summaryrefslogtreecommitdiffstats
path: root/plugins/check_curl.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/check_curl.c')
-rw-r--r--plugins/check_curl.c2696
1 files changed, 2696 insertions, 0 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
new file mode 100644
index 0000000..d0871c4
--- /dev/null
+++ b/plugins/check_curl.c
@@ -0,0 +1,2696 @@
1/*****************************************************************************
2*
3* Monitoring check_curl plugin
4*
5* License: GPL
6* Copyright (c) 1999-2019 Monitoring Plugins Development Team
7*
8* Description:
9*
10* This file contains the check_curl plugin
11*
12* This plugin tests the HTTP service on the specified host. It can test
13* normal (http) and secure (https) servers, follow redirects, search for
14* strings and regular expressions, check connection times, and report on
15* certificate expiration times.
16*
17* This plugin uses functions from the curl library, see
18* http://curl.haxx.se
19*
20* This program is free software: you can redistribute it and/or modify
21* it under the terms of the GNU General Public License as published by
22* the Free Software Foundation, either version 3 of the License, or
23* (at your option) any later version.
24*
25* This program is distributed in the hope that it will be useful,
26* but WITHOUT ANY WARRANTY; without even the implied warranty of
27* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28* GNU General Public License for more details.
29*
30* You should have received a copy of the GNU General Public License
31* along with this program. If not, see <http://www.gnu.org/licenses/>.
32*
33*
34*****************************************************************************/
35const char *progname = "check_curl";
36
37const char *copyright = "2006-2019";
38const char *email = "devel@monitoring-plugins.org";
39
40#include <stdbool.h>
41#include <ctype.h>
42
43#include "common.h"
44#include "utils.h"
45
46#ifndef LIBCURL_PROTOCOL_HTTP
47#error libcurl compiled without HTTP support, compiling check_curl plugin does not makes a lot of sense
48#endif
49
50#include "curl/curl.h"
51#include "curl/easy.h"
52
53#include "picohttpparser.h"
54
55#include "uriparser/Uri.h"
56
57#include <arpa/inet.h>
58#include <netinet/in.h>
59
60#if defined(HAVE_SSL) && defined(USE_OPENSSL)
61#include <openssl/opensslv.h>
62#endif
63
64#include <netdb.h>
65
66#define MAKE_LIBCURL_VERSION(major, minor, patch) ((major)*0x10000 + (minor)*0x100 + (patch))
67
68#define DEFAULT_BUFFER_SIZE 2048
69#define DEFAULT_SERVER_URL "/"
70#define HTTP_EXPECT "HTTP/"
71#define INET_ADDR_MAX_SIZE INET6_ADDRSTRLEN
72enum {
73 MAX_IPV4_HOSTLENGTH = 255,
74 HTTP_PORT = 80,
75 HTTPS_PORT = 443,
76 MAX_PORT = 65535,
77 DEFAULT_MAX_REDIRS = 15
78};
79
80enum {
81 STICKY_NONE = 0,
82 STICKY_HOST = 1,
83 STICKY_PORT = 2
84};
85
86enum {
87 FOLLOW_HTTP_CURL = 0,
88 FOLLOW_LIBCURL = 1
89};
90
91/* for buffers for header and body */
92typedef struct {
93 char *buf;
94 size_t buflen;
95 size_t bufsize;
96} curlhelp_write_curlbuf;
97
98/* for buffering the data sent in PUT */
99typedef struct {
100 char *buf;
101 size_t buflen;
102 off_t pos;
103} curlhelp_read_curlbuf;
104
105/* for parsing the HTTP status line */
106typedef struct {
107 int http_major; /* major version of the protocol, always 1 (HTTP/0.9
108 * never reached the big internet most likely) */
109 int http_minor; /* minor version of the protocol, usually 0 or 1 */
110 int http_code; /* HTTP return code as in RFC 2145 */
111 int http_subcode; /* Microsoft IIS extension, HTTP subcodes, see
112 * http://support.microsoft.com/kb/318380/en-us */
113 const char *msg; /* the human readable message */
114 char *first_line; /* a copy of the first line */
115} curlhelp_statusline;
116
117/* to know the underlying SSL library used by libcurl */
118typedef enum curlhelp_ssl_library {
119 CURLHELP_SSL_LIBRARY_UNKNOWN,
120 CURLHELP_SSL_LIBRARY_OPENSSL,
121 CURLHELP_SSL_LIBRARY_LIBRESSL,
122 CURLHELP_SSL_LIBRARY_GNUTLS,
123 CURLHELP_SSL_LIBRARY_NSS
124} curlhelp_ssl_library;
125
126enum {
127 REGS = 2,
128 MAX_RE_SIZE = 1024
129};
130#include "regex.h"
131regex_t preg;
132regmatch_t pmatch[REGS];
133char regexp[MAX_RE_SIZE];
134int cflags = REG_NOSUB | REG_EXTENDED | REG_NEWLINE;
135int errcode;
136bool invert_regex = false;
137
138char *server_address = NULL;
139char *host_name = NULL;
140char *server_url = 0;
141char server_ip[DEFAULT_BUFFER_SIZE];
142struct curl_slist *server_ips = NULL;
143bool specify_port = false;
144unsigned short server_port = HTTP_PORT;
145unsigned short virtual_port = 0;
146int host_name_length;
147char output_header_search[30] = "";
148char output_string_search[30] = "";
149char *warning_thresholds = NULL;
150char *critical_thresholds = NULL;
151int days_till_exp_warn, days_till_exp_crit;
152thresholds *thlds;
153char user_agent[DEFAULT_BUFFER_SIZE];
154int verbose = 0;
155bool show_extended_perfdata = false;
156bool show_body = false;
157int min_page_len = 0;
158int max_page_len = 0;
159int redir_depth = 0;
160int max_depth = DEFAULT_MAX_REDIRS;
161char *http_method = NULL;
162char *http_post_data = NULL;
163char *http_content_type = NULL;
164CURL *curl;
165bool curl_global_initialized = false;
166bool curl_easy_initialized = false;
167struct curl_slist *header_list = NULL;
168bool body_buf_initialized = false;
169curlhelp_write_curlbuf body_buf;
170bool header_buf_initialized = false;
171curlhelp_write_curlbuf header_buf;
172bool status_line_initialized = false;
173curlhelp_statusline status_line;
174bool put_buf_initialized = false;
175curlhelp_read_curlbuf put_buf;
176char http_header[DEFAULT_BUFFER_SIZE];
177long code;
178long socket_timeout = DEFAULT_SOCKET_TIMEOUT;
179double total_time;
180double time_connect;
181double time_appconnect;
182double time_headers;
183double time_firstbyte;
184char errbuf[MAX_INPUT_BUFFER];
185CURLcode res;
186char url[DEFAULT_BUFFER_SIZE];
187char msg[DEFAULT_BUFFER_SIZE];
188char perfstring[DEFAULT_BUFFER_SIZE];
189char header_expect[MAX_INPUT_BUFFER] = "";
190char string_expect[MAX_INPUT_BUFFER] = "";
191char server_expect[MAX_INPUT_BUFFER] = HTTP_EXPECT;
192int server_expect_yn = 0;
193char user_auth[MAX_INPUT_BUFFER] = "";
194char proxy_auth[MAX_INPUT_BUFFER] = "";
195char **http_opt_headers;
196int http_opt_headers_count = 0;
197bool display_html = false;
198int onredirect = STATE_OK;
199int followmethod = FOLLOW_HTTP_CURL;
200int followsticky = STICKY_NONE;
201bool use_ssl = false;
202bool use_sni = true;
203bool check_cert = false;
204bool continue_after_check_cert = false;
205typedef union {
206 struct curl_slist* to_info;
207 struct curl_certinfo* to_certinfo;
208} cert_ptr_union;
209cert_ptr_union cert_ptr;
210int ssl_version = CURL_SSLVERSION_DEFAULT;
211char *client_cert = NULL;
212char *client_privkey = NULL;
213char *ca_cert = NULL;
214bool verify_peer_and_host = false;
215bool is_openssl_callback = false;
216#if defined(HAVE_SSL) && defined(USE_OPENSSL)
217X509 *cert = NULL;
218#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
219bool no_body = false;
220int maximum_age = -1;
221int address_family = AF_UNSPEC;
222curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
223int curl_http_version = CURL_HTTP_VERSION_NONE;
224bool automatic_decompression = false;
225char *cookie_jar_file = NULL;
226
227bool process_arguments (int, char**);
228void handle_curl_option_return_code (CURLcode res, const char* option);
229int check_http (void);
230void redir (curlhelp_write_curlbuf*);
231char *perfd_time (double microsec);
232char *perfd_time_connect (double microsec);
233char *perfd_time_ssl (double microsec);
234char *perfd_time_firstbyte (double microsec);
235char *perfd_time_headers (double microsec);
236char *perfd_time_transfer (double microsec);
237char *perfd_size (int page_len);
238void print_help (void);
239void print_usage (void);
240void print_curl_version (void);
241int curlhelp_initwritebuffer (curlhelp_write_curlbuf*);
242int curlhelp_buffer_write_callback (void*, size_t , size_t , void*);
243void curlhelp_freewritebuffer (curlhelp_write_curlbuf*);
244int curlhelp_initreadbuffer (curlhelp_read_curlbuf *, const char *, size_t);
245int curlhelp_buffer_read_callback (void *, size_t , size_t , void *);
246void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
247curlhelp_ssl_library curlhelp_get_ssl_library ();
248const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
249int net_noopenssl_check_certificate (cert_ptr_union*, int, int);
250
251int curlhelp_parse_statusline (const char*, curlhelp_statusline *);
252void curlhelp_free_statusline (curlhelp_statusline *);
253char *get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header);
254int check_document_dates (const curlhelp_write_curlbuf *, char (*msg)[DEFAULT_BUFFER_SIZE]);
255int get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf);
256
257#if defined(HAVE_SSL) && defined(USE_OPENSSL)
258int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit);
259#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
260
261void remove_newlines (char *);
262void test_file (char *);
263
264int
265main (int argc, char **argv)
266{
267 int result = STATE_UNKNOWN;
268
269 setlocale (LC_ALL, "");
270 bindtextdomain (PACKAGE, LOCALEDIR);
271 textdomain (PACKAGE);
272
273 /* Parse extra opts if any */
274 argv = np_extra_opts (&argc, argv, progname);
275
276 /* set defaults */
277 snprintf( user_agent, DEFAULT_BUFFER_SIZE, "%s/v%s (monitoring-plugins %s, %s)",
278 progname, NP_VERSION, VERSION, curl_version());
279
280 /* parse arguments */
281 if (process_arguments (argc, argv) == false)
282 usage4 (_("Could not parse arguments"));
283
284 if (display_html)
285 printf ("<A HREF=\"%s://%s:%d%s\" target=\"_blank\">",
286 use_ssl ? "https" : "http",
287 host_name ? host_name : server_address,
288 virtual_port ? virtual_port : server_port,
289 server_url);
290
291 result = check_http ();
292 return result;
293}
294
295#ifdef HAVE_SSL
296#ifdef USE_OPENSSL
297
298int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
299{
300 (void) preverify_ok;
301 /* TODO: we get all certificates of the chain, so which ones
302 * should we test?
303 * TODO: is the last certificate always the server certificate?
