy (argv[c], "-H");
1271 if (strcmp ("-wt", argv[c]) == 0)
1272 strcpy (argv[c], "-w");
1273 if (strcmp ("-ct", argv[c]) == 0)
1274 strcpy (argv[c], "-c");
1275 if (strcmp ("-nohtml", argv[c]) == 0)
1276 strcpy (argv[c], "-n");
1277 }
1278
1279 server_url = strdup(DEFAULT_SERVER_URL);
1280
1281 while (1) {
1282 c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NEB", longopts, &option);
1283 if (c == -1 || c == EOF || c == 1)
1284 break;
1285
1286 switch (c) {
1287 case 'h':
1288 print_help();
1289 exit(STATE_UNKNOWN);
1290 break;
1291 case 'V':
1292 print_revision(progname, NP_VERSION);
1293 print_curl_version();
1294 exit(STATE_UNKNOWN);
1295 break;
1296 case 'v':
1297 verbose++;
1298 break;
1299 case 't': /* timeout period */
1300 if (!is_intnonneg (optarg))
1301 usage2 (_("Timeout interval must be a positive integer"), optarg);
1302 else
1303 socket_timeout = (int)strtol (optarg, NULL, 10);
1304 break;
1305 case 'c': /* critical time threshold */
1306 critical_thresholds = optarg;
1307 break;
1308 case 'w': /* warning time threshold */
1309 warning_thresholds = optarg;
1310 break;
1311 case 'H': /* virtual host */
1312 host_name = strdup (optarg);
1313 if (host_name[0] == '[') {
1314 if ((p = strstr (host_name, "]:")) != NULL) { /* [IPv6]:port */
1315 virtual_port = atoi (p + 2);
1316 /* cut off the port */
1317 host_name_length = strlen (host_name) - strlen (p) - 1;
1318 free (host_name);
1319 host_name = strndup (optarg, host_name_length);
1320 }
1321 } else if ((p = strchr (host_name, ':')) != NULL
1322 && strchr (++p, ':') == NULL) { /* IPv4:port or host:port */
1323 virtual_port = atoi (p);
1324 /* cut off the port */
1325 host_name_length = strlen (host_name) - strlen (p) - 1;
1326 free (host_name);
1327 host_name = strndup (optarg, host_name_length);
1328 }
1329 break;
1330 case 'I': /* internet address */
1331 server_address = strdup (optarg);
1332 break;
1333 case 'u': /* URL path */
1334 server_url = strdup (optarg);
1335 break;
1336 case 'p': /* Server port */
1337 if (!is_intnonneg (optarg))
1338 usage2 (_("Invalid port number, expecting a non-negative number"), optarg);
1339 else {
1340 if( strtol(optarg, NULL, 10) > MAX_PORT)
1341 usage2 (_("Invalid port number, supplied port number is too big"), optarg);
1342 server_port = (unsigned short)strtol(optarg, NULL, 10);
1343 specify_port = TRUE;
1344 }
1345 break;
1346 case 'a': /* authorization info */
1347 strncpy (user_auth, optarg, MAX_INPUT_BUFFER - 1);
1348 user_auth[MAX_INPUT_BUFFER - 1] = 0;
1349 break;
1350 case 'b': /* proxy-authorization info */
1351 strncpy (proxy_auth, optarg, MAX_INPUT_BUFFER - 1);
1352 proxy_auth[MAX_INPUT_BUFFER - 1] = 0;
1353 break;
1354 case 'P': /* HTTP POST data in URL encoded format; ignored if settings already */
1355 if (! http_post_data)
1356 http_post_data = strdup (optarg);
1357 if (! http_method)
1358 http_method = strdup("POST");
1359 break;
1360 case 'j': /* Set HTTP method */
1361 if (http_method)
1362 free(http_method);
1363 http_method = strdup (optarg);
1364 break;
1365 case 'A': /* useragent */
1366 strncpy (user_agent, optarg, DEFAULT_BUFFER_SIZE);
1367 user_agent[DEFAULT_BUFFER_SIZE-1] = '\0';
1368 break;
1369 case 'k': /* Additional headers */
1370 if (http_opt_headers_count == 0)
1371 http_opt_headers = malloc (sizeof (char *) * (++http_opt_headers_count));
1372 else
1373 http_opt_headers = realloc (http_opt_headers, sizeof (char *) * (++http_opt_headers_count));
1374 http_opt_headers[http_opt_headers_count - 1] = optarg;
1375 break;
1376 case 'L': /* show html link */
1377 display_html = TRUE;
1378 break;
1379 case 'n': /* do not show html link */
1380 display_html = FALSE;
1381 break;
1382 case 'C': /* Check SSL cert validity */
1383#ifdef LIBCURL_FEATURE_SSL
1384 if ((temp=strchr(optarg,','))!=NULL) {
1385 *temp='\0';
1386 if (!is_intnonneg (optarg))
1387 usage2 (_("Invalid certificate expiration period"), optarg);
1388 days_till_exp_warn = atoi(optarg);
1389 *temp=',';
1390 temp++;
1391 if (!is_intnonneg (temp))
1392 usage2 (_("Invalid certificate expiration period"), temp);
1393 days_till_exp_crit = atoi (temp);
1394 }
1395 else {
1396 days_till_exp_crit=0;
1397 if (!is_intnonneg (optarg))
1398 usage2 (_("Invalid certificate expiration period"), optarg);
1399 days_till_exp_warn = atoi (optarg);
1400 }
1401 check_cert = TRUE;
1402 goto enable_ssl;
1403#endif
1404 case 'J': /* use client certificate */
1405#ifdef LIBCURL_FEATURE_SSL
1406 test_file(optarg);
1407 client_cert = optarg;
1408 goto enable_ssl;
1409#endif
1410 case 'K': /* use client private key */
1411#ifdef LIBCURL_FEATURE_SSL
1412 test_file(optarg);
1413 client_privkey = optarg;
1414 goto enable_ssl;
1415#endif
1416#ifdef LIBCURL_FEATURE_SSL
1417 case CA_CERT_OPTION: /* use CA chain file */
1418 test_file(optarg);
1419 ca_cert = optarg;
1420 goto enable_ssl;
1421#endif
1422#ifdef LIBCURL_FEATURE_SSL
1423 case 'D': /* verify peer certificate & host */
1424 verify_peer_and_host = TRUE;
1425 break;
1426#endif
1427 case 'S': /* use SSL */
1428#ifdef LIBCURL_FEATURE_SSL
1429 enable_ssl:
1430 use_ssl = TRUE;
1431 /* ssl_version initialized to CURL_SSLVERSION_DEFAULT as a default.
