diff options
Diffstat (limited to 'plugins/check_curl.c')
-rw-r--r-- | plugins/check_curl.c | 2696 |
1 files changed, 2696 insertions, 0 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c new file mode 100644 index 00000000..d0871c48 --- /dev/null +++ b/plugins/check_curl.c | |||
@@ -0,0 +1,2696 @@ | |||
1 | /***************************************************************************** | ||
2 | * | ||
3 | * Monitoring check_curl plugin | ||
4 | * | ||
5 | * License: GPL | ||
6 | * Copyright (c) 1999-2019 Monitoring Plugins Development Team | ||
7 | * | ||
8 | * Description: | ||
9 | * | ||
10 | * This file contains the check_curl plugin | ||
11 | * | ||
12 | * This plugin tests the HTTP service on the specified host. It can test | ||
13 | * normal (http) and secure (https) servers, follow redirects, search for | ||
14 | * strings and regular expressions, check connection times, and report on | ||
15 | * certificate expiration times. | ||
16 | * | ||
17 | * This plugin uses functions from the curl library, see | ||
18 | * http://curl.haxx.se | ||
19 | * | ||
20 | * This program is free software: you can redistribute it and/or modify | ||
21 | * it under the terms of the GNU General Public License as published by | ||
22 | * the Free Software Foundation, either version 3 of the License, or | ||
23 | * (at your option) any later version. | ||
24 | * | ||
25 | * This program is distributed in the hope that it will be useful, | ||
26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
28 | * GNU General Public License for more details. | ||
29 | * | ||
30 | * You should have received a copy of the GNU General Public License | ||
31 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
32 | * | ||
33 | * | ||
34 | *****************************************************************************/ | ||
35 | const char *progname = "check_curl"; | ||
36 | |||
37 | const char *copyright = "2006-2019"; | ||
38 | const char *email = "devel@monitoring-plugins.org"; | ||
39 | |||
40 | #include <stdbool.h> | ||
41 | #include <ctype.h> | ||
42 | |||
43 | #include "common.h" | ||
44 | #include "utils.h" | ||
45 | |||
46 | #ifndef LIBCURL_PROTOCOL_HTTP | ||
47 | #error libcurl compiled without HTTP support, compiling check_curl plugin does not makes a lot of sense | ||
48 | #endif | ||
49 | |||
50 | #include "curl/curl.h" | ||
51 | #include "curl/easy.h" | ||
52 | |||
53 | #include "picohttpparser.h" | ||
54 | |||
55 | #include "uriparser/Uri.h" | ||
56 | |||
57 | #include <arpa/inet.h> | ||
58 | #include <netinet/in.h> | ||
59 | |||
60 | #if defined(HAVE_SSL) && defined(USE_OPENSSL) | ||
61 | #include <openssl/opensslv.h> | ||
62 | #endif | ||
63 | |||
64 | #include <netdb.h> | ||
65 | |||
66 | #define MAKE_LIBCURL_VERSION(major, minor, patch) ((major)*0x10000 + (minor)*0x100 + (patch)) | ||
67 | |||
68 | #define DEFAULT_BUFFER_SIZE 2048 | ||
69 | #define DEFAULT_SERVER_URL "/" | ||
70 | #define HTTP_EXPECT "HTTP/" | ||
71 | #define INET_ADDR_MAX_SIZE INET6_ADDRSTRLEN | ||
72 | enum { | ||
73 | MAX_IPV4_HOSTLENGTH = 255, | ||
74 | HTTP_PORT = 80, | ||
75 | HTTPS_PORT = 443, | ||
76 | MAX_PORT = 65535, | ||
77 | DEFAULT_MAX_REDIRS = 15 | ||
78 | }; | ||
79 | |||
80 | enum { | ||
81 | STICKY_NONE = 0, | ||
82 | STICKY_HOST = 1, | ||
83 | STICKY_PORT = 2 | ||
84 | }; | ||
85 | |||
86 | enum { | ||
87 | FOLLOW_HTTP_CURL = 0, | ||
88 | FOLLOW_LIBCURL = 1 | ||
89 | }; | ||
90 | |||
91 | /* for buffers for header and body */ | ||
92 | typedef struct { | ||
93 | char *buf; | ||
94 | size_t buflen; | ||
95 | size_t bufsize; | ||
96 | } curlhelp_write_curlbuf; | ||
97 | |||
98 | /* for buffering the data sent in PUT */ | ||
99 | typedef struct { | ||
100 | char *buf; | ||
101 | size_t buflen; | ||
102 | off_t pos; | ||
103 | } curlhelp_read_curlbuf; | ||
104 | |||
105 | /* for parsing the HTTP status line */ | ||
106 | typedef struct { | ||
107 | int http_major; /* major version of the protocol, always 1 (HTTP/0.9 | ||
108 | * never reached the big internet most likely) */ | ||
109 | int http_minor; /* minor version of the protocol, usually 0 or 1 */ | ||
110 | int http_code; /* HTTP return code as in RFC 2145 */ | ||
111 | int http_subcode; /* Microsoft IIS extension, HTTP subcodes, see | ||
112 | * http://support.microsoft.com/kb/318380/en-us */ | ||
113 | const char *msg; /* the human readable message */ | ||
114 | char *first_line; /* a copy of the first line */ | ||
115 | } curlhelp_statusline; | ||
116 | |||
117 | /* to know the underlying SSL library used by libcurl */ | ||
118 | typedef enum curlhelp_ssl_library { | ||
119 | CURLHELP_SSL_LIBRARY_UNKNOWN, | ||
120 | CURLHELP_SSL_LIBRARY_OPENSSL, | ||
121 | CURLHELP_SSL_LIBRARY_LIBRESSL, | ||
122 | CURLHELP_SSL_LIBRARY_GNUTLS, | ||
123 | CURLHELP_SSL_LIBRARY_NSS | ||
124 | } curlhelp_ssl_library; | ||
125 | |||
126 | enum { | ||
127 | REGS = 2, | ||
128 | MAX_RE_SIZE = 1024 | ||
129 | }; | ||
130 | #include "regex.h" | ||
131 | regex_t preg; | ||
132 | regmatch_t pmatch[REGS]; | ||
133 | char regexp[MAX_RE_SIZE]; | ||
134 | int cflags = REG_NOSUB | REG_EXTENDED | REG_NEWLINE; | ||
135 | int errcode; | ||
136 | bool invert_regex = false; | ||
137 | |||
138 | char *server_address = NULL; | ||
139 | char *host_name = NULL; | ||
140 | char *server_url = 0; | ||
141 | char server_ip[DEFAULT_BUFFER_SIZE]; | ||
142 | struct curl_slist *server_ips = NULL; | ||
143 | bool specify_port = false; | ||
144 | unsigned short server_port = HTTP_PORT; | ||
145 | unsigned short virtual_port = 0; | ||
146 | int host_name_length; | ||
147 | char output_header_search[30] = ""; | ||
148 | char output_string_search[30] = ""; | ||
149 | char *warning_thresholds = NULL; | ||
150 | char *critical_thresholds = NULL; | ||
151 | int days_till_exp_warn, days_till_exp_crit; | ||
152 | thresholds *thlds; | ||
153 | char user_agent[DEFAULT_BUFFER_SIZE]; | ||
154 | int verbose = 0; | ||
155 | bool show_extended_perfdata = false; | ||
156 | bool show_body = false; | ||
157 | int min_page_len = 0; | ||
158 | int max_page_len = 0; | ||
159 | int redir_depth = 0; | ||
160 | int max_depth = DEFAULT_MAX_REDIRS; | ||
161 | char *http_method = NULL; | ||
162 | char *http_post_data = NULL; | ||
163 | char *http_content_type = NULL; | ||
164 | CURL *curl; | ||
165 | bool curl_global_initialized = false; | ||
166 | bool curl_easy_initialized = false; | ||
167 | struct curl_slist *header_list = NULL; | ||
168 | bool body_buf_initialized = false; | ||
169 | curlhelp_write_curlbuf body_buf; | ||
170 | bool header_buf_initialized = false; | ||
171 | curlhelp_write_curlbuf header_buf; | ||
172 | bool status_line_initialized = false; | ||
173 | curlhelp_statusline status_line; | ||
174 | bool put_buf_initialized = false; | ||
175 | curlhelp_read_curlbuf put_buf; | ||
176 | char http_header[DEFAULT_BUFFER_SIZE]; | ||
177 | long code; | ||
178 | long socket_timeout = DEFAULT_SOCKET_TIMEOUT; | ||
179 | double total_time; | ||
180 | double time_connect; | ||
181 | double time_appconnect; | ||
182 | double time_headers; | ||
183 | double time_firstbyte; | ||
184 | char errbuf[MAX_INPUT_BUFFER]; | ||
185 | CURLcode res; | ||
186 | char url[DEFAULT_BUFFER_SIZE]; | ||
187 | char msg[DEFAULT_BUFFER_SIZE]; | ||
188 | char perfstring[DEFAULT_BUFFER_SIZE]; | ||
189 | char header_expect[MAX_INPUT_BUFFER] = ""; | ||
190 | char string_expect[MAX_INPUT_BUFFER] = ""; | ||
191 | char server_expect[MAX_INPUT_BUFFER] = HTTP_EXPECT; | ||
192 | int server_expect_yn = 0; | ||
193 | char user_auth[MAX_INPUT_BUFFER] = ""; | ||
194 | char proxy_auth[MAX_INPUT_BUFFER] = ""; | ||
195 | char **http_opt_headers; | ||
196 | int http_opt_headers_count = 0; | ||
197 | bool display_html = false; | ||
198 | int onredirect = STATE_OK; | ||
199 | int followmethod = FOLLOW_HTTP_CURL; | ||
200 | int followsticky = STICKY_NONE; | ||
201 | bool use_ssl = false; | ||
202 | bool use_sni = true; | ||
203 | bool check_cert = false; | ||
204 | bool continue_after_check_cert = false; | ||
205 | typedef union { | ||
206 | struct curl_slist* to_info; | ||
207 | struct curl_certinfo* to_certinfo; | ||
208 | } cert_ptr_union; | ||
209 | cert_ptr_union cert_ptr; | ||
210 | int ssl_version = CURL_SSLVERSION_DEFAULT; | ||
211 | char *client_cert = NULL; | ||
212 | char *client_privkey = NULL; | ||
213 | char *ca_cert = NULL; | ||
214 | bool verify_peer_and_host = false; | ||
215 | bool is_openssl_callback = false; | ||
216 | #if defined(HAVE_SSL) && defined(USE_OPENSSL) | ||
217 | X509 *cert = NULL; | ||
218 | #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ | ||
219 | bool no_body = false; | ||
220 | int maximum_age = -1; | ||
221 | int address_family = AF_UNSPEC; | ||
222 | curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN; | ||
223 | int curl_http_version = CURL_HTTP_VERSION_NONE; | ||
224 | bool automatic_decompression = false; | ||
225 | char *cookie_jar_file = NULL; | ||
226 | |||
227 | bool process_arguments (int, char**); | ||
228 | void handle_curl_option_return_code (CURLcode res, const char* option); | ||
229 | int check_http (void); | ||
230 | void redir (curlhelp_write_curlbuf*); | ||
231 | char *perfd_time (double microsec); | ||
232 | char *perfd_time_connect (double microsec); | ||
233 | char *perfd_time_ssl (double microsec); | ||
234 | char *perfd_time_firstbyte (double microsec); | ||
235 | char *perfd_time_headers (double microsec); | ||
236 | char *perfd_time_transfer (double microsec); | ||
237 | char *perfd_size (int page_len); | ||
238 | void print_help (void); | ||
239 | void print_usage (void); | ||
240 | void print_curl_version (void); | ||
241 | int curlhelp_initwritebuffer (curlhelp_write_curlbuf*); | ||
242 | int curlhelp_buffer_write_callback (void*, size_t , size_t , void*); | ||
243 | void curlhelp_freewritebuffer (curlhelp_write_curlbuf*); | ||
244 | int curlhelp_initreadbuffer (curlhelp_read_curlbuf *, const char *, size_t); | ||
245 | int curlhelp_buffer_read_callback (void *, size_t , size_t , void *); | ||
246 | void curlhelp_freereadbuffer (curlhelp_read_curlbuf *); | ||
247 | curlhelp_ssl_library curlhelp_get_ssl_library (); | ||
248 | const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library); | ||
249 | int net_noopenssl_check_certificate (cert_ptr_union*, int, int); | ||
250 | |||
251 | int curlhelp_parse_statusline (const char*, curlhelp_statusline *); | ||
252 | void curlhelp_free_statusline (curlhelp_statusline *); | ||
253 | char *get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header); | ||
254 | int check_document_dates (const curlhelp_write_curlbuf *, char (*msg)[DEFAULT_BUFFER_SIZE]); | ||
255 | int get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf); | ||
256 | |||
257 | #if defined(HAVE_SSL) && defined(USE_OPENSSL) | ||
258 | int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit); | ||
259 | #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ | ||
260 | |||
261 | void remove_newlines (char *); | ||
262 | void test_file (char *); | ||
263 | |||
264 | int | ||
265 | main (int argc, char **argv) | ||
266 | { | ||
267 | int result = STATE_UNKNOWN; | ||
268 | |||
269 | setlocale (LC_ALL, ""); | ||
270 | bindtextdomain (PACKAGE, LOCALEDIR); | ||
271 | textdomain (PACKAGE); | ||
272 | |||
273 | /* Parse extra opts if any */ | ||
274 | argv = np_extra_opts (&argc, argv, progname); | ||
275 | |||
276 | /* set defaults */ | ||
277 | snprintf( user_agent, DEFAULT_BUFFER_SIZE, "%s/v%s (monitoring-plugins %s, %s)", | ||
278 | progname, NP_VERSION, VERSION, curl_version()); | ||
279 | |||
280 | /* parse arguments */ | ||
281 | if (process_arguments (argc, argv) == false) | ||
282 | usage4 (_("Could not parse arguments")); | ||
283 | |||
284 | if (display_html) | ||
285 | printf ("<A HREF=\"%s://%s:%d%s\" target=\"_blank\">", | ||
286 | use_ssl ? "https" : "http", | ||
287 | host_name ? host_name : server_address, | ||
288 | virtual_port ? virtual_port : server_port, | ||
289 | server_url); | ||
290 | |||
291 | result = check_http (); | ||
292 | return result; | ||
293 | } | ||
294 | |||
295 | #ifdef HAVE_SSL | ||
296 | #ifdef USE_OPENSSL | ||
297 | |||
298 | int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) | ||
299 | { | ||
300 | (void) preverify_ok; | ||
301 | /* TODO: we get all certificates of the chain, so which ones | ||
302 | * should we test? | ||
303 | * TODO: is the last certificate always the server certificate? | ||
304 | */ | ||
305 | cert = X509_STORE_CTX_get_current_cert(x509_ctx); | ||
306 | #if OPENSSL_VERSION_NUMBER >= 0x10100000L | ||
307 | X509_up_ref(cert); | ||
308 | #endif | ||
309 | if (verbose>=2) { | ||
310 | puts("* SSL verify callback with certificate:"); | ||
311 | X509_NAME *subject, *issuer; | ||
312 | printf("* issuer:\n"); | ||
313 | issuer = X509_get_issuer_name( cert ); | ||
314 | X509_NAME_print_ex_fp(stdout, issuer, 5, XN_FLAG_MULTILINE); | ||
315 | printf("* curl verify_callback:\n* subject:\n"); | ||
316 | subject = X509_get_subject_name( cert ); | ||
317 | X509_NAME_print_ex_fp(stdout, subject, 5, XN_FLAG_MULTILINE); | ||
318 | puts(""); | ||
319 | } | ||
320 | return 1; | ||
321 | } | ||
322 | |||
323 | CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) | ||
324 | { | ||
325 | (void) curl; // ignore unused parameter | ||
326 | (void) parm; // ignore unused parameter | ||
327 | SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); | ||
328 | |||
329 | return CURLE_OK; | ||
330 | } | ||
331 | |||
332 | #endif /* USE_OPENSSL */ | ||
333 | #endif /* HAVE_SSL */ | ||
334 | |||
335 | /* returns a string "HTTP/1.x" or "HTTP/2" */ | ||
336 | static char *string_statuscode (int major, int minor) | ||
337 | { | ||
338 | static char buf[10]; | ||
339 | |||
340 | switch (major) { | ||
341 | case 1: | ||
342 | snprintf (buf, sizeof (buf), "HTTP/%d.%d", major, minor); | ||
343 | break; | ||
344 | case 2: | ||
345 | case 3: | ||
346 | snprintf (buf, sizeof (buf), "HTTP/%d", major); | ||
347 | break; | ||
348 | default: | ||
349 | /* assuming here HTTP/N with N>=4 */ | ||
350 | snprintf (buf, sizeof (buf), "HTTP/%d", major); | ||
351 | break; | ||
352 | } | ||
353 | |||
354 | return buf; | ||
355 | } | ||
356 | |||
357 | /* Checks if the server 'reply' is one of the expected 'statuscodes' */ | ||
358 | static int | ||
359 | expected_statuscode (const char *reply, const char *statuscodes) | ||
360 | { | ||
361 | char *expected, *code; | ||
362 | int result = 0; | ||
363 | |||
364 | if ((expected = strdup (statuscodes)) == NULL) | ||
365 | die (STATE_UNKNOWN, _("HTTP UNKNOWN - Memory allocation error\n")); | ||