304 */
305 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
306#if OPENSSL_VERSION_NUMBER >= 0x10100000L
307 X509_up_ref(cert);
308#endif
309 if (verbose>=2) {
310 puts("* SSL verify callback with certificate:");
311 X509_NAME *subject, *issuer;
312 printf("* issuer:\n");
313 issuer = X509_get_issuer_name( cert );
314 X509_NAME_print_ex_fp(stdout, issuer, 5, XN_FLAG_MULTILINE);
315 printf("* curl verify_callback:\n* subject:\n");
316 subject = X509_get_subject_name( cert );
317 X509_NAME_print_ex_fp(stdout, subject, 5, XN_FLAG_MULTILINE);
318 puts("");
319 }
320 return 1;
321}
322
323CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
324{
325 (void) curl; // ignore unused parameter
326 (void) parm; // ignore unused parameter
327 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
328
329 return CURLE_OK;
330}
331
332#endif /* USE_OPENSSL */
333#endif /* HAVE_SSL */
334
335/* returns a string "HTTP/1.x" or "HTTP/2" */
336static char *string_statuscode (int major, int minor)
337{
338 static char buf[10];
339
340 switch (major) {
341 case 1:
342 snprintf (buf, sizeof (buf), "HTTP/%d.%d", major, minor);
343 break;
344 case 2:
345 case 3:
346 snprintf (buf, sizeof (buf), "HTTP/%d", major);
347 break;
348 default:
349 /* assuming here HTTP/N with N>=4 */
350 snprintf (buf, sizeof (buf), "HTTP/%d", major);
351 break;
352 }
353
354 return buf;
355}
356
357/* Checks if the server 'reply' is one of the expected 'statuscodes' */
358static int
359expected_statuscode (const char *reply, const char *statuscodes)
360{
361 char *expected, *code;
362 int result = 0;
363
364 if ((expected = strdup (statuscodes)) == NULL)
365 die (STATE_UNKNOWN, _("HTTP UNKNOWN - Memory allocation error\n"));
366
367 for (code = strtok (expected, ","); code != NULL; code = strtok (NULL, ","))
368 if (strstr (reply, code) != NULL) {
369 result = 1;
370 break;
371 }
372
373 free (expected);
374 return result;
375}
376
377void
378handle_curl_option_return_code (CURLcode res, const char* option)
379{
380 if (res != CURLE_OK) {
381 snprintf (msg,
382 DEFAULT_BUFFER_SIZE,
383 _("Error while setting cURL option '%s': cURL returned %d - %s"),
384 option,
385 res,
386 curl_easy_strerror(res));
387 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
388 }
389}
390
391int
392lookup_host (const char *host, char *buf, size_t buflen)
393{
394 struct addrinfo hints, *res, *result;
395 char addrstr[100];
396 size_t addrstr_len;
397 int errcode;
398 void *ptr;
399 size_t buflen_remaining = buflen - 1;
400
401 memset (&hints, 0, sizeof (hints));
402 hints.ai_family = address_family;
403 hints.ai_socktype = SOCK_STREAM;
404 hints.ai_flags |= AI_CANONNAME;
405
406 errcode = getaddrinfo (host, NULL, &hints, &result);
407 if (errcode != 0)
408 return errcode;
409
410 strcpy(buf, "");
411 res = result;
412
413 while (res) {
414 switch (res->ai_family) {
415 case AF_INET:
416 ptr = &((struct sockaddr_in *) res->ai_addr)->sin_addr;
417 break;
418 case AF_INET6:
419 ptr = &((struct sockaddr_in6 *) res->ai_addr)->sin6_addr;
420 break;
421 }
422
423 inet_ntop (res->ai_family, ptr, addrstr, 100);
424 if (verbose >= 1) {
425 printf ("* getaddrinfo IPv%d address: %s\n",
426 res->ai_family == PF_INET6 ? 6 : 4, addrstr);
427 }
428
429 // Append all IPs to buf as a comma-separated string
430 addrstr_len = strlen(addrstr);
431 if (buflen_remaining > addrstr_len + 1) {
432 if (buf[0] != '\0') {
433 strncat(buf, ",", buflen_remaining);
434 buflen_remaining -= 1;
435 }
436 strncat(buf, addrstr, buflen_remaining);
437 buflen_remaining -= addrstr_len;
438 }
439
440 res = res->ai_next;
441 }
442
443 freeaddrinfo(result);
444
445 return 0;
446}
447
448static void
449cleanup (void)
450{
451 if (status_line_initialized) curlhelp_free_statusline(&status_line);
452 status_line_initialized = false;
453 if (curl_easy_initialized) curl_easy_cleanup (curl);
454 curl_easy_initialized = false;
455 if (curl_global_initialized) curl_global_cleanup ();
456 curl_global_initialized = false;
457 if (body_buf_initialized) curlhelp_freewritebuffer (&body_buf);
458 body_buf_initialized = false;
459 if (header_buf_initialized) curlhelp_freewritebuffer (&header_buf);
460 header_buf_initialized = false;
461 if (put_buf_initialized) curlhelp_freereadbuffer (&put_buf);
462 put_buf_initialized = false;
463}
464
465int
466check_http (void)
467{
468 int result = STATE_OK;
469 int page_len = 0;
470 int i;
471 char *force_host_header = NULL;
472 struct curl_slist *host = NULL;
473 char addrstr[DEFAULT_BUFFER_SIZE/2];
474 char dnscache[DEFAULT_BUFFER_SIZE];
475
476 /* initialize curl */
477 if (curl_global_init (CURL_GLOBAL_DEFAULT) != CURLE_OK)
478 die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_global_init failed\n");
479 curl_global_initialized = true;
480
481 if ((curl = curl_easy_init()) == NULL) {
482 die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_easy_init failed\n");
483 }
484 curl_easy_initialized = true;
485
486 /* register cleanup function to shut down libcurl properly */
487 atexit (cleanup);
488
489 if (verbose >= 1)
490 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_VERBOSE, 1), "CURLOPT_VERBOSE");
491
492 /* print everything on stdout like check_http would do */
493 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_STDERR, stdout), "CURLOPT_STDERR");
494
495 if (automatic_decompression)
496#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 6)
497 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""), "CURLOPT_ACCEPT_ENCODING");
498#else
499 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_ENCODING, ""), "CURLOPT_ENCODING");
500#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 6) */
501
502 /* initialize buffer for body of the answer */
503 if (curlhelp_initwritebuffer(&body_buf) < 0)
504 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
505 body_buf_initialized = true;
506 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_WRITEFUNCTION");
507 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEDATA, (void *)&body_buf), "CURLOPT_WRITEDATA");
508
509 /* initialize buffer for header of the answer */
510 if (curlhelp_initwritebuffer( &header_buf ) < 0)
511 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for header\n" );
512 header_buf_initialized = true;
513 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HEADERFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_HEADERFUNCTION");
514 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEHEADER, (void *)&header_buf), "CURLOPT_WRITEHEADER");
515
516 /* set the error buffer */
517 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_ERRORBUFFER, errbuf), "CURLOPT_ERRORBUFFER");
518
519 /* set timeouts */
520 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, socket_timeout), "CURLOPT_CONNECTTIMEOUT");
521 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_TIMEOUT, socket_timeout), "CURLOPT_TIMEOUT");
522
523 // fill dns resolve cache to make curl connect to the given server_address instead of the host_name, only required for ssl, because we use the host_name later on to make SNI happy
524 if(use_ssl && host_name != NULL) {
525 if ( (res=lookup_host (server_address, addrstr, DEFAULT_BUFFER_SIZE/2)) != 0) {
526 snprintf (msg,
527 DEFAULT_BUFFER_SIZE,
528 _("Unable to lookup IP address for '%s': getaddrinfo returned %d - %s"),
529 server_address,
530 res,
531 gai_strerror (res));
532 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
533 }
534 snprintf (dnscache, DEFAULT_BUFFER_SIZE, "%s:%d:%s", host_name, server_port, addrstr);
535 host = curl_slist_append(NULL, dnscache);
536 curl_easy_setopt(curl, CURLOPT_RESOLVE, host);
537 if (verbose>=1)
538 printf ("* curl CURLOPT_RESOLVE: %s\n", dnscache);
539 }
540
541 // If server_address is an IPv6 address it must be surround by square brackets
542 struct in6_addr tmp_in_addr;
543 if (inet_pton(AF_INET6, server_address, &tmp_in_addr) == 1) {
544 char *new_server_address = malloc(strlen(server_address) + 3);
545 if (new_server_address == NULL) {
546 die(STATE_UNKNOWN, "HTTP UNKNOWN - Unable to allocate memory\n");
547 }
548 snprintf(new_server_address, strlen(server_address)+3, "[%s]", server_address);
549 free(server_address);
550 server_address = new_server_address;
551 }
552
553 /* compose URL: use the address we want to connect to, set Host: header later */
554 snprintf (url, DEFAULT_BUFFER_SIZE, "%s://%s:%d%s",
555 use_ssl ? "https" : "http",
556 ( use_ssl & ( host_name != NULL ) ) ? host_name : server_address,
557 server_port,
558 server_url
559 );
560
561 if (verbose>=1)
562 printf ("* curl CURLOPT_URL: %s\n", url);
563 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, url), "CURLOPT_URL");
564
565 /* extract proxy information for legacy proxy https requests */
566 if (!strcmp(http_method, "CONNECT") || strstr(server_url, "http") == server_url) {
567 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXY, server_address), "CURLOPT_PROXY");
568 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXYPORT, (long)server_port), "CURLOPT_PROXYPORT");
569 if (verbose>=2)
570 printf ("* curl CURLOPT_PROXY: %s:%d\n", server_address, server_port);
571 http_method = "GET";
572 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, server_url), "CURLOPT_URL");
573 }
574
575 /* disable body for HEAD request */
576 if (http_method && !strcmp (http_method, "HEAD" )) {
577 no_body = true;
578 }
579
580 /* set HTTP protocol version */
581 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HTTP_VERSION, curl_http_version), "CURLOPT_HTTP_VERSION");
582
583 /* set HTTP method */
584 if (http_method) {
585 if (!strcmp(http_method, "POST"))
586 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POST, 1), "CURLOPT_POST");
587 else if (!strcmp(http_method, "PUT"))
588 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_UPLOAD, 1), "CURLOPT_UPLOAD");
589 else
590 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CUSTOMREQUEST, http_method), "CURLOPT_CUSTOMREQUEST");
591 }
592
593 /* check if Host header is explicitly set in options */
594 if (http_opt_headers_count) {
595 for (i = 0; i < http_opt_headers_count ; i++) {
596 if (strncmp(http_opt_headers[i], "Host:", 5) == 0) {
597 force_host_header = http_opt_headers[i];
598 }
599 }
600 }
601
602 /* set hostname (virtual hosts), not needed if CURLOPT_CONNECT_TO is used, but left in anyway */
603 if(host_name != NULL && force_host_header == NULL) {
604 if((virtual_port != HTTP_PORT && !use_ssl) || (virtual_port != HTTPS_PORT && use_ssl)) {
605 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s:%d", host_name, virtual_port);
606 } else {
607 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s", host_name);
608 }
609 header_list = curl_slist_append (header_list, http_header);
610 }
611
612 /* always close connection, be nice to servers */
613 snprintf (http_header, DEFAULT_BUFFER_SIZE, "Connection: close");
614 header_list = curl_slist_append (header_list, http_header);
615
616 /* attach additional headers supplied by the user */
617 /* optionally send any other header tag */
618 if (http_opt_headers_count) {
619 for (i = 0; i < http_opt_headers_count ; i++) {
620 header_list = curl_slist_append (header_list, http_opt_headers[i]);
621 }
622 /* This cannot be free'd here because a redirection will then try to access this and segfault */
623 /* Covered in a testcase in tests/check_http.t */
624 /* free(http_opt_headers); */
625 }
626
627 /* set HTTP headers */
628 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPHEADER, header_list ), "CURLOPT_HTTPHEADER");
629
630#ifdef LIBCURL_FEATURE_SSL
631
632 /* set SSL version, warn about insecure or unsupported versions */
633 if (use_ssl) {
634 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLVERSION, ssl_version), "CURLOPT_SSLVERSION");
635 }
636
637 /* client certificate and key to present to server (SSL) */
638 if (client_cert)
639 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLCERT, client_cert), "CURLOPT_SSLCERT");
640 if (client_privkey)
641 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY");
642 if (ca_cert) {
643 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO");
644 }
645 if (ca_cert || verify_peer_and_host) {
646 /* per default if we have a CA verify both the peer and the
647 * hostname in the certificate, can be switched off later */
648 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER");
649 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST");
650 } else {
651 /* backward-compatible behaviour, be tolerant in checks
652 * TODO: depending on more options have aspects we want
653 * to be less tolerant about ssl verfications
654 */
655 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0), "CURLOPT_SSL_VERIFYPEER");
656 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0), "CURLOPT_SSL_VERIFYHOST");
657 }
658
659 /* detect SSL library used by libcurl */
660 ssl_library = curlhelp_get_ssl_library ();
661
662 /* try hard to get a stack of certificates to verify against */
663 if (check_cert) {
664#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1)
665 /* inform curl to report back certificates */
666 switch (ssl_library) {
667 case CURLHELP_SSL_LIBRARY_OPENSSL:
668 case CURLHELP_SSL_LIBRARY_LIBRESSL:
669 /* set callback to extract certificate with OpenSSL context function (works with
670 * OpenSSL-style libraries only!) */
671#ifdef USE_OPENSSL
672 /* libcurl and monitoring plugins built with OpenSSL, good */
673 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
674 is_openssl_callback = true;
675#else /* USE_OPENSSL */
676#endif /* USE_OPENSSL */
677 /* libcurl is built with OpenSSL, monitoring plugins, so falling
678 * back to manually extracting certificate information */
679 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
680 break;
681
682 case CURLHELP_SSL_LIBRARY_NSS:
683#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
684 /* NSS: support for CERTINFO is implemented since 7.34.0 */
685 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
686#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
687 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
688#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
689 break;
690
691 case CURLHELP_SSL_LIBRARY_GNUTLS:
692#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0)
693 /* GnuTLS: support for CERTINFO is implemented since 7.42.0 */
694 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
695#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
696 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
697#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
698 break;
699
700 case CURLHELP_SSL_LIBRARY_UNKNOWN:
701 default:
702 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (unknown SSL library '%s', must implement first)\n", curlhelp_get_ssl_library_string (ssl_library));
703 break;
704 }
705#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
706 /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
707 if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
708 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
709 else
710 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
711#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
712 }
713
714#endif /* LIBCURL_FEATURE_SSL */
715
716 /* set default or user-given user agent identification */
717 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERAGENT, user_agent), "CURLOPT_USERAGENT");
718
719 /* proxy-authentication */
720 if (strcmp(proxy_auth, ""))
721 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PROXYUSERPWD, proxy_auth), "CURLOPT_PROXYUSERPWD");
722
723 /* authentication */
724 if (strcmp(user_auth, ""))
725 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERPWD, user_auth), "CURLOPT_USERPWD");
726
727 /* TODO: parameter auth method, bitfield of following methods:
728 * CURLAUTH_BASIC (default)
729 * CURLAUTH_DIGEST
730 * CURLAUTH_DIGEST_IE
731 * CURLAUTH_NEGOTIATE
732 * CURLAUTH_NTLM
733 * CURLAUTH_NTLM_WB
734 *
735 * convenience tokens for typical sets of methods:
736 * CURLAUTH_ANYSAFE: most secure, without BASIC
737 * or CURLAUTH_ANY: most secure, even BASIC if necessary
738 *
739 * handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST ), "CURLOPT_HTTPAUTH");
740 */
741
742 /* handle redirections */
743 if (onredirect == STATE_DEPENDENT) {
744 if( followmethod == FOLLOW_LIBCURL ) {
745 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_FOLLOWLOCATION, 1), "CURLOPT_FOLLOWLOCATION");
746
747 /* default -1 is infinite, not good, could lead to zombie plugins!
