4 files changed, 163 insertions, 161 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 01e2770..d3bddac 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -214,6 +214,7 @@ char *client_privkey = NULL;
 char *ca_cert = NULL;
 bool verify_peer_and_host = false;
 bool is_openssl_callback = false;
+bool add_sslctx_verify_fun = false;
 #if defined(HAVE_SSL) && defined(USE_OPENSSL)
 X509 *cert = NULL;
 #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
@@ -299,7 +300,7 @@ main (int argc, char **argv)
 int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
-        (void) preverify_ok;
+  (void) preverify_ok;
  /* TODO: we get all certificates of the chain, so which ones
   * should we test?
   * TODO: is the last certificate always the server certificate?
@@ -324,9 +325,18 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
 {
-        (void) curl; // ignore unused parameter
+  (void) curl; // ignore unused parameter
-        (void) parm; // ignore unused parameter
+  (void) parm; // ignore unused parameter
-  SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
+  if(add_sslctx_verify_fun) {
+    SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
+  }
+  // workaround for issue:
+  // OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
+  // see discussion https://github.com/openssl/openssl/discussions/22690
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+  SSL_CTX_set_options(sslctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
  return CURLE_OK;
 }
@@ -468,6 +478,7 @@ int
 check_http (void)
 {
  int result = STATE_OK;
+  int result_ssl = STATE_OK;
  int page_len = 0;
  int i;
  char *force_host_header = NULL;
@@ -677,9 +688,8 @@ check_http (void)
         * OpenSSL-style libraries only!) */
 #ifdef USE_OPENSSL
        /* libcurl and monitoring plugins built with OpenSSL, good */
-        handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
+        add_sslctx_verify_fun = true;
        is_openssl_callback = true;
-#else /* USE_OPENSSL */
 #endif /* USE_OPENSSL */
        /* libcurl is built with OpenSSL, monitoring plugins, so falling
         * back to manually extracting certificate information */
@@ -712,12 +722,18 @@ check_http (void)
 #else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
    /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
    if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
-      handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
+      add_sslctx_verify_fun = true;
    else
      die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
 #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
  }
+#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 10, 6) /* required for CURLOPT_SSL_CTX_FUNCTION */
+  // ssl ctx function is not available with all ssl backends
+  if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, NULL) != CURLE_UNKNOWN_OPTION)
+    handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
+#endif
 #endif /* LIBCURL_FEATURE_SSL */
  /* set default or user-given user agent identification */
@@ -852,9 +868,9 @@ check_http (void)
        /* check certificate with OpenSSL functions, curl has been built against OpenSSL
         * and we actually have OpenSSL in the monitoring tools
         */
-        result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+        result_ssl = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
        if (!continue_after_check_cert) {
-          return result;
+          return result_ssl;
        }
 #else /* USE_OPENSSL */
        die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
@@ -898,17 +914,17 @@ GOT_FIRST_CERT:
                                                die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
          }
          BIO_free (cert_BIO);
-          result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
+          result_ssl = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