1432 * Only set if it's non-zero. This helps when we include multiple
1433 * parameters, like -S and -C combinations */
1434 ssl_version = CURL_SSLVERSION_DEFAULT;
1435 if (c=='S' && optarg != NULL) {
1436 char *plus_ptr = strchr(optarg, '+');
1437 if (plus_ptr) {
1438 got_plus = 1;
1439 *plus_ptr = '\0';
1440 }
1441
1442 if (optarg[0] == '2')
1443 ssl_version = CURL_SSLVERSION_SSLv2;
1444 else if (optarg[0] == '3')
1445 ssl_version = CURL_SSLVERSION_SSLv3;
1446 else if (!strcmp (optarg, "1") || !strcmp (optarg, "1.0"))
1447#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1448 ssl_version = CURL_SSLVERSION_TLSv1_0;
1449#else
1450 ssl_version = CURL_SSLVERSION_DEFAULT;
1451#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1452 else if (!strcmp (optarg, "1.1"))
1453#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1454 ssl_version = CURL_SSLVERSION_TLSv1_1;
1455#else
1456 ssl_version = CURL_SSLVERSION_DEFAULT;
1457#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1458 else if (!strcmp (optarg, "1.2"))
1459#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1460 ssl_version = CURL_SSLVERSION_TLSv1_2;
1461#else
1462 ssl_version = CURL_SSLVERSION_DEFAULT;
1463#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1464 else if (!strcmp (optarg, "1.3"))
1465#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0)
1466 ssl_version = CURL_SSLVERSION_TLSv1_3;
1467#else
1468 ssl_version = CURL_SSLVERSION_DEFAULT;
1469#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) */
1470 else
1471 usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2, 1.3 (with optional '+' suffix)"));
1472 }
1473#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0)
1474 if (got_plus) {
1475 switch (ssl_version) {
1476 case CURL_SSLVERSION_TLSv1_3:
1477 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3;
1478 break;
1479 case CURL_SSLVERSION_TLSv1_2:
1480 case CURL_SSLVERSION_TLSv1_1:
1481 case CURL_SSLVERSION_TLSv1_0:
1482 ssl_version |= CURL_SSLVERSION_MAX_DEFAULT;
1483 break;
1484 }
1485 } else {
1486 switch (ssl_version) {
1487 case CURL_SSLVERSION_TLSv1_3:
1488 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3;
1489 break;
1490 case CURL_SSLVERSION_TLSv1_2:
1491 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_2;
1492 break;
1493 case CURL_SSLVERSION_TLSv1_1:
1494 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_1;
1495 break;
1496 case CURL_SSLVERSION_TLSv1_0:
1497 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_0;
1498 break;
1499 }
1500 }
1501#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) */
1502 if (verbose >= 2)
1503 printf(_("* Set SSL/TLS version to %d\n"), ssl_version);
1504 if (specify_port == FALSE)
1505 server_port = HTTPS_PORT;
1506 break;
1507#else /* LIBCURL_FEATURE_SSL */
1508 /* -C -J and -K fall through to here without SSL */
1509 usage4 (_("Invalid option - SSL is not available"));
1510 break;
1511 case SNI_OPTION: /* --sni is parsed, but ignored, the default is TRUE with libcurl */
1512 use_sni = TRUE;
1513 break;
1514#endif /* LIBCURL_FEATURE_SSL */
1515 case 'f': /* onredirect */
1516 if (!strcmp (optarg, "ok"))
1517 onredirect = STATE_OK;
1518 else if (!strcmp (optarg, "warning"))
1519 onredirect = STATE_WARNING;
1520 else if (!strcmp (optarg, "critical"))
1521 onredirect = STATE_CRITICAL;
1522 else if (!strcmp (optarg, "unknown"))
1523 onredirect = STATE_UNKNOWN;
1524 else if (!strcmp (optarg, "follow"))
1525 onredirect = STATE_DEPENDENT;
1526 else if (!strcmp (optarg, "stickyport"))
1527 onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_HOST|STICKY_PORT;
1528 else if (!strcmp (optarg, "sticky"))
1529 onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_HOST;
1530 else if (!strcmp (optarg, "follow"))
1531 onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_NONE;
1532 else if (!strcmp (optarg, "curl"))
1533 onredirect = STATE_DEPENDENT, followmethod = FOLLOW_LIBCURL;
1534 else usage2 (_("Invalid onredirect option"), optarg);
1535 if (verbose >= 2)
1536 printf(_("* Following redirects set to %s\n"), state_text(onredirect));
1537 break;
1538 case 'd': /* string or substring */
1539 strncpy (header_expect, optarg, MAX_INPUT_BUFFER - 1);
1540 header_expect[MAX_INPUT_BUFFER - 1] = 0;
1541 break;
1542 case 's': /* string or substring */
1543 strncpy (string_expect, optarg, MAX_INPUT_BUFFER - 1);
1544 string_expect[MAX_INPUT_BUFFER - 1] = 0;
1545 break;
1546 case 'e': /* string or substring */
1547 strncpy (server_expect, optarg, MAX_INPUT_BUFFER - 1);
1548 server_expect[MAX_INPUT_BUFFER - 1] = 0;
1549 server_expect_yn = 1;
1550 break;
1551 case 'T': /* Content-type */
1552 http_content_type = strdup (optarg);
1553 break;
1554 case 'l': /* linespan */
1555 cflags &= ~REG_NEWLINE;
1556 break;
1557 case 'R': /* regex */
1558 cflags |= REG_ICASE;
1559 case 'r': /* regex */
1560 strncpy (regexp, optarg, MAX_RE_SIZE - 1);
1561 regexp[MAX_RE_SIZE - 1] = 0;
1562 errcode = regcomp (&preg, regexp, cflags);
1563 if (errcode != 0) {
1564 (void) regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER);
1565 printf (_("Could Not Compile Regular Expression: %s"), errbuf);
1566 return ERROR;
1567 }
1568 break;
1569 case INVERT_REGEX:
1570 invert_regex = 1;
1571 break;
1572 case '4':
1573 address_family = AF_INET;
1574 break;
1575 case '6':
1576#if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6)
1577 address_family = AF_INET6;
1578#else
1579 usage4 (_("IPv6 support not available"));
1580#endif
1581 break;
1582 case 'm': /* min_page_length */