748 Setting it to one bigger than maximal limit to handle errors nicely below
749 */
750 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_MAXREDIRS, max_depth+1), "CURLOPT_MAXREDIRS");
751
752 /* for now allow only http and https (we are a http(s) check plugin in the end) */
753#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 85, 0)
754 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_REDIR_PROTOCOLS_STR, "http,https"), "CURLOPT_REDIR_PROTOCOLS_STR");
755#elif LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 4)
756 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS), "CURLOPT_REDIRECT_PROTOCOLS");
757#endif
758
759 /* TODO: handle the following aspects of redirection, make them
760 * command line options too later:
761 CURLOPT_POSTREDIR: method switch
762 CURLINFO_REDIRECT_URL: custom redirect option
763 CURLOPT_REDIRECT_PROTOCOLS: allow people to step outside safe protocols
764 CURLINFO_REDIRECT_COUNT: get the number of redirects, print it, maybe a range option here is nice like for expected page size?
765 */
766 } else {
767 /* old style redirection is handled below */
768 }
769 }
770
771 /* no-body */
772 if (no_body)
773 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_NOBODY, 1), "CURLOPT_NOBODY");
774
775 /* IPv4 or IPv6 forced DNS resolution */
776 if (address_family == AF_UNSPEC)
777 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_WHATEVER), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_WHATEVER)");
778 else if (address_family == AF_INET)
779 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V4)");
780#if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6)
781 else if (address_family == AF_INET6)
782 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V6)");
783#endif
784
785 /* either send http POST data (any data, not only POST)*/
786 if (!strcmp(http_method, "POST") ||!strcmp(http_method, "PUT")) {
787 /* set content of payload for POST and PUT */
788 if (http_content_type) {
789 snprintf (http_header, DEFAULT_BUFFER_SIZE, "Content-Type: %s", http_content_type);
790 header_list = curl_slist_append (header_list, http_header);
791 }
792 /* NULL indicates "HTTP Continue" in libcurl, provide an empty string
793 * in case of no POST/PUT data */
794 if (!http_post_data)
795 http_post_data = "";
796 if (!strcmp(http_method, "POST")) {
797 /* POST method, set payload with CURLOPT_POSTFIELDS */
798 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POSTFIELDS, http_post_data), "CURLOPT_POSTFIELDS");
799 } else if (!strcmp(http_method, "PUT")) {
800 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READFUNCTION, (curl_read_callback)curlhelp_buffer_read_callback), "CURLOPT_READFUNCTION");
801 if (curlhelp_initreadbuffer (&put_buf, http_post_data, strlen (http_post_data)) < 0)
802 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating read buffer for PUT\n");
803 put_buf_initialized = true;
804 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READDATA, (void *)&put_buf), "CURLOPT_READDATA");
805 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_INFILESIZE, (curl_off_t)strlen (http_post_data)), "CURLOPT_INFILESIZE");
806 }
807 }
808
809 /* cookie handling */
810 if (cookie_jar_file != NULL) {
811 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_COOKIEJAR, cookie_jar_file), "CURLOPT_COOKIEJAR");
812 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_COOKIEFILE, cookie_jar_file), "CURLOPT_COOKIEFILE");
813 }
814
815 /* do the request */
816 res = curl_easy_perform(curl);
817
818 if (verbose>=2 && http_post_data)
819 printf ("**** REQUEST CONTENT ****\n%s\n", http_post_data);
820
821 /* free header and server IP resolve lists, we don't need it anymore */
822 curl_slist_free_all (header_list); header_list = NULL;
823 curl_slist_free_all (server_ips); server_ips = NULL;
824 if (host) {
825 curl_slist_free_all (host); host = NULL;
826 }
827
828 /* Curl errors, result in critical Nagios state */
829 if (res != CURLE_OK) {
830 snprintf (msg,
831 DEFAULT_BUFFER_SIZE,
832 _("Invalid HTTP response received from host on port %d: cURL returned %d - %s"),
833 server_port,
834 res,
835 errbuf[0] ? errbuf : curl_easy_strerror(res));
836 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
837 }
838
839 /* certificate checks */
840#ifdef LIBCURL_FEATURE_SSL
841 if (use_ssl) {
842 if (check_cert) {
843 if (is_openssl_callback) {
844#ifdef USE_OPENSSL
845 /* check certificate with OpenSSL functions, curl has been built against OpenSSL
846 * and we actually have OpenSSL in the monitoring tools
847 */
848 result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
849 if (!continue_after_check_cert) {
850 return result;
851 }
852#else /* USE_OPENSSL */
853 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
854#endif /* USE_OPENSSL */
855 } else {
856 int i;
857 struct curl_slist *slist;
858
859 cert_ptr.to_info = NULL;
860 res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
861 if (!res && cert_ptr.to_info) {
862#ifdef USE_OPENSSL
863 /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert parsing
864 * We only check the first certificate and assume it's the one of the server
865 */
866 const char* raw_cert = NULL;
867 for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
868 for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
869 if (verbose >= 2)
870 printf ("%d ** %s\n", i, slist->data);
871 if (strncmp (slist->data, "Cert:", 5) == 0) {
872 raw_cert = &slist->data[5];
873 goto GOT_FIRST_CERT;
874 }
875 }
876 }
877GOT_FIRST_CERT:
878 if (!raw_cert) {
879 snprintf (msg,
880 DEFAULT_BUFFER_SIZE,
881 _("Cannot retrieve certificates from CERTINFO information - certificate data was empty"));
882 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
883 }
884 BIO* cert_BIO = BIO_new (BIO_s_mem());
885 BIO_write (cert_BIO, raw_cert, strlen(raw_cert));
886 cert = PEM_read_bio_X509 (cert_BIO, NULL, NULL, NULL);
887 if (!cert) {
888 snprintf (msg,
889 DEFAULT_BUFFER_SIZE,
890 _("Cannot read certificate from CERTINFO information - BIO error"));
891 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
892 }
893 BIO_free (cert_BIO);
894 result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
895 if (!continue_after_check_cert) {
896 return result;
897 }
898#else /* USE_OPENSSL */
899 /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
900 * so we use the libcurl CURLINFO data
901 */
902 result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
903 if (!continue_after_check_cert) {
904 return result;
905 }
906#endif /* USE_OPENSSL */
907 } else {
908 snprintf (msg,
909 DEFAULT_BUFFER_SIZE,
910 _("Cannot retrieve certificates - cURL returned %d - %s"),
911 res,
912 curl_easy_strerror(res));
913 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
914 }
915 }
916 }
917 }
918#endif /* LIBCURL_FEATURE_SSL */
919
920 /* we got the data and we executed the request in a given time, so we can append
921 * performance data to the answer always
922 */
923 handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_TOTAL_TIME, &total_time), "CURLINFO_TOTAL_TIME");
924 page_len = get_content_length(&header_buf, &body_buf);
925 if(show_extended_perfdata) {
926 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_CONNECT_TIME, &time_connect), "CURLINFO_CONNECT_TIME");
927 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_APPCONNECT_TIME, &time_appconnect), "CURLINFO_APPCONNECT_TIME");
928 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_PRETRANSFER_TIME, &time_headers), "CURLINFO_PRETRANSFER_TIME");
929 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_STARTTRANSFER_TIME, &time_firstbyte), "CURLINFO_STARTTRANSFER_TIME");
930 snprintf(perfstring, DEFAULT_BUFFER_SIZE, "%s %s %s %s %s %s %s",
931 perfd_time(total_time),
932 perfd_size(page_len),
933 perfd_time_connect(time_connect),
934 use_ssl ? perfd_time_ssl (time_appconnect-time_connect) : "",
935 perfd_time_headers(time_headers - time_appconnect),
936 perfd_time_firstbyte(time_firstbyte - time_headers),
937 perfd_time_transfer(total_time-time_firstbyte)
938 );
939 } else {
940 snprintf(perfstring, DEFAULT_BUFFER_SIZE, "%s %s",
941 perfd_time(total_time),
942 perfd_size(page_len)
943 );
944 }
945
946 /* return a CRITICAL status if we couldn't read any data */
947 if (strlen(header_buf.buf) == 0 && strlen(body_buf.buf) == 0)
948 die (STATE_CRITICAL, _("HTTP CRITICAL - No header received from host\n"));
949
950 /* get status line of answer, check sanity of HTTP code */
951 if (curlhelp_parse_statusline (header_buf.buf, &status_line) < 0) {
952 snprintf (msg,
953 DEFAULT_BUFFER_SIZE,
954 "Unparsable status line in %.3g seconds response time|%s\n",
955 total_time,
956 perfstring);
957 /* we cannot know the major/minor version here for sure as we cannot parse the first line */
958 die (STATE_CRITICAL, "HTTP CRITICAL HTTP/x.x %ld unknown - %s", code, msg);
959 }
960 status_line_initialized = true;
961
962 /* get result code from cURL */
963 handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_RESPONSE_CODE, &code), "CURLINFO_RESPONSE_CODE");
964 if (verbose>=2)
965 printf ("* curl CURLINFO_RESPONSE_CODE is %ld\n", code);
966
967 /* print status line, header, body if verbose */
968 if (verbose >= 2) {
969 printf ("**** HEADER ****\n%s\n**** CONTENT ****\n%s\n", header_buf.buf,
970 (no_body ? " [[ skipped ]]" : body_buf.buf));
971 }
972
973 /* make sure the status line matches the response we are looking for */
974 if (!expected_statuscode(status_line.first_line, server_expect)) {
975 if (server_port == HTTP_PORT)
976 snprintf(msg,
977 DEFAULT_BUFFER_SIZE,
978 _("Invalid HTTP response received from host: %s\n"),
979 status_line.first_line);
980 else
981 snprintf(msg,
982 DEFAULT_BUFFER_SIZE,
983 _("Invalid HTTP response received from host on port %d: %s\n"),
984 server_port,
985 status_line.first_line);
986 die (STATE_CRITICAL, "HTTP CRITICAL - %s%s%s", msg,
987 show_body ? "\n" : "",
988 show_body ? body_buf.buf : "");
989 }
990
991 if( server_expect_yn ) {
992 snprintf(msg, DEFAULT_BUFFER_SIZE, _("Status line output matched \"%s\" - "), server_expect);
993 if (verbose)
994 printf ("%s\n",msg);
995 result = STATE_OK;
996 }
997 else {
998 /* illegal return codes result in a critical state */
999 if (code >= 600 || code < 100) {
1000 die (STATE_CRITICAL, _("HTTP CRITICAL: Invalid Status (%d, %.40s)\n"), status_line.http_code, status_line.msg);
1001 /* server errors result in a critical state */
1002 } else if (code >= 500) {
1003 result = STATE_CRITICAL;
1004 /* client errors result in a warning state */
1005 } else if (code >= 400) {
1006 result = STATE_WARNING;
1007 /* check redirected page if specified */
1008 } else if (code >= 300) {
1009 if (onredirect == STATE_DEPENDENT) {
1010 if( followmethod == FOLLOW_LIBCURL ) {
1011 code = status_line.http_code;
1012 } else {
1013 /* old check_http style redirection, if we come
1014 * back here, we are in the same status as with
1015 * the libcurl method
1016 */
1017 redir (&header_buf);
1018 }
1019 } else {
1020 /* this is a specific code in the command line to
1021 * be returned when a redirection is encountered
1022 */
1023 }
1024 result = max_state_alt (onredirect, result);