366 | |||
367 | for (code = strtok (expected, ","); code != NULL; code = strtok (NULL, ",")) | ||
368 | if (strstr (reply, code) != NULL) { | ||
369 | result = 1; | ||
370 | break; | ||
371 | } | ||
372 | |||
373 | free (expected); | ||
374 | return result; | ||
375 | } | ||
376 | |||
377 | void | ||
378 | handle_curl_option_return_code (CURLcode res, const char* option) | ||
379 | { | ||
380 | if (res != CURLE_OK) { | ||
381 | snprintf (msg, | ||
382 | DEFAULT_BUFFER_SIZE, | ||
383 | _("Error while setting cURL option '%s': cURL returned %d - %s"), | ||
384 | option, | ||
385 | res, | ||
386 | curl_easy_strerror(res)); | ||
387 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | ||
388 | } | ||
389 | } | ||
390 | |||
391 | int | ||
392 | lookup_host (const char *host, char *buf, size_t buflen) | ||
393 | { | ||
394 | struct addrinfo hints, *res, *result; | ||
395 | char addrstr[100]; | ||
396 | size_t addrstr_len; | ||
397 | int errcode; | ||
398 | void *ptr; | ||
399 | size_t buflen_remaining = buflen - 1; | ||
400 | |||
401 | memset (&hints, 0, sizeof (hints)); | ||
402 | hints.ai_family = address_family; | ||
403 | hints.ai_socktype = SOCK_STREAM; | ||
404 | hints.ai_flags |= AI_CANONNAME; | ||
405 | |||
406 | errcode = getaddrinfo (host, NULL, &hints, &result); | ||
407 | if (errcode != 0) | ||
408 | return errcode; | ||
409 | |||
410 | strcpy(buf, ""); | ||
411 | res = result; | ||
412 | |||
413 | while (res) { | ||
414 | switch (res->ai_family) { | ||
415 | case AF_INET: | ||
416 | ptr = &((struct sockaddr_in *) res->ai_addr)->sin_addr; | ||
417 | break; | ||
418 | case AF_INET6: | ||
419 | ptr = &((struct sockaddr_in6 *) res->ai_addr)->sin6_addr; | ||
420 | break; | ||
421 | } | ||
422 | |||
423 | inet_ntop (res->ai_family, ptr, addrstr, 100); | ||
424 | if (verbose >= 1) { | ||
425 | printf ("* getaddrinfo IPv%d address: %s\n", | ||
426 | res->ai_family == PF_INET6 ? 6 : 4, addrstr); | ||
427 | } | ||
428 | |||
429 | // Append all IPs to buf as a comma-separated string | ||
430 | addrstr_len = strlen(addrstr); | ||
431 | if (buflen_remaining > addrstr_len + 1) { | ||
432 | if (buf[0] != '\0') { | ||
433 | strncat(buf, ",", buflen_remaining); | ||
434 | buflen_remaining -= 1; | ||
435 | } | ||
436 | strncat(buf, addrstr, buflen_remaining); | ||
437 | buflen_remaining -= addrstr_len; | ||
438 | } | ||
439 | |||
440 | res = res->ai_next; | ||
441 | } | ||
442 | |||
443 | freeaddrinfo(result); | ||
444 | |||
445 | return 0; | ||
446 | } | ||
447 | |||
448 | static void | ||
449 | cleanup (void) | ||
450 | { | ||
451 | if (status_line_initialized) curlhelp_free_statusline(&status_line); | ||
452 | status_line_initialized = false; | ||
453 | if (curl_easy_initialized) curl_easy_cleanup (curl); | ||
454 | curl_easy_initialized = false; | ||
455 | if (curl_global_initialized) curl_global_cleanup (); | ||
456 | curl_global_initialized = false; | ||
457 | if (body_buf_initialized) curlhelp_freewritebuffer (&body_buf); | ||
458 | body_buf_initialized = false; | ||
459 | if (header_buf_initialized) curlhelp_freewritebuffer (&header_buf); | ||
460 | header_buf_initialized = false; | ||
461 | if (put_buf_initialized) curlhelp_freereadbuffer (&put_buf); | ||
462 | put_buf_initialized = false; | ||
463 | } | ||
464 | |||
465 | int | ||
466 | check_http (void) | ||
467 | { | ||
468 | int result = STATE_OK; | ||
469 | int page_len = 0; | ||
470 | int i; | ||
471 | char *force_host_header = NULL; | ||
472 | struct curl_slist *host = NULL; | ||
473 | char addrstr[DEFAULT_BUFFER_SIZE/2]; | ||
474 | char dnscache[DEFAULT_BUFFER_SIZE]; | ||
475 | |||
476 | /* initialize curl */ | ||
477 | if (curl_global_init (CURL_GLOBAL_DEFAULT) != CURLE_OK) | ||
478 | die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_global_init failed\n"); | ||
479 | curl_global_initialized = true; | ||
480 | |||
481 | if ((curl = curl_easy_init()) == NULL) { | ||
482 | die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_easy_init failed\n"); | ||
483 | } | ||
484 | curl_easy_initialized = true; | ||
485 | |||
486 | /* register cleanup function to shut down libcurl properly */ | ||
487 | atexit (cleanup); | ||
488 | |||
489 | if (verbose >= 1) | ||
490 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_VERBOSE, 1), "CURLOPT_VERBOSE"); | ||
491 | |||
492 | /* print everything on stdout like check_http would do */ | ||
493 | handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_STDERR, stdout), "CURLOPT_STDERR"); | ||
494 | |||
495 | if (automatic_decompression) | ||
496 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 6) | ||
497 | handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""), "CURLOPT_ACCEPT_ENCODING"); | ||
498 | #else | ||
499 | handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_ENCODING, ""), "CURLOPT_ENCODING"); | ||
500 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 6) */ | ||
501 | |||
502 | /* initialize buffer for body of the answer */ | ||
503 | if (curlhelp_initwritebuffer(&body_buf) < 0) | ||
504 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); | ||
505 | body_buf_initialized = true; | ||
506 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_WRITEFUNCTION"); | ||
507 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEDATA, (void *)&body_buf), "CURLOPT_WRITEDATA"); | ||
508 | |||
509 | /* initialize buffer for header of the answer */ | ||
510 | if (curlhelp_initwritebuffer( &header_buf ) < 0) | ||
511 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for header\n" ); | ||
512 | header_buf_initialized = true; | ||
513 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HEADERFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_HEADERFUNCTION"); | ||
514 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEHEADER, (void *)&header_buf), "CURLOPT_WRITEHEADER"); | ||
515 | |||
516 | /* set the error buffer */ | ||
517 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_ERRORBUFFER, errbuf), "CURLOPT_ERRORBUFFER"); | ||
518 | |||
519 | /* set timeouts */ | ||
520 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, socket_timeout), "CURLOPT_CONNECTTIMEOUT"); | ||
521 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_TIMEOUT, socket_timeout), "CURLOPT_TIMEOUT"); | ||
522 | |||
523 | // fill dns resolve cache to make curl connect to the given server_address instead of the host_name, only required for ssl, because we use the host_name later on to make SNI happy | ||
524 | if(use_ssl && host_name != NULL) { | ||
525 | if ( (res=lookup_host (server_address, addrstr, DEFAULT_BUFFER_SIZE/2)) != 0) { | ||
526 | snprintf (msg, | ||
527 | DEFAULT_BUFFER_SIZE, | ||
528 | _("Unable to lookup IP address for '%s': getaddrinfo returned %d - %s"), | ||
529 | server_address, | ||
530 | res, | ||
531 | gai_strerror (res)); | ||
532 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | ||
533 | } | ||
534 | snprintf (dnscache, DEFAULT_BUFFER_SIZE, "%s:%d:%s", host_name, server_port, addrstr); | ||
535 | host = curl_slist_append(NULL, dnscache); | ||
536 | curl_easy_setopt(curl, CURLOPT_RESOLVE, host); | ||
537 | if (verbose>=1) | ||
538 | printf ("* curl CURLOPT_RESOLVE: %s\n", dnscache); | ||
539 | } | ||
540 | |||
541 | // If server_address is an IPv6 address it must be surround by square brackets | ||
542 | struct in6_addr tmp_in_addr; | ||
543 | if (inet_pton(AF_INET6, server_address, &tmp_in_addr) == 1) { | ||
544 | char *new_server_address = malloc(strlen(server_address) + 3); | ||
545 | if (new_server_address == NULL) { | ||
546 | die(STATE_UNKNOWN, "HTTP UNKNOWN - Unable to allocate memory\n"); | ||
547 | } | ||
548 | snprintf(new_server_address, strlen(server_address)+3, "[%s]", server_address); | ||
549 | free(server_address); | ||
550 | server_address = new_server_address; | ||
551 | } | ||
552 | |||
553 | /* compose URL: use the address we want to connect to, set Host: header later */ | ||
554 | snprintf (url, DEFAULT_BUFFER_SIZE, "%s://%s:%d%s", | ||
555 | use_ssl ? "https" : "http", | ||
556 | ( use_ssl & ( host_name != NULL ) ) ? host_name : server_address, | ||
557 | server_port, | ||
558 | server_url | ||
559 | ); | ||
560 | |||
561 | if (verbose>=1) | ||
562 | printf ("* curl CURLOPT_URL: %s\n", url); | ||
563 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, url), "CURLOPT_URL"); | ||
564 | |||
565 | /* extract proxy information for legacy proxy https requests */ | ||
566 | if (!strcmp(http_method, "CONNECT") || strstr(server_url, "http") == server_url) { | ||
567 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXY, server_address), "CURLOPT_PROXY"); | ||
568 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXYPORT, (long)server_port), "CURLOPT_PROXYPORT"); | ||
569 | if (verbose>=2) | ||
570 | printf ("* curl CURLOPT_PROXY: %s:%d\n", server_address, server_port); | ||
571 | http_method = "GET"; | ||
572 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, server_url), "CURLOPT_URL"); | ||
573 | } | ||
574 | |||
575 | /* disable body for HEAD request */ | ||
576 | if (http_method && !strcmp (http_method, "HEAD" )) { | ||
577 | no_body = true; | ||
578 | } | ||
579 | |||
580 | /* set HTTP protocol version */ | ||
581 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HTTP_VERSION, curl_http_version), "CURLOPT_HTTP_VERSION"); | ||
582 | |||
583 | /* set HTTP method */ | ||
584 | if (http_method) { | ||
585 | if (!strcmp(http_method, "POST")) | ||
586 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POST, 1), "CURLOPT_POST"); | ||
587 | else if (!strcmp(http_method, "PUT")) | ||
588 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_UPLOAD, 1), "CURLOPT_UPLOAD"); | ||
589 | else | ||
590 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CUSTOMREQUEST, http_method), "CURLOPT_CUSTOMREQUEST"); | ||
591 | } | ||
592 | |||
593 | /* check if Host header is explicitly set in options */ | ||
594 | if (http_opt_headers_count) { | ||
595 | for (i = 0; i < http_opt_headers_count ; i++) { | ||
596 | if (strncmp(http_opt_headers[i], "Host:", 5) == 0) { | ||
597 | force_host_header = http_opt_headers[i]; | ||
598 | } | ||
599 | } | ||
600 | } | ||
601 | |||
602 | /* set hostname (virtual hosts), not needed if CURLOPT_CONNECT_TO is used, but left in anyway */ | ||
603 | if(host_name != NULL && force_host_header == NULL) { | ||
604 | if((virtual_port != HTTP_PORT && !use_ssl) || (virtual_port != HTTPS_PORT && use_ssl)) { | ||
605 | snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s:%d", host_name, virtual_port); | ||
606 | } else { | ||
607 | snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s", host_name); | ||
608 | } | ||
609 | header_list = curl_slist_append (header_list, http_header); | ||
610 | } | ||
611 | |||
612 | /* always close connection, be nice to servers */ | ||
613 | snprintf (http_header, DEFAULT_BUFFER_SIZE, "Connection: close"); | ||
614 | header_list = curl_slist_append (header_list, http_header); | ||
615 | |||
616 | /* attach additional headers supplied by the user */ | ||
617 | /* optionally send any other header tag */ | ||
618 | if (http_opt_headers_count) { | ||
619 | for (i = 0; i < http_opt_headers_count ; i++) { | ||
620 | header_list = curl_slist_append (header_list, http_opt_headers[i]); | ||
621 | } | ||
622 | /* This cannot be free'd here because a redirection will then try to access this and segfault */ | ||
623 | /* Covered in a testcase in tests/check_http.t */ | ||
624 | /* free(http_opt_headers); */ | ||
625 | } | ||
626 | |||
627 | /* set HTTP headers */ | ||
628 | handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPHEADER, header_list ), "CURLOPT_HTTPHEADER"); | ||
629 | |||
630 | #ifdef LIBCURL_FEATURE_SSL | ||
631 | |||
632 | /* set SSL version, warn about insecure or unsupported versions */ | ||
633 | if (use_ssl) { | ||
634 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLVERSION, ssl_version), "CURLOPT_SSLVERSION"); | ||
635 | } | ||
636 | |||
637 | /* client certificate and key to present to server (SSL) */ | ||
638 | if (client_cert) | ||
639 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLCERT, client_cert), "CURLOPT_SSLCERT"); | ||
640 | if (client_privkey) | ||
641 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY"); | ||
642 | if (ca_cert) { | ||
643 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO"); | ||
644 | } | ||
645 | if (ca_cert || verify_peer_and_host) { | ||
646 | /* per default if we have a CA verify both the peer and the | ||
647 | * hostname in the certificate, can be switched off later */ | ||
648 | handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER"); | ||
649 | handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST"); | ||
650 | } else { | ||
651 | /* backward-compatible behaviour, be tolerant in checks | ||
652 | * TODO: depending on more options have aspects we want | ||
653 | * to be less tolerant about ssl verfications | ||
654 | */ | ||
655 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0), "CURLOPT_SSL_VERIFYPEER"); | ||
656 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0), "CURLOPT_SSL_VERIFYHOST"); | ||
657 | } | ||
658 | |||
659 | /* detect SSL library used by libcurl */ | ||
660 | ssl_library = curlhelp_get_ssl_library (); | ||
661 | |||
662 | /* try hard to get a stack of certificates to verify against */ | ||
663 | if (check_cert) { | ||
664 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) | ||
665 | /* inform curl to report back certificates */ | ||
666 | switch (ssl_library) { | ||
667 | case CURLHELP_SSL_LIBRARY_OPENSSL: | ||
668 | case CURLHELP_SSL_LIBRARY_LIBRESSL: | ||
669 | /* set callback to extract certificate with OpenSSL context function (works with | ||
670 | * OpenSSL-style libraries only!) */ | ||
671 | #ifdef USE_OPENSSL | ||
672 | /* libcurl and monitoring plugins built with OpenSSL, good */ | ||
673 | handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION"); | ||
674 | is_openssl_callback = true; | ||
675 | #else /* USE_OPENSSL */ | ||
676 | #endif /* USE_OPENSSL */ | ||
677 | /* libcurl is built with OpenSSL, monitoring plugins, so falling | ||
678 | * back to manually extracting certificate information */ | ||
679 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO"); | ||
680 | break; | ||
681 | |||
682 | case CURLHELP_SSL_LIBRARY_NSS: | ||
683 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) | ||
684 | /* NSS: support for CERTINFO is implemented since 7.34.0 */ | ||
685 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO"); | ||
