summaryrefslogtreecommitdiffstats
path: root/plugins/check_curl.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/check_curl.c')
-rw-r--r--plugins/check_curl.c1939
1 files changed, 1939 insertions, 0 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
new file mode 100644
index 0000000..5f6905f
--- /dev/null
+++ b/plugins/check_curl.c
@@ -0,0 +1,1939 @@
1/*****************************************************************************
2*
3* Monitoring check_curl plugin
4*
5* License: GPL
6* Copyright (c) 1999-2017 Monitoring Plugins Development Team
7*
8* Description:
9*
10* This file contains the check_curl plugin
11*
12* This plugin tests the HTTP service on the specified host. It can test
13* normal (http) and secure (https) servers, follow redirects, search for
14* strings and regular expressions, check connection times, and report on
15* certificate expiration times.
16*
17* This plugin uses functions from the curl library, see
18* http://curl.haxx.se
19*
20* This program is free software: you can redistribute it and/or modify
21* it under the terms of the GNU General Public License as published by
22* the Free Software Foundation, either version 3 of the License, or
23* (at your option) any later version.
24*
25* This program is distributed in the hope that it will be useful,
26* but WITHOUT ANY WARRANTY; without even the implied warranty of
27* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28* GNU General Public License for more details.
29*
30* You should have received a copy of the GNU General Public License
31* along with this program. If not, see <http://www.gnu.org/licenses/>.
32*
33*
34*****************************************************************************/
35const char *progname = "check_curl";
36
37const char *copyright = "2006-2017";
38const char *email = "devel@monitoring-plugins.org";
39
40#include <ctype.h>
41
42#include "common.h"
43#include "utils.h"
44
45#ifndef LIBCURL_PROTOCOL_HTTP
46#error libcurl compiled without HTTP support, compiling check_curl plugin does not makes a lot of sense
47#endif
48
49#include "curl/curl.h"
50#include "curl/easy.h"
51
52#include "picohttpparser.h"
53
54#define MAKE_LIBCURL_VERSION(major, minor, patch) ((major)*0x10000 + (minor)*0x100 + (patch))
55
56#define DEFAULT_BUFFER_SIZE 2048
57#define DEFAULT_SERVER_URL "/"
58#define HTTP_EXPECT "HTTP/1."
59enum {
60 HTTP_PORT = 80,
61 HTTPS_PORT = 443,
62 MAX_PORT = 65535
63};
64
65/* for buffers for header and body */
66typedef struct {
67 char *buf;
68 size_t buflen;
69 size_t bufsize;
70} curlhelp_write_curlbuf;
71
72/* for buffering the data sent in PUT */
73typedef struct {
74 char *buf;
75 size_t buflen;
76 off_t pos;
77} curlhelp_read_curlbuf;
78
79/* for parsing the HTTP status line */
80typedef struct {
81 int http_major; /* major version of the protocol, always 1 (HTTP/0.9
82 * never reached the big internet most likely) */
83 int http_minor; /* minor version of the protocol, usually 0 or 1 */
84 int http_code; /* HTTP return code as in RFC 2145 */
85 int http_subcode; /* Microsoft IIS extension, HTTP subcodes, see
86 * http://support.microsoft.com/kb/318380/en-us */
87 const char *msg; /* the human readable message */
88 char *first_line; /* a copy of the first line */
89} curlhelp_statusline;
90
91/* to know the underlying SSL library used by libcurl */
92typedef enum curlhelp_ssl_library {
93 CURLHELP_SSL_LIBRARY_UNKNOWN,
94 CURLHELP_SSL_LIBRARY_OPENSSL,
95 CURLHELP_SSL_LIBRARY_LIBRESSL,
96 CURLHELP_SSL_LIBRARY_GNUTLS,
97 CURLHELP_SSL_LIBRARY_NSS
98} curlhelp_ssl_library;
99
100enum {
101 REGS = 2,
102 MAX_RE_SIZE = 256
103};
104#include "regex.h"
105regex_t preg;
106regmatch_t pmatch[REGS];
107char regexp[MAX_RE_SIZE];
108int cflags = REG_NOSUB | REG_EXTENDED | REG_NEWLINE;
109int errcode;
110int invert_regex = 0;
111
112char *server_address;
113char *host_name;
114char *server_url = DEFAULT_SERVER_URL;
115char server_ip[DEFAULT_BUFFER_SIZE];
116struct curl_slist *server_ips = NULL;
117unsigned short server_port = HTTP_PORT;
118int virtual_port = 0;
119int host_name_length;
120char output_header_search[30] = "";
121char output_string_search[30] = "";
122char *warning_thresholds = NULL;
123char *critical_thresholds = NULL;
124int days_till_exp_warn, days_till_exp_crit;
125thresholds *thlds;
126char user_agent[DEFAULT_BUFFER_SIZE];
127int verbose = 0;
128int show_extended_perfdata = FALSE;
129int min_page_len = 0;
130int max_page_len = 0;
131char *http_method = NULL;
132char *http_post_data = NULL;
133char *http_content_type = NULL;
134CURL *curl;
135struct curl_slist *header_list = NULL;
136curlhelp_write_curlbuf body_buf;
137curlhelp_write_curlbuf header_buf;
138curlhelp_statusline status_line;
139curlhelp_read_curlbuf put_buf;
140char http_header[DEFAULT_BUFFER_SIZE];
141long code;
142long socket_timeout = DEFAULT_SOCKET_TIMEOUT;
143double total_time;
144double time_connect;
145double time_appconnect;
146double time_headers;
147double time_firstbyte;
148char errbuf[CURL_ERROR_SIZE+1];
149CURLcode res;
150char url[DEFAULT_BUFFER_SIZE];
151char msg[DEFAULT_BUFFER_SIZE];
152char perfstring[DEFAULT_BUFFER_SIZE];
153char header_expect[MAX_INPUT_BUFFER] = "";
154char string_expect[MAX_INPUT_BUFFER] = "";
155char server_expect[MAX_INPUT_BUFFER] = HTTP_EXPECT;
156int server_expect_yn = 0;
157char user_auth[MAX_INPUT_BUFFER] = "";
158int display_html = FALSE;
159int onredirect = STATE_OK;
160int use_ssl = FALSE;
161int use_sni = TRUE;
162int check_cert = FALSE;
163typedef union {
164 struct curl_slist* to_info;
165 struct curl_certinfo* to_certinfo;
166} cert_ptr_union;
167cert_ptr_union cert_ptr;
168int ssl_version = CURL_SSLVERSION_DEFAULT;
169char *client_cert = NULL;
170char *client_privkey = NULL;
171char *ca_cert = NULL;
172int is_openssl_callback = FALSE;
173#if defined(HAVE_SSL) && defined(USE_OPENSSL)
174X509 *cert = NULL;
175#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
176int no_body = FALSE;
177int maximum_age = -1;
178int address_family = AF_UNSPEC;
179curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
180
181int process_arguments (int, char**);
182void handle_curl_option_return_code (CURLcode res, const char* option);
183int check_http (void);
184void print_help (void);
185void print_usage (void);
186void print_curl_version (void);
187int curlhelp_initwritebuffer (curlhelp_write_curlbuf*);
188int curlhelp_buffer_write_callback (void*, size_t , size_t , void*);
189void curlhelp_freewritebuffer (curlhelp_write_curlbuf*);
190int curlhelp_initreadbuffer (curlhelp_read_curlbuf *, const char *, size_t);
191int curlhelp_buffer_read_callback (void *, size_t , size_t , void *);
192void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
193curlhelp_ssl_library curlhelp_get_ssl_library (CURL*);
194const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
195int net_noopenssl_check_certificate (cert_ptr_union*, int, int);
196
197int curlhelp_parse_statusline (const char*, curlhelp_statusline *);
198void curlhelp_free_statusline (curlhelp_statusline *);
199char *perfd_time_ssl (double microsec);
200char *get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header);
201int check_document_dates (const curlhelp_write_curlbuf *, char (*msg)[DEFAULT_BUFFER_SIZE]);
202int get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf);
203
204#if defined(HAVE_SSL) && defined(USE_OPENSSL)
205int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit);
206#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
207
208void remove_newlines (char *);
209void test_file (char *);
210
211int
212main (int argc, char **argv)
213{
214 int result = STATE_UNKNOWN;
215
216 setlocale (LC_ALL, "");
217 bindtextdomain (PACKAGE, LOCALEDIR);
218 textdomain (PACKAGE);
219
220 /* Parse extra opts if any */
221 argv = np_extra_opts (&argc, argv, progname);
222
223 /* set defaults */
224 snprintf( user_agent, DEFAULT_BUFFER_SIZE, "%s/v%s (monitoring-plugins %s)",
225 progname, NP_VERSION, VERSION);
226
227 /* parse arguments */
228 if (process_arguments (argc, argv) == ERROR)
229 usage4 (_("Could not parse arguments"));
230
231 if (display_html == TRUE)
232 printf ("<A HREF=\"%s://%s:%d%s\" target=\"_blank\">",
233 use_ssl ? "https" : "http", host_name ? host_name : server_address,
234 server_port, server_url);
235
236 result = check_http ();
237 return result;
238}
239
240#ifdef HAVE_SSL
241#ifdef USE_OPENSSL
242
243int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
244{
245 /* TODO: we get all certificates of the chain, so which ones
246 * should we test?