1025 /* all other codes are considered ok */
1026 } else {
1027 result = STATE_OK;
1028 }
1029 }
1030
1031 /* libcurl redirection internally, handle error states here */
1032 if( followmethod == FOLLOW_LIBCURL ) {
1033 handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_REDIRECT_COUNT, &redir_depth), "CURLINFO_REDIRECT_COUNT");
1034 if (verbose >= 2)
1035 printf(_("* curl LIBINFO_REDIRECT_COUNT is %d\n"), redir_depth);
1036 if (redir_depth > max_depth) {
1037 snprintf (msg, DEFAULT_BUFFER_SIZE, "maximum redirection depth %d exceeded in libcurl",
1038 max_depth);
1039 die (STATE_WARNING, "HTTP WARNING - %s", msg);
1040 }
1041 }
1042
1043 /* check status codes, set exit status accordingly */
1044 if( status_line.http_code != code ) {
1045 die (STATE_CRITICAL, _("HTTP CRITICAL %s %d %s - different HTTP codes (cUrl has %ld)\n"),
1046 string_statuscode (status_line.http_major, status_line.http_minor),
1047 status_line.http_code, status_line.msg, code);
1048 }
1049
1050 if (maximum_age >= 0) {
1051 result = max_state_alt(check_document_dates(&header_buf, &msg), result);
1052 }
1053
1054 /* Page and Header content checks go here */
1055
1056 if (strlen (header_expect)) {
1057 if (!strstr (header_buf.buf, header_expect)) {
1058
1059 strncpy(&output_header_search[0],header_expect,sizeof(output_header_search));
1060
1061 if(output_header_search[sizeof(output_header_search)-1]!='\0') {
1062 bcopy("...",&output_header_search[sizeof(output_header_search)-4],4);
1063 }
1064
1065 char tmp[DEFAULT_BUFFER_SIZE];
1066
1067 snprintf (tmp,
1068 DEFAULT_BUFFER_SIZE,
1069 _("%sheader '%s' not found on '%s://%s:%d%s', "),
1070 msg,
1071 output_header_search,
1072 use_ssl ? "https" : "http",
1073 host_name ? host_name : server_address,
1074 server_port,
1075 server_url);
1076
1077 strcpy(msg, tmp);
1078
1079 result = STATE_CRITICAL;
1080 }
1081 }
1082
1083 if (strlen (string_expect)) {
1084 if (!strstr (body_buf.buf, string_expect)) {
1085
1086 strncpy(&output_string_search[0],string_expect,sizeof(output_string_search));
1087
1088 if(output_string_search[sizeof(output_string_search)-1]!='\0') {
1089 bcopy("...",&output_string_search[sizeof(output_string_search)-4],4);
1090 }
1091
1092 char tmp[DEFAULT_BUFFER_SIZE];
1093
1094 snprintf (tmp,
1095 DEFAULT_BUFFER_SIZE,
1096 _("%sstring '%s' not found on '%s://%s:%d%s', "),
1097 msg,
1098 output_string_search,
1099 use_ssl ? "https" : "http",
1100 host_name ? host_name : server_address,
1101 server_port,
1102 server_url);
1103
1104 strcpy(msg, tmp);
1105
1106 result = STATE_CRITICAL;
1107 }
1108 }
1109
1110 if (strlen (regexp)) {
1111 errcode = regexec (&preg, body_buf.buf, REGS, pmatch, 0);
1112 if ((errcode == 0 && !invert_regex) || (errcode == REG_NOMATCH && invert_regex)) {
1113 /* OK - No-op to avoid changing the logic around it */
1114 result = max_state_alt(STATE_OK, result);
1115 }
1116 else if ((errcode == REG_NOMATCH && !invert_regex) || (errcode == 0 && invert_regex)) {
1117 if (!invert_regex) {
1118 char tmp[DEFAULT_BUFFER_SIZE];
1119
1120 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%spattern not found, "), msg);
1121 strcpy(msg, tmp);
1122
1123 } else {
1124 char tmp[DEFAULT_BUFFER_SIZE];
1125
1126 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%spattern found, "), msg);
1127 strcpy(msg, tmp);
1128
1129 }
1130 result = STATE_CRITICAL;
1131 } else {
1132 regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER);
1133
1134 char tmp[DEFAULT_BUFFER_SIZE];
1135
1136 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sExecute Error: %s, "), msg, errbuf);
1137 strcpy(msg, tmp);
1138 result = STATE_UNKNOWN;
1139 }
1140 }
1141
1142 /* make sure the page is of an appropriate size */
1143 if ((max_page_len > 0) && (page_len > max_page_len)) {
1144 char tmp[DEFAULT_BUFFER_SIZE];
1145
1146 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%spage size %d too large, "), msg, page_len);
1147
1148 strcpy(msg, tmp);
1149
1150 result = max_state_alt(STATE_WARNING, result);
1151
1152 } else if ((min_page_len > 0) && (page_len < min_page_len)) {
1153 char tmp[DEFAULT_BUFFER_SIZE];
1154
1155 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%spage size %d too small, "), msg, page_len);
1156 strcpy(msg, tmp);
1157 result = max_state_alt(STATE_WARNING, result);
1158 }
1159
1160 /* -w, -c: check warning and critical level */
1161 result = max_state_alt(get_status(total_time, thlds), result);
1162
1163 /* Cut-off trailing characters */
1164 if (strlen(msg) >= 2) {
1165 if(msg[strlen(msg)-2] == ',')
1166 msg[strlen(msg)-2] = '\0';
1167 else
1168 msg[strlen(msg)-3] = '\0';
1169 }
1170
1171 /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */
1172 die (result, "HTTP %s: %s %d %s%s%s - %d bytes in %.3f second response time %s|%s\n%s%s",
1173 state_text(result), string_statuscode (status_line.http_major, status_line.http_minor),
1174 status_line.http_code, status_line.msg,
1175 strlen(msg) > 0 ? " - " : "",
1176 msg, page_len, total_time,
1177 (display_html ? "</A>" : ""),
1178 perfstring,
1179 (show_body ? body_buf.buf : ""),
1180 (show_body ? "\n" : "") );
1181
1182 return result;
1183}
1184
1185int
1186uri_strcmp (const UriTextRangeA range, const char* s)
1187{
1188 if (!range.first) return -1;
1189 if (range.afterLast - range.first < strlen (s)) return -1;
1190 return strncmp (s, range.first, min( range.afterLast - range.first, strlen (s)));
1191}
1192
1193char*
1194uri_string (const UriTextRangeA range, char* buf, size_t buflen)
1195{
1196 if (!range.first) return "(null)";
1197 strncpy (buf, range.first, max (buflen-1, range.afterLast - range.first));
1198 buf[max (buflen-1, range.afterLast - range.first)] = '\0';
1199 buf[range.afterLast - range.first] = '\0';
1200 return buf;
1201}
1202
1203void
1204redir (curlhelp_write_curlbuf* header_buf)
1205{
1206 char *location = NULL;
1207 curlhelp_statusline status_line;
1208 struct phr_header headers[255];
1209 size_t nof_headers = 255;
1210 size_t msglen;
1211 char buf[DEFAULT_BUFFER_SIZE];
1212 char ipstr[INET_ADDR_MAX_SIZE];
1213 int new_port;
1214 char *new_host;
1215 char *new_url;
1216
1217 int res = phr_parse_response (header_buf->buf, header_buf->buflen,
1218 &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
1219 headers, &nof_headers, 0);
1220
1221 location = get_header_value (headers, nof_headers, "location");
1222
1223 if (verbose >= 2)
1224 printf(_("* Seen redirect location %s\n"), location);
1225
1226 if (++redir_depth > max_depth)
1227 die (STATE_WARNING,
1228 _("HTTP WARNING - maximum redirection depth %d exceeded - %s%s\n"),
1229 max_depth, location, (display_html ? "</A>" : ""));
1230
1231 UriParserStateA state;
1232 UriUriA uri;
1233 state.uri = &uri;
1234 if (uriParseUriA (&state, location) != URI_SUCCESS) {
1235 if (state.errorCode == URI_ERROR_SYNTAX) {
1236 die (STATE_UNKNOWN,
1237 _("HTTP UNKNOWN - Could not parse redirect location '%s'%s\n"),
1238 location, (display_html ? "</A>" : ""));
1239 } else if (state.errorCode == URI_ERROR_MALLOC) {
1240 die (STATE_UNKNOWN, _("HTTP UNKNOWN - Could not allocate URL\n"));
1241 }
1242 }
1243
1244 if (verbose >= 2) {
1245 printf (_("** scheme: %s\n"),
1246 uri_string (uri.scheme, buf, DEFAULT_BUFFER_SIZE));
1247 printf (_("** host: %s\n"),
1248 uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE));
1249 printf (_("** port: %s\n"),
1250 uri_string (uri.portText, buf, DEFAULT_BUFFER_SIZE));
1251 if (uri.hostData.ip4) {
1252 inet_ntop (AF_INET, uri.hostData.ip4->data, ipstr, sizeof (ipstr));
1253 printf (_("** IPv4: %s\n"), ipstr);
1254 }
1255 if (uri.hostData.ip6) {
1256 inet_ntop (AF_INET, uri.hostData.ip6->data, ipstr, sizeof (ipstr));
1257 printf (_("** IPv6: %s\n"), ipstr);
1258 }
1259 if (uri.pathHead) {
1260 printf (_("** path: "));
1261 const UriPathSegmentA* p = uri.pathHead;
1262 for (; p; p = p->next) {
1263 printf ("/%s", uri_string (p->text, buf, DEFAULT_BUFFER_SIZE));
1264 }
1265 puts ("");
1266 }
1267 if (uri.query.first) {
1268 printf (_("** query: %s\n"),
1269 uri_string (uri.query, buf, DEFAULT_BUFFER_SIZE));
1270 }
1271 if (uri.fragment.first) {
1272 printf (_("** fragment: %s\n"),
1273 uri_string (uri.fragment, buf, DEFAULT_BUFFER_SIZE));
1274 }
1275 }
1276
1277 if (!uri_strcmp (uri.scheme, "https"))
1278 use_ssl = true;
1279 else
1280 use_ssl = false;
1281
1282 /* we do a sloppy test here only, because uriparser would have failed
1283 * above, if the port would be invalid, we just check for MAX_PORT
1284 */
1285 if (uri.portText.first) {
1286 new_port = atoi (uri_string (uri.portText, buf, DEFAULT_BUFFER_SIZE));
1287 } else {
1288 new_port = HTTP_PORT;
1289 if (use_ssl)
1290 new_port = HTTPS_PORT;
1291 }
1292 if (new_port > MAX_PORT)
1293 die (STATE_UNKNOWN,
1294 _("HTTP UNKNOWN - Redirection to port above %d - %s%s\n"),
1295 MAX_PORT, location, display_html ? "</A>" : "");
1296
1297 /* by RFC 7231 relative URLs in Location should be taken relative to
1298 * the original URL, so wy try to form a new absolute URL here
1299 */
1300 if (!uri.scheme.first && !uri.hostText.first) {
1301 new_host = strdup (host_name ? host_name : server_address);
1302 } else {
1303 new_host = strdup (uri_string (uri.hostText, buf, DEFAULT_BUFFER_SIZE));
1304 }
1305
1306 /* compose new path */
1307 /* TODO: handle fragments and query part of URL */
1308 new_url = (char *)calloc( 1, DEFAULT_BUFFER_SIZE);
1309 if (uri.pathHead) {
1310 const UriPathSegmentA* p = uri.pathHead;
1311 for (; p; p = p->next) {
1312 strncat (new_url, "/", DEFAULT_BUFFER_SIZE);
1313 strncat (new_url, uri_string (p->text, buf, DEFAULT_BUFFER_SIZE), DEFAULT_BUFFER_SIZE-1);
1314 }
1315 }
1316
1317 if (server_port==new_port &&
1318 !strncmp(server_address, new_host, MAX_IPV4_HOSTLENGTH) &&
1319 (host_name && !strncmp(host_name, new_host, MAX_IPV4_HOSTLENGTH)) &&
1320 !strcmp(server_url, new_url))
1321 die (STATE_CRITICAL,
1322 _("HTTP CRITICAL - redirection creates an infinite loop - %s://%s:%d%s%s\n"),
1323 use_ssl ? "https" : "http", new_host, new_port, new_url, (display_html ? "</A>" : ""));
1324
1325 /* set new values for redirected request */
1326
1327 if (!(followsticky & STICKY_HOST)) {
1328 free (server_address);
1329 server_address = strndup (new_host, MAX_IPV4_HOSTLENGTH);
1330 }
1331 if (!(followsticky & STICKY_PORT)) {
1332 server_port = (unsigned short)new_port;
1333 }
1334
1335 free (host_name);
1336 host_name = strndup (new_host, MAX_IPV4_HOSTLENGTH);
1337
1338 /* reset virtual port */
1339 virtual_port = server_port;
1340
1341 free(new_host);
1342 free (server_url);
1343 server_url = new_url;
1344
1345 uriFreeUriMembersA (&uri);
1346
1347 if (verbose)
1348 printf (_("Redirection to %s://%s:%d%s\n"), use_ssl ? "https" : "http",
1349 host_name ? host_name : server_address, server_port, server_url);
1350
1351 /* TODO: the hash component MUST be taken from the original URL and
1352 * attached to the URL in Location
1353 */
1354
1355 cleanup ();
1356 check_http ();
1357}
1358
1359/* check whether a file exists */
1360void
1361test_file (char *path)
1362{
1363 if (access(path, R_OK) == 0)
1364 return;
1365 usage2 (_("file does not exist or is not readable"), path);
1366}
1367
1368bool