686 | #else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ | ||
687 | die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library)); | ||
688 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ | ||
689 | break; | ||
690 | |||
691 | case CURLHELP_SSL_LIBRARY_GNUTLS: | ||
692 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) | ||
693 | /* GnuTLS: support for CERTINFO is implemented since 7.42.0 */ | ||
694 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO"); | ||
695 | #else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */ | ||
696 | die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library)); | ||
697 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */ | ||
698 | break; | ||
699 | |||
700 | case CURLHELP_SSL_LIBRARY_UNKNOWN: | ||
701 | default: | ||
702 | die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (unknown SSL library '%s', must implement first)\n", curlhelp_get_ssl_library_string (ssl_library)); | ||
703 | break; | ||
704 | } | ||
705 | #else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ | ||
706 | /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */ | ||
707 | if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL) | ||
708 | handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION"); | ||
709 | else | ||
710 | die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n"); | ||
711 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ | ||
712 | } | ||
713 | |||
714 | #endif /* LIBCURL_FEATURE_SSL */ | ||
715 | |||
716 | /* set default or user-given user agent identification */ | ||
717 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERAGENT, user_agent), "CURLOPT_USERAGENT"); | ||
718 | |||
719 | /* proxy-authentication */ | ||
720 | if (strcmp(proxy_auth, "")) | ||
721 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXYUSERPWD, proxy_auth), "CURLOPT_PROXYUSERPWD"); | ||
722 | |||
723 | /* authentication */ | ||
724 | if (strcmp(user_auth, "")) | ||
725 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERPWD, user_auth), "CURLOPT_USERPWD"); | ||
726 | |||
727 | /* TODO: parameter auth method, bitfield of following methods: | ||
728 | * CURLAUTH_BASIC (default) | ||
729 | * CURLAUTH_DIGEST | ||
730 | * CURLAUTH_DIGEST_IE | ||
731 | * CURLAUTH_NEGOTIATE | ||
732 | * CURLAUTH_NTLM | ||
733 | * CURLAUTH_NTLM_WB | ||
734 | * | ||
735 | * convenience tokens for typical sets of methods: | ||
736 | * CURLAUTH_ANYSAFE: most secure, without BASIC | ||
737 | * or CURLAUTH_ANY: most secure, even BASIC if necessary | ||
738 | * | ||
739 | * handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST ), "CURLOPT_HTTPAUTH"); | ||
740 | */ | ||
741 | |||
742 | /* handle redirections */ | ||
743 | if (onredirect == STATE_DEPENDENT) { | ||
744 | if( followmethod == FOLLOW_LIBCURL ) { | ||
745 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_FOLLOWLOCATION, 1), "CURLOPT_FOLLOWLOCATION"); | ||
746 | |||
747 | /* default -1 is infinite, not good, could lead to zombie plugins! | ||
748 | Setting it to one bigger than maximal limit to handle errors nicely below | ||
749 | */ | ||
750 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_MAXREDIRS, max_depth+1), "CURLOPT_MAXREDIRS"); | ||
751 | |||
752 | /* for now allow only http and https (we are a http(s) check plugin in the end) */ | ||
753 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 85, 0) | ||
754 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_REDIR_PROTOCOLS_STR, "http,https"), "CURLOPT_REDIR_PROTOCOLS_STR"); | ||
755 | #elif LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 4) | ||
756 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS), "CURLOPT_REDIRECT_PROTOCOLS"); | ||
757 | #endif | ||
758 | |||
759 | /* TODO: handle the following aspects of redirection, make them | ||
760 | * command line options too later: | ||
761 | CURLOPT_POSTREDIR: method switch | ||
762 | CURLINFO_REDIRECT_URL: custom redirect option | ||
763 | CURLOPT_REDIRECT_PROTOCOLS: allow people to step outside safe protocols | ||
764 | CURLINFO_REDIRECT_COUNT: get the number of redirects, print it, maybe a range option here is nice like for expected page size? | ||
765 | */ | ||
766 | } else { | ||
767 | /* old style redirection is handled below */ | ||
768 | } | ||
769 | } | ||
770 | |||
771 | /* no-body */ | ||
772 | if (no_body) | ||
773 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_NOBODY, 1), "CURLOPT_NOBODY"); | ||
774 | |||
775 | /* IPv4 or IPv6 forced DNS resolution */ | ||
776 | if (address_family == AF_UNSPEC) | ||
777 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_WHATEVER), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_WHATEVER)"); | ||
778 | else if (address_family == AF_INET) | ||
779 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V4)"); | ||
780 | #if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6) | ||
781 | else if (address_family == AF_INET6) | ||
782 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V6)"); | ||
783 | #endif | ||
784 | |||
785 | /* either send http POST data (any data, not only POST)*/ | ||
786 | if (!strcmp(http_method, "POST") ||!strcmp(http_method, "PUT")) { | ||
787 | /* set content of payload for POST and PUT */ | ||
788 | if (http_content_type) { | ||
789 | snprintf (http_header, DEFAULT_BUFFER_SIZE, "Content-Type: %s", http_content_type); | ||
790 | header_list = curl_slist_append (header_list, http_header); | ||
791 | } | ||
792 | /* NULL indicates "HTTP Continue" in libcurl, provide an empty string | ||
793 | * in case of no POST/PUT data */ | ||
794 | if (!http_post_data) | ||
795 | http_post_data = ""; | ||
796 | if (!strcmp(http_method, "POST")) { | ||
797 | /* POST method, set payload with CURLOPT_POSTFIELDS */ | ||
798 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POSTFIELDS, http_post_data), "CURLOPT_POSTFIELDS"); | ||
799 | } else if (!strcmp(http_method, "PUT")) { | ||
800 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READFUNCTION, (curl_read_callback)curlhelp_buffer_read_callback), "CURLOPT_READFUNCTION"); | ||
801 | if (curlhelp_initreadbuffer (&put_buf, http_post_data, strlen (http_post_data)) < 0) | ||
802 | die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating read buffer for PUT\n"); | ||
803 | put_buf_initialized = true; | ||
804 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READDATA, (void *)&put_buf), "CURLOPT_READDATA"); | ||
805 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_INFILESIZE, (curl_off_t)strlen (http_post_data)), "CURLOPT_INFILESIZE"); | ||
806 | } | ||
807 | } | ||
808 | |||
809 | /* cookie handling */ | ||
810 | if (cookie_jar_file != NULL) { | ||
811 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_COOKIEJAR, cookie_jar_file), "CURLOPT_COOKIEJAR"); | ||
812 | handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_COOKIEFILE, cookie_jar_file), "CURLOPT_COOKIEFILE"); | ||
813 | } | ||
814 | |||
815 | /* do the request */ | ||
816 | res = curl_easy_perform(curl); | ||
817 | |||
818 | if (verbose>=2 && http_post_data) | ||
819 | printf ("**** REQUEST CONTENT ****\n%s\n", http_post_data); | ||
820 | |||
821 | /* free header and server IP resolve lists, we don't need it anymore */ | ||
822 | curl_slist_free_all (header_list); header_list = NULL; | ||
823 | curl_slist_free_all (server_ips); server_ips = NULL; | ||
824 | if (host) { | ||
825 | curl_slist_free_all (host); host = NULL; | ||
826 | } | ||
827 | |||
828 | /* Curl errors, result in critical Nagios state */ | ||
829 | if (res != CURLE_OK) { | ||
830 | snprintf (msg, | ||
831 | DEFAULT_BUFFER_SIZE, | ||
832 | _("Invalid HTTP response received from host on port %d: cURL returned %d - %s"), | ||
833 | server_port, | ||
834 | res, | ||
835 | errbuf[0] ? errbuf : curl_easy_strerror(res)); | ||
836 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | ||
837 | } | ||
838 | |||
839 | /* certificate checks */ | ||
840 | #ifdef LIBCURL_FEATURE_SSL | ||
841 | if (use_ssl) { | ||
842 | if (check_cert) { | ||
843 | if (is_openssl_callback) { | ||
844 | #ifdef USE_OPENSSL | ||
845 | /* check certificate with OpenSSL functions, curl has been built against OpenSSL | ||
846 | * and we actually have OpenSSL in the monitoring tools | ||
847 | */ | ||
848 | result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit); | ||
849 | if (!continue_after_check_cert) { | ||
850 | return result; | ||
851 | } | ||
852 | #else /* USE_OPENSSL */ | ||
853 | die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n"); | ||
854 | #endif /* USE_OPENSSL */ | ||
855 | } else { | ||
856 | int i; | ||
857 | struct curl_slist *slist; | ||
858 | |||
859 | cert_ptr.to_info = NULL; | ||
860 | res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info); | ||
861 | if (!res && cert_ptr.to_info) { | ||
862 | #ifdef USE_OPENSSL | ||
863 | /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert parsing | ||
864 | * We only check the first certificate and assume it's the one of the server | ||
865 | */ | ||
866 | const char* raw_cert = NULL; | ||
867 | for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) { | ||
868 | for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) { | ||
869 | if (verbose >= 2) | ||
870 | printf ("%d ** %s\n", i, slist->data); | ||
871 | if (strncmp (slist->data, "Cert:", 5) == 0) { | ||
872 | raw_cert = &slist->data[5]; | ||
873 | goto GOT_FIRST_CERT; | ||
874 | } | ||
875 | } | ||
876 | } | ||
877 | GOT_FIRST_CERT: | ||
878 | if (!raw_cert) { | ||
879 | snprintf (msg, | ||
880 | DEFAULT_BUFFER_SIZE, | ||
881 | _("Cannot retrieve certificates from CERTINFO information - certificate data was empty")); | ||
882 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | ||
883 | } | ||
884 | BIO* cert_BIO = BIO_new (BIO_s_mem()); | ||
885 | BIO_write (cert_BIO, raw_cert, strlen(raw_cert)); | ||
886 | cert = PEM_read_bio_X509 (cert_BIO, NULL, NULL, NULL); | ||
887 | if (!cert) { | ||
888 | snprintf (msg, | ||
889 | DEFAULT_BUFFER_SIZE, | ||
890 | _("Cannot read certificate from CERTINFO information - BIO error")); | ||
891 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | ||
892 | } | ||
893 | BIO_free (cert_BIO); | ||
894 | result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit); | ||
895 | if (!continue_after_check_cert) { | ||
896 | return result; | ||
897 | } | ||
898 | #else /* USE_OPENSSL */ | ||
899 | /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal, | ||
900 | * so we use the libcurl CURLINFO data | ||
901 | */ | ||
902 | result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit); | ||
903 | if (!continue_after_check_cert) { | ||
904 | return result; | ||
905 | } | ||
906 | #endif /* USE_OPENSSL */ | ||
907 | } else { | ||
908 | snprintf (msg, | ||
909 | DEFAULT_BUFFER_SIZE, | ||
910 | _("Cannot retrieve certificates - cURL returned %d - %s"), | ||
911 | res, | ||
912 | curl_easy_strerror(res)); | ||
913 | die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); | ||
914 | } | ||
915 | } | ||
916 | } | ||
917 | } | ||
918 | #endif /* LIBCURL_FEATURE_SSL */ | ||
919 | |||
920 | /* we got the data and we executed the request in a given time, so we can append | ||
921 | * performance data to the answer always | ||
922 | */ | ||
923 | handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_TOTAL_TIME, &total_time), "CURLINFO_TOTAL_TIME"); | ||
924 | page_len = get_content_length(&header_buf, &body_buf); | ||
925 | if(show_extended_perfdata) { | ||
926 | handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_CONNECT_TIME, &time_connect), "CURLINFO_CONNECT_TIME"); | ||
927 | handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_APPCONNECT_TIME, &time_appconnect), "CURLINFO_APPCONNECT_TIME"); | ||
928 | handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_PRETRANSFER_TIME, &time_headers), "CURLINFO_PRETRANSFER_TIME"); | ||
929 | handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_STARTTRANSFER_TIME, &time_firstbyte), "CURLINFO_STARTTRANSFER_TIME"); | ||
930 | snprintf(perfstring, DEFAULT_BUFFER_SIZE, "%s %s %s %s %s %s %s", | ||
931 | perfd_time(total_time), | ||
932 | perfd_size(page_len), | ||
933 | perfd_time_connect(time_connect), | ||
934 | use_ssl ? perfd_time_ssl (time_appconnect-time_connect) : "", | ||
935 | perfd_time_headers(time_headers - time_appconnect), | ||
936 | perfd_time_firstbyte(time_firstbyte - time_headers), | ||
937 | perfd_time_transfer(total_time-time_firstbyte) | ||
938 | ); | ||
939 | } else { | ||
940 | snprintf(perfstring, DEFAULT_BUFFER_SIZE, "%s %s", | ||
941 | perfd_time(total_time), | ||
942 | perfd_size(page_len) | ||
943 | ); | ||
944 | } | ||
945 | |||
946 | /* return a CRITICAL status if we couldn't read any data */ | ||
947 | if (strlen(header_buf.buf) == 0 && strlen(body_buf.buf) == 0) | ||
948 | die (STATE_CRITICAL, _("HTTP CRITICAL - No header received from host\n")); | ||
949 | |||
950 | /* get status line of answer, check sanity of HTTP code */ | ||
951 | if (curlhelp_parse_statusline (header_buf.buf, &status_line) < 0) { | ||
952 | snprintf (msg, | ||
953 | DEFAULT_BUFFER_SIZE, | ||
954 | "Unparsable status line in %.3g seconds response time|%s\n", | ||
955 | total_time, | ||
956 | perfstring); | ||
957 | /* we cannot know the major/minor version here for sure as we cannot parse the first line */ | ||
958 | die (STATE_CRITICAL, "HTTP CRITICAL HTTP/x.x %ld unknown - %s", code, msg); | ||
959 | } | ||
960 | status_line_initialized = true; | ||
961 | |||
962 | /* get result code from cURL */ | ||
963 | handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_RESPONSE_CODE, &code), "CURLINFO_RESPONSE_CODE"); | ||
964 | if (verbose>=2) | ||
965 | printf ("* curl CURLINFO_RESPONSE_CODE is %ld\n", code); | ||
966 | |||
967 | /* print status line, header, body if verbose */ | ||
968 | if (verbose >= 2) { | ||
969 | printf ("**** HEADER ****\n%s\n**** CONTENT ****\n%s\n", header_buf.buf, | ||
970 | (no_body ? " [[ skipped ]]" : body_buf.buf)); | ||
971 | } | ||
972 | |||
973 | /* make sure the status line matches the response we are looking for */ | ||
974 | if (!expected_statuscode(status_line.first_line, server_expect)) { | ||
975 | if (server_port == HTTP_PORT) | ||
976 | snprintf(msg, | ||
977 | DEFAULT_BUFFER_SIZE, | ||
978 | _("Invalid HTTP response received from host: %s\n"), | ||
979 | status_line.first_line); | ||
980 | else | ||
981 | snprintf(msg, | ||
982 | DEFAULT_BUFFER_SIZE, | ||
983 | _("Invalid HTTP response received from host on port %d: %s\n"), | ||
984 | server_port, | ||
985 | status_line.first_line); | ||
986 | die (STATE_CRITICAL, "HTTP CRITICAL - %s%s%s", msg, | ||