247 * TODO: is the last certificate always the server certificate?
248 */
249 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
250 return 1;
251}
252
253CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
254{
255 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
256
257 return CURLE_OK;
258}
259
260#endif /* USE_OPENSSL */
261#endif /* HAVE_SSL */
262
263/* Checks if the server 'reply' is one of the expected 'statuscodes' */
264static int
265expected_statuscode (const char *reply, const char *statuscodes)
266{
267 char *expected, *code;
268 int result = 0;
269
270 if ((expected = strdup (statuscodes)) == NULL)
271 die (STATE_UNKNOWN, _("HTTP UNKNOWN - Memory allocation error\n"));
272
273 for (code = strtok (expected, ","); code != NULL; code = strtok (NULL, ","))
274 if (strstr (reply, code) != NULL) {
275 result = 1;
276 break;
277 }
278
279 free (expected);
280 return result;
281}
282
283void
284handle_curl_option_return_code (CURLcode res, const char* option)
285{
286 if (res != CURLE_OK) {
287 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Error while setting cURL option '%s': cURL returned %d - %s"),
288 option, res, curl_easy_strerror(res));
289 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
290 }
291}
292
293int
294check_http (void)
295{
296 int result = STATE_OK;
297 int page_len = 0;
298
299 /* initialize curl */
300 if (curl_global_init (CURL_GLOBAL_DEFAULT) != CURLE_OK)
301 die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_global_init failed\n");
302
303 if ((curl = curl_easy_init()) == NULL)
304 die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_easy_init failed\n");
305
306 if (verbose >= 1)
307 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE), "CURLOPT_VERBOSE");
308
309 /* print everything on stdout like check_http would do */
310 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_STDERR, stdout), "CURLOPT_STDERR");
311
312 /* initialize buffer for body of the answer */
313 if (curlhelp_initwritebuffer(&body_buf) < 0)
314 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
315 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_WRITEFUNCTION");
316 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEDATA, (void *)&body_buf), "CURLOPT_WRITEDATA");
317
318 /* initialize buffer for header of the answer */
319 if (curlhelp_initwritebuffer( &header_buf ) < 0)
320 die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for header\n" );
321 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_HEADERFUNCTION, (curl_write_callback)curlhelp_buffer_write_callback), "CURLOPT_HEADERFUNCTION");
322 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_WRITEHEADER, (void *)&header_buf), "CURLOPT_WRITEHEADER");
323
324 /* set the error buffer */
325 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_ERRORBUFFER, errbuf), "CURLOPT_ERRORBUFFER");
326
327 /* set timeouts */
328 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, socket_timeout), "CURLOPT_CONNECTTIMEOUT");
329 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_TIMEOUT, socket_timeout), "CURLOPT_TIMEOUT");
330
331 /* compose URL: must be the host_name, only if not given take the IP address. */
332 snprintf (url, DEFAULT_BUFFER_SIZE, "%s://%s%s", use_ssl ? "https" : "http",
333 host_name ? host_name : server_address, server_url);
334 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_URL, url), "CURLOPT_URL");
335
336 /* cURL does certificate checking with this host_name (and not the virtual host?
337 * So we force CURLOPT_RESOLVE to make sure the resolver pickes the right IP
338 * for this hostname. */
339#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 3)
340 if (host_name && strcmp (host_name, server_address)) {
341 snprintf (server_ip, DEFAULT_BUFFER_SIZE, "%s:%d:%s", host_name, server_port, server_address);
342 server_ips = curl_slist_append (server_ips, server_ip);
343 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_RESOLVE, server_ips), "CURLOPT_RESOLVE");
344 }
345#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 3) */
346
347 /* set port */
348 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_PORT, server_port), "CURLOPT_PORT");
349
350 /* set HTTP method */
351 if (http_method) {
352 if (!strcmp(http_method, "POST"))
353 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POST, 1), "CURLOPT_POST");
354 else if (!strcmp(http_method, "PUT"))
355 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_UPLOAD, 1), "CURLOPT_UPLOAD");
356 else
357 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CUSTOMREQUEST, http_method), "CURLOPT_CUSTOMREQUEST");
358 }
359
360 /* set hostname (virtual hosts) */
361 if(host_name != NULL) {
362 if((virtual_port != HTTP_PORT && !use_ssl) || (virtual_port != HTTPS_PORT && use_ssl)) {
363 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s:%d", host_name, virtual_port);
364 } else {
365 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s", host_name);
366 }
367 header_list = curl_slist_append (header_list, http_header);
368 }
369
370 /* always close connection, be nice to servers */
371 snprintf (http_header, DEFAULT_BUFFER_SIZE, "Connection: close");
372 header_list = curl_slist_append (header_list, http_header);
373
374 /* set HTTP headers */
375 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPHEADER, header_list ), "CURLOPT_HTTPHEADER");
376
377#ifdef LIBCURL_FEATURE_SSL
378
379 /* set SSL version, warn about unsecure or unsupported versions */
380 if (use_ssl) {
381 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLVERSION, ssl_version), "CURLOPT_SSLVERSION");
382 }
383
384 /* client certificate and key to present to server (SSL) */
385 if (client_cert)
386 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLCERT, client_cert), "CURLOPT_SSLCERT");
387 if (client_privkey)
388 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey), "CURLOPT_SSLKEY");
389 if (ca_cert) {
390 /* per default if we have a CA verify both the peer and the
391 * hostname in the certificate, can be switched off later */
392 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert), "CURLOPT_CAINFO");
393 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1), "CURLOPT_SSL_VERIFYPEER");
394 handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2), "CURLOPT_SSL_VERIFYHOST");
395 } else {
396 /* backward-compatible behaviour, be tolerant in checks
397 * TODO: depending on more options have aspects we want
398 * to be less tolerant about ssl verfications
399 */
400 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0), "CURLOPT_SSL_VERIFYPEER");
401 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0), "CURLOPT_SSL_VERIFYHOST");
402 }
403
404 /* detect SSL library used by libcurl */
405 ssl_library = curlhelp_get_ssl_library (curl);
406
407 /* try hard to get a stack of certificates to verify against */
408 if (check_cert)
409#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1)
410 /* inform curl to report back certificates */
411 switch (ssl_library) {
412 case CURLHELP_SSL_LIBRARY_OPENSSL:
413 case CURLHELP_SSL_LIBRARY_LIBRESSL:
414 /* set callback to extract certificate with OpenSSL context function (works with
415 * OpenSSL-style libraries only!) */
416#ifdef USE_OPENSSL
417 /* libcurl and monitoring plugins built with OpenSSL, good */
418 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
419 is_openssl_callback = TRUE;
420#else /* USE_OPENSSL */
421#endif /* USE_OPENSSL */
422 /* libcurl is built with OpenSSL, monitoring plugins, so falling
423 * back to manually extracting certificate information */
424 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
425 break;
426
427 case CURLHELP_SSL_LIBRARY_NSS:
428#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
429 /* NSS: support for CERTINFO is implemented since 7.34.0 */
430 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
431#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
432 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
433#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
434 break;
435
436 case CURLHELP_SSL_LIBRARY_GNUTLS:
437#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0)
438 /* GnuTLS: support for CERTINFO is implemented since 7.42.0 */
439 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
440#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