1369process_arguments (int argc, char **argv)
1370{
1371 char *p;
1372 int c = 1;
1373 char *temp;
1374
1375 enum {
1376 INVERT_REGEX = CHAR_MAX + 1,
1377 SNI_OPTION,
1378 MAX_REDIRS_OPTION,
1379 CONTINUE_AFTER_CHECK_CERT,
1380 CA_CERT_OPTION,
1381 HTTP_VERSION_OPTION,
1382 AUTOMATIC_DECOMPRESSION,
1383 COOKIE_JAR
1384 };
1385
1386 int option = 0;
1387 int got_plus = 0;
1388 static struct option longopts[] = {
1389 STD_LONG_OPTS,
1390 {"link", no_argument, 0, 'L'},
1391 {"nohtml", no_argument, 0, 'n'},
1392 {"ssl", optional_argument, 0, 'S'},
1393 {"sni", no_argument, 0, SNI_OPTION},
1394 {"post", required_argument, 0, 'P'},
1395 {"method", required_argument, 0, 'j'},
1396 {"IP-address", required_argument, 0, 'I'},
1397 {"url", required_argument, 0, 'u'},
1398 {"port", required_argument, 0, 'p'},
1399 {"authorization", required_argument, 0, 'a'},
1400 {"proxy-authorization", required_argument, 0, 'b'},
1401 {"header-string", required_argument, 0, 'd'},
1402 {"string", required_argument, 0, 's'},
1403 {"expect", required_argument, 0, 'e'},
1404 {"regex", required_argument, 0, 'r'},
1405 {"ereg", required_argument, 0, 'r'},
1406 {"eregi", required_argument, 0, 'R'},
1407 {"linespan", no_argument, 0, 'l'},
1408 {"onredirect", required_argument, 0, 'f'},
1409 {"certificate", required_argument, 0, 'C'},
1410 {"client-cert", required_argument, 0, 'J'},
1411 {"private-key", required_argument, 0, 'K'},
1412 {"ca-cert", required_argument, 0, CA_CERT_OPTION},
1413 {"verify-cert", no_argument, 0, 'D'},
1414 {"continue-after-certificate", no_argument, 0, CONTINUE_AFTER_CHECK_CERT},
1415 {"useragent", required_argument, 0, 'A'},
1416 {"header", required_argument, 0, 'k'},
1417 {"no-body", no_argument, 0, 'N'},
1418 {"max-age", required_argument, 0, 'M'},
1419 {"content-type", required_argument, 0, 'T'},
1420 {"pagesize", required_argument, 0, 'm'},
1421 {"invert-regex", no_argument, NULL, INVERT_REGEX},
1422 {"use-ipv4", no_argument, 0, '4'},
1423 {"use-ipv6", no_argument, 0, '6'},
1424 {"extended-perfdata", no_argument, 0, 'E'},
1425 {"show-body", no_argument, 0, 'B'},
1426 {"max-redirs", required_argument, 0, MAX_REDIRS_OPTION},
1427 {"http-version", required_argument, 0, HTTP_VERSION_OPTION},
1428 {"enable-automatic-decompression", no_argument, 0, AUTOMATIC_DECOMPRESSION},
1429 {"cookie-jar", required_argument, 0, COOKIE_JAR},
1430 {0, 0, 0, 0}
1431 };
1432
1433 if (argc < 2)
1434 return false;
1435
1436 /* support check_http compatible arguments */
1437 for (c = 1; c < argc; c++) {
1438 if (strcmp ("-to", argv[c]) == 0)
1439 strcpy (argv[c], "-t");
1440 if (strcmp ("-hn", argv[c]) == 0)
1441 strcpy (argv[c], "-H");
1442 if (strcmp ("-wt", argv[c]) == 0)
1443 strcpy (argv[c], "-w");
1444 if (strcmp ("-ct", argv[c]) == 0)
1445 strcpy (argv[c], "-c");
1446 if (strcmp ("-nohtml", argv[c]) == 0)
1447 strcpy (argv[c], "-n");
1448 }
1449
1450 server_url = strdup(DEFAULT_SERVER_URL);
1451
1452 while (1) {
1453 c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NEB", longopts, &option);
1454 if (c == -1 || c == EOF || c == 1)
1455 break;
1456
1457 switch (c) {
1458 case 'h':
1459 print_help();
1460 exit(STATE_UNKNOWN);
1461 break;
1462 case 'V':
1463 print_revision(progname, NP_VERSION);
1464 print_curl_version();
1465 exit(STATE_UNKNOWN);
1466 break;
1467 case 'v':
1468 verbose++;
1469 break;
1470 case 't': /* timeout period */
1471 if (!is_intnonneg (optarg))
1472 usage2 (_("Timeout interval must be a positive integer"), optarg);
1473 else
1474 socket_timeout = (int)strtol (optarg, NULL, 10);
1475 break;
1476 case 'c': /* critical time threshold */
1477 critical_thresholds = optarg;
1478 break;
1479 case 'w': /* warning time threshold */
1480 warning_thresholds = optarg;
1481 break;
1482 case 'H': /* virtual host */
1483 host_name = strdup (optarg);
1484 if (host_name[0] == '[') {
1485 if ((p = strstr (host_name, "]:")) != NULL) { /* [IPv6]:port */
1486 virtual_port = atoi (p + 2);
1487 /* cut off the port */
1488 host_name_length = strlen (host_name) - strlen (p) - 1;
1489 free (host_name);
1490 host_name = strndup (optarg, host_name_length);
1491 }
1492 } else if ((p = strchr (host_name, ':')) != NULL
1493 && strchr (++p, ':') == NULL) { /* IPv4:port or host:port */
1494 virtual_port = atoi (p);
1495 /* cut off the port */
1496 host_name_length = strlen (host_name) - strlen (p) - 1;
1497 free (host_name);
1498 host_name = strndup (optarg, host_name_length);
1499 }
1500 break;
1501 case 'I': /* internet address */
1502 server_address = strdup (optarg);
1503 break;
1504 case 'u': /* URL path */
1505 server_url = strdup (optarg);
1506 break;
1507 case 'p': /* Server port */
1508 if (!is_intnonneg (optarg))
1509 usage2 (_("Invalid port number, expecting a non-negative number"), optarg);
1510 else {
1511 if( strtol(optarg, NULL, 10) > MAX_PORT)
1512 usage2 (_("Invalid port number, supplied port number is too big"), optarg);
1513 server_port = (unsigned short)strtol(optarg, NULL, 10);
1514 specify_port = true;
1515 }
1516 break;
1517 case 'a': /* authorization info */
1518 strncpy (user_auth, optarg, MAX_INPUT_BUFFER - 1);
1519 user_auth[MAX_INPUT_BUFFER - 1] = 0;
1520 break;
1521 case 'b': /* proxy-authorization info */
1522 strncpy (proxy_auth, optarg, MAX_INPUT_BUFFER - 1);
1523 proxy_auth[MAX_INPUT_BUFFER - 1] = 0;
1524 break;
1525 case 'P': /* HTTP POST data in URL encoded format; ignored if settings already */
1526 if (! http_post_data)
1527 http_post_data = strdup (optarg);
1528 if (! http_method)
1529 http_method = strdup("POST");
1530 break;
1531 case 'j': /* Set HTTP method */
1532 if (http_method)
1533 free(http_method);
1534 http_method = strdup (optarg);
1535 break;
1536 case 'A': /* useragent */
1537 strncpy (user_agent, optarg, DEFAULT_BUFFER_SIZE);
1538 user_agent[DEFAULT_BUFFER_SIZE-1] = '\0';
1539 break;
1540 case 'k': /* Additional headers */
1541 if (http_opt_headers_count == 0)
1542 http_opt_headers = malloc (sizeof (char *) * (++http_opt_headers_count));
1543 else
1544 http_opt_headers = realloc (http_opt_headers, sizeof (char *) * (++http_opt_headers_count));
1545 http_opt_headers[http_opt_headers_count - 1] = optarg;
1546 break;
1547 case 'L': /* show html link */
1548 display_html = true;
1549 break;
1550 case 'n': /* do not show html link */
1551 display_html = false;
1552 break;
1553 case 'C': /* Check SSL cert validity */
1554#ifdef LIBCURL_FEATURE_SSL
1555 if ((temp=strchr(optarg,','))!=NULL) {
1556 *temp='\0';
1557 if (!is_intnonneg (optarg))
1558 usage2 (_("Invalid certificate expiration period"), optarg);
1559 days_till_exp_warn = atoi(optarg);
1560 *temp=',';
1561 temp++;
1562 if (!is_intnonneg (temp))
1563 usage2 (_("Invalid certificate expiration period"), temp);
1564 days_till_exp_crit = atoi (temp);
1565 }
1566 else {
1567 days_till_exp_crit=0;
1568 if (!is_intnonneg (optarg))
1569 usage2 (_("Invalid certificate expiration period"), optarg);
1570 days_till_exp_warn = atoi (optarg);
1571 }
1572 check_cert = true;
1573 goto enable_ssl;
1574#endif
1575 case CONTINUE_AFTER_CHECK_CERT: /* don't stop after the certificate is checked */
1576#ifdef HAVE_SSL
1577 continue_after_check_cert = true;
1578 break;
1579#endif
1580 case 'J': /* use client certificate */
1581#ifdef LIBCURL_FEATURE_SSL
1582 test_file(optarg);
1583 client_cert = optarg;
1584 goto enable_ssl;
1585#endif
1586 case 'K': /* use client private key */
1587#ifdef LIBCURL_FEATURE_SSL
1588 test_file(optarg);
1589 client_privkey = optarg;
1590 goto enable_ssl;
1591#endif
1592#ifdef LIBCURL_FEATURE_SSL
1593 case CA_CERT_OPTION: /* use CA chain file */
1594 test_file(optarg);
1595 ca_cert = optarg;
1596 goto enable_ssl;
1597#endif
1598#ifdef LIBCURL_FEATURE_SSL
1599 case 'D': /* verify peer certificate & host */
1600 verify_peer_and_host = true;
1601 break;
1602#endif
1603 case 'S': /* use SSL */
1604#ifdef LIBCURL_FEATURE_SSL
1605 enable_ssl:
1606 use_ssl = true;
1607 /* ssl_version initialized to CURL_SSLVERSION_DEFAULT as a default.
1608 * Only set if it's non-zero. This helps when we include multiple
1609 * parameters, like -S and -C combinations */
1610 ssl_version = CURL_SSLVERSION_DEFAULT;
1611 if (c=='S' && optarg != NULL) {
1612 char *plus_ptr = strchr(optarg, '+');
1613 if (plus_ptr) {
1614 got_plus = 1;
1615 *plus_ptr = '\0';
1616 }
1617
1618 if (optarg[0] == '2')
1619 ssl_version = CURL_SSLVERSION_SSLv2;
1620 else if (optarg[0] == '3')
1621 ssl_version = CURL_SSLVERSION_SSLv3;
1622 else if (!strcmp (optarg, "1") || !strcmp (optarg, "1.0"))
1623#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1624 ssl_version = CURL_SSLVERSION_TLSv1_0;
1625#else
1626 ssl_version = CURL_SSLVERSION_DEFAULT;
1627#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1628 else if (!strcmp (optarg, "1.1"))
1629#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1630 ssl_version = CURL_SSLVERSION_TLSv1_1;
1631#else
1632 ssl_version = CURL_SSLVERSION_DEFAULT;
1633#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1634 else if (!strcmp (optarg, "1.2"))
1635#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1636 ssl_version = CURL_SSLVERSION_TLSv1_2;
1637#else
1638 ssl_version = CURL_SSLVERSION_DEFAULT;
1639#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1640 else if (!strcmp (optarg, "1.3"))
1641#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0)
1642 ssl_version = CURL_SSLVERSION_TLSv1_3;
1643#else
1644 ssl_version = CURL_SSLVERSION_DEFAULT;
1645#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) */
1646 else
1647 usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2, 1.3 (with optional '+' suffix)"));
1648 }
1649#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0)
1650 if (got_plus) {
1651 switch (ssl_version) {
1652 case CURL_SSLVERSION_TLSv1_3:
1653 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3;
1654 break;
1655 case CURL_SSLVERSION_TLSv1_2:
1656 case CURL_SSLVERSION_TLSv1_1:
1657 case CURL_SSLVERSION_TLSv1_0:
1658 ssl_version |= CURL_SSLVERSION_MAX_DEFAULT;
1659 break;
1660 }
1661 } else {
1662 switch (ssl_version) {
1663 case CURL_SSLVERSION_TLSv1_3:
1664 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3;
1665 break;
1666 case CURL_SSLVERSION_TLSv1_2:
1667 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_2;
1668 break;
1669 case CURL_SSLVERSION_TLSv1_1:
1670 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_1;
1671 break;
1672 case CURL_SSLVERSION_TLSv1_0:
1673 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_0;
1674 break;
1675 }
1676 }
1677#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) */
1678 if (verbose >= 2)
1679 printf(_("* Set SSL/TLS version to %d\n"), ssl_version);
1680 if (!specify_port)
1681 server_port = HTTPS_PORT;
1682 break;
1683#else /* LIBCURL_FEATURE_SSL */
1684 /* -C -J and -K fall through to here without SSL */
1685 usage4 (_("Invalid option - SSL is not available"));
1686 break;
1687 case SNI_OPTION: /* --sni is parsed, but ignored, the default is true with libcurl */
1688 use_sni = true;
1689 break;
1690#endif /* LIBCURL_FEATURE_SSL */
1691 case MAX_REDIRS_OPTION:
1692 if (!is_intnonneg (optarg))
1693 usage2 (_("Invalid max_redirs count"), optarg);
1694 else {