1583 {
1584 char *tmp;
1585 if (strchr(optarg, ':') != (char *)NULL) {
1586 /* range, so get two values, min:max */
1587 tmp = strtok(optarg, ":");
1588 if (tmp == NULL) {
1589 printf("Bad format: try \"-m min:max\"\n");
1590 exit (STATE_WARNING);
1591 } else
1592 min_page_len = atoi(tmp);
1593
1594 tmp = strtok(NULL, ":");
1595 if (tmp == NULL) {
1596 printf("Bad format: try \"-m min:max\"\n");
1597 exit (STATE_WARNING);
1598 } else
1599 max_page_len = atoi(tmp);
1600 } else
1601 min_page_len = atoi (optarg);
1602 break;
1603 }
1604 case 'N': /* no-body */
1605 no_body = TRUE;
1606 break;
1607 case 'M': /* max-age */
1608 {
1609 int L = strlen(optarg);
1610 if (L && optarg[L-1] == 'm')
1611 maximum_age = atoi (optarg) * 60;
1612 else if (L && optarg[L-1] == 'h')
1613 maximum_age = atoi (optarg) * 60 * 60;
1614 else if (L && optarg[L-1] == 'd')
1615 maximum_age = atoi (optarg) * 60 * 60 * 24;
1616 else if (L && (optarg[L-1] == 's' ||
1617 isdigit (optarg[L-1])))
1618 maximum_age = atoi (optarg);
1619 else {
1620 fprintf (stderr, "unparsable max-age: %s\n", optarg);
1621 exit (STATE_WARNING);
1622 }
1623 if (verbose >= 2)
1624 printf ("* Maximal age of document set to %d seconds\n", maximum_age);
1625 }
1626 break;
1627 case 'E': /* show extended perfdata */
1628 show_extended_perfdata = TRUE;
1629 break;
1630 case 'B': /* print body content after status line */
1631 show_body = TRUE;
1632 break;
1633 case HTTP_VERSION_OPTION:
1634 curl_http_version = CURL_HTTP_VERSION_NONE;
1635 if (strcmp (optarg, "1.0") == 0) {
1636 curl_http_version = CURL_HTTP_VERSION_1_0;
1637 } else if (strcmp (optarg, "1.1") == 0) {
1638 curl_http_version = CURL_HTTP_VERSION_1_1;
1639 } else if ((strcmp (optarg, "2.0") == 0) || (strcmp (optarg, "2") == 0)) {
1640#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 33, 0)
1641 curl_http_version = CURL_HTTP_VERSION_2_0;
1642#else
1643 curl_http_version = CURL_HTTP_VERSION_NONE;
1644#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 33, 0) */
1645 } else {
1646 fprintf (stderr, "unkown http-version parameter: %s\n", optarg);
1647 exit (STATE_WARNING);
1648 }
1649 break;
1650 case AUTOMATIC_DECOMPRESSION:
1651 automatic_decompression = TRUE;
1652 break;
1653 case '?':
1654 /* print short usage statement if args not parsable */
1655 usage5 ();
1656 break;
1657 }
1658 }
1659
1660 c = optind;
1661
1662 if (server_address == NULL && c < argc)
1663 server_address = strdup (argv[c++]);
1664
1665 if (host_name == NULL && c < argc)
1666 host_name = strdup (argv[c++]);
1667
1668 if (server_address == NULL) {
1669 if (host_name == NULL)
1670 usage4 (_("You must specify a server address or host name"));
1671 else
1672 server_address = strdup (host_name);
1673 }
1674
1675 set_thresholds(&thlds, warning_thresholds, critical_thresholds);
1676
1677 if (critical_thresholds && thlds->critical->end>(double)socket_timeout)
1678 socket_timeout = (int)thlds->critical->end + 1;
1679 if (verbose >= 2)
1680 printf ("* Socket timeout set to %ld seconds\n", socket_timeout);
1681
1682 if (http_method == NULL)
1683 http_method = strdup ("GET");
1684
1685 if (client_cert && !client_privkey)
1686 usage4 (_("If you use a client certificate you must also specify a private key file"));
1687
1688 if (virtual_port == 0)
1689 virtual_port = server_port;
1690 else {
1691 if ((use_ssl && server_port == HTTPS_PORT) || (!use_ssl && server_port == HTTP_PORT))
1692 if(specify_port == FALSE)
1693 server_port = virtual_port;
1694 }
1695
1696 return TRUE;
1697}
1698
1699char *perfd_time (double elapsed_time)
1700{
1701 return fperfdata ("time", elapsed_time, "s",
1702 thlds->warning?TRUE:FALSE, thlds->warning?thlds->warning->end:0,
1703 thlds->critical?TRUE:FALSE, thlds->critical?thlds->critical->end:0,
1704 TRUE, 0, TRUE, socket_timeout);
1705}
1706
1707char *perfd_time_connect (double elapsed_time_connect)
1708{
1709 return fperfdata ("time_connect", elapsed_time_connect, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
1710}
1711
1712char *perfd_time_ssl (double elapsed_time_ssl)
1713{
1714 return fperfdata ("time_ssl", elapsed_time_ssl, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
1715}
1716
1717char *perfd_time_headers (double elapsed_time_headers)
1718{
1719 return fperfdata ("time_headers", elapsed_time_headers, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
1720}
1721
1722char *perfd_time_firstbyte (double elapsed_time_firstbyte)
1723{
1724 return fperfdata ("time_firstbyte", elapsed_time_firstbyte, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
1725}
1726
1727char *perfd_time_transfer (double elapsed_time_transfer)
1728{
1729 return fperfdata ("time_transfer", elapsed_time_transfer, "s", FALSE, 0, FALSE, 0, FALSE, 0, TRUE, socket_timeout);
1730}
1731
1732char *perfd_size (int page_len)
1733{
1734 return perfdata ("size", page_len, "B",
1735 (min_page_len>0?TRUE:FALSE), min_page_len,
1736 (min_page_len>0?TRUE:FALSE), 0,
1737 TRUE, 0, FALSE, 0);
1738}
1739
1740void
1741print_help (void)
1742{
1743 print_revision (progname, NP_VERSION);
1744
1745 printf ("Copyright (c) 1999 Ethan Galstad <nagios@nagios.org>\n");
1746 printf (COPYRIGHT, copyright, email);
1747
1748 printf ("%s\n", _("This plugin tests the HTTP service on the specified host. It can test"));
1749 printf ("%s\n", _("normal (http) and secure (https) servers, follow redirects, search for"));
1750 printf ("%s\n", _("strings and regular expressions, check connection times, and report on"));