987 | show_body ? "\n" : "", | ||
988 | show_body ? body_buf.buf : ""); | ||
989 | } | ||
990 | |||
991 | if( server_expect_yn ) { | ||
992 | snprintf(msg, DEFAULT_BUFFER_SIZE, _("Status line output matched \"%s\" - "), server_expect); | ||
993 | if (verbose) | ||
994 | printf ("%s\n",msg); | ||
995 | result = STATE_OK; | ||
996 | } | ||
997 | else { | ||
998 | /* illegal return codes result in a critical state */ | ||
999 | if (code >= 600 || code < 100) { | ||
1000 | die (STATE_CRITICAL, _("HTTP CRITICAL: Invalid Status (%d, %.40s)\n"), status_line.http_code, status_line.msg); | ||
1001 | /* server errors result in a critical state */ | ||
1002 | } else if (code >= 500) { | ||
1003 | result = STATE_CRITICAL; | ||
1004 | /* client errors result in a warning state */ | ||
1005 | } else if (code >= 400) { | ||
1006 | result = STATE_WARNING; | ||
1007 | /* check redirected page if specified */ | ||
1008 | } else if (code >= 300) { | ||
1009 | if (onredirect == STATE_DEPENDENT) { | ||
1010 | if( followmethod == FOLLOW_LIBCURL ) { | ||
1011 | code = status_line.http_code; | ||
1012 | } else { | ||
1013 | /* old check_http style redirection, if we come | ||
1014 | * back here, we are in the same status as with | ||
1015 | * the libcurl method | ||
1016 | */ | ||
1017 | redir (&header_buf); | ||
1018 | } | ||
1019 | } else { | ||
1020 | /* this is a specific code in the command line to | ||
1021 | * be returned when a redirection is encountered | ||
1022 | */ | ||
1023 | } | ||
1024 | result = max_state_alt (onredirect, result); | ||
1025 | /* all other codes are considered ok */ | ||
1026 | } else { | ||
1027 | result = STATE_OK; | ||
1028 | } | ||
1029 | } | ||
1030 | |||
1031 | /* libcurl redirection internally, handle error states here */ | ||
1032 | if( followmethod == FOLLOW_LIBCURL ) { | ||
1033 | handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_REDIRECT_COUNT, &redir_depth), "CURLINFO_REDIRECT_COUNT"); | ||
1034 | if (verbose >= 2) | ||
1035 | printf(_("* curl LIBINFO_REDIRECT_COUNT is %d\n"), redir_depth); | ||
1036 | if (redir_depth > max_depth) { | ||
1037 | snprintf (msg, DEFAULT_BUFFER_SIZE, "maximum redirection depth %d exceeded in libcurl", | ||
1038 | max_depth); | ||
1039 | die (STATE_WARNING, "HTTP WARNING - %s", msg); | ||
1040 | } | ||
1041 | } | ||
1042 | |||
1043 | /* check status codes, set exit status accordingly */ | ||
1044 | if( status_line.http_code != code ) { | ||
1045 | die (STATE_CRITICAL, _("HTTP CRITICAL %s %d %s - different HTTP codes (cUrl has %ld)\n"), | ||
1046 | string_statuscode (status_line.http_major, status_line.http_minor), | ||
1047 | status_line.http_code, status_line.msg, code); | ||
1048 | } | ||
1049 | |||
1050 | if (maximum_age >= 0) { | ||
1051 | result = max_state_alt(check_document_dates(&header_buf, &msg), result); | ||
1052 | } | ||
1053 | |||
1054 | /* Page and Header content checks go here */ | ||
1055 | |||
1056 | if (strlen (header_expect)) { | ||
1057 | if (!strstr (header_buf.buf, header_expect)) { | ||
1058 | |||
1059 | strncpy(&output_header_search[0],header_expect,sizeof(output_header_search)); | ||
1060 | |||
1061 | if(output_header_search[sizeof(output_header_search)-1]!='\0') { | ||
1062 | bcopy("...",&output_header_search[sizeof(output_header_search)-4],4); | ||
1063 | } | ||
1064 | |||
1065 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
1066 | |||
1067 | snprintf (tmp, | ||
1068 | DEFAULT_BUFFER_SIZE, | ||
1069 | _("%sheader '%s' not found on '%s://%s:%d%s', "), | ||
1070 | msg, | ||
1071 | output_header_search, | ||
1072 | use_ssl ? "https" : "http", | ||
1073 | host_name ? host_name : server_address, | ||
1074 | server_port, | ||
1075 | server_url); | ||
1076 | |||
1077 | strcpy(msg, tmp); | ||
1078 | |||
1079 | result = STATE_CRITICAL; | ||
1080 | } | ||
1081 | } | ||
1082 | |||
1083 | if (strlen (string_expect)) { | ||
1084 | if (!strstr (body_buf.buf, string_expect)) { | ||
1085 | |||
1086 | strncpy(&output_string_search[0],string_expect,sizeof(output_string_search)); | ||
1087 | |||
1088 | if(output_string_search[sizeof(output_string_search)-1]!='\0') { | ||
1089 | bcopy("...",&output_string_search[sizeof(output_string_search)-4],4); | ||
1090 | } | ||
1091 | |||
1092 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
1093 | |||
1094 | snprintf (tmp, | ||
1095 | DEFAULT_BUFFER_SIZE, | ||
1096 | _("%sstring '%s' not found on '%s://%s:%d%s', "), | ||
1097 | msg, | ||
1098 | output_string_search, | ||
1099 | use_ssl ? "https" : "http", | ||
1100 | host_name ? host_name : server_address, | ||
1101 | server_port, | ||
1102 | server_url); | ||
1103 | |||
1104 | strcpy(msg, tmp); | ||
1105 | |||
1106 | result = STATE_CRITICAL; | ||
1107 | } | ||
1108 | } | ||
1109 | |||
1110 | if (strlen (regexp)) { | ||
1111 | errcode = regexec (&preg, body_buf.buf, REGS, pmatch, 0); | ||
1112 | if ((errcode == 0 && !invert_regex) || (errcode == REG_NOMATCH && invert_regex)) { | ||
1113 | /* OK - No-op to avoid changing the logic around it */ | ||
1114 | result = max_state_alt(STATE_OK, result); | ||
1115 | } | ||
1116 | else if ((errcode == REG_NOMATCH && !invert_regex) || (errcode == 0 && invert_regex)) { | ||
1117 | if (!invert_regex) { | ||
1118 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
1119 | |||
1120 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%spattern not found, "), msg); | ||
1121 | strcpy(msg, tmp); | ||
1122 | |||
1123 | } else { | ||
1124 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
1125 | |||
1126 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%spattern found, "), msg); | ||
1127 | strcpy(msg, tmp); | ||
1128 | |||
1129 | } | ||
1130 | result = STATE_CRITICAL; | ||
1131 | } else { | ||
1132 | regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER); | ||
1133 | |||
1134 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
1135 | |||
1136 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sExecute Error: %s, "), msg, errbuf); | ||
1137 | strcpy(msg, tmp); | ||
1138 | result = STATE_UNKNOWN; | ||
1139 | } | ||
1140 | } | ||
1141 | |||
1142 | /* make sure the page is of an appropriate size */ | ||
1143 | if ((max_page_len > 0) && (page_len > max_page_len)) { | ||
1144 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
1145 | |||
1146 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%spage size %d too large, "), msg, page_len); | ||
1147 | |||
1148 | strcpy(msg, tmp); | ||
1149 | |||
1150 | result = max_state_alt(STATE_WARNING, result); | ||
1151 | |||
1152 | } else if ((min_page_len > 0) && (page_len < min_page_len)) { | ||
1153 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
1154 | |||
1155 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%spage size %d too small, "), msg, page_len); | ||
1156 | strcpy(msg, tmp); | ||
1157 | result = max_state_alt(STATE_WARNING, result); | ||
1158 | } | ||
1159 | |||
1160 | /* -w, -c: check warning and critical level */ | ||
1161 | result = max_state_alt(get_status(total_time, thlds), result); | ||
1162 | |||
1163 | /* Cut-off trailing characters */ | ||
1164 | if (strlen(msg) >= 2) { | ||
1165 | if(msg[strlen(msg)-2] == ',') | ||
1166 | msg[strlen(msg)-2] = '\0'; | ||
1167 | else | ||
1168 | msg[strlen(msg)-3] = '\0'; | ||
1169 | } | ||
1170 | |||
1171 | /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */ | ||
1172 | die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s", | ||
1173 | state_text(result), string_statuscode (status_line.http_major, status_line.http_minor), | ||
1174 | status_line.http_code, status_line.msg, | ||
1175 | strlen(msg) > 0 ? " - " : "", | ||
1176 | msg, page_len, total_time, | ||
1177 | (display_html ? "</A>" : ""), | ||
1178 | perfstring, | ||
1179 | (show_body ? body_buf.buf : ""), | ||
1180 | (show_body ? "\n" : "") ); | ||
1181 | |||
1182 | return result; | ||
1183 | } | ||
1184 | |||
1185 | int | ||
1186 | uri_strcmp (const UriTextRangeA range, const char* s) | ||
1187 | { | ||
1188 | if (!range.first) return -1; | ||
1189 | if (range.afterLast - range.first < strlen (s)) return -1; | ||
1190 | return strncmp (s, range.first, min( range.afterLast - range.first, strlen (s))); | ||
1191 | } | ||
1192 | |||
1193 | char* | ||
1194 | uri_string (const UriTextRangeA range, char* buf, size_t buflen) | ||
1195 | { | ||
1196 | if (!range.first) return "(null)"; | ||
1197 | strncpy (buf, range.first, max (buflen-1, range.afterLast - range.first)); | ||
1198 | buf[max (buflen-1, range.afterLast - range.first)] = '\0'; | ||
1199 | buf[range.afterLast - range.first] = '\0'; | ||
1200 | return buf; | ||
1201 | } | ||
1202 | |||
1203 | void | ||
1204 | redir (curlhelp_write_curlbuf* header_buf) | ||
1205 | { | ||
1206 | char *location = NULL; | ||
1207 | curlhelp_statusline status_line; | ||
1208 | struct phr_header headers[255]; | ||
1209 | size_t nof_headers = 255; | ||
1210 | size_t msglen; | ||
1211 | char buf[DEFAULT_BUFFER_SIZE]; | ||
1212 | char ipstr[INET_ADDR_MAX_SIZE]; | ||
1213 | int new_port; | ||
1214 | char *new_host; | ||
1215 | char *new_url; | ||
1216 | |||
1217 | int res = phr_parse_response (header_buf->buf, header_buf->buflen, | ||
1218 | &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen, | ||
1219 | headers, &nof_headers, 0); | ||
1220 | |||
1221 | location = get_header_value (headers, nof_headers, "location"); | ||
1222 | |||
1223 | if (verbose >= 2) | ||
1224 | printf(_("* Seen redirect location %s\n"), location); | ||
1225 | |||
1226 | if (++redir_depth > max_depth) | ||
1227 | die (STATE_WARNING, | ||
1228 | _("HTTP WARNING - maximum redirection depth %d exceeded - %s%s\n"), | ||
1229 | max_depth, location, (display_html ? "</A>" : "")); | ||
1230 | |||
1231 | UriParserStateA state; | ||
1232 | UriUriA uri; | ||
1233 | state.uri = &uri; | ||
1234 | if (uriParseUriA (&state, location) != URI_SUCCESS) { | ||
1235 | if (state.errorCode == URI_ERROR_SYNTAX) { | ||
1236 | die (STATE_UNKNOWN, | ||
1237 | _("HTTP UNKNOWN - Could not parse redirect location '%s'%s\n"), | ||
1238 | location, (display_html ? "</A>" : "")); | ||
1239 | } else if (state.errorCode == URI_ERROR_MALLOC) { | ||
1240 | die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate URL\n")); | ||
1241 | } | ||
1242 | } | ||
1243 | |||
1244 | if (verbose >= 2) { | ||
1245 | printf (_("** scheme: %s\n"), | ||
1246 | uri_string (uri.scheme, buf, DEFAULT_BUFFER_SIZE)); | ||
1247 | printf (_("** host: %s\n"), | ||
1248 | uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE)); | ||
1249 | printf (_("** port: %s\n"), | ||
1250 | uri_string (uri.portText, buf, DEFAULT_BUFFER_SIZE)); | ||
1251 | if (uri.hostData.ip4) { | ||
1252 | inet_ntop (AF_INET, uri.hostData.ip4->data, ipstr, sizeof (ipstr)); | ||
1253 | printf (_("** IPv4: %s\n"), ipstr); | ||
1254 | } | ||
1255 | if (uri.hostData.ip6) { | ||
1256 | inet_ntop (AF_INET, uri.hostData.ip6->data, ipstr, sizeof (ipstr)); | ||
1257 | printf (_("** IPv6: %s\n"), ipstr); | ||
1258 | } | ||
1259 | if (uri.pathHead) { | ||
1260 | printf (_("** path: ")); | ||
1261 | const UriPathSegmentA* p = uri.pathHead; | ||
1262 | for (; p; p = p->next) { | ||
1263 | printf ("/%s", uri_string (p->text, buf, DEFAULT_BUFFER_SIZE)); | ||
1264 | } | ||
1265 | puts (""); | ||
1266 | } | ||
1267 | if (uri.query.first) { | ||
1268 | printf (_("** query: %s\n"), | ||
1269 | uri_string (uri.query, buf, DEFAULT_BUFFER_SIZE)); | ||
1270 | } | ||
1271 | if (uri.fragment.first) { | ||
1272 | printf (_("** fragment: %s\n"), | ||
1273 | uri_string (uri.fragment, buf, DEFAULT_BUFFER_SIZE)); | ||
1274 | } | ||
1275 | } | ||
1276 | |||
1277 | if (!uri_strcmp (uri.scheme, "https")) | ||
1278 | use_ssl = true; | ||
1279 | else | ||
1280 | use_ssl = false; | ||
1281 | |||
1282 | /* we do a sloppy test here only, because uriparser would have failed | ||
1283 | * above, if the port would be invalid, we just check for MAX_PORT | ||
1284 | */ | ||
1285 | if (uri.portText.first) { | ||
1286 | new_port = atoi (uri_string (uri.portText, buf, DEFAULT_BUFFER_SIZE)); | ||
1287 | } else { | ||
1288 | new_port = HTTP_PORT; | ||
1289 | if (use_ssl) | ||
1290 | new_port = HTTPS_PORT; | ||
1291 | } | ||
1292 | if (new_port > MAX_PORT) | ||
1293 | die (STATE_UNKNOWN, | ||
1294 | _("HTTP UNKNOWN - Redirection to port above %d - %s%s\n"), | ||
1295 | MAX_PORT, location, display_html ? "</A>" : ""); | ||
1296 | |||
1297 | /* by RFC 7231 relative URLs in Location should be taken relative to | ||
1298 | * the original URL, so wy try to form a new absolute URL here | ||
1299 | */ | ||
1300 | if (!uri.scheme.first && !uri.hostText.first) { | ||
1301 | new_host = strdup (host_name ? host_name : server_address); | ||
1302 | } else { | ||
1303 | new_host = strdup (uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE)); | ||
1304 | } | ||
1305 | |||
1306 | /* compose new path */ | ||
1307 | /* TODO: handle fragments and query part of URL */ | ||
1308 | new_url = (char *)calloc( 1, DEFAULT_BUFFER_SIZE); | ||
1309 | if (uri.pathHead) { | ||
1310 | const UriPathSegmentA* p = uri.pathHead; | ||
1311 | for (; p; p = p->next) { | ||
1312 | strncat (new_url, "/", DEFAULT_BUFFER_SIZE); | ||
1313 | strncat (new_url, uri_string (p->text, buf, DEFAULT_BUFFER_SIZE), DEFAULT_BUFFER_SIZE-1); | ||
1314 | } | ||
1315 | } | ||
1316 | |||
1317 | if (server_port==new_port && | ||
1318 | !strncmp(server_address, new_host, MAX_IPV4_HOSTLENGTH) && | ||
1319 | (host_name && !strncmp(host_name, new_host, MAX_IPV4_HOSTLENGTH)) && | ||
1320 | !strcmp(server_url, new_url)) | ||
1321 | die (STATE_CRITICAL, | ||
1322 | _("HTTP CRITICAL - redirection creates an infinite loop - %s://%s:%d%s%s\n"), | ||
1323 | use_ssl ? "https" : "http", new_host, new_port, new_url, (display_html ? "</A>" : "")); | ||
1324 | |||
1325 | /* set new values for redirected request */ | ||
1326 | |||
1327 | if (!(followsticky & STICKY_HOST)) { | ||
1328 | free (server_address); | ||
1329 | server_address = strndup (new_host, MAX_IPV4_HOSTLENGTH); | ||
1330 | } | ||
1331 | if (!(followsticky & STICKY_PORT)) { | ||
1332 | server_port = (unsigned short)new_port; | ||
1333 | } | ||
1334 | |||
1335 | free (host_name); | ||
1336 | host_name = strndup (new_host, MAX_IPV4_HOSTLENGTH); | ||
1337 | |||
1338 | /* reset virtual port */ | ||
1339 | virtual_port = server_port; | ||
1340 | |||
1341 | free(new_host); | ||
1342 | free (server_url); | ||
1343 | server_url = new_url; | ||
1344 | |||
1345 | uriFreeUriMembersA (&uri); | ||
1346 | |||
1347 | if (verbose) | ||