          if (!continue_after_check_cert) {
-            return result;
+            return result_ssl;
          }
 #else /* USE_OPENSSL */
          /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
           * so we use the libcurl CURLINFO data
           */
-          result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
+          result_ssl = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
          if (!continue_after_check_cert) {
-            return result;
+            return result_ssl;
          }
 #endif /* USE_OPENSSL */
        } else {
@@ -1176,7 +1192,7 @@ GOT_FIRST_CERT:
    }
  /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */
-  die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s",
+  die (max_state_alt(result, result_ssl), "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s",
    state_text(result), string_statuscode (status_line.http_major, status_line.http_minor),
    status_line.http_code, status_line.msg,
    strlen(msg) > 0 ? " - " : "",
@@ -1186,7 +1202,7 @@ GOT_FIRST_CERT:
    (show_body ? body_buf.buf : ""),
    (show_body ? "\n" : "") );
-  return result;
+  return max_state_alt(result, result_ssl);
 }
 int
@@ -1774,9 +1790,9 @@ process_arguments (int argc, char **argv)
      invert_regex = true;
      break;
    case STATE_REGEX:
-      if (!strcmp (optarg, "critical"))
+      if (!strcasecmp (optarg, "critical"))
        state_regex = STATE_CRITICAL;
-      else if (!strcmp (optarg, "warning"))
+      else if (!strcasecmp (optarg, "warning"))
        state_regex = STATE_WARNING;
      else usage2 (_("Invalid state-regex option"), optarg);
      break;
@@ -2007,8 +2023,11 @@ print_help (void)
  printf ("    %s\n", _("Note: SNI is not supported in libcurl before 7.18.1"));
 #endif
  printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
-  printf ("    %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
+  printf ("    %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443."));
-  printf ("    %s\n", _("(when this option is used the URL is not checked by default. You can use"));
+  printf ("    %s\n", _("A STATE_WARNING is returned if the certificate has a validity less than the"));
+  printf ("    %s\n", _("first agument's value. If there is a second argument and the certificate's"));
+  printf ("    %s\n", _("validity is less than its value, a STATE_CRITICAL is returned."));
+  printf ("    %s\n", _("(When this option is used the URL is not checked by default. You can use"));
  printf ("    %s\n", _(" --continue-after-certificate to override this behavior)"));
  printf (" %s\n", "--continue-after-certificate");
  printf ("    %s\n", _("Allows the HTTP check to continue after performing the certificate check."));
@@ -2057,8 +2076,8 @@ print_help (void)
  printf (" %s\n", "--invert-regex");
  printf ("    %s\n", _("Return STATE if found, OK if not (STATE is CRITICAL, per default)"));
  printf ("    %s\n", _("can be changed with --state--regex)"));
-  printf (" %s\n", "--regex-state=STATE");
+  printf (" %s\n", "--state-regex=STATE");
-  printf ("    %s\n", _("Return STATE if regex is found, OK if not\n"));
+  printf ("    %s\n", _("Return STATE if regex is found, OK if not. STATE can be one of \"critical\",\"warning\""));
  printf (" %s\n", "-a, --authorization=AUTH_PAIR");
  printf ("    %s\n", _("Username:password on sites with basic authentication"));
  printf (" %s\n", "-b, --proxy-authorization=AUTH_PAIR");
@@ -2091,7 +2110,7 @@ print_help (void)
  printf ("    %s\n", _("Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING)."));
  printf(" %s\n", "--haproxy-protocol");
  printf("    %s\n", _("Send HAProxy proxy protocol v1 header (CURLOPT_HAPROXYPROTOCOL)."));
-  printf (" %s\n", "---cookie-jar=FILE");
+  printf (" %s\n", "--cookie-jar=FILE");
  printf ("    %s\n", _("Store cookies in the cookie jar and send them out when requested."));
  printf ("\n");
@@ -2186,8 +2205,6 @@ print_usage (void)