1751 printf ("%s\n", _("certificate expiration times."));
1752 printf ("\n");
1753 printf ("%s\n", _("It makes use of libcurl to do so. It tries to be as compatible to check_http"));
1754 printf ("%s\n", _("as possible."));
1755
1756 printf ("\n\n");
1757
1758 print_usage ();
1759
1760 printf (_("NOTE: One or both of -H and -I must be specified"));
1761
1762 printf ("\n");
1763
1764 printf (UT_HELP_VRSN);
1765 printf (UT_EXTRA_OPTS);
1766
1767 printf (" %s\n", "-H, --hostname=ADDRESS");
1768 printf (" %s\n", _("Host name argument for servers using host headers (virtual host)"));
1769 printf (" %s\n", _("Append a port to include it in the header (eg: example.com:5000)"));
1770 printf (" %s\n", "-I, --IP-address=ADDRESS");
1771 printf (" %s\n", _("IP address or name (use numeric address if possible to bypass DNS lookup)."));
1772 printf (" %s\n", "-p, --port=INTEGER");
1773 printf (" %s", _("Port number (default: "));
1774 printf ("%d)\n", HTTP_PORT);
1775
1776 printf (UT_IPv46);
1777
1778#ifdef LIBCURL_FEATURE_SSL
1779 printf (" %s\n", "-S, --ssl=VERSION[+]");
1780 printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
1781 printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
1782 printf (" %s\n", _("1.2 = TLSv1.2, 1.3 = TLSv1.3). With a '+' suffix, newer versions are also accepted."));
1783 printf (" %s\n", _("Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl"));
1784 printf (" %s\n", "--sni");
1785 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1786#if LIBCURL_VERSION_NUM >= 0x071801
1787 printf (" %s\n", _("Note: --sni is the default in libcurl as SSLv2 and SSLV3 are deprecated and"));
1788 printf (" %s\n", _(" SNI only really works since TLSv1.0"));
1789#else
1790 printf (" %s\n", _("Note: SNI is not supported in libcurl before 7.18.1"));
1791#endif
1792 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
1793 printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
1794 printf (" %s\n", _("(when this option is used the URL is not checked.)"));
1795 printf (" %s\n", "-J, --client-cert=FILE");
1796 printf (" %s\n", _("Name of file that contains the client certificate (PEM format)"));
1797 printf (" %s\n", _("to be used in establishing the SSL session"));
1798 printf (" %s\n", "-K, --private-key=FILE");
1799 printf (" %s\n", _("Name of file containing the private key (PEM format)"));
1800 printf (" %s\n", _("matching the client certificate"));
1801 printf (" %s\n", "--ca-cert=FILE");
1802 printf (" %s\n", _("CA certificate file to verify peer against"));
1803 printf (" %s\n", "-D, --verify-cert");
1804 printf (" %s\n", _("Verify the peer's SSL certificate and hostname"));
1805#endif
1806
1807 printf (" %s\n", "-e, --expect=STRING");
1808 printf (" %s\n", _("Comma-delimited list of strings, at least one of them is expected in"));
1809 printf (" %s", _("the first (status) line of the server response (default: "));
1810 printf ("%s)\n", HTTP_EXPECT);
1811 printf (" %s\n", _("If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)"));
1812 printf (" %s\n", "-d, --header-string=STRING");
1813 printf (" %s\n", _("String to expect in the response headers"));
1814 printf (" %s\n", "-s, --string=STRING");
1815 printf (" %s\n", _("String to expect in the content"));
1816 printf (" %s\n", "-u, --url=PATH");
1817 printf (" %s\n", _("URL to GET or POST (default: /)"));
1818 printf (" %s\n", "-P, --post=STRING");
1819 printf (" %s\n", _("URL encoded http POST data"));
1820 printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
1821 printf (" %s\n", _("Set HTTP method."));
1822 printf (" %s\n", "-N, --no-body");
1823 printf (" %s\n", _("Don't wait for document body: stop reading after headers."));
1824 printf (" %s\n", _("(Note that this still does an HTTP GET or POST, not a HEAD.)"));
1825 printf (" %s\n", "-M, --max-age=SECONDS");
1826 printf (" %s\n", _("Warn if document is more than SECONDS old. the number can also be of"));
1827 printf (" %s\n", _("the form \"10m\" for minutes, \"10h\" for hours, or \"10d\" for days."));
1828 printf (" %s\n", "-T, --content-type=STRING");
1829 printf (" %s\n", _("specify Content-Type header media type when POSTing\n"));
1830 printf (" %s\n", "-l, --linespan");
1831 printf (" %s\n", _("Allow regex to span newlines (must precede -r or -R)"));
1832 printf (" %s\n", "-r, --regex, --ereg=STRING");
1833 printf (" %s\n", _("Search page for regex STRING"));
1834 printf (" %s\n", "-R, --eregi=STRING");
1835 printf (" %s\n", _("Search page for case-insensitive regex STRING"));
1836 printf (" %s\n", "--invert-regex");
1837 printf (" %s\n", _("Return CRITICAL if found, OK if not\n"));
1838 printf (" %s\n", "-a, --authorization=AUTH_PAIR");
1839 printf (" %s\n", _("Username:password on sites with basic authentication"));
1840 printf (" %s\n", "-b, --proxy-authorization=AUTH_PAIR");
1841 printf (" %s\n", _("Username:password on proxy-servers with basic authentication"));
1842 printf (" %s\n", "-A, --useragent=STRING");
1843 printf (" %s\n", _("String to be sent in http header as \"User Agent\""));
1844 printf (" %s\n", "-k, --header=STRING");
1845 printf (" %s\n", _("Any other tags to be sent in http header. Use multiple times for additional headers"));
1846 printf (" %s\n", "-E, --extended-perfdata");
1847 printf (" %s\n", _("Print additional performance data"));
1848 printf (" %s\n", "-B, --show-body");
1849 printf (" %s\n", _("Print body content below status line"));
1850 printf (" %s\n", "-L, --link");