1348 | printf (_("Redirection to %s://%s:%d%s\n"), use_ssl ? "https" : "http", | ||
1349 | host_name ? host_name : server_address, server_port, server_url); | ||
1350 | |||
1351 | /* TODO: the hash component MUST be taken from the original URL and | ||
1352 | * attached to the URL in Location | ||
1353 | */ | ||
1354 | |||
1355 | cleanup (); | ||
1356 | check_http (); | ||
1357 | } | ||
1358 | |||
1359 | /* check whether a file exists */ | ||
1360 | void | ||
1361 | test_file (char *path) | ||
1362 | { | ||
1363 | if (access(path, R_OK) == 0) | ||
1364 | return; | ||
1365 | usage2 (_("file does not exist or is not readable"), path); | ||
1366 | } | ||
1367 | |||
1368 | bool | ||
1369 | process_arguments (int argc, char **argv) | ||
1370 | { | ||
1371 | char *p; | ||
1372 | int c = 1; | ||
1373 | char *temp; | ||
1374 | |||
1375 | enum { | ||
1376 | INVERT_REGEX = CHAR_MAX + 1, | ||
1377 | SNI_OPTION, | ||
1378 | MAX_REDIRS_OPTION, | ||
1379 | CONTINUE_AFTER_CHECK_CERT, | ||
1380 | CA_CERT_OPTION, | ||
1381 | HTTP_VERSION_OPTION, | ||
1382 | AUTOMATIC_DECOMPRESSION, | ||
1383 | COOKIE_JAR | ||
1384 | }; | ||
1385 | |||
1386 | int option = 0; | ||
1387 | int got_plus = 0; | ||
1388 | static struct option longopts[] = { | ||
1389 | STD_LONG_OPTS, | ||
1390 | {"link", no_argument, 0, 'L'}, | ||
1391 | {"nohtml", no_argument, 0, 'n'}, | ||
1392 | {"ssl", optional_argument, 0, 'S'}, | ||
1393 | {"sni", no_argument, 0, SNI_OPTION}, | ||
1394 | {"post", required_argument, 0, 'P'}, | ||
1395 | {"method", required_argument, 0, 'j'}, | ||
1396 | {"IP-address", required_argument, 0, 'I'}, | ||
1397 | {"url", required_argument, 0, 'u'}, | ||
1398 | {"port", required_argument, 0, 'p'}, | ||
1399 | {"authorization", required_argument, 0, 'a'}, | ||
1400 | {"proxy-authorization", required_argument, 0, 'b'}, | ||
1401 | {"header-string", required_argument, 0, 'd'}, | ||
1402 | {"string", required_argument, 0, 's'}, | ||
1403 | {"expect", required_argument, 0, 'e'}, | ||
1404 | {"regex", required_argument, 0, 'r'}, | ||
1405 | {"ereg", required_argument, 0, 'r'}, | ||
1406 | {"eregi", required_argument, 0, 'R'}, | ||
1407 | {"linespan", no_argument, 0, 'l'}, | ||
1408 | {"onredirect", required_argument, 0, 'f'}, | ||
1409 | {"certificate", required_argument, 0, 'C'}, | ||
1410 | {"client-cert", required_argument, 0, 'J'}, | ||
1411 | {"private-key", required_argument, 0, 'K'}, | ||
1412 | {"ca-cert", required_argument, 0, CA_CERT_OPTION}, | ||
1413 | {"verify-cert", no_argument, 0, 'D'}, | ||
1414 | {"continue-after-certificate", no_argument, 0, CONTINUE_AFTER_CHECK_CERT}, | ||
1415 | {"useragent", required_argument, 0, 'A'}, | ||
1416 | {"header", required_argument, 0, 'k'}, | ||
1417 | {"no-body", no_argument, 0, 'N'}, | ||
1418 | {"max-age", required_argument, 0, 'M'}, | ||
1419 | {"content-type", required_argument, 0, 'T'}, | ||
1420 | {"pagesize", required_argument, 0, 'm'}, | ||
1421 | {"invert-regex", no_argument, NULL, INVERT_REGEX}, | ||
1422 | {"use-ipv4", no_argument, 0, '4'}, | ||
1423 | {"use-ipv6", no_argument, 0, '6'}, | ||
1424 | {"extended-perfdata", no_argument, 0, 'E'}, | ||
1425 | {"show-body", no_argument, 0, 'B'}, | ||
1426 | {"max-redirs", required_argument, 0, MAX_REDIRS_OPTION}, | ||
1427 | {"http-version", required_argument, 0, HTTP_VERSION_OPTION}, | ||
1428 | {"enable-automatic-decompression", no_argument, 0, AUTOMATIC_DECOMPRESSION}, | ||
1429 | {"cookie-jar", required_argument, 0, COOKIE_JAR}, | ||
1430 | {0, 0, 0, 0} | ||
1431 | }; | ||
1432 | |||
1433 | if (argc < 2) | ||
1434 | return false; | ||
1435 | |||
1436 | /* support check_http compatible arguments */ | ||
1437 | for (c = 1; c < argc; c++) { | ||
1438 | if (strcmp ("-to", argv[c]) == 0) | ||
1439 | strcpy (argv[c], "-t"); | ||
1440 | if (strcmp ("-hn", argv[c]) == 0) | ||
1441 | strcpy (argv[c], "-H"); | ||
1442 | if (strcmp ("-wt", argv[c]) == 0) | ||
1443 | strcpy (argv[c], "-w"); | ||
1444 | if (strcmp ("-ct", argv[c]) == 0) | ||
1445 | strcpy (argv[c], "-c"); | ||
1446 | if (strcmp ("-nohtml", argv[c]) == 0) | ||
1447 | strcpy (argv[c], "-n"); | ||
1448 | } | ||
1449 | |||
1450 | server_url = strdup(DEFAULT_SERVER_URL); | ||
1451 | |||
1452 | while (1) { | ||
1453 | c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NEB", longopts, &option); | ||
1454 | if (c == -1 || c == EOF || c == 1) | ||
1455 | break; | ||
1456 | |||
1457 | switch (c) { | ||
1458 | case 'h': | ||
1459 | print_help(); | ||
1460 | exit(STATE_UNKNOWN); | ||
1461 | break; | ||
1462 | case 'V': | ||
1463 | print_revision(progname, NP_VERSION); | ||
1464 | print_curl_version(); | ||
1465 | exit(STATE_UNKNOWN); | ||
1466 | break; | ||
1467 | case 'v': | ||
1468 | verbose++; | ||
1469 | break; | ||
1470 | case 't': /* timeout period */ | ||
1471 | if (!is_intnonneg (optarg)) | ||
1472 | usage2 (_("Timeout interval must be a positive integer"), optarg); | ||
1473 | else | ||
1474 | socket_timeout = (int)strtol (optarg, NULL, 10); | ||
1475 | break; | ||
1476 | case 'c': /* critical time threshold */ | ||
1477 | critical_thresholds = optarg; | ||
1478 | break; | ||
1479 | case 'w': /* warning time threshold */ | ||
1480 | warning_thresholds = optarg; | ||
1481 | break; | ||
1482 | case 'H': /* virtual host */ | ||
1483 | host_name = strdup (optarg); | ||
1484 | if (host_name[0] == '[') { | ||
1485 | if ((p = strstr (host_name, "]:")) != NULL) { /* [IPv6]:port */ | ||
1486 | virtual_port = atoi (p + 2); | ||
1487 | /* cut off the port */ | ||
1488 | host_name_length = strlen (host_name) - strlen (p) - 1; | ||
1489 | free (host_name); | ||
1490 | host_name = strndup (optarg, host_name_length); | ||
1491 | } | ||
1492 | } else if ((p = strchr (host_name, ':')) != NULL | ||
1493 | && strchr (++p, ':') == NULL) { /* IPv4:port or host:port */ | ||
1494 | virtual_port = atoi (p); | ||
1495 | /* cut off the port */ | ||
1496 | host_name_length = strlen (host_name) - strlen (p) - 1; | ||
1497 | free (host_name); | ||
1498 | host_name = strndup (optarg, host_name_length); | ||
1499 | } | ||
1500 | break; | ||
1501 | case 'I': /* internet address */ | ||
1502 | server_address = strdup (optarg); | ||
1503 | break; | ||
1504 | case 'u': /* URL path */ | ||
1505 | server_url = strdup (optarg); | ||
1506 | break; | ||
1507 | case 'p': /* Server port */ | ||
1508 | if (!is_intnonneg (optarg)) | ||
1509 | usage2 (_("Invalid port number, expecting a non-negative number"), optarg); | ||
1510 | else { | ||
1511 | if( strtol(optarg, NULL, 10) > MAX_PORT) | ||
1512 | usage2 (_("Invalid port number, supplied port number is too big"), optarg); | ||
1513 | server_port = (unsigned short)strtol(optarg, NULL, 10); | ||
1514 | specify_port = true; | ||
1515 | } | ||
1516 | break; | ||
1517 | case 'a': /* authorization info */ | ||
1518 | strncpy (user_auth, optarg, MAX_INPUT_BUFFER - 1); | ||
1519 | user_auth[MAX_INPUT_BUFFER - 1] = 0; | ||
1520 | break; | ||
1521 | case 'b': /* proxy-authorization info */ | ||
1522 | strncpy (proxy_auth, optarg, MAX_INPUT_BUFFER - 1); | ||
1523 | proxy_auth[MAX_INPUT_BUFFER - 1] = 0; | ||
1524 | break; | ||
1525 | case 'P': /* HTTP POST data in URL encoded format; ignored if settings already */ | ||
1526 | if (! http_post_data) | ||
1527 | http_post_data = strdup (optarg); | ||
1528 | if (! http_method) | ||
1529 | http_method = strdup("POST"); | ||
1530 | break; | ||
1531 | case 'j': /* Set HTTP method */ | ||
1532 | if (http_method) | ||
1533 | free(http_method); | ||
1534 | http_method = strdup (optarg); | ||
1535 | break; | ||
1536 | case 'A': /* useragent */ | ||
1537 | strncpy (user_agent, optarg, DEFAULT_BUFFER_SIZE); | ||
1538 | user_agent[DEFAULT_BUFFER_SIZE-1] = '\0'; | ||
1539 | break; | ||
1540 | case 'k': /* Additional headers */ | ||
1541 | if (http_opt_headers_count == 0) | ||
1542 | http_opt_headers = malloc (sizeof (char *) * (++http_opt_headers_count)); | ||
1543 | else | ||
1544 | http_opt_headers = realloc (http_opt_headers, sizeof (char *) * (++http_opt_headers_count)); | ||
1545 | http_opt_headers[http_opt_headers_count - 1] = optarg; | ||
1546 | break; | ||
1547 | case 'L': /* show html link */ | ||
1548 | display_html = true; | ||
1549 | break; | ||
1550 | case 'n': /* do not show html link */ | ||
1551 | display_html = false; | ||
1552 | break; | ||
1553 | case 'C': /* Check SSL cert validity */ | ||
1554 | #ifdef LIBCURL_FEATURE_SSL | ||
1555 | if ((temp=strchr(optarg,','))!=NULL) { | ||
1556 | *temp='\0'; | ||
1557 | if (!is_intnonneg (optarg)) | ||
1558 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
1559 | days_till_exp_warn = atoi(optarg); | ||
1560 | *temp=','; | ||
1561 | temp++; | ||
1562 | if (!is_intnonneg (temp)) | ||
1563 | usage2 (_("Invalid certificate expiration period"), temp); | ||
1564 | days_till_exp_crit = atoi (temp); | ||
1565 | } | ||
1566 | else { | ||
1567 | days_till_exp_crit=0; | ||
1568 | if (!is_intnonneg (optarg)) | ||
1569 | usage2 (_("Invalid certificate expiration period"), optarg); | ||
1570 | days_till_exp_warn = atoi (optarg); | ||
1571 | } | ||
1572 | check_cert = true; | ||
1573 | goto enable_ssl; | ||
1574 | #endif | ||
1575 | case CONTINUE_AFTER_CHECK_CERT: /* don't stop after the certificate is checked */ | ||
1576 | #ifdef HAVE_SSL | ||
1577 | continue_after_check_cert = true; | ||
1578 | break; | ||
1579 | #endif | ||
1580 | case 'J': /* use client certificate */ | ||
1581 | #ifdef LIBCURL_FEATURE_SSL | ||
1582 | test_file(optarg); | ||
1583 | client_cert = optarg; | ||
1584 | goto enable_ssl; | ||
1585 | #endif | ||
1586 | case 'K': /* use client private key */ | ||
1587 | #ifdef LIBCURL_FEATURE_SSL | ||
1588 | test_file(optarg); | ||
1589 | client_privkey = optarg; | ||
1590 | goto enable_ssl; | ||
1591 | #endif | ||
1592 | #ifdef LIBCURL_FEATURE_SSL | ||
1593 | case CA_CERT_OPTION: /* use CA chain file */ | ||
1594 | test_file(optarg); | ||
1595 | ca_cert = optarg; | ||
1596 | goto enable_ssl; | ||
1597 | #endif | ||
1598 | #ifdef LIBCURL_FEATURE_SSL | ||
1599 | case 'D': /* verify peer certificate & host */ | ||
1600 | verify_peer_and_host = true; | ||
1601 | break; | ||
1602 | #endif | ||
1603 | case 'S': /* use SSL */ | ||
1604 | #ifdef LIBCURL_FEATURE_SSL | ||
1605 | enable_ssl: | ||
1606 | use_ssl = true; | ||
1607 | /* ssl_version initialized to CURL_SSLVERSION_DEFAULT as a default. | ||
1608 | * Only set if it's non-zero. This helps when we include multiple | ||
1609 | * parameters, like -S and -C combinations */ | ||
1610 | ssl_version = CURL_SSLVERSION_DEFAULT; | ||
1611 | if (c=='S' && optarg != NULL) { | ||
1612 | char *plus_ptr = strchr(optarg, '+'); | ||
1613 | if (plus_ptr) { | ||
1614 | got_plus = 1; | ||
1615 | *plus_ptr = '\0'; | ||
1616 | } | ||
1617 | |||
1618 | if (optarg[0] == '2') | ||
1619 | ssl_version = CURL_SSLVERSION_SSLv2; | ||
1620 | else if (optarg[0] == '3') | ||
1621 | ssl_version = CURL_SSLVERSION_SSLv3; | ||
1622 | else if (!strcmp (optarg, "1") || !strcmp (optarg, "1.0")) | ||
1623 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) | ||
1624 | ssl_version = CURL_SSLVERSION_TLSv1_0; | ||
1625 | #else | ||
1626 | ssl_version = CURL_SSLVERSION_DEFAULT; | ||
1627 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ | ||
1628 | else if (!strcmp (optarg, "1.1")) | ||
1629 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) | ||
1630 | ssl_version = CURL_SSLVERSION_TLSv1_1; | ||
1631 | #else | ||
1632 | ssl_version = CURL_SSLVERSION_DEFAULT; | ||
1633 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ | ||
1634 | else if (!strcmp (optarg, "1.2")) | ||
1635 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) | ||
1636 | ssl_version = CURL_SSLVERSION_TLSv1_2; | ||
1637 | #else | ||
1638 | ssl_version = CURL_SSLVERSION_DEFAULT; | ||
1639 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ | ||
1640 | else if (!strcmp (optarg, "1.3")) | ||
1641 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) | ||
1642 | ssl_version = CURL_SSLVERSION_TLSv1_3; | ||
1643 | #else | ||
1644 | ssl_version = CURL_SSLVERSION_DEFAULT; | ||
1645 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) */ | ||
1646 | else | ||
1647 | usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2, 1.3 (with optional '+' suffix)")); | ||
1648 | } | ||
1649 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) | ||
1650 | if (got_plus) { | ||
1651 | switch (ssl_version) { | ||
1652 | case CURL_SSLVERSION_TLSv1_3: | ||
1653 | ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3; | ||
1654 | break; | ||
1655 | case CURL_SSLVERSION_TLSv1_2: | ||
1656 | case CURL_SSLVERSION_TLSv1_1: | ||
1657 | case CURL_SSLVERSION_TLSv1_0: | ||
1658 | ssl_version |= CURL_SSLVERSION_MAX_DEFAULT; | ||
1659 | break; | ||
1660 | } | ||
1661 | } else { | ||
1662 | switch (ssl_version) { | ||
1663 | case CURL_SSLVERSION_TLSv1_3: | ||
1664 | ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3; | ||
1665 | break; | ||
1666 | case CURL_SSLVERSION_TLSv1_2: | ||
1667 | ssl_version |= CURL_SSLVERSION_MAX_TLSv1_2; | ||
1668 | break; | ||
1669 | case CURL_SSLVERSION_TLSv1_1: | ||
1670 | ssl_version |= CURL_SSLVERSION_MAX_TLSv1_1; | ||
1671 | break; | ||
1672 | case CURL_SSLVERSION_TLSv1_0: | ||
1673 | ssl_version |= CURL_SSLVERSION_MAX_TLSv1_0; | ||
1674 | break; | ||
1675 | } | ||
1676 | } | ||
1677 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) */ | ||
1678 | if (verbose >= 2) | ||
1679 | printf(_("* Set SSL/TLS version to %d\n"), ssl_version); | ||
1680 | if (!specify_port) | ||
1681 | server_port = HTTPS_PORT; | ||
1682 | break; | ||
1683 | #else /* LIBCURL_FEATURE_SSL */ | ||
1684 | /* -C -J and -K fall through to here without SSL */ | ||
1685 | usage4 (_("Invalid option - SSL is not available")); | ||
1686 | break; | ||
1687 | case SNI_OPTION: /* --sni is parsed, but ignored, the default is true with libcurl */ | ||
1688 | use_sni = true; | ||
1689 | break; | ||
1690 | #endif /* LIBCURL_FEATURE_SSL */ | ||
1691 | case MAX_REDIRS_OPTION: | ||
1692 | if (!is_intnonneg (optarg)) | ||
1693 | usage2 (_("Invalid max_redirs count"), optarg); | ||
1694 | else { | ||
1695 | max_depth = atoi (optarg); | ||
1696 | } | ||
1697 | break; | ||
1698 | case 'f': /* onredirect */ | ||
1699 | if (!strcmp (optarg, "ok")) | ||
1700 | onredirect = STATE_OK; | ||
1701 | else if (!strcmp (optarg, "warning")) | ||
1702 | onredirect = STATE_WARNING; | ||
1703 | else if (!strcmp (optarg, "critical")) | ||
1704 | onredirect = STATE_CRITICAL; | ||
1705 | else if (!strcmp (optarg, "unknown")) | ||
1706 | onredirect = STATE_UNKNOWN; | ||
1707 | else if (!strcmp (optarg, "follow")) | ||