441 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library '%s' is too old)\n", curlhelp_get_ssl_library_string (ssl_library));
442#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
443 break;
444
445 case CURLHELP_SSL_LIBRARY_UNKNOWN:
446 default:
447 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (unknown SSL library '%s', must implement first)\n", curlhelp_get_ssl_library_string (ssl_library));
448 break;
449 }
450#else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
451 /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
452 if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
453 handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
454 else
455 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
456#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
457
458#endif /* LIBCURL_FEATURE_SSL */
459
460 /* set default or user-given user agent identification */
461 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERAGENT, user_agent), "CURLOPT_USERAGENT");
462
463 /* authentication */
464 if (strcmp(user_auth, ""))
465 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_USERPWD, user_auth), "CURLOPT_USERPWD");
466
467 /* TODO: parameter auth method, bitfield of following methods:
468 * CURLAUTH_BASIC (default)
469 * CURLAUTH_DIGEST
470 * CURLAUTH_DIGEST_IE
471 * CURLAUTH_NEGOTIATE
472 * CURLAUTH_NTLM
473 * CURLAUTH_NTLM_WB
474 *
475 * convenience tokens for typical sets of methods:
476 * CURLAUTH_ANYSAFE: most secure, without BASIC
477 * or CURLAUTH_ANY: most secure, even BASIC if necessary
478 *
479 * handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST ), "CURLOPT_HTTPAUTH");
480 */
481
482 /* handle redirections */
483 if (onredirect == STATE_DEPENDENT) {
484 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_FOLLOWLOCATION, 1), "CURLOPT_FOLLOWLOCATION");
485 /* TODO: handle the following aspects of redirection
486 CURLOPT_POSTREDIR: method switch
487 CURLINFO_REDIRECT_URL: custom redirect option
488 CURLOPT_REDIRECT_PROTOCOLS
489 CURLINFO_REDIRECT_COUNT
490 */
491 }
492
493 /* no-body */
494 if (no_body)
495 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_NOBODY, 1), "CURLOPT_NOBODY");
496
497 /* IPv4 or IPv6 forced DNS resolution */
498 if (address_family == AF_UNSPEC)
499 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_WHATEVER), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_WHATEVER)");
500 else if (address_family == AF_INET)
501 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V4)");
502#if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6)
503 else if (address_family == AF_INET6)
504 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6), "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V6)");
505#endif
506
507 /* either send http POST data (any data, not only POST)*/
508 if (!strcmp(http_method, "POST") ||!strcmp(http_method, "PUT")) {
509 /* set content of payload for POST and PUT */
510 if (http_content_type) {
511 snprintf (http_header, DEFAULT_BUFFER_SIZE, "Content-Type: %s", http_content_type);
512 header_list = curl_slist_append (header_list, http_header);
513 }
514 /* NULL indicates "HTTP Continue" in libcurl, provide an empty string
515 * in case of no POST/PUT data */
516 if (!http_post_data)
517 http_post_data = "";
518 if (!strcmp(http_method, "POST")) {
519 /* POST method, set payload with CURLOPT_POSTFIELDS */
520 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_POSTFIELDS, http_post_data), "CURLOPT_POSTFIELDS");
521 } else if (!strcmp(http_method, "PUT")) {
522 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READFUNCTION, (curl_read_callback)curlhelp_buffer_read_callback), "CURLOPT_READFUNCTION");
523 curlhelp_initreadbuffer (&put_buf, http_post_data, strlen (http_post_data));
524 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_READDATA, (void *)&put_buf), "CURLOPT_READDATA");
525 handle_curl_option_return_code (curl_easy_setopt (curl, CURLOPT_INFILESIZE, (curl_off_t)strlen (http_post_data)), "CURLOPT_INFILESIZE");
526 }
527 }
528
529 /* do the request */
530 res = curl_easy_perform(curl);
531
532 if (verbose>=2 && http_post_data)
533 printf ("**** REQUEST CONTENT ****\n%s\n", http_post_data);
534
535 /* free header and server IP resolve lists, we don't need it anymore */
536 curl_slist_free_all (header_list);
537 curl_slist_free_all (server_ips);
538
539 /* Curl errors, result in critical Nagios state */
540 if (res != CURLE_OK) {
541 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host on port %d: cURL returned %d - %s"),
542 server_port, res, curl_easy_strerror(res));
543 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
544 }
545
546 /* certificate checks */
547#ifdef LIBCURL_FEATURE_SSL
548 if (use_ssl == TRUE) {
549 if (check_cert == TRUE) {
550 if (is_openssl_callback) {
551#ifdef USE_OPENSSL
552 /* check certificate with OpenSSL functions, curl has been built against OpenSSL
553 * and we actually have OpenSSL in the monitoring tools
554 */
555 result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
556 return result;
557#else /* USE_OPENSSL */
558 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
559#endif /* USE_OPENSSL */
560 } else {
561 int i;
562 struct curl_slist *slist;
563
564 cert_ptr.to_info = NULL;
565 res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
566 if (!res && cert_ptr.to_info) {
567#ifdef USE_OPENSSL
568 /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert parsing
569 * We only check the first certificate and assume it's the one of the server
570 */
571 const char* raw_cert = NULL;
572 for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
573 for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
574 if (verbose >= 2)
575 printf ("%d ** %s\n", i, slist->data);
576 if (strncmp (slist->data, "Cert:", 5) == 0) {
577 raw_cert = &slist->data[5];
578 goto GOT_FIRST_CERT;
579 }
580 }
581 }
582GOT_FIRST_CERT:
583 if (!raw_cert) {
584 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates from CERTINFO information - certificate data was empty"));
585 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
586 }
587 BIO* cert_BIO = BIO_new (BIO_s_mem());
588 BIO_write (cert_BIO, raw_cert, strlen(raw_cert));
589 cert = PEM_read_bio_X509 (cert_BIO, NULL, NULL, NULL);
590 if (!cert) {
591 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot read certificate from CERTINFO information - BIO error"));
592 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
593 }
594 BIO_free (cert_BIO);
595 result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
596 return result;
597#else /* USE_OPENSSL */
598 /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
599 * so we use the libcurl CURLINFO data
600 */
601 result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
602 return result;
603#endif /* USE_OPENSSL */
604 } else {
605 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
606 res, curl_easy_strerror(res));
607 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
608 }
609 }
610 }
611 }
612#endif /* LIBCURL_FEATURE_SSL */
613
614 /* we got the data and we executed the request in a given time, so we can append
615 * performance data to the answer always
616 */
617 handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_TOTAL_TIME, &total_time), "CURLINFO_TOTAL_TIME");
618 if(show_extended_perfdata) {
619 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_CONNECT_TIME, &time_connect), "CURLINFO_CONNECT_TIME");
620 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_APPCONNECT_TIME, &time_appconnect), "CURLINFO_APPCONNECT_TIME");
621 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_PRETRANSFER_TIME, &time_headers), "CURLINFO_PRETRANSFER_TIME");
622 handle_curl_option_return_code (curl_easy_getinfo(curl, CURLINFO_STARTTRANSFER_TIME, &time_firstbyte), "CURLINFO_STARTTRANSFER_TIME");
623 snprintf(perfstring, DEFAULT_BUFFER_SIZE, "time=%.6gs;%.6g;%.6g;; size=%dB;;; time_connect=%.6gs;;;; %s time_headers=%.6gs;;;; time_firstbyte=%.6gs;;;; time_transfer=%.6gs;;;;",
624 total_time,
625 warning_thresholds != NULL ? (double)thlds->warning->end : 0.0,
626 critical_thresholds != NULL ? (double)thlds->critical->end : 0.0,
627 (int)body_buf.buflen,
628 time_connect,
629 use_ssl == TRUE ? perfd_time_ssl(time_appconnect-time_connect) : "",
630 (time_headers - time_appconnect),
631 (time_firstbyte - time_headers),
632 (total_time-time_firstbyte)