1695 max_depth = atoi (optarg);
1696 }
1697 break;
1698 case 'f': /* onredirect */
1699 if (!strcmp (optarg, "ok"))
1700 onredirect = STATE_OK;
1701 else if (!strcmp (optarg, "warning"))
1702 onredirect = STATE_WARNING;
1703 else if (!strcmp (optarg, "critical"))
1704 onredirect = STATE_CRITICAL;
1705 else if (!strcmp (optarg, "unknown"))
1706 onredirect = STATE_UNKNOWN;
1707 else if (!strcmp (optarg, "follow"))
1708 onredirect = STATE_DEPENDENT;
1709 else if (!strcmp (optarg, "stickyport"))
1710 onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_HOST|STICKY_PORT;
1711 else if (!strcmp (optarg, "sticky"))
1712 onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_HOST;
1713 else if (!strcmp (optarg, "follow"))
1714 onredirect = STATE_DEPENDENT, followmethod = FOLLOW_HTTP_CURL, followsticky = STICKY_NONE;
1715 else if (!strcmp (optarg, "curl"))
1716 onredirect = STATE_DEPENDENT, followmethod = FOLLOW_LIBCURL;
1717 else usage2 (_("Invalid onredirect option"), optarg);
1718 if (verbose >= 2)
1719 printf(_("* Following redirects set to %s\n"), state_text(onredirect));
1720 break;
1721 case 'd': /* string or substring */
1722 strncpy (header_expect, optarg, MAX_INPUT_BUFFER - 1);
1723 header_expect[MAX_INPUT_BUFFER - 1] = 0;
1724 break;
1725 case 's': /* string or substring */
1726 strncpy (string_expect, optarg, MAX_INPUT_BUFFER - 1);
1727 string_expect[MAX_INPUT_BUFFER - 1] = 0;
1728 break;
1729 case 'e': /* string or substring */
1730 strncpy (server_expect, optarg, MAX_INPUT_BUFFER - 1);
1731 server_expect[MAX_INPUT_BUFFER - 1] = 0;
1732 server_expect_yn = 1;
1733 break;
1734 case 'T': /* Content-type */
1735 http_content_type = strdup (optarg);
1736 break;
1737 case 'l': /* linespan */
1738 cflags &= ~REG_NEWLINE;
1739 break;
1740 case 'R': /* regex */
1741 cflags |= REG_ICASE;
1742 // fall through
1743 case 'r': /* regex */
1744 strncpy (regexp, optarg, MAX_RE_SIZE - 1);
1745 regexp[MAX_RE_SIZE - 1] = 0;
1746 errcode = regcomp (&preg, regexp, cflags);
1747 if (errcode != 0) {
1748 (void) regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER);
1749 printf (_("Could Not Compile Regular Expression: %s"), errbuf);
1750 return false;
1751 }
1752 break;
1753 case INVERT_REGEX:
1754 invert_regex = true;
1755 break;
1756 case '4':
1757 address_family = AF_INET;
1758 break;
1759 case '6':
1760#if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6)
1761 address_family = AF_INET6;
1762#else
1763 usage4 (_("IPv6 support not available"));
1764#endif
1765 break;
1766 case 'm': /* min_page_length */
1767 {
1768 char *tmp;
1769 if (strchr(optarg, ':') != (char *)NULL) {
1770 /* range, so get two values, min:max */
1771 tmp = strtok(optarg, ":");
1772 if (tmp == NULL) {
1773 printf("Bad format: try \"-m min:max\"\n");
1774 exit (STATE_WARNING);
1775 } else
1776 min_page_len = atoi(tmp);
1777
1778 tmp = strtok(NULL, ":");
1779 if (tmp == NULL) {
1780 printf("Bad format: try \"-m min:max\"\n");
1781 exit (STATE_WARNING);
1782 } else
1783 max_page_len = atoi(tmp);
1784 } else
1785 min_page_len = atoi (optarg);
1786 break;
1787 }
1788 case 'N': /* no-body */
1789 no_body = true;
1790 break;
1791 case 'M': /* max-age */
1792 {
1793 int L = strlen(optarg);
1794 if (L && optarg[L-1] == 'm')
1795 maximum_age = atoi (optarg) * 60;
1796 else if (L && optarg[L-1] == 'h')
1797 maximum_age = atoi (optarg) * 60 * 60;
1798 else if (L && optarg[L-1] == 'd')
1799 maximum_age = atoi (optarg) * 60 * 60 * 24;
1800 else if (L && (optarg[L-1] == 's' ||
1801 isdigit (optarg[L-1])))
1802 maximum_age = atoi (optarg);
1803 else {
1804 fprintf (stderr, "unparsable max-age: %s\n", optarg);
1805 exit (STATE_WARNING);
1806 }
1807 if (verbose >= 2)
1808 printf ("* Maximal age of document set to %d seconds\n", maximum_age);
1809 }
1810 break;
1811 case 'E': /* show extended perfdata */
1812 show_extended_perfdata = true;
1813 break;
1814 case 'B': /* print body content after status line */
1815 show_body = true;
1816 break;
1817 case HTTP_VERSION_OPTION:
1818 curl_http_version = CURL_HTTP_VERSION_NONE;
1819 if (strcmp (optarg, "1.0") == 0) {
1820 curl_http_version = CURL_HTTP_VERSION_1_0;
1821 } else if (strcmp (optarg, "1.1") == 0) {
1822 curl_http_version = CURL_HTTP_VERSION_1_1;
1823 } else if ((strcmp (optarg, "2.0") == 0) || (strcmp (optarg, "2") == 0)) {
1824#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 33, 0)
1825 curl_http_version = CURL_HTTP_VERSION_2_0;
1826#else
1827 curl_http_version = CURL_HTTP_VERSION_NONE;
1828#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 33, 0) */
1829 } else {
1830 fprintf (stderr, "unknown http-version parameter: %s\n", optarg);
1831 exit (STATE_WARNING);
1832 }
1833 break;
1834 case AUTOMATIC_DECOMPRESSION:
1835 automatic_decompression = true;
1836 break;
1837 case COOKIE_JAR:
1838 cookie_jar_file = optarg;
1839 break;
1840 case '?':
1841 /* print short usage statement if args not parsable */
1842 usage5 ();
1843 break;
1844 }
1845 }
1846
1847 c = optind;
1848
1849 if (server_address == NULL && c < argc)
1850 server_address = strdup (argv[c++]);
1851
1852 if (host_name == NULL && c < argc)
1853 host_name = strdup (argv[c++]);
1854
1855 if (server_address == NULL) {
1856 if (host_name == NULL)
1857 usage4 (_("You must specify a server address or host name"));
1858 else
1859 server_address = strdup (host_name);
1860 }
1861
1862 set_thresholds(&thlds, warning_thresholds, critical_thresholds);
1863
1864 if (critical_thresholds && thlds->critical->end>(double)socket_timeout)
1865 socket_timeout = (int)thlds->critical->end + 1;
1866 if (verbose >= 2)
1867 printf ("* Socket timeout set to %ld seconds\n", socket_timeout);
1868
1869 if (http_method == NULL)
1870 http_method = strdup ("GET");
1871
1872 if (client_cert && !client_privkey)
1873 usage4 (_("If you use a client certificate you must also specify a private key file"));
1874
1875 if (virtual_port == 0)
1876 virtual_port = server_port;
1877 else {
1878 if ((use_ssl && server_port == HTTPS_PORT) || (!use_ssl && server_port == HTTP_PORT))
1879 if(!specify_port)
1880 server_port = virtual_port;
1881 }
1882
1883 return true;
1884}
1885
1886char *perfd_time (double elapsed_time)
1887{
1888 return fperfdata ("time", elapsed_time, "s",
1889 thlds->warning?true:false, thlds->warning?thlds->warning->end:0,
1890 thlds->critical?true:false, thlds->critical?thlds->critical->end:0,
1891 true, 0, true, socket_timeout);
1892}
1893
1894char *perfd_time_connect (double elapsed_time_connect)
1895{
1896 return fperfdata ("time_connect", elapsed_time_connect, "s", false, 0, false, 0, false, 0, true, socket_timeout);
1897}
1898
1899char *perfd_time_ssl (double elapsed_time_ssl)
1900{
1901 return fperfdata ("time_ssl", elapsed_time_ssl, "s", false, 0, false, 0, false, 0, true, socket_timeout);
1902}
1903
1904char *perfd_time_headers (double elapsed_time_headers)
1905{
1906 return fperfdata ("time_headers", elapsed_time_headers, "s", false, 0, false, 0, false, 0, true, socket_timeout);
1907}
1908
1909char *perfd_time_firstbyte (double elapsed_time_firstbyte)
1910{
1911 return fperfdata ("time_firstbyte", elapsed_time_firstbyte, "s", false, 0, false, 0, false, 0, true, socket_timeout);
1912}
1913
1914char *perfd_time_transfer (double elapsed_time_transfer)
1915{
1916 return fperfdata ("time_transfer", elapsed_time_transfer, "s", false, 0, false, 0, false, 0, true, socket_timeout);
1917}
1918
1919char *perfd_size (int page_len)
1920{
1921 return perfdata ("size", page_len, "B",
1922 (min_page_len>0?true:false), min_page_len,
1923 (min_page_len>0?true:false), 0,
1924 true, 0, false, 0);
1925}
1926
1927void
1928print_help (void)
1929{
1930 print_revision (progname, NP_VERSION);
1931
1932 printf ("Copyright (c) 1999 Ethan Galstad <nagios@nagios.org>\n");
1933 printf (COPYRIGHT, copyright, email);
1934
1935 printf ("%s\n", _("This plugin tests the HTTP service on the specified host. It can test"));
1936 printf ("%s\n", _("normal (http) and secure (https) servers, follow redirects, search for"));
1937 printf ("%s\n", _("strings and regular expressions, check connection times, and report on"));
1938 printf ("%s\n", _("certificate expiration times."));
1939 printf ("\n");
1940 printf ("%s\n", _("It makes use of libcurl to do so. It tries to be as compatible to check_http"));
1941 printf ("%s\n", _("as possible."));
1942
1943 printf ("\n\n");
1944
1945 print_usage ();
1946
1947 printf (_("NOTE: One or both of -H and -I must be specified"));
1948
1949 printf ("\n");
1950
1951 printf (UT_HELP_VRSN);
1952 printf (UT_EXTRA_OPTS);
1953
1954 printf (" %s\n", "-H, --hostname=ADDRESS");
1955 printf (" %s\n", _("Host name argument for servers using host headers (virtual host)"));
1956 printf (" %s\n", _("Append a port to include it in the header (eg: example.com:5000)"));
1957 printf (" %s\n", "-I, --IP-address=ADDRESS");
1958 printf (" %s\n", _("IP address or name (use numeric address if possible to bypass DNS lookup)."));
1959 printf (" %s\n", "-p, --port=INTEGER");
1960 printf (" %s", _("Port number (default: "));
1961 printf ("%d)\n", HTTP_PORT);
1962
1963 printf (UT_IPv46);
1964
1965#ifdef LIBCURL_FEATURE_SSL
1966 printf (" %s\n", "-S, --ssl=VERSION[+]");
1967 printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
1968 printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
1969 printf (" %s\n", _("1.2 = TLSv1.2, 1.3 = TLSv1.3). With a '+' suffix, newer versions are also accepted."));
1970 printf (" %s\n", _("Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl"));
1971 printf (" %s\n", "--sni");
1972 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1973#if LIBCURL_VERSION_NUM >= 0x071801
1974 printf (" %s\n", _("Note: --sni is the default in libcurl as SSLv2 and SSLV3 are deprecated and"));
1975 printf (" %s\n", _(" SNI only really works since TLSv1.0"));
1976#else
1977 printf (" %s\n", _("Note: SNI is not supported in libcurl before 7.18.1"));
1978#endif
1979 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
1980 printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
1981 printf (" %s\n", _("(when this option is used the URL is not checked by default. You can use"));
1982 printf (" %s\n", _(" --continue-after-certificate to override this behavior)"));
1983 printf (" %s\n", "--continue-after-certificate");
1984 printf (" %s\n", _("Allows the HTTP check to continue after performing the certificate check."));
1985 printf (" %s\n", _("Does nothing unless -C is used."));
1986 printf (" %s\n", "-J, --client-cert=FILE");
1987 printf (" %s\n", _("Name of file that contains the client certificate (PEM format)"));
1988 printf (" %s\n", _("to be used in establishing the SSL session"));
1989 printf (" %s\n", "-K, --private-key=FILE");
1990 printf (" %s\n", _("Name of file containing the private key (PEM format)"));
1991 printf (" %s\n", _("matching the client certificate"));
1992 printf (" %s\n", "--ca-cert=FILE");
1993 printf (" %s\n", _("CA certificate file to verify peer against"));
1994 printf (" %s\n", "-D, --verify-cert");
1995 printf (" %s\n", _("Verify the peer's SSL certificate and hostname"));
1996#endif
1997
1998 printf (" %s\n", "-e, --expect=STRING");