1708 | onredirect = STATE_DEPENDENT; | ||
1709 | else if (!strcmp (optarg, "stickyport")) | ||
1710 | onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_HOST|STICKY_PORT; | ||
1711 | else if (!strcmp (optarg, "sticky")) | ||
1712 | onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_HOST; | ||
1713 | else if (!strcmp (optarg, "follow")) | ||
1714 | onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_NONE; | ||
1715 | else if (!strcmp (optarg, "curl")) | ||
1716 | onredirect = STATE_DEPENDENT, followmethod = FOLLOW_LIBCURL; | ||
1717 | else usage2 (_("Invalid onredirect option"), optarg); | ||
1718 | if (verbose >= 2) | ||
1719 | printf(_("* Following redirects set to %s\n"), state_text(onredirect)); | ||
1720 | break; | ||
1721 | case 'd': /* string or substring */ | ||
1722 | strncpy (header_expect, optarg, MAX_INPUT_BUFFER - 1); | ||
1723 | header_expect[MAX_INPUT_BUFFER - 1] = 0; | ||
1724 | break; | ||
1725 | case 's': /* string or substring */ | ||
1726 | strncpy (string_expect, optarg, MAX_INPUT_BUFFER - 1); | ||
1727 | string_expect[MAX_INPUT_BUFFER - 1] = 0; | ||
1728 | break; | ||
1729 | case 'e': /* string or substring */ | ||
1730 | strncpy (server_expect, optarg, MAX_INPUT_BUFFER - 1); | ||
1731 | server_expect[MAX_INPUT_BUFFER - 1] = 0; | ||
1732 | server_expect_yn = 1; | ||
1733 | break; | ||
1734 | case 'T': /* Content-type */ | ||
1735 | http_content_type = strdup (optarg); | ||
1736 | break; | ||
1737 | case 'l': /* linespan */ | ||
1738 | cflags &= ~REG_NEWLINE; | ||
1739 | break; | ||
1740 | case 'R': /* regex */ | ||
1741 | cflags |= REG_ICASE; | ||
1742 | // fall through | ||
1743 | case 'r': /* regex */ | ||
1744 | strncpy (regexp, optarg, MAX_RE_SIZE - 1); | ||
1745 | regexp[MAX_RE_SIZE - 1] = 0; | ||
1746 | errcode = regcomp (&preg, regexp, cflags); | ||
1747 | if (errcode != 0) { | ||
1748 | (void) regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER); | ||
1749 | printf (_("Could Not Compile Regular Expression: %s"), errbuf); | ||
1750 | return false; | ||
1751 | } | ||
1752 | break; | ||
1753 | case INVERT_REGEX: | ||
1754 | invert_regex = true; | ||
1755 | break; | ||
1756 | case '4': | ||
1757 | address_family = AF_INET; | ||
1758 | break; | ||
1759 | case '6': | ||
1760 | #if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6) | ||
1761 | address_family = AF_INET6; | ||
1762 | #else | ||
1763 | usage4 (_("IPv6 support not available")); | ||
1764 | #endif | ||
1765 | break; | ||
1766 | case 'm': /* min_page_length */ | ||
1767 | { | ||
1768 | char *tmp; | ||
1769 | if (strchr(optarg, ':') != (char *)NULL) { | ||
1770 | /* range, so get two values, min:max */ | ||
1771 | tmp = strtok(optarg, ":"); | ||
1772 | if (tmp == NULL) { | ||
1773 | printf("Bad format: try \"-m min:max\"\n"); | ||
1774 | exit (STATE_WARNING); | ||
1775 | } else | ||
1776 | min_page_len = atoi(tmp); | ||
1777 | |||
1778 | tmp = strtok(NULL, ":"); | ||
1779 | if (tmp == NULL) { | ||
1780 | printf("Bad format: try \"-m min:max\"\n"); | ||
1781 | exit (STATE_WARNING); | ||
1782 | } else | ||
1783 | max_page_len = atoi(tmp); | ||
1784 | } else | ||
1785 | min_page_len = atoi (optarg); | ||
1786 | break; | ||
1787 | } | ||
1788 | case 'N': /* no-body */ | ||
1789 | no_body = true; | ||
1790 | break; | ||
1791 | case 'M': /* max-age */ | ||
1792 | { | ||
1793 | int L = strlen(optarg); | ||
1794 | if (L && optarg[L-1] == 'm') | ||
1795 | maximum_age = atoi (optarg) * 60; | ||
1796 | else if (L && optarg[L-1] == 'h') | ||
1797 | maximum_age = atoi (optarg) * 60 * 60; | ||
1798 | else if (L && optarg[L-1] == 'd') | ||
1799 | maximum_age = atoi (optarg) * 60 * 60 * 24; | ||
1800 | else if (L && (optarg[L-1] == 's' || | ||
1801 | isdigit (optarg[L-1]))) | ||
1802 | maximum_age = atoi (optarg); | ||
1803 | else { | ||
1804 | fprintf (stderr, "unparsable max-age: %s\n", optarg); | ||
1805 | exit (STATE_WARNING); | ||
1806 | } | ||
1807 | if (verbose >= 2) | ||
1808 | printf ("* Maximal age of document set to %d seconds\n", maximum_age); | ||
1809 | } | ||
1810 | break; | ||
1811 | case 'E': /* show extended perfdata */ | ||
1812 | show_extended_perfdata = true; | ||
1813 | break; | ||
1814 | case 'B': /* print body content after status line */ | ||
1815 | show_body = true; | ||
1816 | break; | ||
1817 | case HTTP_VERSION_OPTION: | ||
1818 | curl_http_version = CURL_HTTP_VERSION_NONE; | ||
1819 | if (strcmp (optarg, "1.0") == 0) { | ||
1820 | curl_http_version = CURL_HTTP_VERSION_1_0; | ||
1821 | } else if (strcmp (optarg, "1.1") == 0) { | ||
1822 | curl_http_version = CURL_HTTP_VERSION_1_1; | ||
1823 | } else if ((strcmp (optarg, "2.0") == 0) || (strcmp (optarg, "2") == 0)) { | ||
1824 | #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 33, 0) | ||
1825 | curl_http_version = CURL_HTTP_VERSION_2_0; | ||
1826 | #else | ||
1827 | curl_http_version = CURL_HTTP_VERSION_NONE; | ||
1828 | #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 33, 0) */ | ||
1829 | } else { | ||
1830 | fprintf (stderr, "unknown http-version parameter: %s\n", optarg); | ||
1831 | exit (STATE_WARNING); | ||
1832 | } | ||
1833 | break; | ||
1834 | case AUTOMATIC_DECOMPRESSION: | ||
1835 | automatic_decompression = true; | ||
1836 | break; | ||
1837 | case COOKIE_JAR: | ||
1838 | cookie_jar_file = optarg; | ||
1839 | break; | ||
1840 | case '?': | ||
1841 | /* print short usage statement if args not parsable */ | ||
1842 | usage5 (); | ||
1843 | break; | ||
1844 | } | ||
1845 | } | ||
1846 | |||
1847 | c = optind; | ||
1848 | |||
1849 | if (server_address == NULL && c < argc) | ||
1850 | server_address = strdup (argv[c++]); | ||
1851 | |||
1852 | if (host_name == NULL && c < argc) | ||
1853 | host_name = strdup (argv[c++]); | ||
1854 | |||
1855 | if (server_address == NULL) { | ||
1856 | if (host_name == NULL) | ||
1857 | usage4 (_("You must specify a server address or host name")); | ||
1858 | else | ||
1859 | server_address = strdup (host_name); | ||
1860 | } | ||
1861 | |||
1862 | set_thresholds(&thlds, warning_thresholds, critical_thresholds); | ||
1863 | |||
1864 | if (critical_thresholds && thlds->critical->end>(double)socket_timeout) | ||
1865 | socket_timeout = (int)thlds->critical->end + 1; | ||
1866 | if (verbose >= 2) | ||
1867 | printf ("* Socket timeout set to %ld seconds\n", socket_timeout); | ||
1868 | |||
1869 | if (http_method == NULL) | ||
1870 | http_method = strdup ("GET"); | ||
1871 | |||
1872 | if (client_cert && !client_privkey) | ||
1873 | usage4 (_("If you use a client certificate you must also specify a private key file")); | ||
1874 | |||
1875 | if (virtual_port == 0) | ||
1876 | virtual_port = server_port; | ||
1877 | else { | ||
1878 | if ((use_ssl && server_port == HTTPS_PORT) || (!use_ssl && server_port == HTTP_PORT)) | ||
1879 | if(!specify_port) | ||
1880 | server_port = virtual_port; | ||
1881 | } | ||
1882 | |||
1883 | return true; | ||
1884 | } | ||
1885 | |||
1886 | char *perfd_time (double elapsed_time) | ||
1887 | { | ||
1888 | return fperfdata ("time", elapsed_time, "s", | ||
1889 | thlds->warning?true:false, thlds->warning?thlds->warning->end:0, | ||
1890 | thlds->critical?true:false, thlds->critical?thlds->critical->end:0, | ||
1891 | true, 0, true, socket_timeout); | ||
1892 | } | ||
1893 | |||
1894 | char *perfd_time_connect (double elapsed_time_connect) | ||
1895 | { | ||
1896 | return fperfdata ("time_connect", elapsed_time_connect, "s", false, 0, false, 0, false, 0, true, socket_timeout); | ||
1897 | } | ||
1898 | |||
1899 | char *perfd_time_ssl (double elapsed_time_ssl) | ||
1900 | { | ||
1901 | return fperfdata ("time_ssl", elapsed_time_ssl, "s", false, 0, false, 0, false, 0, true, socket_timeout); | ||
1902 | } | ||
1903 | |||
1904 | char *perfd_time_headers (double elapsed_time_headers) | ||
1905 | { | ||
1906 | return fperfdata ("time_headers", elapsed_time_headers, "s", false, 0, false, 0, false, 0, true, socket_timeout); | ||
1907 | } | ||
1908 | |||
1909 | char *perfd_time_firstbyte (double elapsed_time_firstbyte) | ||
1910 | { | ||
1911 | return fperfdata ("time_firstbyte", elapsed_time_firstbyte, "s", false, 0, false, 0, false, 0, true, socket_timeout); | ||
1912 | } | ||
1913 | |||
1914 | char *perfd_time_transfer (double elapsed_time_transfer) | ||
1915 | { | ||
1916 | return fperfdata ("time_transfer", elapsed_time_transfer, "s", false, 0, false, 0, false, 0, true, socket_timeout); | ||
1917 | } | ||
1918 | |||
1919 | char *perfd_size (int page_len) | ||
1920 | { | ||
1921 | return perfdata ("size", page_len, "B", | ||
1922 | (min_page_len>0?true:false), min_page_len, | ||
1923 | (min_page_len>0?true:false), 0, | ||
1924 | true, 0, false, 0); | ||
1925 | } | ||
1926 | |||
1927 | void | ||
1928 | print_help (void) | ||
1929 | { | ||
1930 | print_revision (progname, NP_VERSION); | ||
1931 | |||
1932 | printf ("Copyright (c) 1999 Ethan Galstad <nagios@nagios.org>\n"); | ||
1933 | printf (COPYRIGHT, copyright, email); | ||
1934 | |||
1935 | printf ("%s\n", _("This plugin tests the HTTP service on the specified host. It can test")); | ||
1936 | printf ("%s\n", _("normal (http) and secure (https) servers, follow redirects, search for")); | ||
1937 | printf ("%s\n", _("strings and regular expressions, check connection times, and report on")); | ||
1938 | printf ("%s\n", _("certificate expiration times.")); | ||
1939 | printf ("\n"); | ||
1940 | printf ("%s\n", _("It makes use of libcurl to do so. It tries to be as compatible to check_http")); | ||
1941 | printf ("%s\n", _("as possible.")); | ||
1942 | |||
1943 | printf ("\n\n"); | ||
1944 | |||
1945 | print_usage (); | ||
1946 | |||
1947 | printf (_("NOTE: One or both of -H and -I must be specified")); | ||
1948 | |||
1949 | printf ("\n"); | ||
1950 | |||
1951 | printf (UT_HELP_VRSN); | ||
1952 | printf (UT_EXTRA_OPTS); | ||
1953 | |||
1954 | printf (" %s\n", "-H, --hostname=ADDRESS"); | ||
1955 | printf (" %s\n", _("Host name argument for servers using host headers (virtual host)")); | ||
1956 | printf (" %s\n", _("Append a port to include it in the header (eg: example.com:5000)")); | ||
1957 | printf (" %s\n", "-I, --IP-address=ADDRESS"); | ||
1958 | printf (" %s\n", _("IP address or name (use numeric address if possible to bypass DNS lookup).")); | ||
1959 | printf (" %s\n", "-p, --port=INTEGER"); | ||
1960 | printf (" %s", _("Port number (default: ")); | ||
1961 | printf ("%d)\n", HTTP_PORT); | ||
1962 | |||
1963 | printf (UT_IPv46); | ||
1964 | |||
1965 | #ifdef LIBCURL_FEATURE_SSL | ||
1966 | printf (" %s\n", "-S, --ssl=VERSION[+]"); | ||
1967 | printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); | ||
1968 | printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,")); | ||
1969 | printf (" %s\n", _("1.2 = TLSv1.2, 1.3 = TLSv1.3). With a '+' suffix, newer versions are also accepted.")); | ||
1970 | printf (" %s\n", _("Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl")); | ||
1971 | printf (" %s\n", "--sni"); | ||
1972 | printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); | ||
1973 | #if LIBCURL_VERSION_NUM >= 0x071801 | ||
1974 | printf (" %s\n", _("Note: --sni is the default in libcurl as SSLv2 and SSLV3 are deprecated and")); | ||
1975 | printf (" %s\n", _(" SNI only really works since TLSv1.0")); | ||
1976 | #else | ||
1977 | printf (" %s\n", _("Note: SNI is not supported in libcurl before 7.18.1")); | ||
1978 | #endif | ||
1979 | printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); | ||
1980 | printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443")); | ||
1981 | printf (" %s\n", _("(when this option is used the URL is not checked by default. You can use")); | ||
1982 | printf (" %s\n", _(" --continue-after-certificate to override this behavior)")); | ||
1983 | printf (" %s\n", "--continue-after-certificate"); | ||
1984 | printf (" %s\n", _("Allows the HTTP check to continue after performing the certificate check.")); | ||
1985 | printf (" %s\n", _("Does nothing unless -C is used.")); | ||
1986 | printf (" %s\n", "-J, --client-cert=FILE"); | ||
1987 | printf (" %s\n", _("Name of file that contains the client certificate (PEM format)")); | ||
1988 | printf (" %s\n", _("to be used in establishing the SSL session")); | ||
1989 | printf (" %s\n", "-K, --private-key=FILE"); | ||
1990 | printf (" %s\n", _("Name of file containing the private key (PEM format)")); | ||
1991 | printf (" %s\n", _("matching the client certificate")); | ||
1992 | printf (" %s\n", "--ca-cert=FILE"); | ||
1993 | printf (" %s\n", _("CA certificate file to verify peer against")); | ||
1994 | printf (" %s\n", "-D, --verify-cert"); | ||
1995 | printf (" %s\n", _("Verify the peer's SSL certificate and hostname")); | ||
1996 | #endif | ||
1997 | |||
1998 | printf (" %s\n", "-e, --expect=STRING"); | ||
1999 | printf (" %s\n", _("Comma-delimited list of strings, at least one of them is expected in")); | ||
2000 | printf (" %s", _("the first (status) line of the server response (default: ")); | ||
2001 | printf ("%s)\n", HTTP_EXPECT); | ||
2002 | printf (" %s\n", _("If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)")); | ||
2003 | printf (" %s\n", "-d, --header-string=STRING"); | ||
2004 | printf (" %s\n", _("String to expect in the response headers")); | ||
2005 | printf (" %s\n", "-s, --string=STRING"); | ||
2006 | printf (" %s\n", _("String to expect in the content")); | ||
2007 | printf (" %s\n", "-u, --url=PATH"); | ||
2008 | printf (" %s\n", _("URL to GET or POST (default: /)")); | ||
2009 | printf (" %s\n", "-P, --post=STRING"); | ||
2010 | printf (" %s\n", _("URL encoded http POST data")); | ||
2011 | printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)"); | ||
2012 | printf (" %s\n", _("Set HTTP method.")); | ||
2013 | printf (" %s\n", "-N, --no-body"); | ||
2014 | printf (" %s\n", _("Don't wait for document body: stop reading after headers.")); | ||
2015 | printf (" %s\n", _("(Note that this still does an HTTP GET or POST, not a HEAD.)")); | ||
2016 | printf (" %s\n", "-M, --max-age=SECONDS"); | ||
2017 | printf (" %s\n", _("Warn if document is more than SECONDS old. the number can also be of")); | ||
2018 | printf (" %s\n", _("the form \"10m\" for minutes, \"10h\" for hours, or \"10d\" for days.")); | ||
2019 | printf (" %s\n", "-T, --content-type=STRING"); | ||
2020 | printf (" %s\n", _("specify Content-Type header media type when POSTing\n")); | ||
2021 | printf (" %s\n", "-l, --linespan"); | ||
2022 | printf (" %s\n", _("Allow regex to span newlines (must precede -r or -R)")); | ||