1851 printf (" %s\n", _("Wrap output in HTML link (obsoleted by urlize)"));
1852 printf (" %s\n", "-f, --onredirect=<ok|warning|critical|follow|sticky|stickyport|curl>");
1853 printf (" %s\n", _("How to handle redirected pages. sticky is like follow but stick to the"));
1854 printf (" %s\n", _("specified IP address. stickyport also ensures port stays the same."));
1855 printf (" %s\n", _("follow uses the old redirection algorithm of check_http."));
1856 printf (" %s\n", _("curl uses CURL_FOLLOWLOCATION built into libcurl."));
1857 printf (" %s\n", "-m, --pagesize=INTEGER<:INTEGER>");
1858 printf (" %s\n", _("Minimum page size required (bytes) : Maximum page size required (bytes)"));
1859 printf ("\n");
1860 printf (" %s\n", "--http-version=VERSION");
1861 printf (" %s\n", _("Connect via specific HTTP protocol."));
1862 printf (" %s\n", _("1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)"));
1863 printf (" %s\n", "--enable-automatic-decompression");
1864 printf (" %s\n", _("Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING)."));
1865 printf ("\n");
1866
1867 printf (UT_WARN_CRIT);
1868
1869 printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
1870
1871 printf (UT_VERBOSE);
1872
1873 printf ("\n");
1874 printf ("%s\n", _("Notes:"));
1875 printf (" %s\n", _("This plugin will attempt to open an HTTP connection with the host."));
1876 printf (" %s\n", _("Successful connects return STATE_OK, refusals and timeouts return STATE_CRITICAL"));
1877 printf (" %s\n", _("other errors return STATE_UNKNOWN. Successful connects, but incorrect response"));
1878 printf (" %s\n", _("messages from the host result in STATE_WARNING return values. If you are"));
1879 printf (" %s\n", _("checking a virtual server that uses 'host headers' you must supply the FQDN"));
1880 printf (" %s\n", _("(fully qualified domain name) as the [host_name] argument."));
1881
1882#ifdef LIBCURL_FEATURE_SSL
1883 printf ("\n");
1884 printf (" %s\n", _("This plugin can also check whether an SSL enabled web server is able to"));
1885 printf (" %s\n", _("serve content (optionally within a specified time) or whether the X509 "));
1886 printf (" %s\n", _("certificate is still valid for the specified number of days."));
1887 printf ("\n");
1888 printf (" %s\n", _("Please note that this plugin does not check if the presented server"));
1889 printf (" %s\n", _("certificate matches the hostname of the server, or if the certificate"));
1890 printf (" %s\n", _("has a valid chain of trust to one of the locally installed CAs."));
1891 printf ("\n");
1892 printf ("%s\n", _("Examples:"));
1893 printf (" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com");
1894 printf (" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,"));
1895 printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
1896 printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
1897 printf (" %s\n", _("a STATE_CRITICAL will be returned."));
1898 printf ("\n");
1899 printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14");
1900 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
1901 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
1902 printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
1903 printf (" %s\n\n", _("the certificate is expired."));
1904 printf ("\n");
1905 printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14");
1906 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
1907 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
1908 printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
1909 printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
1910#endif
1911
1912 printf ("\n %s\n", "CHECK WEBSERVER CONTENT VIA PROXY:");
1913 printf (" %s\n", _("It is recommended to use an environment proxy like:"));
1914 printf (" %s\n", _("http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org"));
1915 printf (" %s\n", _("legacy proxy requests in check_http style still work:"));
1916 printf (" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u http://www.monitoring-plugins.org/ -H www.monitoring-plugins.org"));
1917
1918#ifdef LIBCURL_FEATURE_SSL
1919 printf ("\n %s\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: ");
1920 printf (" %s\n", _("It is recommended to use an environment proxy like:"));
1921 printf (" %s\n", _("https_proxy=http://192.168.100.35:3128 ./check_curl -H www.verisign.com -S"));
1922 printf (" %s\n", _("legacy proxy requests in check_http style still work:"));
1923 printf (" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com "));
1924 printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
1925 printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
1926 printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
1927 printf (" %s\n", _("a STATE_CRITICAL will be returned."));
1928
1929#endif
1930
1931 printf (UT_SUPPORT);
1932
1933}
1934
1935
1936
1937void
1938print_usage (void)
1939{
1940 printf ("%s\n", _("Usage:"));
1941 printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
1942 printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>] [-D]\n");
1943 printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n");
1944 printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport|curl>]\n");
1945 printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
1946 printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
1947 printf (" [-A string] [-k string] [-S <version>] [--sni]\n");
1948 printf (" [-T <content-type>] [-j method]\n");
1949 printf (" [--http-version=<version>]\n");