633 );
634 } else {
635 snprintf(perfstring, DEFAULT_BUFFER_SIZE, "time=%.6gs;%.6g;%.6g;; size=%dB;;;",
636 total_time,
637 warning_thresholds != NULL ? (double)thlds->warning->end : 0.0,
638 critical_thresholds != NULL ? (double)thlds->critical->end : 0.0,
639 (int)body_buf.buflen);
640 }
641
642 /* return a CRITICAL status if we couldn't read any data */
643 if (strlen(header_buf.buf) == 0 && strlen(body_buf.buf) == 0)
644 die (STATE_CRITICAL, _("HTTP CRITICAL - No header received from host\n"));
645
646 /* get status line of answer, check sanity of HTTP code */
647 if (curlhelp_parse_statusline (header_buf.buf, &status_line) < 0) {
648 snprintf (msg, DEFAULT_BUFFER_SIZE, "Unparseable status line in %.3g seconds response time|%s\n",
649 code, total_time, perfstring);
650 die (STATE_CRITICAL, "HTTP CRITICAL HTTP/1.x %d unknown - %s", code, msg);
651 }
652
653 /* get result code from cURL */
654 handle_curl_option_return_code (curl_easy_getinfo (curl, CURLINFO_RESPONSE_CODE, &code), "CURLINFO_RESPONSE_CODE");
655 if (verbose>=2)
656 printf ("* curl CURLINFO_RESPONSE_CODE is %d\n", code);
657
658 /* print status line, header, body if verbose */
659 if (verbose >= 2) {
660 printf ("**** HEADER ****\n%s\n**** CONTENT ****\n%s\n", header_buf.buf,
661 (no_body ? " [[ skipped ]]" : body_buf.buf));
662 }
663
664 /* make sure the status line matches the response we are looking for */
665 if (!expected_statuscode(status_line.first_line, server_expect)) {
666 /* TODO: fix first_line being cut off */
667 if (server_port == HTTP_PORT)
668 snprintf(msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host: %s\n"), status_line.first_line);
669 else
670 snprintf(msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host on port %d: %s\n"), server_port, status_line.first_line);
671 die (STATE_CRITICAL, "HTTP CRITICAL - %s", msg);
672 }
673
674 /* TODO: implement -d header tests */
675 if( server_expect_yn ) {
676 snprintf(msg, DEFAULT_BUFFER_SIZE, _("Status line output matched \"%s\" - "), server_expect);
677 if (verbose)
678 printf ("%s\n",msg);
679 result = STATE_OK;
680 }
681 else {
682 /* illegal return codes result in a critical state */
683 if (code >= 600 || code < 100) {
684 die (STATE_CRITICAL, _("HTTP CRITICAL: Invalid Status (%d, %.40s)\n"), status_line.http_code, status_line.msg);
685 /* server errors result in a critical state */
686 } else if (code >= 500) {
687 result = STATE_CRITICAL;
688 /* client errors result in a warning state */
689 } else if (code >= 400) {
690 result = STATE_WARNING;
691 /* check redirected page if specified */
692 } else if (code >= 300) {
693 if (onredirect == STATE_DEPENDENT) {
694 code = status_line.http_code;
695 }
696 result = max_state_alt (onredirect, result);
697 /* TODO: make sure the last status line has been
698 parsed into the status_line structure
699 */
700 /* all other codes are considered ok */
701 } else {
702 result = STATE_OK;
703 }
704 }
705
706 /* check status codes, set exit status accordingly */
707 if( status_line.http_code != code ) {
708 die (STATE_CRITICAL, _("HTTP CRITICAL HTTP/%d.%d %d %s - different HTTP codes (cUrl has %ld)\n"),
709 status_line.http_major, status_line.http_minor,
710 status_line.http_code, status_line.msg, code);
711 }
712
713 if (maximum_age >= 0) {
714 result = max_state_alt(check_document_dates(&header_buf, &msg), result);
715 }
716
717 /* Page and Header content checks go here */
718
719 if (strlen (header_expect)) {
720 if (!strstr (header_buf.buf, header_expect)) {
721 strncpy(&output_header_search[0],header_expect,sizeof(output_header_search));
722 if(output_header_search[sizeof(output_header_search)-1]!='\0') {
723 bcopy("...",&output_header_search[sizeof(output_header_search)-4],4);
724 }
725 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sheader '%s' not found on '%s://%s:%d%s', "), msg, output_header_search, use_ssl ? "https" : "http", host_name ? host_name : server_address, server_port, server_url);
726 result = STATE_CRITICAL;
727 }
728 }
729
730 if (strlen (string_expect)) {
731 if (!strstr (body_buf.buf, string_expect)) {
732 strncpy(&output_string_search[0],string_expect,sizeof(output_string_search));
733 if(output_string_search[sizeof(output_string_search)-1]!='\0') {
734 bcopy("...",&output_string_search[sizeof(output_string_search)-4],4);
735 }
736 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sstring '%s' not found on '%s://%s:%d%s', "), msg, output_string_search, use_ssl ? "https" : "http", host_name ? host_name : server_address, server_port, server_url);
737 result = STATE_CRITICAL;
738 }
739 }
740
741 if (strlen (regexp)) {
742 errcode = regexec (&preg, body_buf.buf, REGS, pmatch, 0);
743 if ((errcode == 0 && invert_regex == 0) || (errcode == REG_NOMATCH && invert_regex == 1)) {
744 /* OK - No-op to avoid changing the logic around it */
745 result = max_state_alt(STATE_OK, result);
746 }
747 else if ((errcode == REG_NOMATCH && invert_regex == 0) || (errcode == 0 && invert_regex == 1)) {
748 if (invert_regex == 0)
749 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spattern not found, "), msg);
750 else
751 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spattern found, "), msg);
752 result = STATE_CRITICAL;
753 }
754 else {
755 /* FIXME: Shouldn't that be UNKNOWN? */
756 regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER);
757 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sExecute Error: %s, "), msg, errbuf);
758 result = STATE_CRITICAL;
759 }
760 }
761
762 /* make sure the page is of an appropriate size
763 * TODO: as far I can tell check_http gets the full size of header and
764 * if -N is not given header+body. Does this make sense?
765 *
766 * TODO: check_http.c had a get_length function, the question is really
767 * here what to use? the raw data size of the header_buf, the value of
768 * Content-Length, both and warn if they differ? Should the length be
769 * header+body or only body?
770 *
771 * One possible policy:
772 * - use header_buf.buflen (warning, if it mismatches to the Content-Length value
773 * - if -N (nobody) is given, use Content-Length only and hope the server set
774 * the value correcly
775 */
776 page_len = get_content_length(&header_buf, &body_buf);
777 if ((max_page_len > 0) && (page_len > max_page_len)) {
778 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spage size %d too large, "), msg, page_len);
779 result = max_state_alt(STATE_WARNING, result);
780 } else if ((min_page_len > 0) && (page_len < min_page_len)) {
781 snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spage size %d too small, "), msg, page_len);
782 result = max_state_alt(STATE_WARNING, result);
783 }
784
785 /* -w, -c: check warning and critical level */
786 result = max_state_alt(get_status(total_time, thlds), result);
787
788 /* Cut-off trailing characters */
789 if(msg[strlen(msg)-2] == ',')
790 msg[strlen(msg)-2] = '\0';
791 else
792 msg[strlen(msg)-3] = '\0';
793
794 /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */
795 die (result, "HTTP %s: HTTP/%d.%d %d %s%s%s - %d bytes in %.3f second response time %s|%s\n",
796 state_text(result), status_line.http_major, status_line.http_minor,
797 status_line.http_code, status_line.msg,
798 strlen(msg) > 0 ? " - " : "",
799 msg, page_len, total_time,
800 (display_html ? "</A>" : ""),
801 perfstring);
802
803 /* proper cleanup after die? */
804 curlhelp_free_statusline(&status_line);
805 curl_easy_cleanup (curl);
806 curl_global_cleanup ();
807 curlhelp_freewritebuffer (&body_buf);
808 curlhelp_freewritebuffer (&header_buf);
809 if (!strcmp (http_method, "PUT")) {
810 curlhelp_freereadbuffer (&put_buf);
811 }
812
813 return result;
814}
815
816/* check whether a file exists */
817void
818test_file (char *path)
819{
820 if (access(path, R_OK) == 0)
821 return;
822 usage2 (_("file does not exist or is not readable"), path);
823}
824
825int
826process_arguments (int argc, char **argv)
827{
828 char *p;
829 int c = 1;
830 char *temp;
831
832 enum {
833 INVERT_REGEX = CHAR_MAX + 1,
834 SNI_OPTION,
835 CA_CERT_OPTION
836 };
837
838 int option = 0;
839 int got_plus = 0;
840 static struct option longopts[] = {
841 STD_LONG_OPTS,
842 {"link", no_argument, 0, 'L'},
843 {"nohtml", no_argument, 0, 'n'},
844 {"ssl", optional_argument, 0, 'S'},
845 {"sni", no_argument, 0, SNI_OPTION},