  printf ("%s\n", _("In the first form, make an HTTP request."));
  printf ("%s\n\n", _("In the second form, connect to the server and check the TLS certificate."));
 #endif
-  printf ("%s\n", _("WARNING: check_curl is experimental. Please use"));
-  printf ("%s\n\n", _("check_http if you need a stable version."));
 }
 void
diff --git a/plugins/check_disk.c b/plugins/check_disk.c
index 24de2d4..b3dd301 100644
--- a/plugins/check_disk.c
+++ b/plugins/check_disk.c
@@ -119,44 +119,41 @@ enum
 #pragma alloca
 #endif
-int process_arguments (int, char **);
+static int process_arguments (int, char **);
-void print_path (const char *mypath);
+static void set_all_thresholds (struct parameter_list *path);
-void set_all_thresholds (struct parameter_list *path);
+static void print_help (void);
-int validate_arguments (uintmax_t, uintmax_t, double, double, double, double, char *);
-void print_help (void);
 void print_usage (void);
-double calculate_percent(uintmax_t, uintmax_t);
+static double calculate_percent(uintmax_t, uintmax_t);
-bool stat_path (struct parameter_list *p);
+static bool stat_path (struct parameter_list *p);
-void get_stats (struct parameter_list *p, struct fs_usage *fsp);
+static void get_stats (struct parameter_list *p, struct fs_usage *fsp);
-void get_path_stats (struct parameter_list *p, struct fs_usage *fsp);
+static void get_path_stats (struct parameter_list *p, struct fs_usage *fsp);
-char *exclude_device;
+static char *units;
-char *units;
+static uintmax_t mult = 1024 * 1024;
-uintmax_t mult = 1024 * 1024;
+static int verbose = 0;
-int verbose = 0;
+static bool erronly = false;
-bool erronly = false;
+static bool display_mntp = false;
-bool display_mntp = false;
+static bool exact_match = false;
-bool exact_match = false;
+static bool ignore_missing = false;
-bool ignore_missing = false;
+static bool freespace_ignore_reserved = false;
-bool freespace_ignore_reserved = false;
+static bool display_inodes_perfdata = false;
-bool display_inodes_perfdata = false;
+static char *warn_freespace_units = NULL;
-char *warn_freespace_units = NULL;
+static char *crit_freespace_units = NULL;
-char *crit_freespace_units = NULL;
+static char *warn_freespace_percent = NULL;
-char *warn_freespace_percent = NULL;
+static char *crit_freespace_percent = NULL;
-char *crit_freespace_percent = NULL;
+static char *warn_usedspace_units = NULL;
-char *warn_usedspace_units = NULL;
+static char *crit_usedspace_units = NULL;
-char *crit_usedspace_units = NULL;
+static char *warn_usedspace_percent = NULL;
-char *warn_usedspace_percent = NULL;
+static char *crit_usedspace_percent = NULL;
-char *crit_usedspace_percent = NULL;
+static char *warn_usedinodes_percent = NULL;
-char *warn_usedinodes_percent = NULL;
+static char *crit_usedinodes_percent = NULL;
-char *crit_usedinodes_percent = NULL;
+static char *warn_freeinodes_percent = NULL;
-char *warn_freeinodes_percent = NULL;
+static char *crit_freeinodes_percent = NULL;
-char *crit_freeinodes_percent = NULL;
+static bool path_selected = false;
-bool path_selected = false;
+static bool path_ignored = false;
-bool path_ignored = false;
+static char *group = NULL;
-char *group = NULL;
+static struct stat *stat_buf;
-struct stat *stat_buf;
+static struct name_list *seen = NULL;
-struct name_list *seen = NULL;
 int
@@ -899,18 +896,6 @@ process_arguments (int argc, char **argv)
  return true;
 }
-void
-print_path (const char *mypath)
-{
-  if (mypath == NULL)
-    printf ("\n");
-  else
-    printf (_(" for %s\n"), mypath);
-}
 void
 set_all_thresholds (struct parameter_list *path)
 {
diff --git a/plugins/check_mysql.c b/plugins/check_mysql.c
index 6a7daf1..15ec04c 100644
--- a/plugins/check_mysql.c
+++ b/plugins/check_mysql.c
@@ -59,8 +59,8 @@ bool ssl = false;
 char *opt_file = NULL;
 char *opt_group = NULL;
 unsigned int db_port = MYSQL_PORT;
-int check_slave = 0, warn_sec = 0, crit_sec = 0;
+bool check_slave = false;
-int ignore_auth = 0;