1950 printf (" %s -H <vhost> | -I <IP-address> -C <warn_age>[,<crit_age>]\n",progname);
1951 printf (" [-p <port>] [-t <timeout>] [-4|-6] [--sni]\n");
1952 printf ("\n");
1953#ifdef LIBCURL_FEATURE_SSL
1954 printf ("%s\n", _("In the first form, make an HTTP request."));
1955 printf ("%s\n\n", _("In the second form, connect to the server and check the TLS certificate."));
1956#endif
1957 printf ("%s\n", _("WARNING: check_curl is experimental. Please use"));
1958 printf ("%s\n\n", _("check_http if you need a stable version."));
1959}
1960
1961void
1962print_curl_version (void)
1963{
1964 printf( "%s\n", curl_version());
1965}
1966
1967int
1968curlhelp_initwritebuffer (curlhelp_write_curlbuf *buf)
1969{
1970 buf->bufsize = DEFAULT_BUFFER_SIZE;
1971 buf->buflen = 0;
1972 buf->buf = (char *)malloc ((size_t)buf->bufsize);
1973 if (buf->buf == NULL) return -1;
1974 return 0;
1975}
1976
1977int
1978curlhelp_buffer_write_callback (void *buffer, size_t size, size_t nmemb, void *stream)
1979{
1980 curlhelp_write_curlbuf *buf = (curlhelp_write_curlbuf *)stream;
1981
1982 while (buf->bufsize < buf->buflen + size * nmemb + 1) {
1983 buf->bufsize *= buf->bufsize * 2;
1984 buf->buf = (char *)realloc (buf->buf, buf->bufsize);
1985 if (buf->buf == NULL) return -1;
1986 }
1987
1988 memcpy (buf->buf + buf->buflen, buffer, size * nmemb);
1989 buf->buflen += size * nmemb;
1990 buf->buf[buf->buflen] = '\0';
1991
1992 return (int)(size * nmemb);
1993}
1994
1995int
1996curlhelp_buffer_read_callback (void *buffer, size_t size, size_t nmemb, void *stream)
1997{
1998 curlhelp_read_curlbuf *buf = (curlhelp_read_curlbuf *)stream;
1999
2000 size_t n = min (nmemb * size, buf->buflen - buf->pos);
2001
2002 memcpy (buffer, buf->buf + buf->pos, n);
2003 buf->pos += n;
2004
2005 return (int)n;
2006}
2007
2008void
2009curlhelp_freewritebuffer (curlhelp_write_curlbuf *buf)
2010{
2011 free (buf->buf);
2012 buf->buf = NULL;
2013}
2014
2015int
2016curlhelp_initreadbuffer (curlhelp_read_curlbuf *buf, const char *data, size_t datalen)
2017{
2018 buf->buflen = datalen;
2019 buf->buf = (char *)malloc ((size_t)buf->buflen);
2020 if (buf->buf == NULL) return -1;
2021 memcpy (buf->buf, data, datalen);
2022 buf->pos = 0;
2023 return 0;
2024}
2025
2026void
2027curlhelp_freereadbuffer (curlhelp_read_curlbuf *buf)
2028{
2029 free (buf->buf);
2030 buf->buf = NULL;
2031}
2032
2033/* TODO: where to put this, it's actually part of sstrings2 (logically)?
2034 */
2035const char*
2036strrstr2(const char *haystack, const char *needle)
2037{
2038 int counter;
2039 size_t len;
2040 const char *prev_pos;
2041 const char *pos;
2042
2043 if (haystack == NULL || needle == NULL)
2044 return NULL;
2045
2046 if (haystack[0] == '\0' || needle[0] == '\0')
2047 return NULL;
2048
2049 counter = 0;
2050 prev_pos = NULL;
2051 pos = haystack;
2052 len = strlen (needle);
2053 for (;;) {
2054 pos = strstr (pos, needle);
2055 if (pos == NULL) {
2056 if (counter == 0)
2057 return NULL;
2058 else
2059 return prev_pos;
2060 }
2061 counter++;
2062 prev_pos = pos;
2063 pos += len;
2064 if (*pos == '\0') return prev_pos;
2065 }
2066}
2067
2068int
2069curlhelp_parse_statusline (const char *buf, curlhelp_statusline *status_line)
2070{
2071 char *first_line_end;
2072 char *p;
2073 size_t first_line_len;
2074 char *pp;
2075 const char *start;
2076 char *first_line_buf;
2077
2078 /* find last start of a new header */
2079 start = strrstr2 (buf, "\r\nHTTP/");
2080 if (start != NULL) {
2081 start += 2;
2082 buf = start;
2083 }
2084
2085 first_line_end = strstr(buf, "\r\n");
2086 if (first_line_end == NULL) return -1;
2087
2088 first_line_len = (size_t)(first_line_end - buf);
2089 status_line->first_line = (char *)malloc (first_line_len + 1);
2090 if (status_line->first_line == NULL) return -1;
2091 memcpy (status_line->first_line, buf, first_line_len);
2092 status_line->first_line[first_line_len] = '\0';
2093 first_line_buf = strdup( status_line->first_line );
2094
2095 /* protocol and version: "HTTP/x.x" SP or "HTTP/2" SP */
2096
2097 p = strtok(first_line_buf, "/");
2098 if( p == NULL ) { free( first_line_buf ); return -1; }
2099 if( strcmp( p, "HTTP" ) != 0 ) { free( first_line_buf ); return -1; }
2100
2101 p = strtok( NULL, " " );
2102 if( p == NULL ) { free( first_line_buf ); return -1; }
2103 if( strchr( p, '.' ) != NULL ) {
2104
2105 /* HTTP 1.x case */
2106 char *ppp;
2107 ppp = strtok( p, "." );
2108 status_line->http_major = (int)strtol( p, &pp, 10 );
2109 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2110 ppp = strtok( NULL, " " );
2111 status_line->http_minor = (int)strtol( p, &pp, 10 );
2112 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2113 p += 4; /* 1.x SP */
2114 } else {
2115 /* HTTP 2 case */
2116 status_line->http_major = (int)strtol( p, &pp, 10 );
2117 status_line->http_minor = 0;
2118 p += 2; /* 2 SP */
2119 }
2120
2121 /* status code: "404" or "404.1", then SP */
2122
2123 p = strtok( p, " " );
2124 if( p == NULL ) { free( first_line_buf ); return -1; }
2125 if( strchr( p, '.' ) != NULL ) {
2126 char *ppp;
2127 ppp = strtok( p, "." );
2128 status_line->http_code = (int)strtol( ppp, &pp, 10 );
2129 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2130 ppp = strtok( NULL, "" );
2131 status_line->http_subcode = (int)strtol( ppp, &pp, 10 );
2132 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2133 p += 6; /* 400.1 SP */
2134 } else {
2135 status_line->http_code = (int)strtol( p, &pp, 10 );
2136 status_line->http_subcode = -1;