846 {"post", required_argument, 0, 'P'},
847 {"method", required_argument, 0, 'j'},
848 {"IP-address", required_argument, 0, 'I'},
849 {"url", required_argument, 0, 'u'},
850 {"port", required_argument, 0, 'p'},
851 {"authorization", required_argument, 0, 'a'},
852 {"header-string", required_argument, 0, 'd'},
853 {"string", required_argument, 0, 's'},
854 {"expect", required_argument, 0, 'e'},
855 {"regex", required_argument, 0, 'r'},
856 {"ereg", required_argument, 0, 'r'},
857 {"eregi", required_argument, 0, 'R'},
858 {"linespan", no_argument, 0, 'l'},
859 {"onredirect", required_argument, 0, 'f'},
860 {"certificate", required_argument, 0, 'C'},
861 {"client-cert", required_argument, 0, 'J'},
862 {"private-key", required_argument, 0, 'K'},
863 {"ca-cert", required_argument, 0, CA_CERT_OPTION},
864 {"useragent", required_argument, 0, 'A'},
865 {"header", required_argument, 0, 'k'},
866 {"no-body", no_argument, 0, 'N'},
867 {"max-age", required_argument, 0, 'M'},
868 {"content-type", required_argument, 0, 'T'},
869 {"pagesize", required_argument, 0, 'm'},
870 {"invert-regex", no_argument, NULL, INVERT_REGEX},
871 {"use-ipv4", no_argument, 0, '4'},
872 {"use-ipv6", no_argument, 0, '6'},
873 {"extended-perfdata", no_argument, 0, 'E'},
874 {0, 0, 0, 0}
875 };
876
877 if (argc < 2)
878 return ERROR;
879
880 /* support check_http compatible arguments */
881 for (c = 1; c < argc; c++) {
882 if (strcmp ("-to", argv[c]) == 0)
883 strcpy (argv[c], "-t");
884 if (strcmp ("-hn", argv[c]) == 0)
885 strcpy (argv[c], "-H");
886 if (strcmp ("-wt", argv[c]) == 0)
887 strcpy (argv[c], "-w");
888 if (strcmp ("-ct", argv[c]) == 0)
889 strcpy (argv[c], "-c");
890 if (strcmp ("-nohtml", argv[c]) == 0)
891 strcpy (argv[c], "-n");
892 }
893
894 while (1) {
895 c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:NE", longopts, &option);
896 if (c == -1 || c == EOF || c == 1)
897 break;
898
899 switch (c) {
900 case 'h':
901 print_help();
902 exit(STATE_UNKNOWN);
903 break;
904 case 'V':
905 print_revision(progname, NP_VERSION);
906 print_curl_version();
907 exit(STATE_UNKNOWN);
908 break;
909 case 'v':
910 verbose++;
911 break;
912 case 't': /* timeout period */
913 if (!is_intnonneg (optarg))
914 usage2 (_("Timeout interval must be a positive integer"), optarg);
915 else
916 socket_timeout = (int)strtol (optarg, NULL, 10);
917 break;
918 case 'c': /* critical time threshold */
919 critical_thresholds = optarg;
920 break;
921 case 'w': /* warning time threshold */
922 warning_thresholds = optarg;
923 break;
924 case 'H': /* virtual host */
925 host_name = strdup (optarg);
926 if (host_name[0] == '[') {
927 if ((p = strstr (host_name, "]:")) != NULL) { /* [IPv6]:port */
928 virtual_port = atoi (p + 2);
929 /* cut off the port */
930 host_name_length = strlen (host_name) - strlen (p) - 1;
931 free (host_name);
932 host_name = strndup (optarg, host_name_length);
933 }
934 } else if ((p = strchr (host_name, ':')) != NULL
935 && strchr (++p, ':') == NULL) { /* IPv4:port or host:port */
936 virtual_port = atoi (p);
937 /* cut off the port */
938 host_name_length = strlen (host_name) - strlen (p) - 1;
939 free (host_name);
940 host_name = strndup (optarg, host_name_length);
941 }
942 break;
943 case 'I': /* internet address */
944 server_address = strdup (optarg);
945 break;
946 case 'u': /* URL path */
947 server_url = strdup (optarg);
948 break;
949 case 'p': /* Server port */
950 if (!is_intnonneg (optarg))
951 usage2 (_("Invalid port number, expecting a non-negative number"), optarg);
952 else {
953 if( strtol(optarg, NULL, 10) > MAX_PORT)
954 usage2 (_("Invalid port number, supplied port number is too big"), optarg);
955 server_port = (unsigned short)strtol(optarg, NULL, 10);
956 }
957 break;
958 case 'a': /* authorization info */
959 strncpy (user_auth, optarg, MAX_INPUT_BUFFER - 1);
960 user_auth[MAX_INPUT_BUFFER - 1] = 0;
961 break;
962 case 'P': /* HTTP POST data in URL encoded format; ignored if settings already */
963 if (! http_post_data)
964 http_post_data = strdup (optarg);
965 if (! http_method)
966 http_method = strdup("POST");
967 break;
968 case 'j': /* Set HTTP method */
969 if (http_method)
970 free(http_method);
971 http_method = strdup (optarg);
972 break;
973 case 'A': /* useragent */
974 snprintf (user_agent, DEFAULT_BUFFER_SIZE, optarg);
975 break;
976 case 'k': /* Additional headers */
977 header_list = curl_slist_append(header_list, optarg);
978 break;
979 case 'L': /* show html link */
980 display_html = TRUE;
981 break;
982 case 'n': /* do not show html link */
983 display_html = FALSE;
984 break;
985 case 'C': /* Check SSL cert validity */
986#ifdef LIBCURL_FEATURE_SSL
987 if ((temp=strchr(optarg,','))!=NULL) {
988 *temp='\0';
989 if (!is_intnonneg (optarg))
990 usage2 (_("Invalid certificate expiration period"), optarg);
991 days_till_exp_warn = atoi(optarg);
992 *temp=',';
993 temp++;
994 if (!is_intnonneg (temp))
995 usage2 (_("Invalid certificate expiration period"), temp);
996 days_till_exp_crit = atoi (temp);
997 }
998 else {
999 days_till_exp_crit=0;
1000 if (!is_intnonneg (optarg))
1001 usage2 (_("Invalid certificate expiration period"), optarg);
1002 days_till_exp_warn = atoi (optarg);
1003 }
1004 check_cert = TRUE;
1005 goto enable_ssl;
1006#endif
1007 case 'J': /* use client certificate */
1008#ifdef LIBCURL_FEATURE_SSL
1009 test_file(optarg);
1010 client_cert = optarg;
1011 goto enable_ssl;
1012#endif
1013 case 'K': /* use client private key */
1014#ifdef LIBCURL_FEATURE_SSL
1015 test_file(optarg);
1016 client_privkey = optarg;
1017 goto enable_ssl;
1018#endif
1019#ifdef LIBCURL_FEATURE_SSL
1020 case CA_CERT_OPTION: /* use CA chain file */
1021 test_file(optarg);
1022 ca_cert = optarg;
1023 goto enable_ssl;
1024#endif
1025 case 'S': /* use SSL */
1026#ifdef LIBCURL_FEATURE_SSL
1027 enable_ssl:
1028 use_ssl = TRUE;
1029 /* ssl_version initialized to CURL_SSLVERSION_TLSv1_0 as a default.
1030 * Only set if it's non-zero. This helps when we include multiple
1031 * parameters, like -S and -C combinations */
1032 ssl_version = CURL_SSLVERSION_TLSv1_0;
1033 if (c=='S' && optarg != NULL) {
1034 char *plus_ptr = strchr(optarg, '+');
1035 if (plus_ptr) {
1036 got_plus = 1;
1037 *plus_ptr = '\0';
1038 }
1039
1040 if (optarg[0] == '2')
1041 ssl_version = CURL_SSLVERSION_SSLv2;
1042 else if (optarg[0] == '3')
1043 ssl_version = CURL_SSLVERSION_SSLv3;
1044 else if (!strcmp (optarg, "1") || !strcmp (optarg, "1.0"))
1045#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1046 ssl_version = CURL_SSLVERSION_TLSv1_0;
1047#else
1048 ssl_version = CURL_SSLVERSION_DEFAULT;
1049#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1050 else if (!strcmp (optarg, "1.1"))
1051#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1052 ssl_version = CURL_SSLVERSION_TLSv1_1;
1053#else
1054 ssl_version = CURL_SSLVERSION_DEFAULT;
1055#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1056 else if (!strcmp (optarg, "1.2"))
1057#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1058 ssl_version = CURL_SSLVERSION_TLSv1_2;
1059#else
1060 ssl_version = CURL_SSLVERSION_DEFAULT;
1061#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1062 else if (!strcmp (optarg, "1.3"))
1063#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0)
1064 ssl_version = CURL_SSLVERSION_TLSv1_3;
1065#else
1066 ssl_version = CURL_SSLVERSION_DEFAULT;
1067#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) */
1068 else
1069 usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)"));
1070 }
1071#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0)
1072 if (got_plus) {
1073 switch (ssl_version) {
1074 case CURL_SSLVERSION_TLSv1_3:
1075 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3;
1076 break;
1077 case CURL_SSLVERSION_TLSv1_2:
1078 case CURL_SSLVERSION_TLSv1_1:
1079 case CURL_SSLVERSION_TLSv1_0:
1080 ssl_version |= CURL_SSLVERSION_MAX_DEFAULT;
1081 break;
1082 }
1083 } else {
1084 switch (ssl_version) {
1085 case CURL_SSLVERSION_TLSv1_3:
1086 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_3;
1087 break;
1088 case CURL_SSLVERSION_TLSv1_2:
1089 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_2;
1090 break;
1091 case CURL_SSLVERSION_TLSv1_1:
1092 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_1;
1093 break;
1094 case CURL_SSLVERSION_TLSv1_0:
1095 ssl_version |= CURL_SSLVERSION_MAX_TLSv1_0;