2023 | printf (" %s\n", "-r, --regex, --ereg=STRING"); | ||
2024 | printf (" %s\n", _("Search page for regex STRING")); | ||
2025 | printf (" %s\n", "-R, --eregi=STRING"); | ||
2026 | printf (" %s\n", _("Search page for case-insensitive regex STRING")); | ||
2027 | printf (" %s\n", "--invert-regex"); | ||
2028 | printf (" %s\n", _("Return CRITICAL if found, OK if not\n")); | ||
2029 | printf (" %s\n", "-a, --authorization=AUTH_PAIR"); | ||
2030 | printf (" %s\n", _("Username:password on sites with basic authentication")); | ||
2031 | printf (" %s\n", "-b, --proxy-authorization=AUTH_PAIR"); | ||
2032 | printf (" %s\n", _("Username:password on proxy-servers with basic authentication")); | ||
2033 | printf (" %s\n", "-A, --useragent=STRING"); | ||
2034 | printf (" %s\n", _("String to be sent in http header as \"User Agent\"")); | ||
2035 | printf (" %s\n", "-k, --header=STRING"); | ||
2036 | printf (" %s\n", _("Any other tags to be sent in http header. Use multiple times for additional headers")); | ||
2037 | printf (" %s\n", "-E, --extended-perfdata"); | ||
2038 | printf (" %s\n", _("Print additional performance data")); | ||
2039 | printf (" %s\n", "-B, --show-body"); | ||
2040 | printf (" %s\n", _("Print body content below status line")); | ||
2041 | printf (" %s\n", "-L, --link"); | ||
2042 | printf (" %s\n", _("Wrap output in HTML link (obsoleted by urlize)")); | ||
2043 | printf (" %s\n", "-f, --onredirect=<ok|warning|critical|follow|sticky|stickyport|curl>"); | ||
2044 | printf (" %s\n", _("How to handle redirected pages. sticky is like follow but stick to the")); | ||
2045 | printf (" %s\n", _("specified IP address. stickyport also ensures port stays the same.")); | ||
2046 | printf (" %s\n", _("follow uses the old redirection algorithm of check_http.")); | ||
2047 | printf (" %s\n", _("curl uses CURL_FOLLOWLOCATION built into libcurl.")); | ||
2048 | printf (" %s\n", "--max-redirs=INTEGER"); | ||
2049 | printf (" %s", _("Maximal number of redirects (default: ")); | ||
2050 | printf ("%d)\n", DEFAULT_MAX_REDIRS); | ||
2051 | printf (" %s\n", "-m, --pagesize=INTEGER<:INTEGER>"); | ||
2052 | printf (" %s\n", _("Minimum page size required (bytes) : Maximum page size required (bytes)")); | ||
2053 | printf ("\n"); | ||
2054 | printf (" %s\n", "--http-version=VERSION"); | ||
2055 | printf (" %s\n", _("Connect via specific HTTP protocol.")); | ||
2056 | printf (" %s\n", _("1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)")); | ||
2057 | printf (" %s\n", "--enable-automatic-decompression"); | ||
2058 | printf (" %s\n", _("Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING).")); | ||
2059 | printf (" %s\n", "---cookie-jar=FILE"); | ||
2060 | printf (" %s\n", _("Store cookies in the cookie jar and send them out when requested.")); | ||
2061 | printf ("\n"); | ||
2062 | |||
2063 | printf (UT_WARN_CRIT); | ||
2064 | |||
2065 | printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT); | ||
2066 | |||
2067 | printf (UT_VERBOSE); | ||
2068 | |||
2069 | printf ("\n"); | ||
2070 | printf ("%s\n", _("Notes:")); | ||
2071 | printf (" %s\n", _("This plugin will attempt to open an HTTP connection with the host.")); | ||
2072 | printf (" %s\n", _("Successful connects return STATE_OK, refusals and timeouts return STATE_CRITICAL")); | ||
2073 | printf (" %s\n", _("other errors return STATE_UNKNOWN. Successful connects, but incorrect response")); | ||
2074 | printf (" %s\n", _("messages from the host result in STATE_WARNING return values. If you are")); | ||
2075 | printf (" %s\n", _("checking a virtual server that uses 'host headers' you must supply the FQDN")); | ||
2076 | printf (" %s\n", _("(fully qualified domain name) as the [host_name] argument.")); | ||
2077 | |||
2078 | #ifdef LIBCURL_FEATURE_SSL | ||
2079 | printf ("\n"); | ||
2080 | printf (" %s\n", _("This plugin can also check whether an SSL enabled web server is able to")); | ||
2081 | printf (" %s\n", _("serve content (optionally within a specified time) or whether the X509 ")); | ||
2082 | printf (" %s\n", _("certificate is still valid for the specified number of days.")); | ||
2083 | printf ("\n"); | ||
2084 | printf (" %s\n", _("Please note that this plugin does not check if the presented server")); | ||
2085 | printf (" %s\n", _("certificate matches the hostname of the server, or if the certificate")); | ||
2086 | printf (" %s\n", _("has a valid chain of trust to one of the locally installed CAs.")); | ||
2087 | printf ("\n"); | ||
2088 | printf ("%s\n", _("Examples:")); | ||
2089 | printf (" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com"); | ||
2090 | printf (" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,")); | ||
2091 | printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds")); | ||
2092 | printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,")); | ||
2093 | printf (" %s\n", _("a STATE_CRITICAL will be returned.")); | ||
2094 | printf ("\n"); | ||
2095 | printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14"); | ||
2096 | printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,")); | ||
2097 | printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); | ||
2098 | printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); | ||
2099 | printf (" %s\n\n", _("the certificate is expired.")); | ||
2100 | printf ("\n"); | ||
2101 | printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14"); | ||
2102 | printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); | ||
2103 | printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); | ||
2104 | printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned.")); | ||
2105 | printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days")); | ||
2106 | #endif | ||
2107 | |||
2108 | printf ("\n %s\n", "CHECK WEBSERVER CONTENT VIA PROXY:"); | ||
2109 | printf (" %s\n", _("It is recommended to use an environment proxy like:")); | ||
2110 | printf (" %s\n", _("http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org")); | ||
2111 | printf (" %s\n", _("legacy proxy requests in check_http style still work:")); | ||
2112 | printf (" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u http://www.monitoring-plugins.org/ -H www.monitoring-plugins.org")); | ||
2113 | |||
2114 | #ifdef LIBCURL_FEATURE_SSL | ||
2115 | printf ("\n %s\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: "); | ||
2116 | printf (" %s\n", _("It is recommended to use an environment proxy like:")); | ||
2117 | printf (" %s\n", _("https_proxy=http://192.168.100.35:3128 ./check_curl -H www.verisign.com -S")); | ||
2118 | printf (" %s\n", _("legacy proxy requests in check_http style still work:")); | ||
2119 | printf (" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com ")); | ||
2120 | printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>")); | ||
2121 | printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds")); | ||
2122 | printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,")); | ||
2123 | printf (" %s\n", _("a STATE_CRITICAL will be returned.")); | ||
2124 | |||
2125 | #endif | ||
2126 | |||
2127 | printf (UT_SUPPORT); | ||
2128 | |||
2129 | } | ||
2130 | |||
2131 | |||
2132 | |||
2133 | void | ||
2134 | print_usage (void) | ||
2135 | { | ||
2136 | printf ("%s\n", _("Usage:")); | ||
2137 | printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname); | ||
2138 | printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>] [-D]\n"); | ||
2139 | printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n"); | ||
2140 | printf (" [-b proxy_auth] [-f <ok|warning|critical|follow|sticky|stickyport|curl>]\n"); | ||
2141 | printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n"); | ||
2142 | printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n"); | ||
2143 | printf (" [-A string] [-k string] [-S <version>] [--sni]\n"); | ||
2144 | printf (" [-T <content-type>] [-j method]\n"); | ||
2145 | printf (" [--http-version=<version>] [--enable-automatic-decompression]\n"); | ||
2146 | printf (" [--cookie-jar=<cookie jar file>\n"); | ||
2147 | printf (" %s -H <vhost> | -I <IP-address> -C <warn_age>[,<crit_age>]\n",progname); | ||
2148 | printf (" [-p <port>] [-t <timeout>] [-4|-6] [--sni]\n"); | ||
2149 | printf ("\n"); | ||
2150 | #ifdef LIBCURL_FEATURE_SSL | ||
2151 | printf ("%s\n", _("In the first form, make an HTTP request.")); | ||
2152 | printf ("%s\n\n", _("In the second form, connect to the server and check the TLS certificate.")); | ||
2153 | #endif | ||
2154 | printf ("%s\n", _("WARNING: check_curl is experimental. Please use")); | ||
2155 | printf ("%s\n\n", _("check_http if you need a stable version.")); | ||
2156 | } | ||
2157 | |||
2158 | void | ||
2159 | print_curl_version (void) | ||
2160 | { | ||
2161 | printf( "%s\n", curl_version()); | ||
2162 | } | ||
2163 | |||
2164 | int | ||
2165 | curlhelp_initwritebuffer (curlhelp_write_curlbuf *buf) | ||
2166 | { | ||
2167 | buf->bufsize = DEFAULT_BUFFER_SIZE; | ||
2168 | buf->buflen = 0; | ||
2169 | buf->buf = (char *)malloc ((size_t)buf->bufsize); | ||
2170 | if (buf->buf == NULL) return -1; | ||
2171 | return 0; | ||
2172 | } | ||
2173 | |||
2174 | int | ||
2175 | curlhelp_buffer_write_callback (void *buffer, size_t size, size_t nmemb, void *stream) | ||
2176 | { | ||
2177 | curlhelp_write_curlbuf *buf = (curlhelp_write_curlbuf *)stream; | ||
2178 | |||
2179 | while (buf->bufsize < buf->buflen + size * nmemb + 1) { | ||
2180 | buf->bufsize = buf->bufsize * 2; | ||
2181 | buf->buf = (char *)realloc (buf->buf, buf->bufsize); | ||
2182 | if (buf->buf == NULL) { | ||
2183 | fprintf(stderr, "malloc failed (%d) %s\n", errno, strerror(errno)); | ||
2184 | return -1; | ||
2185 | } | ||
2186 | } | ||
2187 | |||
2188 | memcpy (buf->buf + buf->buflen, buffer, size * nmemb); | ||
2189 | buf->buflen += size * nmemb; | ||
2190 | buf->buf[buf->buflen] = '\0'; | ||
2191 | |||
2192 | return (int)(size * nmemb); | ||
2193 | } | ||
2194 | |||
2195 | int | ||
2196 | curlhelp_buffer_read_callback (void *buffer, size_t size, size_t nmemb, void *stream) | ||
2197 | { | ||
2198 | curlhelp_read_curlbuf *buf = (curlhelp_read_curlbuf *)stream; | ||
2199 | |||
2200 | size_t n = min (nmemb * size, buf->buflen - buf->pos); | ||
2201 | |||
2202 | memcpy (buffer, buf->buf + buf->pos, n); | ||
2203 | buf->pos += n; | ||
2204 | |||
2205 | return (int)n; | ||
2206 | } | ||
2207 | |||
2208 | void | ||
2209 | curlhelp_freewritebuffer (curlhelp_write_curlbuf *buf) | ||
2210 | { | ||
2211 | free (buf->buf); | ||
2212 | buf->buf = NULL; | ||
2213 | } | ||
2214 | |||
2215 | int | ||
2216 | curlhelp_initreadbuffer (curlhelp_read_curlbuf *buf, const char *data, size_t datalen) | ||
2217 | { | ||
2218 | buf->buflen = datalen; | ||
2219 | buf->buf = (char *)malloc ((size_t)buf->buflen); | ||
2220 | if (buf->buf == NULL) return -1; | ||
2221 | memcpy (buf->buf, data, datalen); | ||
2222 | buf->pos = 0; | ||
2223 | return 0; | ||
2224 | } | ||
2225 | |||
2226 | void | ||
2227 | curlhelp_freereadbuffer (curlhelp_read_curlbuf *buf) | ||
2228 | { | ||
2229 | free (buf->buf); | ||
2230 | buf->buf = NULL; | ||
2231 | } | ||
2232 | |||
2233 | /* TODO: where to put this, it's actually part of sstrings2 (logically)? | ||
2234 | */ | ||
2235 | const char* | ||
2236 | strrstr2(const char *haystack, const char *needle) | ||
2237 | { | ||
2238 | int counter; | ||
2239 | size_t len; | ||
2240 | const char *prev_pos; | ||
2241 | const char *pos; | ||
2242 | |||
2243 | if (haystack == NULL || needle == NULL) | ||
2244 | return NULL; | ||
2245 | |||
2246 | if (haystack[0] == '\0' || needle[0] == '\0') | ||
2247 | return NULL; | ||
2248 | |||
2249 | counter = 0; | ||
2250 | prev_pos = NULL; | ||
2251 | pos = haystack; | ||
2252 | len = strlen (needle); | ||
2253 | for (;;) { | ||
2254 | pos = strstr (pos, needle); | ||
2255 | if (pos == NULL) { | ||
2256 | if (counter == 0) | ||
2257 | return NULL; | ||
2258 | else | ||
2259 | return prev_pos; | ||
2260 | } | ||
2261 | counter++; | ||
2262 | prev_pos = pos; | ||
2263 | pos += len; | ||
2264 | if (*pos == '\0') return prev_pos; | ||
2265 | } | ||
2266 | } | ||
2267 | |||
2268 | int | ||
2269 | curlhelp_parse_statusline (const char *buf, curlhelp_statusline *status_line) | ||
2270 | { | ||
2271 | char *first_line_end; | ||
2272 | char *p; | ||
2273 | size_t first_line_len; | ||
2274 | char *pp; | ||
2275 | const char *start; | ||
2276 | char *first_line_buf; | ||
2277 | |||
2278 | /* find last start of a new header */ | ||
2279 | start = strrstr2 (buf, "\r\nHTTP/"); | ||
2280 | if (start != NULL) { | ||
2281 | start += 2; | ||
2282 | buf = start; | ||
2283 | } | ||
2284 | |||
2285 | first_line_end = strstr(buf, "\r\n"); | ||
2286 | if (first_line_end == NULL) return -1; | ||
2287 | |||
2288 | first_line_len = (size_t)(first_line_end - buf); | ||
2289 | status_line->first_line = (char *)malloc (first_line_len + 1); | ||
2290 | if (status_line->first_line == NULL) return -1; | ||
2291 | memcpy (status_line->first_line, buf, first_line_len); | ||
2292 | status_line->first_line[first_line_len] = '\0'; | ||
2293 | first_line_buf = strdup( status_line->first_line ); | ||
2294 | |||
2295 | /* protocol and version: "HTTP/x.x" SP or "HTTP/2" SP */ | ||
2296 | |||
2297 | p = strtok(first_line_buf, "/"); | ||
2298 | if( p == NULL ) { free( first_line_buf ); return -1; } | ||
2299 | if( strcmp( p, "HTTP" ) != 0 ) { free( first_line_buf ); return -1; } | ||
2300 | |||
2301 | p = strtok( NULL, " " ); | ||
2302 | if( p == NULL ) { free( first_line_buf ); return -1; } | ||
2303 | if( strchr( p, '.' ) != NULL ) { | ||
2304 | |||
2305 | /* HTTP 1.x case */ | ||
2306 | strtok( p, "." ); | ||
2307 | status_line->http_major = (int)strtol( p, &pp, 10 ); | ||
2308 | if( *pp != '\0' ) { free( first_line_buf ); return -1; } | ||
2309 | strtok( NULL, " " ); | ||
2310 | status_line->http_minor = (int)strtol( p, &pp, 10 ); | ||
2311 | if( *pp != '\0' ) { free( first_line_buf ); return -1; } | ||
2312 | p += 4; /* 1.x SP */ | ||
2313 | } else { | ||
2314 | /* HTTP 2 case */ | ||
2315 | status_line->http_major = (int)strtol( p, &pp, 10 ); | ||
2316 | status_line->http_minor = 0; | ||
2317 | p += 2; /* 2 SP */ | ||
2318 | } | ||
2319 | |||
2320 | /* status code: "404" or "404.1", then SP */ | ||
2321 | |||
2322 | p = strtok( p, " " ); | ||
2323 | if( p == NULL ) { free( first_line_buf ); return -1; } | ||
2324 | if( strchr( p, '.' ) != NULL ) { | ||
2325 | char *ppp; | ||
2326 | ppp = strtok( p, "." ); | ||
2327 | status_line->http_code = (int)strtol( ppp, &pp, 10 ); | ||