+bool ignore_auth = false;
 int verbose = 0;
 static double warning_time = 0;
@@ -456,10 +456,10 @@ process_arguments (int argc, char **argv)
                        db_port = atoi (optarg);
                        break;
                case 'S':
-                        check_slave = 1;                                                        /* check-slave */
+                        check_slave = true;                                                     /* check-slave */
                        break;
                case 'n':
-                        ignore_auth = 1;                                                        /* ignore-auth */
+                        ignore_auth = true;                                                     /* ignore-auth */
                        break;
                case 'w':
                        warning = optarg;
diff --git a/plugins/check_snmp.c b/plugins/check_snmp.c
index 295aa9b..90a0402 100644
--- a/plugins/check_snmp.c
+++ b/plugins/check_snmp.c
@@ -55,8 +55,6 @@ const char *email = "devel@monitoring-plugins.org";
 #define CRIT_STRING 2
 #define CRIT_REGEX 4
 #define WARN_PRESENT 8
-#define WARN_STRING 16
-#define WARN_REGEX 32
 #define OID_COUNT_STEP 8
@@ -86,82 +84,82 @@ const char *email = "devel@monitoring-plugins.org";
-int process_arguments (int, char **);
+static int process_arguments (int, char **);
-int validate_arguments (void);
+static int validate_arguments (void);
-char *thisarg (char *str);
+static char *thisarg (char *str);
-char *nextarg (char *str);
+static char *nextarg (char *str);
 void print_usage (void);
-void print_help (void);
+static void print_help (void);
-char *multiply (char *str);
+static char *multiply (char *str);
 #include "regex.h"
-char regex_expect[MAX_INPUT_BUFFER] = "";
+static char regex_expect[MAX_INPUT_BUFFER] = "";
-regex_t preg;
+static regex_t preg;
-regmatch_t pmatch[10];
+static regmatch_t pmatch[10];
-char errbuf[MAX_INPUT_BUFFER] = "";
+static char errbuf[MAX_INPUT_BUFFER] = "";
-char perfstr[MAX_INPUT_BUFFER] = "| ";
+static char perfstr[MAX_INPUT_BUFFER] = "| ";
-int cflags = REG_EXTENDED | REG_NOSUB | REG_NEWLINE;
+static int cflags = REG_EXTENDED | REG_NOSUB | REG_NEWLINE;
-int eflags = 0;
+static int eflags = 0;
-int errcode, excode;
+static int errcode, excode;
-char *server_address = NULL;
+static char *server_address = NULL;
-char *community = NULL;
+static char *community = NULL;
-char **contextargs = NULL;
+static char **contextargs = NULL;
-char *context = NULL;
+static char *context = NULL;
-char **authpriv = NULL;
+static char **authpriv = NULL;
-char *proto = NULL;
+static char *proto = NULL;
-char *seclevel = NULL;
+static char *seclevel = NULL;
-char *secname = NULL;
+static char *secname = NULL;
-char *authproto = NULL;
+static char *authproto = NULL;
-char *privproto = NULL;
+static char *privproto = NULL;
-char *authpasswd = NULL;
+static char *authpasswd = NULL;
-char *privpasswd = NULL;
+static char *privpasswd = NULL;
-int nulloid = STATE_UNKNOWN;
+static int nulloid = STATE_UNKNOWN;
-char **oids = NULL;
+static char **oids = NULL;
-size_t oids_size = 0;
+static size_t oids_size = 0;
-char *label;
+static char *label;
-char *units;
+static char *units;
-char *port;
+static char *port;
-char *snmpcmd;
+static char *snmpcmd;
-char string_value[MAX_INPUT_BUFFER] = "";
+static char string_value[MAX_INPUT_BUFFER] = "";
-int  invert_search=0;
+static int  invert_search=0;
-char **labels = NULL;
+static char **labels = NULL;
-char **unitv = NULL;
+static char **unitv = NULL;
-size_t nlabels = 0;
+static size_t nlabels = 0;
-size_t labels_size = OID_COUNT_STEP;
+static size_t labels_size = OID_COUNT_STEP;
-size_t nunits = 0;
+static size_t nunits = 0;
-size_t unitv_size = OID_COUNT_STEP;
+static size_t unitv_size = OID_COUNT_STEP;
-size_t numoids = 0;
+static size_t numoids = 0;
-int numauthpriv = 0;
+static int numauthpriv = 0;
-int numcontext = 0;
+static int numcontext = 0;