1096 break;
1097 }
1098 }
1099#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) */
1100 if (verbose >= 2)
1101 printf(_("* Set SSL/TLS version to %d\n"), ssl_version);
1102 if (server_port == HTTP_PORT)
1103 server_port = HTTPS_PORT;
1104 break;
1105#else /* LIBCURL_FEATURE_SSL */
1106 /* -C -J and -K fall through to here without SSL */
1107 usage4 (_("Invalid option - SSL is not available"));
1108 break;
1109 case SNI_OPTION: /* --sni is parsed, but ignored, the default is TRUE with libcurl */
1110 use_sni = TRUE;
1111 break;
1112#endif /* LIBCURL_FEATURE_SSL */
1113 case 'f': /* onredirect */
1114 if (!strcmp (optarg, "ok"))
1115 onredirect = STATE_OK;
1116 else if (!strcmp (optarg, "warning"))
1117 onredirect = STATE_WARNING;
1118 else if (!strcmp (optarg, "critical"))
1119 onredirect = STATE_CRITICAL;
1120 else if (!strcmp (optarg, "unknown"))
1121 onredirect = STATE_UNKNOWN;
1122 else if (!strcmp (optarg, "follow"))
1123 onredirect = STATE_DEPENDENT;
1124 else usage2 (_("Invalid onredirect option"), optarg);
1125 if (verbose >= 2)
1126 printf(_("* Following redirects set to %s\n"), state_text(onredirect));
1127 break;
1128 case 'd': /* string or substring */
1129 strncpy (header_expect, optarg, MAX_INPUT_BUFFER - 1);
1130 header_expect[MAX_INPUT_BUFFER - 1] = 0;
1131 break;
1132 case 's': /* string or substring */
1133 strncpy (string_expect, optarg, MAX_INPUT_BUFFER - 1);
1134 string_expect[MAX_INPUT_BUFFER - 1] = 0;
1135 break;
1136 case 'e': /* string or substring */
1137 strncpy (server_expect, optarg, MAX_INPUT_BUFFER - 1);
1138 server_expect[MAX_INPUT_BUFFER - 1] = 0;
1139 server_expect_yn = 1;
1140 break;
1141 case 'T': /* Content-type */
1142 http_content_type = strdup (optarg);
1143 break;
1144 case 'l': /* linespan */
1145 cflags &= ~REG_NEWLINE;
1146 break;
1147 case 'R': /* regex */
1148 cflags |= REG_ICASE;
1149 case 'r': /* regex */
1150 strncpy (regexp, optarg, MAX_RE_SIZE - 1);
1151 regexp[MAX_RE_SIZE - 1] = 0;
1152 errcode = regcomp (&preg, regexp, cflags);
1153 if (errcode != 0) {
1154 (void) regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER);
1155 printf (_("Could Not Compile Regular Expression: %s"), errbuf);
1156 return ERROR;
1157 }
1158 break;
1159 case INVERT_REGEX:
1160 invert_regex = 1;
1161 break;
1162 case '4':
1163 address_family = AF_INET;
1164 break;
1165 case '6':
1166#if defined (USE_IPV6) && defined (LIBCURL_FEATURE_IPV6)
1167 address_family = AF_INET6;
1168#else
1169 usage4 (_("IPv6 support not available"));
1170#endif
1171 break;
1172 case 'm': /* min_page_length */
1173 {
1174 char *tmp;
1175 if (strchr(optarg, ':') != (char *)NULL) {
1176 /* range, so get two values, min:max */
1177 tmp = strtok(optarg, ":");
1178 if (tmp == NULL) {
1179 printf("Bad format: try \"-m min:max\"\n");
1180 exit (STATE_WARNING);
1181 } else
1182 min_page_len = atoi(tmp);
1183
1184 tmp = strtok(NULL, ":");
1185 if (tmp == NULL) {
1186 printf("Bad format: try \"-m min:max\"\n");
1187 exit (STATE_WARNING);
1188 } else
1189 max_page_len = atoi(tmp);
1190 } else
1191 min_page_len = atoi (optarg);
1192 break;
1193 }
1194 case 'N': /* no-body */
1195 no_body = TRUE;
1196 break;
1197 case 'M': /* max-age */
1198 {
1199 int L = strlen(optarg);
1200 if (L && optarg[L-1] == 'm')
1201 maximum_age = atoi (optarg) * 60;
1202 else if (L && optarg[L-1] == 'h')
1203 maximum_age = atoi (optarg) * 60 * 60;
1204 else if (L && optarg[L-1] == 'd')
1205 maximum_age = atoi (optarg) * 60 * 60 * 24;
1206 else if (L && (optarg[L-1] == 's' ||
1207 isdigit (optarg[L-1])))
1208 maximum_age = atoi (optarg);
1209 else {
1210 fprintf (stderr, "unparsable max-age: %s\n", optarg);
1211 exit (STATE_WARNING);
1212 }
1213 if (verbose >= 2)
1214 printf ("* Maximal age of document set to %d seconds\n", maximum_age);
1215 }
1216 break;
1217 case 'E': /* show extended perfdata */
1218 show_extended_perfdata = TRUE;
1219 break;
1220 case '?':
1221 /* print short usage statement if args not parsable */
1222 usage5 ();
1223 break;
1224 }
1225 }
1226
1227 c = optind;
1228
1229 if (server_address == NULL && c < argc)
1230 server_address = strdup (argv[c++]);
1231
1232 if (host_name == NULL && c < argc)
1233 host_name = strdup (argv[c++]);
1234
1235 if (server_address == NULL) {
1236 if (host_name == NULL)
1237 usage4 (_("You must specify a server address or host name"));
1238 else
1239 server_address = strdup (host_name);
1240 }
1241
1242 set_thresholds(&thlds, warning_thresholds, critical_thresholds);
1243
1244 if (critical_thresholds && thlds->critical->end>(double)socket_timeout)
1245 socket_timeout = (int)thlds->critical->end + 1;
1246 if (verbose >= 2)
1247 printf ("* Socket timeout set to %d seconds\n", socket_timeout);
1248
1249 if (http_method == NULL)
1250 http_method = strdup ("GET");
1251
1252 if (client_cert && !client_privkey)
1253 usage4 (_("If you use a client certificate you must also specify a private key file"));
1254
1255 if (virtual_port == 0)
1256 virtual_port = server_port;
1257
1258 return TRUE;
1259}
1260
1261void
1262print_help (void)
1263{
1264 print_revision (progname, NP_VERSION);
1265
1266 printf ("Copyright (c) 1999 Ethan Galstad <nagios@nagios.org>\n");
1267 printf ("Copyright (c) 2017 Andreas Baumann <mail@andreasbaumann.cc>\n");
1268 printf (COPYRIGHT, copyright, email);
1269
1270 printf ("%s\n", _("This plugin tests the HTTP service on the specified host. It can test"));
1271 printf ("%s\n", _("normal (http) and secure (https) servers, follow redirects, search for"));
1272 printf ("%s\n", _("strings and regular expressions, check connection times, and report on"));
1273 printf ("%s\n", _("certificate expiration times."));
1274 printf ("\n");
1275 printf ("%s\n", _("It makes use of libcurl to do so. It tries to be as compatible to check_http"));
1276 printf ("%s\n", _("as possible."));
1277
1278 printf ("\n\n");
1279
1280 print_usage ();
1281
1282 printf (_("NOTE: One or both of -H and -I must be specified"));
1283
1284 printf ("\n");
1285
1286 printf (UT_HELP_VRSN);
1287 printf (UT_EXTRA_OPTS);
1288
1289 printf (" %s\n", "-H, --hostname=ADDRESS");
1290 printf (" %s\n", _("Host name argument for servers using host headers (virtual host)"));
1291 printf (" %s\n", _("Append a port to include it in the header (eg: example.com:5000)"));
1292 printf (" %s\n", "-I, --IP-address=ADDRESS");
1293 printf (" %s\n", _("IP address or name (use numeric address if possible to bypass DNS lookup)."));
1294 printf (" %s\n", "-p, --port=INTEGER");
1295 printf (" %s", _("Port number (default: "));
1296 printf ("%d)\n", HTTP_PORT);
1297
1298 printf (UT_IPv46);
1299
1300#ifdef LIBCURL_FEATURE_SSL
1301 printf (" %s\n", "-S, --ssl=VERSION[+]");
1302 printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
1303 printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
1304 printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
1305 printf (" %s\n", _("Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl"));
1306 printf (" %s\n", "--sni");
1307 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1308#if LIBCURL_VERSION_NUM >= 0x071801
1309 printf (" %s\n", _("Note: --sni is the default in libcurl as SSLv2 and SSLV3 are deprecated and"));
1310 printf (" %s\n", _(" SNI only really works since TLSv1.0"));
1311#else
1312 printf (" %s\n", _("Note: SNI is not supported in libcurl before 7.18.1"));
1313#endif
1314 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
1315 printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
1316 printf (" %s\n", _("(when this option is used the URL is not checked.)"));
1317 printf (" %s\n", "-J, --client-cert=FILE");
1318 printf (" %s\n", _("Name of file that contains the client certificate (PEM format)"));
1319 printf (" %s\n", _("to be used in establishing the SSL session"));
1320 printf (" %s\n", "-K, --private-key=FILE");
1321 printf (" %s\n", _("Name of file containing the private key (PEM format)"));
1322 printf (" %s\n", _("matching the client certificate"));
1323 printf (" %s\n", "--ca-cert=FILE");
1324 printf (" %s\n", _("CA certificate file to verify peer against"));
1325#endif
1326
1327 printf (" %s\n", "-e, --expect=STRING");
1328 printf (" %s\n", _("Comma-delimited list of strings, at least one of them is expected in"));
1329 printf (" %s", _("the first (status) line of the server response (default: "));
1330 printf ("%s)\n", HTTP_EXPECT);