2328 | if( *pp != '\0' ) { free( first_line_buf ); return -1; } | ||
2329 | ppp = strtok( NULL, "" ); | ||
2330 | status_line->http_subcode = (int)strtol( ppp, &pp, 10 ); | ||
2331 | if( *pp != '\0' ) { free( first_line_buf ); return -1; } | ||
2332 | p += 6; /* 400.1 SP */ | ||
2333 | } else { | ||
2334 | status_line->http_code = (int)strtol( p, &pp, 10 ); | ||
2335 | status_line->http_subcode = -1; | ||
2336 | if( *pp != '\0' ) { free( first_line_buf ); return -1; } | ||
2337 | p += 4; /* 400 SP */ | ||
2338 | } | ||
2339 | |||
2340 | /* Human readable message: "Not Found" CRLF */ | ||
2341 | |||
2342 | p = strtok( p, "" ); | ||
2343 | if( p == NULL ) { status_line->msg = ""; return 0; } | ||
2344 | status_line->msg = status_line->first_line + ( p - first_line_buf ); | ||
2345 | free( first_line_buf ); | ||
2346 | |||
2347 | return 0; | ||
2348 | } | ||
2349 | |||
2350 | void | ||
2351 | curlhelp_free_statusline (curlhelp_statusline *status_line) | ||
2352 | { | ||
2353 | free (status_line->first_line); | ||
2354 | } | ||
2355 | |||
2356 | void | ||
2357 | remove_newlines (char *s) | ||
2358 | { | ||
2359 | char *p; | ||
2360 | |||
2361 | for (p = s; *p != '\0'; p++) | ||
2362 | if (*p == '\r' || *p == '\n') | ||
2363 | *p = ' '; | ||
2364 | } | ||
2365 | |||
2366 | char * | ||
2367 | get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header) | ||
2368 | { | ||
2369 | int i; | ||
2370 | for( i = 0; i < nof_headers; i++ ) { | ||
2371 | if(headers[i].name != NULL && strncasecmp( header, headers[i].name, max( headers[i].name_len, 4 ) ) == 0 ) { | ||
2372 | return strndup( headers[i].value, headers[i].value_len ); | ||
2373 | } | ||
2374 | } | ||
2375 | return NULL; | ||
2376 | } | ||
2377 | |||
2378 | int | ||
2379 | check_document_dates (const curlhelp_write_curlbuf *header_buf, char (*msg)[DEFAULT_BUFFER_SIZE]) | ||
2380 | { | ||
2381 | char *server_date = NULL; | ||
2382 | char *document_date = NULL; | ||
2383 | int date_result = STATE_OK; | ||
2384 | curlhelp_statusline status_line; | ||
2385 | struct phr_header headers[255]; | ||
2386 | size_t nof_headers = 255; | ||
2387 | size_t msglen; | ||
2388 | |||
2389 | int res = phr_parse_response (header_buf->buf, header_buf->buflen, | ||
2390 | &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen, | ||
2391 | headers, &nof_headers, 0); | ||
2392 | |||
2393 | server_date = get_header_value (headers, nof_headers, "date"); | ||
2394 | document_date = get_header_value (headers, nof_headers, "last-modified"); | ||
2395 | |||
2396 | if (!server_date || !*server_date) { | ||
2397 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
2398 | |||
2399 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sServer date unknown, "), *msg); | ||
2400 | strcpy(*msg, tmp); | ||
2401 | |||
2402 | date_result = max_state_alt(STATE_UNKNOWN, date_result); | ||
2403 | |||
2404 | } else if (!document_date || !*document_date) { | ||
2405 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
2406 | |||
2407 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sDocument modification date unknown, "), *msg); | ||
2408 | strcpy(*msg, tmp); | ||
2409 | |||
2410 | date_result = max_state_alt(STATE_CRITICAL, date_result); | ||
2411 | |||
2412 | } else { | ||
2413 | time_t srv_data = curl_getdate (server_date, NULL); | ||
2414 | time_t doc_data = curl_getdate (document_date, NULL); | ||
2415 | if (verbose >= 2) | ||
2416 | printf ("* server date: '%s' (%d), doc_date: '%s' (%d)\n", server_date, (int)srv_data, document_date, (int)doc_data); | ||
2417 | if (srv_data <= 0) { | ||
2418 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
2419 | |||
2420 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sServer date \"%100s\" unparsable, "), *msg, server_date); | ||
2421 | strcpy(*msg, tmp); | ||
2422 | |||
2423 | date_result = max_state_alt(STATE_CRITICAL, date_result); | ||
2424 | } else if (doc_data <= 0) { | ||
2425 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
2426 | |||
2427 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sDocument date \"%100s\" unparsable, "), *msg, document_date); | ||
2428 | strcpy(*msg, tmp); | ||
2429 | |||
2430 | date_result = max_state_alt(STATE_CRITICAL, date_result); | ||
2431 | } else if (doc_data > srv_data + 30) { | ||
2432 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
2433 | |||
2434 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sDocument is %d seconds in the future, "), *msg, (int)doc_data - (int)srv_data); | ||
2435 | strcpy(*msg, tmp); | ||
2436 | |||
2437 | date_result = max_state_alt(STATE_CRITICAL, date_result); | ||
2438 | } else if (doc_data < srv_data - maximum_age) { | ||
2439 | int n = (srv_data - doc_data); | ||
2440 | if (n > (60 * 60 * 24 * 2)) { | ||
2441 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
2442 | |||
2443 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sLast modified %.1f days ago, "), *msg, ((float) n) / (60 * 60 * 24)); | ||
2444 | strcpy(*msg, tmp); | ||
2445 | |||
2446 | date_result = max_state_alt(STATE_CRITICAL, date_result); | ||
2447 | } else { | ||
2448 | char tmp[DEFAULT_BUFFER_SIZE]; | ||
2449 | |||
2450 | snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sLast modified %d:%02d:%02d ago, "), *msg, n / (60 * 60), (n / 60) % 60, n % 60); | ||
2451 | strcpy(*msg, tmp); | ||
2452 | |||
2453 | date_result = max_state_alt(STATE_CRITICAL, date_result); | ||
2454 | } | ||
2455 | } | ||
2456 | } | ||
2457 | |||
2458 | if (server_date) free (server_date); | ||
2459 | if (document_date) free (document_date); | ||
2460 | |||
2461 | return date_result; | ||
2462 | } | ||
2463 | |||
2464 | |||
2465 | int | ||
2466 | get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf) | ||
2467 | { | ||
2468 | const char *s; | ||
2469 | int content_length = 0; | ||
2470 | char *copy; | ||
2471 | struct phr_header headers[255]; | ||
2472 | size_t nof_headers = 255; | ||
2473 | size_t msglen; | ||
2474 | char *content_length_s = NULL; | ||
2475 | curlhelp_statusline status_line; | ||
2476 | |||
2477 | int res = phr_parse_response (header_buf->buf, header_buf->buflen, | ||
2478 | &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen, | ||
2479 | headers, &nof_headers, 0); | ||
2480 | |||
2481 | content_length_s = get_header_value (headers, nof_headers, "content-length"); | ||
2482 | if (!content_length_s) { | ||
2483 | return header_buf->buflen + body_buf->buflen; | ||
2484 | } | ||
2485 | content_length_s += strspn (content_length_s, " \t"); | ||
2486 | content_length = atoi (content_length_s); | ||
2487 | if (content_length != body_buf->buflen) { | ||
2488 | /* TODO: should we warn if the actual and the reported body length don't match? */ | ||
2489 | } | ||
2490 | |||
2491 | if (content_length_s) free (content_length_s); | ||
2492 | |||
2493 | return header_buf->buflen + body_buf->buflen; | ||
2494 | } | ||
2495 | |||
2496 | /* TODO: is there a better way in libcurl to check for the SSL library? */ | ||
2497 | curlhelp_ssl_library | ||
2498 | curlhelp_get_ssl_library () | ||
2499 | { | ||
2500 | curl_version_info_data* version_data; | ||
2501 | char *ssl_version; | ||
2502 | char *library; | ||
2503 | curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN; | ||
2504 | |||
2505 | version_data = curl_version_info (CURLVERSION_NOW); | ||
2506 | if (version_data == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN; | ||
2507 | |||
2508 | ssl_version = strdup (version_data->ssl_version); | ||
2509 | if (ssl_version == NULL ) return CURLHELP_SSL_LIBRARY_UNKNOWN; | ||
2510 | |||
2511 | library = strtok (ssl_version, "/"); | ||
2512 | if (library == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN; | ||
2513 | |||
2514 | if (strcmp (library, "OpenSSL") == 0) | ||
2515 | ssl_library = CURLHELP_SSL_LIBRARY_OPENSSL; | ||
2516 | else if (strcmp (library, "LibreSSL") == 0) | ||
2517 | ssl_library = CURLHELP_SSL_LIBRARY_LIBRESSL; | ||
2518 | else if (strcmp (library, "GnuTLS") == 0) | ||
2519 | ssl_library = CURLHELP_SSL_LIBRARY_GNUTLS; | ||
2520 | else if (strcmp (library, "NSS") == 0) | ||
2521 | ssl_library = CURLHELP_SSL_LIBRARY_NSS; | ||
2522 | |||
2523 | if (verbose >= 2) | ||
2524 | printf ("* SSL library string is : %s %s (%d)\n", version_data->ssl_version, library, ssl_library); | ||
2525 | |||
2526 | free (ssl_version); | ||
2527 | |||
2528 | return ssl_library; | ||
2529 | } | ||
2530 | |||
2531 | const char* | ||
2532 | curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library) | ||
2533 | { | ||
2534 | switch (ssl_library) { | ||
2535 | case CURLHELP_SSL_LIBRARY_OPENSSL: | ||
2536 | return "OpenSSL"; | ||
2537 | case CURLHELP_SSL_LIBRARY_LIBRESSL: | ||
2538 | return "LibreSSL"; | ||
2539 | case CURLHELP_SSL_LIBRARY_GNUTLS: | ||
2540 | return "GnuTLS"; | ||
2541 | case CURLHELP_SSL_LIBRARY_NSS: | ||
2542 | return "NSS"; | ||
2543 | case CURLHELP_SSL_LIBRARY_UNKNOWN: | ||
2544 | default: | ||
2545 | return "unknown"; | ||
2546 | } | ||
2547 | } | ||
2548 | |||
2549 | #ifdef LIBCURL_FEATURE_SSL | ||
2550 | #ifndef USE_OPENSSL | ||
2551 | time_t | ||
2552 | parse_cert_date (const char *s) | ||
2553 | { | ||
2554 | struct tm tm; | ||
2555 | time_t date; | ||
2556 | char *res; | ||
2557 | |||
2558 | if (!s) return -1; | ||
2559 | |||
2560 | /* Jan 17 14:25:12 2020 GMT */ | ||
2561 | res = strptime (s, "%Y-%m-%d %H:%M:%S GMT", &tm); | ||
2562 | /* Sep 11 12:00:00 2020 GMT */ | ||
2563 | if (res == NULL) strptime (s, "%Y %m %d %H:%M:%S GMT", &tm); | ||
2564 | date = mktime (&tm); | ||
2565 | |||
2566 | return date; | ||
2567 | } | ||
2568 | |||
2569 | /* TODO: this needs cleanup in the sslutils.c, maybe we the #else case to | ||
2570 | * OpenSSL could be this function | ||
2571 | */ | ||
2572 | int | ||
2573 | net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit) | ||
2574 | { | ||
2575 | int i; | ||
2576 | struct curl_slist* slist; | ||
2577 | int cname_found = 0; | ||
2578 | char* start_date_str = NULL; | ||
2579 | char* end_date_str = NULL; | ||
2580 | time_t start_date; | ||
2581 | time_t end_date; | ||
2582 | char *tz; | ||
2583 | float time_left; | ||
2584 | int days_left; | ||
2585 | int time_remaining; | ||
2586 | char timestamp[50] = ""; | ||
2587 | int status = STATE_UNKNOWN; | ||
2588 | |||
2589 | if (verbose >= 2) | ||
2590 | printf ("**** REQUEST CERTIFICATES ****\n"); | ||
2591 | |||
2592 | for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) { | ||
2593 | for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) { | ||
2594 | /* find first common name in subject, | ||
2595 | * TODO: check alternative subjects for | ||
2596 | * TODO: have a decent parser here and not a hack | ||
2597 | * multi-host certificate, check wildcards | ||
2598 | */ | ||
2599 | if (strncasecmp (slist->data, "Subject:", 8) == 0) { | ||
2600 | int d = 3; | ||
2601 | char* p = strstr (slist->data, "CN="); | ||
2602 | if (p == NULL) { | ||
2603 | d = 5; | ||
2604 | p = strstr (slist->data, "CN = "); | ||
2605 | } | ||
2606 | if (p != NULL) { | ||
2607 | if (strncmp (host_name, p+d, strlen (host_name)) == 0) { | ||
2608 | cname_found = 1; | ||
2609 | } | ||
2610 | } | ||
2611 | } else if (strncasecmp (slist->data, "Start Date:", 11) == 0) { | ||
2612 | start_date_str = &slist->data[11]; | ||
2613 | } else if (strncasecmp (slist->data, "Expire Date:", 12) == 0) { | ||
2614 | end_date_str = &slist->data[12]; | ||
2615 | } else if (strncasecmp (slist->data, "Cert:", 5) == 0) { | ||
2616 | goto HAVE_FIRST_CERT; | ||
2617 | } | ||
2618 | if (verbose >= 2) | ||
2619 | printf ("%d ** %s\n", i, slist->data); | ||
2620 | } | ||
2621 | } | ||
2622 | HAVE_FIRST_CERT: | ||
2623 | |||
2624 | if (verbose >= 2) | ||
2625 | printf ("**** REQUEST CERTIFICATES ****\n"); | ||
2626 | |||
2627 | if (!cname_found) { | ||
2628 | printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); | ||
2629 | return STATE_CRITICAL; | ||
2630 | } | ||
2631 | |||
2632 | start_date = parse_cert_date (start_date_str); | ||
2633 | if (start_date <= 0) { | ||
2634 | snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Start Date' in certificate: '%s'"), | ||
2635 | start_date_str); | ||
2636 | puts (msg); | ||
2637 | return STATE_WARNING; | ||
2638 | } | ||
2639 | |||
2640 | end_date = parse_cert_date (end_date_str); | ||
2641 | if (end_date <= 0) { | ||
2642 | snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Expire Date' in certificate: '%s'"), | ||
2643 | start_date_str); | ||
2644 | puts (msg); | ||
2645 | return STATE_WARNING; | ||
2646 | } | ||
2647 | |||
2648 | time_left = difftime (end_date, time(NULL)); | ||
2649 | days_left = time_left / 86400; | ||
2650 | tz = getenv("TZ"); | ||
2651 | setenv("TZ", "GMT", 1); | ||
2652 | tzset(); | ||
2653 | strftime(timestamp, 50, "%c %z", localtime(&end_date)); | ||
2654 | if (tz) | ||
2655 | setenv("TZ", tz, 1); | ||
2656 | else | ||
2657 | unsetenv("TZ"); | ||
2658 | tzset(); | ||
2659 | |||
2660 | if (days_left > 0 && days_left <= days_till_exp_warn) { | ||
2661 | printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, days_left, timestamp); | ||
2662 | if (days_left > days_till_exp_crit) | ||
2663 | status = STATE_WARNING; | ||
2664 | else | ||
2665 | status = STATE_CRITICAL; | ||
2666 | } else if (days_left == 0 && time_left > 0) { | ||
2667 | if (time_left >= 3600) | ||
2668 | time_remaining = (int) time_left / 3600; | ||
2669 | else | ||
2670 | time_remaining = (int) time_left / 60; | ||
2671 | |||
2672 | printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"), | ||
2673 | (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", host_name, time_remaining, | ||
2674 | time_left >= 3600 ? "hours" : "minutes", timestamp); | ||
2675 | |||
2676 | if ( days_left > days_till_exp_crit) | ||
2677 | status = STATE_WARNING; | ||
2678 | else | ||
2679 | status = STATE_CRITICAL; | ||
2680 | } else if (time_left < 0) { | ||
2681 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), host_name, timestamp); | ||
2682 | status=STATE_CRITICAL; | ||
2683 | } else if (days_left == 0) { | ||
2684 | printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, timestamp); | ||
2685 | if (days_left > days_till_exp_crit) | ||
2686 | status = STATE_WARNING; | ||
2687 | else | ||
2688 | status = STATE_CRITICAL; | ||
2689 | } else { | ||
2690 | printf(_("OK - Certificate '%s' will expire on %s.\n"), host_name, timestamp); | ||
2691 | status = STATE_OK; | ||
2692 | } | ||
2693 | return status; | ||
2694 | } | ||
2695 | #endif /* USE_OPENSSL */ | ||
2696 | #endif /* LIBCURL_FEATURE_SSL */ | ||