1999 printf (" %s\n", _("Comma-delimited list of strings, at least one of them is expected in"));
2000 printf (" %s", _("the first (status) line of the server response (default: "));
2001 printf ("%s)\n", HTTP_EXPECT);
2002 printf (" %s\n", _("If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)"));
2003 printf (" %s\n", "-d, --header-string=STRING");
2004 printf (" %s\n", _("String to expect in the response headers"));
2005 printf (" %s\n", "-s, --string=STRING");
2006 printf (" %s\n", _("String to expect in the content"));
2007 printf (" %s\n", "-u, --url=PATH");
2008 printf (" %s\n", _("URL to GET or POST (default: /)"));
2009 printf (" %s\n", "-P, --post=STRING");
2010 printf (" %s\n", _("URL encoded http POST data"));
2011 printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
2012 printf (" %s\n", _("Set HTTP method."));
2013 printf (" %s\n", "-N, --no-body");
2014 printf (" %s\n", _("Don't wait for document body: stop reading after headers."));
2015 printf (" %s\n", _("(Note that this still does an HTTP GET or POST, not a HEAD.)"));
2016 printf (" %s\n", "-M, --max-age=SECONDS");
2017 printf (" %s\n", _("Warn if document is more than SECONDS old. the number can also be of"));
2018 printf (" %s\n", _("the form \"10m\" for minutes, \"10h\" for hours, or \"10d\" for days."));
2019 printf (" %s\n", "-T, --content-type=STRING");
2020 printf (" %s\n", _("specify Content-Type header media type when POSTing\n"));
2021 printf (" %s\n", "-l, --linespan");
2022 printf (" %s\n", _("Allow regex to span newlines (must precede -r or -R)"));
2023 printf (" %s\n", "-r, --regex, --ereg=STRING");
2024 printf (" %s\n", _("Search page for regex STRING"));
2025 printf (" %s\n", "-R, --eregi=STRING");
2026 printf (" %s\n", _("Search page for case-insensitive regex STRING"));
2027 printf (" %s\n", "--invert-regex");
2028 printf (" %s\n", _("Return CRITICAL if found, OK if not\n"));
2029 printf (" %s\n", "-a, --authorization=AUTH_PAIR");
2030 printf (" %s\n", _("Username:password on sites with basic authentication"));
2031 printf (" %s\n", "-b, --proxy-authorization=AUTH_PAIR");
2032 printf (" %s\n", _("Username:password on proxy-servers with basic authentication"));
2033 printf (" %s\n", "-A, --useragent=STRING");
2034 printf (" %s\n", _("String to be sent in http header as \"User Agent\""));
2035 printf (" %s\n", "-k, --header=STRING");
2036 printf (" %s\n", _("Any other tags to be sent in http header. Use multiple times for additional headers"));
2037 printf (" %s\n", "-E, --extended-perfdata");
2038 printf (" %s\n", _("Print additional performance data"));
2039 printf (" %s\n", "-B, --show-body");
2040 printf (" %s\n", _("Print body content below status line"));
2041 printf (" %s\n", "-L, --link");
2042 printf (" %s\n", _("Wrap output in HTML link (obsoleted by urlize)"));
2043 printf (" %s\n", "-f, --onredirect=<ok|warning|critical|follow|sticky|stickyport|curl>");
2044 printf (" %s\n", _("How to handle redirected pages. sticky is like follow but stick to the"));
2045 printf (" %s\n", _("specified IP address. stickyport also ensures port stays the same."));
2046 printf (" %s\n", _("follow uses the old redirection algorithm of check_http."));
2047 printf (" %s\n", _("curl uses CURL_FOLLOWLOCATION built into libcurl."));
2048 printf (" %s\n", "--max-redirs=INTEGER");
2049 printf (" %s", _("Maximal number of redirects (default: "));
2050 printf ("%d)\n", DEFAULT_MAX_REDIRS);
2051 printf (" %s\n", "-m, --pagesize=INTEGER<:INTEGER>");
2052 printf (" %s\n", _("Minimum page size required (bytes) : Maximum page size required (bytes)"));
2053 printf ("\n");
2054 printf (" %s\n", "--http-version=VERSION");
2055 printf (" %s\n", _("Connect via specific HTTP protocol."));
2056 printf (" %s\n", _("1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)"));
2057 printf (" %s\n", "--enable-automatic-decompression");
2058 printf (" %s\n", _("Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING)."));
2059 printf (" %s\n", "---cookie-jar=FILE");
2060 printf (" %s\n", _("Store cookies in the cookie jar and send them out when requested."));
2061 printf ("\n");
2062
2063 printf (UT_WARN_CRIT);
2064
2065 printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
2066
2067 printf (UT_VERBOSE);
2068
2069 printf ("\n");
2070 printf ("%s\n", _("Notes:"));
2071 printf (" %s\n", _("This plugin will attempt to open an HTTP connection with the host."));
2072 printf (" %s\n", _("Successful connects return STATE_OK, refusals and timeouts return STATE_CRITICAL"));
2073 printf (" %s\n", _("other errors return STATE_UNKNOWN. Successful connects, but incorrect response"));
2074 printf (" %s\n", _("messages from the host result in STATE_WARNING return values. If you are"));
2075 printf (" %s\n", _("checking a virtual server that uses 'host headers' you must supply the FQDN"));
2076 printf (" %s\n", _("(fully qualified domain name) as the [host_name] argument."));
2077
2078#ifdef LIBCURL_FEATURE_SSL
2079 printf ("\n");
2080 printf (" %s\n", _("This plugin can also check whether an SSL enabled web server is able to"));
2081 printf (" %s\n", _("serve content (optionally within a specified time) or whether the X509 "));
2082 printf (" %s\n", _("certificate is still valid for the specified number of days."));
2083 printf ("\n");
2084 printf (" %s\n", _("Please note that this plugin does not check if the presented server"));
2085 printf (" %s\n", _("certificate matches the hostname of the server, or if the certificate"));
2086 printf (" %s\n", _("has a valid chain of trust to one of the locally installed CAs."));
2087 printf ("\n");
2088 printf ("%s\n", _("Examples:"));
2089 printf (" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com");
2090 printf (" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,"));
2091 printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
2092 printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
2093 printf (" %s\n", _("a STATE_CRITICAL will be returned."));
2094 printf ("\n");
2095 printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14");
2096 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
2097 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
2098 printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
2099 printf (" %s\n\n", _("the certificate is expired."));
2100 printf ("\n");
2101 printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14");
2102 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
2103 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
2104 printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
2105 printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
2106#endif
2107
2108 printf ("\n %s\n", "CHECK WEBSERVER CONTENT VIA PROXY:");
2109 printf (" %s\n", _("It is recommended to use an environment proxy like:"));
2110 printf (" %s\n", _("http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org"));
2111 printf (" %s\n", _("legacy proxy requests in check_http style still work:"));
2112 printf (" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u http://www.monitoring-plugins.org/ -H www.monitoring-plugins.org"));
2113
2114#ifdef LIBCURL_FEATURE_SSL
2115 printf ("\n %s\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: ");
2116 printf (" %s\n", _("It is recommended to use an environment proxy like:"));
2117 printf (" %s\n", _("https_proxy=http://192.168.100.35:3128 ./check_curl -H www.verisign.com -S"));
2118 printf (" %s\n", _("legacy proxy requests in check_http style still work:"));
2119 printf (" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com "));
2120 printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
2121 printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
2122 printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
2123 printf (" %s\n", _("a STATE_CRITICAL will be returned."));
2124
2125#endif
2126
2127 printf (UT_SUPPORT);
2128
2129}
2130
2131
2132
2133void
2134print_usage (void)
2135{
2136 printf ("%s\n", _("Usage:"));
2137 printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
2138 printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>] [-D]\n");
2139 printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n");
2140 printf (" [-b proxy_auth] [-f <ok|warning|critical|follow|sticky|stickyport|curl>]\n");
2141 printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
2142 printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
2143 printf (" [-A string] [-k string] [-S <version>] [--sni]\n");
2144 printf (" [-T <content-type>] [-j method]\n");
2145 printf (" [--http-version=<version>] [--enable-automatic-decompression]\n");
2146 printf (" [--cookie-jar=<cookie jar file>\n");
2147 printf (" %s -H <vhost> | -I <IP-address> -C <warn_age>[,<crit_age>]\n",progname);
2148 printf (" [-p <port>] [-t <timeout>] [-4|-6] [--sni]\n");
2149 printf ("\n");
2150#ifdef LIBCURL_FEATURE_SSL
2151 printf ("%s\n", _("In the first form, make an HTTP request."));
2152 printf ("%s\n\n", _("In the second form, connect to the server and check the TLS certificate."));
2153#endif
2154 printf ("%s\n", _("WARNING: check_curl is experimental. Please use"));
2155 printf ("%s\n\n", _("check_http if you need a stable version."));
2156}
2157
2158void
2159print_curl_version (void)
2160{
2161 printf( "%s\n", curl_version());
2162}
2163
2164int
2165curlhelp_initwritebuffer (curlhelp_write_curlbuf *buf)
2166{
2167 buf->bufsize = DEFAULT_BUFFER_SIZE;
2168 buf->buflen = 0;
2169 buf->buf = (char *)malloc ((size_t)buf->bufsize);
2170 if (buf->buf == NULL) return -1;
2171 return 0;
2172}
2173
2174int
2175curlhelp_buffer_write_callback (void *buffer, size_t size, size_t nmemb, void *stream)
2176{
2177 curlhelp_write_curlbuf *buf = (curlhelp_write_curlbuf *)stream;
2178
2179 while (buf->bufsize < buf->buflen + size * nmemb + 1) {
2180 buf->bufsize = buf->bufsize * 2;
2181 buf->buf = (char *)realloc (buf->buf, buf->bufsize);
2182 if (buf->buf == NULL) {
2183 fprintf(stderr, "malloc failed (%d) %s\n", errno, strerror(errno));
2184 return -1;
2185 }
2186 }
2187
2188 memcpy (buf->buf + buf->buflen, buffer, size * nmemb);
2189 buf->buflen += size * nmemb;
2190 buf->buf[buf->buflen] = '\0';
2191
2192 return (int)(size * nmemb);
2193}
2194
2195int
2196curlhelp_buffer_read_callback (void *buffer, size_t size, size_t nmemb, void *stream)
2197{
2198 curlhelp_read_curlbuf *buf = (curlhelp_read_curlbuf *)stream;
2199
2200 size_t n = min (nmemb * size, buf->buflen - buf->pos);
2201
2202 memcpy (buffer, buf->buf + buf->pos, n);
2203 buf->pos += n;
2204
2205 return (int)n;
2206}
2207
2208void
2209curlhelp_freewritebuffer (curlhelp_write_curlbuf *buf)
2210{
2211 free (buf->buf);
2212 buf->buf = NULL;
2213}
2214
2215int
2216curlhelp_initreadbuffer (curlhelp_read_curlbuf *buf, const char *data, size_t datalen)
2217{
2218 buf->buflen = datalen;
2219 buf->buf = (char *)malloc ((size_t)buf->buflen);
2220 if (buf->buf == NULL) return -1;
2221 memcpy (buf->buf, data, datalen);
2222 buf->pos = 0;
2223 return 0;
2224}
2225
2226void
2227curlhelp_freereadbuffer (curlhelp_read_curlbuf *buf)
2228{
2229 free (buf->buf);
2230 buf->buf = NULL;
2231}
2232
2233/* TODO: where to put this, it's actually part of sstrings2 (logically)?