2137 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2138 p += 4; /* 400 SP */
2139 }
2140
2141 /* Human readable message: "Not Found" CRLF */
2142
2143 p = strtok( p, "" );
2144 if( p == NULL ) { status_line->msg = ""; return 0; }
2145 status_line->msg = status_line->first_line + ( p - first_line_buf );
2146 free( first_line_buf );
2147
2148 return 0;
2149}
2150
2151void
2152curlhelp_free_statusline (curlhelp_statusline *status_line)
2153{
2154 free (status_line->first_line);
2155}
2156
2157void
2158remove_newlines (char *s)
2159{
2160 char *p;
2161
2162 for (p = s; *p != '\0'; p++)
2163 if (*p == '\r' || *p == '\n')
2164 *p = ' ';
2165}
2166
2167char *
2168get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header)
2169{
2170 int i;
2171 for( i = 0; i < nof_headers; i++ ) {
2172 if(headers[i].name != NULL && strncasecmp( header, headers[i].name, max( headers[i].name_len, 4 ) ) == 0 ) {
2173 return strndup( headers[i].value, headers[i].value_len );
2174 }
2175 }
2176 return NULL;
2177}
2178
2179int
2180check_document_dates (const curlhelp_write_curlbuf *header_buf, char (*msg)[DEFAULT_BUFFER_SIZE])
2181{
2182 char *server_date = NULL;
2183 char *document_date = NULL;
2184 int date_result = STATE_OK;
2185 curlhelp_statusline status_line;
2186 struct phr_header headers[255];
2187 size_t nof_headers = 255;
2188 size_t msglen;
2189
2190 int res = phr_parse_response (header_buf->buf, header_buf->buflen,
2191 &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
2192 headers, &nof_headers, 0);
2193
2194 server_date = get_header_value (headers, nof_headers, "date");
2195 document_date = get_header_value (headers, nof_headers, "last-modified");
2196
2197 if (!server_date || !*server_date) {
2198 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sServer date unknown, "), *msg);
2199 date_result = max_state_alt(STATE_UNKNOWN, date_result);
2200 } else if (!document_date || !*document_date) {
2201 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument modification date unknown, "), *msg);
2202 date_result = max_state_alt(STATE_CRITICAL, date_result);
2203 } else {
2204 time_t srv_data = curl_getdate (server_date, NULL);
2205 time_t doc_data = curl_getdate (document_date, NULL);
2206 if (verbose >= 2)
2207 printf ("* server date: '%s' (%d), doc_date: '%s' (%d)\n", server_date, (int)srv_data, document_date, (int)doc_data);
2208 if (srv_data <= 0) {
2209 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sServer date \"%100s\" unparsable, "), *msg, server_date);
2210 date_result = max_state_alt(STATE_CRITICAL, date_result);
2211 } else if (doc_data <= 0) {
2212 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument date \"%100s\" unparsable, "), *msg, document_date);
2213 date_result = max_state_alt(STATE_CRITICAL, date_result);
2214 } else if (doc_data > srv_data + 30) {
2215 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument is %d seconds in the future, "), *msg, (int)doc_data - (int)srv_data);
2216 date_result = max_state_alt(STATE_CRITICAL, date_result);
2217 } else if (doc_data < srv_data - maximum_age) {
2218 int n = (srv_data - doc_data);
2219 if (n > (60 * 60 * 24 * 2)) {
2220 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sLast modified %.1f days ago, "), *msg, ((float) n) / (60 * 60 * 24));
2221 date_result = max_state_alt(STATE_CRITICAL, date_result);
2222 } else {
2223 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sLast modified %d:%02d:%02d ago, "), *msg, n / (60 * 60), (n / 60) % 60, n % 60);
2224 date_result = max_state_alt(STATE_CRITICAL, date_result);
2225 }
2226 }
2227 }
2228
2229 if (server_date) free (server_date);
2230 if (document_date) free (document_date);
2231
2232 return date_result;
2233}
2234
2235
2236int
2237get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf)
2238{
2239 const char *s;
2240 int content_length = 0;
2241 char *copy;
2242 struct phr_header headers[255];
2243 size_t nof_headers = 255;
2244 size_t msglen;
2245 char *content_length_s = NULL;
2246 curlhelp_statusline status_line;
2247
2248 int res = phr_parse_response (header_buf->buf, header_buf->buflen,
2249 &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
2250 headers, &nof_headers, 0);
2251
2252 content_length_s = get_header_value (headers, nof_headers, "content-length");
2253 if (!content_length_s) {
2254 return header_buf->buflen + body_buf->buflen;
2255 }
2256 content_length_s += strspn (content_length_s, " \t");
2257 content_length = atoi (content_length_s);
2258 if (content_length != body_buf->buflen) {
2259 /* TODO: should we warn if the actual and the reported body length don't match? */
2260 }
2261
2262 if (content_length_s) free (content_length_s);
2263
2264 return header_buf->buflen + body_buf->buflen;
2265}
2266
2267/* TODO: is there a better way in libcurl to check for the SSL library? */
2268curlhelp_ssl_library
2269curlhelp_get_ssl_library (CURL* curl)
2270{
2271 curl_version_info_data* version_data;
2272 char *ssl_version;
2273 char *library;
2274 curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
2275
2276 version_data = curl_version_info (CURLVERSION_NOW);
2277 if (version_data == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
2278
2279 ssl_version = strdup (version_data->ssl_version);
2280 if (ssl_version == NULL ) return CURLHELP_SSL_LIBRARY_UNKNOWN;
2281
2282 library = strtok (ssl_version, "/");
2283 if (library == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
2284
2285 if (strcmp (library, "OpenSSL") == 0)