1331 printf (" %s\n", _("If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)"));
1332 printf (" %s\n", "-d, --header-string=STRING");
1333 printf (" %s\n", _("String to expect in the response headers"));
1334 printf (" %s\n", "-s, --string=STRING");
1335 printf (" %s\n", _("String to expect in the content"));
1336 printf (" %s\n", "-u, --url=PATH");
1337 printf (" %s\n", _("URL to GET or POST (default: /)"));
1338 printf (" %s\n", "-P, --post=STRING");
1339 printf (" %s\n", _("URL encoded http POST data"));
1340 printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
1341 printf (" %s\n", _("Set HTTP method."));
1342 printf (" %s\n", "-N, --no-body");
1343 printf (" %s\n", _("Don't wait for document body: stop reading after headers."));
1344 printf (" %s\n", _("(Note that this still does an HTTP GET or POST, not a HEAD.)"));
1345 printf (" %s\n", "-M, --max-age=SECONDS");
1346 printf (" %s\n", _("Warn if document is more than SECONDS old. the number can also be of"));
1347 printf (" %s\n", _("the form \"10m\" for minutes, \"10h\" for hours, or \"10d\" for days."));
1348 printf (" %s\n", "-T, --content-type=STRING");
1349 printf (" %s\n", _("specify Content-Type header media type when POSTing\n"));
1350 printf (" %s\n", "-l, --linespan");
1351 printf (" %s\n", _("Allow regex to span newlines (must precede -r or -R)"));
1352 printf (" %s\n", "-r, --regex, --ereg=STRING");
1353 printf (" %s\n", _("Search page for regex STRING"));
1354 printf (" %s\n", "-R, --eregi=STRING");
1355 printf (" %s\n", _("Search page for case-insensitive regex STRING"));
1356 printf (" %s\n", "--invert-regex");
1357 printf (" %s\n", _("Return CRITICAL if found, OK if not\n"));
1358 printf (" %s\n", "-a, --authorization=AUTH_PAIR");
1359 printf (" %s\n", _("Username:password on sites with basic authentication"));
1360 printf (" %s\n", "-A, --useragent=STRING");
1361 printf (" %s\n", _("String to be sent in http header as \"User Agent\""));
1362 printf (" %s\n", "-k, --header=STRING");
1363 printf (" %s\n", _("Any other tags to be sent in http header. Use multiple times for additional headers"));
1364 printf (" %s\n", "-E, --extended-perfdata");
1365 printf (" %s\n", _("Print additional performance data"));
1366 printf (" %s\n", "-L, --link");
1367 printf (" %s\n", _("Wrap output in HTML link (obsoleted by urlize)"));
1368 printf (" %s\n", "-f, --onredirect=<ok|warning|critical|follow>");
1369 printf (" %s\n", _("How to handle redirected pages."));
1370 printf (" %s\n", "-m, --pagesize=INTEGER<:INTEGER>");
1371 printf (" %s\n", _("Minimum page size required (bytes) : Maximum page size required (bytes)"));
1372
1373 printf (UT_WARN_CRIT);
1374
1375 printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
1376
1377 printf (UT_VERBOSE);
1378
1379 printf ("\n");
1380 printf ("%s\n", _("Notes:"));
1381 printf (" %s\n", _("This plugin will attempt to open an HTTP connection with the host."));
1382 printf (" %s\n", _("Successful connects return STATE_OK, refusals and timeouts return STATE_CRITICAL"));
1383 printf (" %s\n", _("other errors return STATE_UNKNOWN. Successful connects, but incorrect response"));
1384 printf (" %s\n", _("messages from the host result in STATE_WARNING return values. If you are"));
1385 printf (" %s\n", _("checking a virtual server that uses 'host headers' you must supply the FQDN"));
1386 printf (" %s\n", _("(fully qualified domain name) as the [host_name] argument."));
1387
1388#ifdef LIBCURL_FEATURE_SSL
1389 printf ("\n");
1390 printf (" %s\n", _("This plugin can also check whether an SSL enabled web server is able to"));
1391 printf (" %s\n", _("serve content (optionally within a specified time) or whether the X509 "));
1392 printf (" %s\n", _("certificate is still valid for the specified number of days."));
1393 printf ("\n");
1394 printf (" %s\n", _("Please note that this plugin does not check if the presented server"));
1395 printf (" %s\n", _("certificate matches the hostname of the server, or if the certificate"));
1396 printf (" %s\n", _("has a valid chain of trust to one of the locally installed CAs."));
1397 printf ("\n");
1398 printf ("%s\n", _("Examples:"));
1399 printf (" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com");
1400 printf (" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,"));
1401 printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
1402 printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
1403 printf (" %s\n", _("a STATE_CRITICAL will be returned."));
1404 printf ("\n");
1405 printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14");
1406 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
1407 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
1408 printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
1409 printf (" %s\n\n", _("the certificate is expired."));
1410 printf ("\n");
1411 printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14");
1412 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
1413 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
1414 printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
1415 printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
1416
1417 printf (" %s\n\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: ");
1418 printf (" %s\n", _("check_curl -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com "));
1419 printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
1420 printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
1421 printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
1422 printf (" %s\n", _("a STATE_CRITICAL will be returned."));
1423
1424#endif
1425
1426 printf (UT_SUPPORT);
1427
1428}
1429
1430
1431
1432void
1433print_usage (void)
1434{
1435 printf ("%s\n", _("Usage:"));
1436 printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
1437 printf (" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>]\n");
1438 printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n");
1439 printf (" [-f <ok|warning|critcal|follow>]\n");
1440 printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
1441 printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
1442 printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
1443 printf (" [-T <content-type>] [-j method]\n", progname);
1444 printf ("\n");
1445 printf ("%s\n", _("WARNING: check_curl is experimental. Please use"));
1446 printf ("%s\n\n", _("check_http if you need a stable version."));
1447}
1448
1449void
1450print_curl_version (void)
1451{
1452 printf( "%s\n", curl_version());
1453}
1454
1455int
1456curlhelp_initwritebuffer (curlhelp_write_curlbuf *buf)
1457{
1458 buf->bufsize = DEFAULT_BUFFER_SIZE;
1459 buf->buflen = 0;
1460 buf->buf = (char *)malloc ((size_t)buf->bufsize);
1461 if (buf->buf == NULL) return -1;
1462 return 0;
1463}
1464
1465int
1466curlhelp_buffer_write_callback (void *buffer, size_t size, size_t nmemb, void *stream)
1467{
1468 curlhelp_write_curlbuf *buf = (curlhelp_write_curlbuf *)stream;
1469
1470 while (buf->bufsize < buf->buflen + size * nmemb + 1) {
1471 buf->bufsize *= buf->bufsize * 2;
1472 buf->buf = (char *)realloc (buf->buf, buf->bufsize);
1473 if (buf->buf == NULL) return -1;
1474 }
1475
1476 memcpy (buf->buf + buf->buflen, buffer, size * nmemb);
1477 buf->buflen += size * nmemb;
1478 buf->buf[buf->buflen] = '\0';
1479
1480 return (int)(size * nmemb);
1481}
1482
1483int
1484curlhelp_buffer_read_callback (void *buffer, size_t size, size_t nmemb, void *stream)
1485{
1486 curlhelp_read_curlbuf *buf = (curlhelp_read_curlbuf *)stream;
1487
1488 size_t n = min (nmemb * size, buf->buflen - buf->pos);
1489
1490 memcpy (buffer, buf->buf + buf->pos, n);
1491 buf->pos += n;
1492
1493 return (int)n;
1494}
1495
1496void
1497curlhelp_freewritebuffer (curlhelp_write_curlbuf *buf)
1498{
1499 free (buf->buf);
1500 buf->buf = NULL;
1501}
1502
1503int
1504curlhelp_initreadbuffer (curlhelp_read_curlbuf *buf, const char *data, size_t datalen)
1505{
1506 buf->buflen = datalen;
1507 buf->buf = (char *)malloc ((size_t)buf->buflen);
1508 if (buf->buf == NULL) return -1;
1509 memcpy (buf->buf, data, datalen);
1510 buf->pos = 0;
1511 return 0;
1512}
1513
1514void
1515curlhelp_freereadbuffer (curlhelp_read_curlbuf *buf)
1516{
1517 free (buf->buf);
1518 buf->buf = NULL;
1519}
1520
1521/* TODO: where to put this, it's actually part of sstrings2 (logically)?