2234 */
2235const char*
2236strrstr2(const char *haystack, const char *needle)
2237{
2238 int counter;
2239 size_t len;
2240 const char *prev_pos;
2241 const char *pos;
2242
2243 if (haystack == NULL || needle == NULL)
2244 return NULL;
2245
2246 if (haystack[0] == '\0' || needle[0] == '\0')
2247 return NULL;
2248
2249 counter = 0;
2250 prev_pos = NULL;
2251 pos = haystack;
2252 len = strlen (needle);
2253 for (;;) {
2254 pos = strstr (pos, needle);
2255 if (pos == NULL) {
2256 if (counter == 0)
2257 return NULL;
2258 else
2259 return prev_pos;
2260 }
2261 counter++;
2262 prev_pos = pos;
2263 pos += len;
2264 if (*pos == '\0') return prev_pos;
2265 }
2266}
2267
2268int
2269curlhelp_parse_statusline (const char *buf, curlhelp_statusline *status_line)
2270{
2271 char *first_line_end;
2272 char *p;
2273 size_t first_line_len;
2274 char *pp;
2275 const char *start;
2276 char *first_line_buf;
2277
2278 /* find last start of a new header */
2279 start = strrstr2 (buf, "\r\nHTTP/");
2280 if (start != NULL) {
2281 start += 2;
2282 buf = start;
2283 }
2284
2285 first_line_end = strstr(buf, "\r\n");
2286 if (first_line_end == NULL) return -1;
2287
2288 first_line_len = (size_t)(first_line_end - buf);
2289 status_line->first_line = (char *)malloc (first_line_len + 1);
2290 if (status_line->first_line == NULL) return -1;
2291 memcpy (status_line->first_line, buf, first_line_len);
2292 status_line->first_line[first_line_len] = '\0';
2293 first_line_buf = strdup( status_line->first_line );
2294
2295 /* protocol and version: "HTTP/x.x" SP or "HTTP/2" SP */
2296
2297 p = strtok(first_line_buf, "/");
2298 if( p == NULL ) { free( first_line_buf ); return -1; }
2299 if( strcmp( p, "HTTP" ) != 0 ) { free( first_line_buf ); return -1; }
2300
2301 p = strtok( NULL, " " );
2302 if( p == NULL ) { free( first_line_buf ); return -1; }
2303 if( strchr( p, '.' ) != NULL ) {
2304
2305 /* HTTP 1.x case */
2306 strtok( p, "." );
2307 status_line->http_major = (int)strtol( p, &pp, 10 );
2308 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2309 strtok( NULL, " " );
2310 status_line->http_minor = (int)strtol( p, &pp, 10 );
2311 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2312 p += 4; /* 1.x SP */
2313 } else {
2314 /* HTTP 2 case */
2315 status_line->http_major = (int)strtol( p, &pp, 10 );
2316 status_line->http_minor = 0;
2317 p += 2; /* 2 SP */
2318 }
2319
2320 /* status code: "404" or "404.1", then SP */
2321
2322 p = strtok( p, " " );
2323 if( p == NULL ) { free( first_line_buf ); return -1; }
2324 if( strchr( p, '.' ) != NULL ) {
2325 char *ppp;
2326 ppp = strtok( p, "." );
2327 status_line->http_code = (int)strtol( ppp, &pp, 10 );
2328 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2329 ppp = strtok( NULL, "" );
2330 status_line->http_subcode = (int)strtol( ppp, &pp, 10 );
2331 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2332 p += 6; /* 400.1 SP */
2333 } else {
2334 status_line->http_code = (int)strtol( p, &pp, 10 );
2335 status_line->http_subcode = -1;
2336 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
2337 p += 4; /* 400 SP */
2338 }
2339
2340 /* Human readable message: "Not Found" CRLF */
2341
2342 p = strtok( p, "" );
2343 if( p == NULL ) { status_line->msg = ""; return 0; }
2344 status_line->msg = status_line->first_line + ( p - first_line_buf );
2345 free( first_line_buf );
2346
2347 return 0;
2348}
2349
2350void
2351curlhelp_free_statusline (curlhelp_statusline *status_line)
2352{
2353 free (status_line->first_line);
2354}
2355
2356void
2357remove_newlines (char *s)
2358{
2359 char *p;
2360
2361 for (p = s; *p != '\0'; p++)
2362 if (*p == '\r' || *p == '\n')
2363 *p = ' ';
2364}
2365
2366char *
2367get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header)
2368{
2369 int i;
2370 for( i = 0; i < nof_headers; i++ ) {
2371 if(headers[i].name != NULL && strncasecmp( header, headers[i].name, max( headers[i].name_len, 4 ) ) == 0 ) {
2372 return strndup( headers[i].value, headers[i].value_len );
2373 }
2374 }
2375 return NULL;
2376}
2377
2378int
2379check_document_dates (const curlhelp_write_curlbuf *header_buf, char (*msg)[DEFAULT_BUFFER_SIZE])
2380{
2381 char *server_date = NULL;
2382 char *document_date = NULL;
2383 int date_result = STATE_OK;
2384 curlhelp_statusline status_line;
2385 struct phr_header headers[255];
2386 size_t nof_headers = 255;
2387 size_t msglen;
2388
2389 int res = phr_parse_response (header_buf->buf, header_buf->buflen,
2390 &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
2391 headers, &nof_headers, 0);
2392
2393 server_date = get_header_value (headers, nof_headers, "date");
2394 document_date = get_header_value (headers, nof_headers, "last-modified");
2395
2396 if (!server_date || !*server_date) {
2397 char tmp[DEFAULT_BUFFER_SIZE];
2398
2399 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sServer date unknown, "), *msg);
2400 strcpy(*msg, tmp);
2401
2402 date_result = max_state_alt(STATE_UNKNOWN, date_result);
2403
2404 } else if (!document_date || !*document_date) {
2405 char tmp[DEFAULT_BUFFER_SIZE];
2406
2407 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sDocument modification date unknown, "), *msg);
2408 strcpy(*msg, tmp);
2409
2410 date_result = max_state_alt(STATE_CRITICAL, date_result);
2411
2412 } else {
2413 time_t srv_data = curl_getdate (server_date, NULL);
2414 time_t doc_data = curl_getdate (document_date, NULL);
2415 if (verbose >= 2)
2416 printf ("* server date: '%s' (%d), doc_date: '%s' (%d)\n", server_date, (int)srv_data, document_date, (int)doc_data);
2417 if (srv_data <= 0) {
2418 char tmp[DEFAULT_BUFFER_SIZE];
2419
2420 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sServer date \"%100s\" unparsable, "), *msg, server_date);
2421 strcpy(*msg, tmp);
2422
2423 date_result = max_state_alt(STATE_CRITICAL, date_result);
2424 } else if (doc_data <= 0) {
2425 char tmp[DEFAULT_BUFFER_SIZE];
2426
2427 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sDocument date \"%100s\" unparsable, "), *msg, document_date);
2428 strcpy(*msg, tmp);
2429
2430 date_result = max_state_alt(STATE_CRITICAL, date_result);
2431 } else if (doc_data > srv_data + 30) {
2432 char tmp[DEFAULT_BUFFER_SIZE];
2433
2434 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sDocument is %d seconds in the future, "), *msg, (int)doc_data - (int)srv_data);
2435 strcpy(*msg, tmp);
2436
2437 date_result = max_state_alt(STATE_CRITICAL, date_result);
2438 } else if (doc_data < srv_data - maximum_age) {
2439 int n = (srv_data - doc_data);
2440 if (n > (60 * 60 * 24 * 2)) {
2441 char tmp[DEFAULT_BUFFER_SIZE];
2442
2443 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sLast modified %.1f days ago, "), *msg, ((float) n) / (60 * 60 * 24));
2444 strcpy(*msg, tmp);
2445
2446 date_result = max_state_alt(STATE_CRITICAL, date_result);
2447 } else {
2448 char tmp[DEFAULT_BUFFER_SIZE];
2449
2450 snprintf (tmp, DEFAULT_BUFFER_SIZE, _("%sLast modified %d:%02d:%02d ago, "), *msg, n / (60 * 60), (n / 60) % 60, n % 60);
2451 strcpy(*msg, tmp);
2452
2453 date_result = max_state_alt(STATE_CRITICAL, date_result);
2454 }
2455 }
2456 }
2457
2458 if (server_date) free (server_date);
2459 if (document_date) free (document_date);
2460
2461 return date_result;
2462}
2463
2464
2465int
2466get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf)
2467{
2468 const char *s;
2469 int content_length = 0;
2470 char *copy;
2471 struct phr_header headers[255];
2472 size_t nof_headers = 255;
2473 size_t msglen;
2474 char *content_length_s = NULL;
2475 curlhelp_statusline status_line;
2476
2477 int res = phr_parse_response (header_buf->buf, header_buf->buflen,
2478 &status_line.http_major, &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
2479 headers, &nof_headers, 0);
2480
2481 content_length_s = get_header_value (headers, nof_headers, "content-length");
2482 if (!content_length_s) {
2483 return header_buf->buflen + body_buf->buflen;
2484 }
2485 content_length_s += strspn (content_length_s, " \t");
2486 content_length = atoi (content_length_s);
2487 if (content_length != body_buf->buflen) {
2488 /* TODO: should we warn if the actual and the reported body length don't match? */
2489 }
2490
2491 if (content_length_s) free (content_length_s);
2492
2493 return header_buf->buflen + body_buf->buflen;
2494}
2495
2496/* TODO: is there a better way in libcurl to check for the SSL library? */
2497curlhelp_ssl_library
2498curlhelp_get_ssl_library ()
2499{
2500 curl_version_info_data* version_data;
2501 char *ssl_version;
2502 char *library;
2503 curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
2504
2505 version_data = curl_version_info (CURLVERSION_NOW);
2506 if (version_data == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
2507
2508 ssl_version = strdup (version_data->ssl_version);
2509 if (ssl_version == NULL ) return CURLHELP_SSL_LIBRARY_UNKNOWN;
2510
2511 library = strtok (ssl_version, "/");
2512 if (library == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
2513
2514 if (strcmp (library, "OpenSSL") == 0)
2515 ssl_library = CURLHELP_SSL_LIBRARY_OPENSSL;
2516 else if (strcmp (library, "LibreSSL") == 0)
2517 ssl_library = CURLHELP_SSL_LIBRARY_LIBRESSL;
2518 else if (strcmp (library, "GnuTLS") == 0)
2519 ssl_library = CURLHELP_SSL_LIBRARY_GNUTLS;
2520 else if (strcmp (library, "NSS") == 0)
2521 ssl_library = CURLHELP_SSL_LIBRARY_NSS;
2522
2523 if (verbose >= 2)
2524 printf ("* SSL library string is : %s %s (%d)\n", version_data->ssl_version, library, ssl_library);
2525
2526 free (ssl_version);
2527
2528 return ssl_library;
2529}
2530
2531const char*
2532curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
2533{
2534 switch (ssl_library) {
2535 case CURLHELP_SSL_LIBRARY_OPENSSL:
2536 return "OpenSSL";
2537 case CURLHELP_SSL_LIBRARY_LIBRESSL:
2538 return "LibreSSL";
2539 case CURLHELP_SSL_LIBRARY_GNUTLS:
2540 return "GnuTLS";
2541 case CURLHELP_SSL_LIBRARY_NSS:
2542 return "NSS";
2543 case CURLHELP_SSL_LIBRARY_UNKNOWN:
2544 default:
2545 return "unknown";
2546 }
2547}
2548
2549#ifdef LIBCURL_FEATURE_SSL
2550#ifndef USE_OPENSSL
2551time_t
2552parse_cert_date (const char *s)
2553{
2554 struct tm tm;
2555 time_t date;
2556 char *res;
2557
2558 if (!s) return -1;
2559
2560 /* Jan 17 14:25:12 2020 GMT */
2561 res = strptime (s, "%Y-%m-%d %H:%M:%S GMT", &tm);
2562 /* Sep 11 12:00:00 2020 GMT */
2563 if (res == NULL) strptime (s, "%Y %m %d %H:%M:%S GMT", &tm);
2564 date = mktime (&tm);
2565
2566 return date;
2567}
2568
2569/* TODO: this needs cleanup in the sslutils.c, maybe we the #else case to
2570 * OpenSSL could be this function
2571 */
2572int
2573net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit)
2574{
2575 int i;
2576 struct curl_slist* slist;
2577 int cname_found = 0;
2578 char* start_date_str = NULL;
2579 char* end_date_str = NULL;
2580 time_t start_date;
2581 time_t end_date;
2582 char *tz;
2583 float time_left;
2584 int days_left;
2585 int time_remaining;
2586 char timestamp[50] = "";
2587 int status = STATE_UNKNOWN;
2588
2589 if (verbose >= 2)
2590 printf ("**** REQUEST CERTIFICATES ****\n");
2591
2592 for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) {
2593 for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) {
2594 /* find first common name in subject,
2595 * TODO: check alternative subjects for
2596 * TODO: have a decent parser here and not a hack
2597 * multi-host certificate, check wildcards
2598 */
2599 if (strncasecmp (slist->data, "Subject:", 8) == 0) {
2600 int d = 3;
2601 char* p = strstr (slist->data, "CN=");
2602 if (p == NULL) {
2603 d = 5;
2604 p = strstr (slist->data, "CN = ");
2605 }
2606 if (p != NULL) {
2607 if (strncmp (host_name, p+d, strlen (host_name)) == 0) {
2608 cname_found = 1;
2609 }
2610 }
2611 } else if (strncasecmp (slist->data, "Start Date:", 11) == 0) {
2612 start_date_str = &slist->data[11];
2613 } else if (strncasecmp (slist->data, "Expire Date:", 12) == 0) {
2614 end_date_str = &slist->data[12];
2615 } else if (strncasecmp (slist->data, "Cert:", 5) == 0) {
2616 goto HAVE_FIRST_CERT;
2617 }
2618 if (verbose >= 2)
2619 printf ("%d ** %s\n", i, slist->data);
2620 }
2621 }
2622HAVE_FIRST_CERT:
2623
2624 if (verbose >= 2)
2625 printf ("**** REQUEST CERTIFICATES ****\n");
2626
2627 if (!cname_found) {
2628 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
2629 return STATE_CRITICAL;
2630 }
2631
2632 start_date = parse_cert_date (start_date_str);
2633 if (start_date <= 0) {
2634 snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Start Date' in certificate: '%s'"),
2635 start_date_str);
2636 puts (msg);
2637 return STATE_WARNING;
2638 }
2639
2640 end_date = parse_cert_date (end_date_str);
2641 if (end_date <= 0) {
2642 snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Expire Date' in certificate: '%s'"),
2643 start_date_str);
2644 puts (msg);
2645 return STATE_WARNING;
2646 }
2647
2648 time_left = difftime (end_date, time(NULL));
2649 days_left = time_left / 86400;
2650 tz = getenv("TZ");
2651 setenv("TZ", "GMT", 1);
2652 tzset();
2653 strftime(timestamp, 50, "%c %z", localtime(&end_date));
2654 if (tz)
2655 setenv("TZ", tz, 1);
2656 else
2657 unsetenv("TZ");
2658 tzset();
2659
2660 if (days_left > 0 && days_left <= days_till_exp_warn) {
2661 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, days_left, timestamp);
2662 if (days_left > days_till_exp_crit)
2663 status = STATE_WARNING;
2664 else
2665 status = STATE_CRITICAL;
2666 } else if (days_left == 0 && time_left > 0) {
2667 if (time_left >= 3600)
2668 time_remaining = (int) time_left / 3600;
2669 else
2670 time_remaining = (int) time_left / 60;
2671
2672 printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
2673 (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", host_name, time_remaining,
2674 time_left >= 3600 ? "hours" : "minutes", timestamp);
2675
2676 if ( days_left > days_till_exp_crit)
2677 status = STATE_WARNING;
2678 else
2679 status = STATE_CRITICAL;
2680 } else if (time_left < 0) {
2681 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), host_name, timestamp);
2682 status=STATE_CRITICAL;
2683 } else if (days_left == 0) {
2684 printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, timestamp);
2685 if (days_left > days_till_exp_crit)
2686 status = STATE_WARNING;
2687 else
2688 status = STATE_CRITICAL;
2689 } else {
2690 printf(_("OK - Certificate '%s' will expire on %s.\n"), host_name, timestamp);
2691 status = STATE_OK;
2692 }
2693 return status;
2694}
2695#endif /* USE_OPENSSL */
2696#endif /* LIBCURL_FEATURE_SSL */