2286 ssl_library = CURLHELP_SSL_LIBRARY_OPENSSL;
2287 else if (strcmp (library, "LibreSSL") == 0)
2288 ssl_library = CURLHELP_SSL_LIBRARY_LIBRESSL;
2289 else if (strcmp (library, "GnuTLS") == 0)
2290 ssl_library = CURLHELP_SSL_LIBRARY_GNUTLS;
2291 else if (strcmp (library, "NSS") == 0)
2292 ssl_library = CURLHELP_SSL_LIBRARY_NSS;
2293
2294 if (verbose >= 2)
2295 printf ("* SSL library string is : %s %s (%d)\n", version_data->ssl_version, library, ssl_library);
2296
2297 free (ssl_version);
2298
2299 return ssl_library;
2300}
2301
2302const char*
2303curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
2304{
2305 switch (ssl_library) {
2306 case CURLHELP_SSL_LIBRARY_OPENSSL:
2307 return "OpenSSL";
2308 case CURLHELP_SSL_LIBRARY_LIBRESSL:
2309 return "LibreSSL";
2310 case CURLHELP_SSL_LIBRARY_GNUTLS:
2311 return "GnuTLS";
2312 case CURLHELP_SSL_LIBRARY_NSS:
2313 return "NSS";
2314 case CURLHELP_SSL_LIBRARY_UNKNOWN:
2315 default:
2316 return "unknown";
2317 }
2318}
2319
2320#ifdef LIBCURL_FEATURE_SSL
2321#ifndef USE_OPENSSL
2322time_t
2323parse_cert_date (const char *s)
2324{
2325 struct tm tm;
2326 time_t date;
2327 char *res;
2328
2329 if (!s) return -1;
2330
2331 /* Jan 17 14:25:12 2020 GMT */
2332 res = strptime (s, "%Y-%m-%d %H:%M:%S GMT", &tm);
2333 /* Sep 11 12:00:00 2020 GMT */
2334 if (res == NULL) strptime (s, "%Y %m %d %H:%M:%S GMT", &tm);
2335 date = mktime (&tm);
2336
2337 return date;
2338}
2339
2340/* TODO: this needs cleanup in the sslutils.c, maybe we the #else case to
2341 * OpenSSL could be this function
2342 */
2343int
2344net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit)
2345{
2346 int i;
2347 struct curl_slist* slist;
2348 int cname_found = 0;
2349 char* start_date_str = NULL;
2350 char* end_date_str = NULL;
2351 time_t start_date;
2352 time_t end_date;
2353 char *tz;
2354 float time_left;
2355 int days_left;
2356 int time_remaining;
2357 char timestamp[50] = "";
2358 int status = STATE_UNKNOWN;
2359
2360 if (verbose >= 2)
2361 printf ("**** REQUEST CERTIFICATES ****\n");
2362
2363 for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) {
2364 for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) {
2365 /* find first common name in subject,
2366 * TODO: check alternative subjects for
2367 * TODO: have a decent parser here and not a hack
2368 * multi-host certificate, check wildcards
2369 */
2370 if (strncasecmp (slist->data, "Subject:", 8) == 0) {
2371 int d = 3;
2372 char* p = strstr (slist->data, "CN=");
2373 if (p == NULL) {
2374 d = 5;
2375 p = strstr (slist->data, "CN = ");
2376 }
2377 if (p != NULL) {
2378 if (strncmp (host_name, p+d, strlen (host_name)) == 0) {
2379 cname_found = 1;
2380 }
2381 }
2382 } else if (strncasecmp (slist->data, "Start Date:", 11) == 0) {
2383 start_date_str = &slist->data[11];
2384 } else if (strncasecmp (slist->data, "Expire Date:", 12) == 0) {
2385 end_date_str = &slist->data[12];
2386 } else if (strncasecmp (slist->data, "Cert:", 5) == 0) {
2387 goto HAVE_FIRST_CERT;
2388 }
2389 if (verbose >= 2)
2390 printf ("%d ** %s\n", i, slist->data);
2391 }
2392 }
2393HAVE_FIRST_CERT:
2394
2395 if (verbose >= 2)
2396 printf ("**** REQUEST CERTIFICATES ****\n");
2397
2398 if (!cname_found) {
2399 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
2400 return STATE_CRITICAL;
2401 }
2402
2403 start_date = parse_cert_date (start_date_str);
2404 if (start_date <= 0) {
2405 snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Start Date' in certificate: '%s'"),
2406 start_date_str);
2407 puts (msg);
2408 return STATE_WARNING;
2409 }
2410
2411 end_date = parse_cert_date (end_date_str);
2412 if (end_date <= 0) {
2413 snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Expire Date' in certificate: '%s'"),
2414 start_date_str);
2415 puts (msg);
2416 return STATE_WARNING;
2417 }
2418
2419 time_left = difftime (end_date, time(NULL));
2420 days_left = time_left / 86400;
2421 tz = getenv("TZ");
2422 setenv("TZ", "GMT", 1);
2423 tzset();
2424 strftime(timestamp, 50, "%c %z", localtime(&end_date));
2425 if (tz)
2426 setenv("TZ", tz, 1);
2427 else
2428 unsetenv("TZ");
2429 tzset();
2430
2431 if (days_left > 0 && days_left <= days_till_exp_warn) {
2432 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, days_left, timestamp);
2433 if (days_left > days_till_exp_crit)
2434 status = STATE_WARNING;
2435 else
2436 status = STATE_CRITICAL;
2437 } else if (days_left == 0 && time_left > 0) {
2438 if (time_left >= 3600)
2439 time_remaining = (int) time_left / 3600;
2440 else
2441 time_remaining = (int) time_left / 60;
2442
2443 printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
2444 (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", host_name, time_remaining,
2445 time_left >= 3600 ? "hours" : "minutes", timestamp);
2446
2447 if ( days_left > days_till_exp_crit)
2448 status = STATE_WARNING;
2449 else
2450 status = STATE_CRITICAL;
2451 } else if (time_left < 0) {
2452 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), host_name, timestamp);
2453 status=STATE_CRITICAL;
2454 } else if (days_left == 0) {
2455 printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, timestamp);
2456 if (days_left > days_till_exp_crit)
2457 status = STATE_WARNING;
2458 else
2459 status = STATE_CRITICAL;
2460 } else {
2461 printf(_("OK - Certificate '%s' will expire on %s.\n"), host_name, timestamp);
2462 status = STATE_OK;
2463 }
2464 return status;
2465}
2466#endif /* USE_OPENSSL */
2467#endif /* LIBCURL_FEATURE_SSL */