From ede8defad4f44478f69e148022b542a694498087 Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Tue, 19 Jan 2021 18:32:27 +0100 Subject: check_curl: fixed help, usage and errors for TLS 1.3 --- plugins/check_curl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 2d69b310..ef77918b 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -1354,7 +1354,7 @@ process_arguments (int argc, char **argv) ssl_version = CURL_SSLVERSION_DEFAULT; #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) */ else - usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)")); + usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2, 1.3 (with optional '+' suffix)")); } #if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) if (got_plus) { @@ -1659,7 +1659,7 @@ print_help (void) printf (" %s\n", "-S, --ssl=VERSION[+]"); printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,")); - printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.")); + printf (" %s\n", _("1.2 = TLSv1.2, 1.3 = TLSv1.3). With a '+' suffix, newer versions are also accepted.")); printf (" %s\n", _("Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl")); printf (" %s\n", "--sni"); printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); -- cgit v1.2.3-74-g34f1 From d9a5d1faf0400b9da47dee516c035da1a93dc12c Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Tue, 19 Jan 2021 18:35:41 +0100 Subject: check_curl: fixed a potential buffer overflow in url buffer --- plugins/check_curl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/check_curl.c b/plugins/check_curl.c index ef77918b..a3f63f16 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -1041,7 +1041,7 @@ redir (curlhelp_write_curlbuf* header_buf) const UriPathSegmentA* p = uri.pathHead; for (; p; p = p->next) { strncat (new_url, "/", DEFAULT_BUFFER_SIZE); - strncat (new_url, uri_string (p->text, buf, DEFAULT_BUFFER_SIZE), DEFAULT_BUFFER_SIZE); + strncat (new_url, uri_string (p->text, buf, DEFAULT_BUFFER_SIZE), DEFAULT_BUFFER_SIZE-1); } } -- cgit v1.2.3-74-g34f1 From 0f926a3566fb6f3333f3a24e47e2ad204fd0fba4 Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Mon, 8 Mar 2021 19:46:43 +0100 Subject: check_curl: added string_statuscode function for printing HTTP/1.1 and HTTP/2 correctly --- plugins/check_curl.c | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/plugins/check_curl.c b/plugins/check_curl.c index a3f63f16..8f274c26 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -296,6 +296,28 @@ CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) #endif /* USE_OPENSSL */ #endif /* HAVE_SSL */ +/* returns a string "HTTP/1.x" or "HTTP/2" */ +static char *string_statuscode (int major, int minor) +{ + static char buf[10]; + + switch (major) { + case 1: + snprintf (buf, sizeof (buf), "HTTP/%d.%d", major, minor); + break; + case 2: + case 3: + snprintf (buf, sizeof (buf), "HTTP/%d", major); + break; + default: + /* assuming here HTTP/N with N>=4 */ + snprintf (buf, sizeof (buf), "HTTP/%d", major); + break; + } + + return buf; +} + /* Checks if the server 'reply' is one of the expected 'statuscodes' */ static int expected_statuscode (const char *reply, const char *statuscodes) @@ -746,7 +768,8 @@ GOT_FIRST_CERT: if (curlhelp_parse_statusline (header_buf.buf, &status_line) < 0) { snprintf (msg, DEFAULT_BUFFER_SIZE, "Unparsable status line in %.3g seconds response time|%s\n", total_time, perfstring); - die (STATE_CRITICAL, "HTTP CRITICAL HTTP/1.x %ld unknown - %s", code, msg); + /* we cannot know the major/minor version here for sure as we cannot parse the first line */ + die (STATE_CRITICAL, "HTTP CRITICAL HTTP/x.x %ld unknown - %s", code, msg); } /* get result code from cURL */ @@ -823,8 +846,8 @@ GOT_FIRST_CERT: /* check status codes, set exit status accordingly */ if( status_line.http_code != code ) { - die (STATE_CRITICAL, _("HTTP CRITICAL HTTP/%d.%d %d %s - different HTTP codes (cUrl has %ld)\n"), - status_line.http_major, status_line.http_minor, + die (STATE_CRITICAL, _("HTTP CRITICAL %s %d %s - different HTTP codes (cUrl has %ld)\n"), + string_statuscode (status_line.http_major, status_line.http_minor), status_line.http_code, status_line.msg, code); } @@ -895,8 +918,8 @@ GOT_FIRST_CERT: msg[strlen(msg)-3] = '\0'; /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */ - die (result, "HTTP %s: HTTP/%d.%d %d %s%s%s - %d bytes in %.3f second response time %s|%s\n", - state_text(result), status_line.http_major, status_line.http_minor, + die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n", + state_text(result), string_statuscode (status_line.http_major, status_line.http_minor), status_line.http_code, status_line.msg, strlen(msg) > 0 ? " - " : "", msg, page_len, total_time, -- cgit v1.2.3-74-g34f1