-int verbose = 0;
+static int verbose = 0;
-bool usesnmpgetnext = false;
+static bool usesnmpgetnext = false;
-char *warning_thresholds = NULL;
+static char *warning_thresholds = NULL;
-char *critical_thresholds = NULL;
+static char *critical_thresholds = NULL;
-thresholds **thlds;
+static thresholds **thlds;
-size_t thlds_size = OID_COUNT_STEP;
+static size_t thlds_size = OID_COUNT_STEP;
-double *response_value;
+static double *response_value;
-size_t response_size = OID_COUNT_STEP;
+static size_t response_size = OID_COUNT_STEP;
-int retries = 0;
+static int retries = 0;
-int *eval_method;
+static int *eval_method;
-size_t eval_size = OID_COUNT_STEP;
+static size_t eval_size = OID_COUNT_STEP;
-char *delimiter;
+static char *delimiter;
-char *output_delim;
+static char *output_delim;
-char *miblist = NULL;
+static char *miblist = NULL;
-bool needmibs = false;
+static bool needmibs = false;
-int calculate_rate = 0;
+static int calculate_rate = 0;
-double offset = 0.0;
+static double offset = 0.0;
-int rate_multiplier = 1;
+static int rate_multiplier = 1;
-state_data *previous_state;
+static state_data *previous_state;
-double *previous_value;
+static double *previous_value;
-size_t previous_size = OID_COUNT_STEP;
+static size_t previous_size = OID_COUNT_STEP;
-int perf_labels = 1;
+static int perf_labels = 1;
-char* ip_version = "";
+static char* ip_version = "";
-double multiplier = 1.0;
+static double multiplier = 1.0;
-char *fmtstr = "";
+static char *fmtstr = "";
-bool fmtstr_set = false;
+static bool fmtstr_set = false;
-char buffer[DEFAULT_BUFFER_SIZE];
+static char buffer[DEFAULT_BUFFER_SIZE];
-bool ignore_mib_parsing_errors = false;
+static bool ignore_mib_parsing_errors = false;
 static char *fix_snmp_range(char *th)
 {
@@ -1030,7 +1028,7 @@ selected.</para>
-int
+static int
 validate_arguments ()
 {
        /* check whether to load locally installed MIBS (CPU/disk intensive) */
@@ -1139,7 +1137,7 @@ validate_arguments ()
 /* trim leading whitespace
         if there is a leading quote, make sure it balances */
-char *
+static char *
 thisarg (char *str)
 {
        str += strspn (str, " \t\r\n"); /* trim any leading whitespace */
@@ -1156,7 +1154,7 @@ thisarg (char *str)
         set the trailing quote to '\x0'
         if the string continues, advance beyond the comma */
-char *
+static char *
 nextarg (char *str)
 {
        if (str[0] == '\'') {
@@ -1188,7 +1186,7 @@ nextarg (char *str)
 /* multiply result (values 0 < n < 1 work as divider) */
-char *
+static char *
 multiply (char *str)
 {
        char *endptr;
@@ -1225,7 +1223,7 @@ multiply (char *str)
 }
-void
+static void
 print_help (void)
 {
        print_revision (progname, NP_VERSION);
@@ -1253,10 +1251,12 @@ print_help (void)
        printf ("    %s\n", _("SNMPv3 context"));
        printf (" %s\n", "-L, --seclevel=[noAuthNoPriv|authNoPriv|authPriv]");
        printf ("    %s\n", _("SNMPv3 securityLevel"));
-        printf (" %s\n", "-a, --authproto=[MD5|SHA]");
+        printf (" %s\n", "-a, --authproto=AUTHENTICATION_PROTOCOL");
-        printf ("    %s\n", _("SNMPv3 auth proto"));
+        printf ("    %s\n", _("SNMPv3 authentication protocol (default MD5), available options depend on the specific version of the net-snmp tools"));
-        printf (" %s\n", "-x, --privproto=[DES|AES]");
+        printf ("    %s\n", _("if < 5.8 SHA (1) and MD5 should be available, if >= 5.8 additionally SHA-224, SHA-256, SHA-384 and SHA-512"));
-        printf ("    %s\n", _("SNMPv3 priv proto (default DES)"));
+        printf (" %s\n", "-x, --privproto=PRIVACY_PROTOCOL");
+        printf ("    %s\n", _("SNMPv3 privacy protocol (default DES), available options depend on the specific version of the net-snmp tools"));
+        printf ("    %s\n", _("if < 5.8 DES and AES should be available, if >= 5.8 additionally AES-192 and AES-256"));
        /* Authentication Tokens*/
        printf (" %s\n", "-C, --community=STRING");