1522 */
1523const char*
1524strrstr2(const char *haystack, const char *needle)
1525{
1526 int counter;
1527 size_t len;
1528 const char *prev_pos;
1529 const char *pos;
1530
1531 if (haystack == NULL || needle == NULL)
1532 return NULL;
1533
1534 if (haystack[0] == '\0' || needle[0] == '\0')
1535 return NULL;
1536
1537 counter = 0;
1538 prev_pos = NULL;
1539 pos = haystack;
1540 len = strlen (needle);
1541 for (;;) {
1542 pos = strstr (pos, needle);
1543 if (pos == NULL) {
1544 if (counter == 0)
1545 return NULL;
1546 else
1547 return prev_pos;
1548 }
1549 counter++;
1550 prev_pos = pos;
1551 pos += len;
1552 if (*pos == '\0') return prev_pos;
1553 }
1554}
1555
1556int
1557curlhelp_parse_statusline (const char *buf, curlhelp_statusline *status_line)
1558{
1559 char *first_line_end;
1560 char *p;
1561 size_t first_line_len;
1562 char *pp;
1563 const char *start;
1564 char *first_line_buf;
1565
1566 /* find last start of a new header */
1567 start = strrstr2 (buf, "\r\nHTTP");
1568 if (start != NULL) {
1569 start += 2;
1570 buf = start;
1571 }
1572
1573 first_line_end = strstr(buf, "\r\n");
1574 if (first_line_end == NULL) return -1;
1575
1576 first_line_len = (size_t)(first_line_end - buf);
1577 status_line->first_line = (char *)malloc (first_line_len + 1);
1578 if (status_line->first_line == NULL) return -1;
1579 memcpy (status_line->first_line, buf, first_line_len);
1580 status_line->first_line[first_line_len] = '\0';
1581 first_line_buf = strdup( status_line->first_line );
1582
1583 /* protocol and version: "HTTP/x.x" SP */
1584
1585 p = strtok(first_line_buf, "/");
1586 if( p == NULL ) { free( first_line_buf ); return -1; }
1587 if( strcmp( p, "HTTP" ) != 0 ) { free( first_line_buf ); return -1; }
1588
1589 p = strtok( NULL, "." );
1590 if( p == NULL ) { free( first_line_buf ); return -1; }
1591 status_line->http_major = (int)strtol( p, &pp, 10 );
1592 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
1593
1594 p = strtok( NULL, " " );
1595 if( p == NULL ) { free( first_line_buf ); return -1; }
1596 status_line->http_minor = (int)strtol( p, &pp, 10 );
1597 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
1598
1599 /* status code: "404" or "404.1", then SP */
1600
1601 p = strtok( NULL, " ." );
1602 if( p == NULL ) { free( first_line_buf ); return -1; }
1603 if( strchr( p, '.' ) != NULL ) {
1604 char *ppp;
1605 ppp = strtok( p, "." );
1606 status_line->http_code = (int)strtol( ppp, &pp, 10 );
1607 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
1608
1609 ppp = strtok( NULL, "" );
1610 status_line->http_subcode = (int)strtol( ppp, &pp, 10 );
1611 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
1612 } else {
1613 status_line->http_code = (int)strtol( p, &pp, 10 );
1614 status_line->http_subcode = -1;
1615 if( *pp != '\0' ) { free( first_line_buf ); return -1; }
1616 }
1617
1618 /* Human readable message: "Not Found" CRLF */
1619
1620 free( first_line_buf );
1621 p = strtok( NULL, "" );
1622 if( p == NULL ) { free( status_line->first_line ); return -1; }
1623 status_line->msg = status_line->first_line + ( p - first_line_buf );
1624
1625 return 0;
1626}
1627
1628void
1629curlhelp_free_statusline (curlhelp_statusline *status_line)
1630{
1631 free (status_line->first_line);
1632}
1633
1634void
1635remove_newlines (char *s)
1636{
1637 char *p;
1638
1639 for (p = s; *p != '\0'; p++)
1640 if (*p == '\r' || *p == '\n')
1641 *p = ' ';
1642}
1643
1644char *
1645perfd_time_ssl (double elapsed_time_ssl)
1646{
1647 return fperfdata ("time_ssl", elapsed_time_ssl, "s", FALSE, 0, FALSE, 0, FALSE, 0, FALSE, 0);
1648}
1649
1650char *
1651get_header_value (const struct phr_header* headers, const size_t nof_headers, const char* header)
1652{
1653 int i;
1654 for( i = 0; i < nof_headers; i++ ) {
1655 if( strncasecmp( header, headers[i].name, max( headers[i].name_len, 4 ) ) == 0 ) {
1656 return strndup( headers[i].value, headers[i].value_len );
1657 }
1658 }
1659 return NULL;
1660}
1661
1662int
1663check_document_dates (const curlhelp_write_curlbuf *header_buf, char (*msg)[DEFAULT_BUFFER_SIZE])
1664{
1665 char *server_date = NULL;
1666 char *document_date = NULL;
1667 int date_result = STATE_OK;
1668 curlhelp_statusline status_line;
1669 struct phr_header headers[255];
1670 size_t nof_headers = 255;
1671 size_t msglen;
1672
1673 int res = phr_parse_response (header_buf->buf, header_buf->buflen,
1674 &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
1675 headers, &nof_headers, 0);
1676
1677 server_date = get_header_value (headers, nof_headers, "date");
1678 document_date = get_header_value (headers, nof_headers, "last-modified");
1679
1680 if (!server_date || !*server_date) {
1681 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sServer date unknown, "), *msg);
1682 date_result = max_state_alt(STATE_UNKNOWN, date_result);
1683 } else if (!document_date || !*document_date) {
1684 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument modification date unknown, "), *msg);
1685 date_result = max_state_alt(STATE_CRITICAL, date_result);
1686 } else {
1687 time_t srv_data = curl_getdate (server_date, NULL);
1688 time_t doc_data = curl_getdate (document_date, NULL);
1689 if (verbose >= 2)
1690 printf ("* server date: '%s' (%d), doc_date: '%s' (%d)\n", server_date, srv_data, document_date, doc_data);
1691 if (srv_data <= 0) {
1692 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sServer date \"%100s\" unparsable, "), *msg, server_date);
1693 date_result = max_state_alt(STATE_CRITICAL, date_result);
1694 } else if (doc_data <= 0) {
1695 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument date \"%100s\" unparsable, "), *msg, document_date);
1696 date_result = max_state_alt(STATE_CRITICAL, date_result);
1697 } else if (doc_data > srv_data + 30) {
1698 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sDocument is %d seconds in the future, "), *msg, (int)doc_data - (int)srv_data);
1699 date_result = max_state_alt(STATE_CRITICAL, date_result);
1700 } else if (doc_data < srv_data - maximum_age) {
1701 int n = (srv_data - doc_data);
1702 if (n > (60 * 60 * 24 * 2)) {
1703 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sLast modified %.1f days ago, "), *msg, ((float) n) / (60 * 60 * 24));
1704 date_result = max_state_alt(STATE_CRITICAL, date_result);
1705 } else {
1706 snprintf (*msg, DEFAULT_BUFFER_SIZE, _("%sLast modified %d:%02d:%02d ago, "), *msg, n / (60 * 60), (n / 60) % 60, n % 60);
1707 date_result = max_state_alt(STATE_CRITICAL, date_result);
1708 }
1709 }
1710 }
1711
1712 if (server_date) free (server_date);
1713 if (document_date) free (document_date);
1714
1715 return date_result;
1716}
1717
1718
1719int
1720get_content_length (const curlhelp_write_curlbuf* header_buf, const curlhelp_write_curlbuf* body_buf)
1721{
1722 const char *s;
1723 int content_length = 0;
1724 char *copy;
1725 struct phr_header headers[255];
1726 size_t nof_headers = 255;
1727 size_t msglen;
1728 char *content_length_s = NULL;
1729 curlhelp_statusline status_line;
1730
1731 int res = phr_parse_response (header_buf->buf, header_buf->buflen,
1732 &status_line.http_minor, &status_line.http_code, &status_line.msg, &msglen,
1733 headers, &nof_headers, 0);
1734
1735 content_length_s = get_header_value (headers, nof_headers, "content-length");
1736 if (!content_length_s) {
1737 return header_buf->buflen + body_buf->buflen;
1738 }
1739 content_length_s += strspn (content_length_s, " \t");
1740 content_length = atoi (content_length_s);
1741 if (content_length != body_buf->buflen) {
1742 /* TODO: should we warn if the actual and the reported body length doen't match? */
1743 }
1744
1745 if (content_length_s) free (content_length_s);
1746
1747 return header_buf->buflen + body_buf->buflen;
1748}
1749
1750/* TODO: is there a better way in libcurl to check for the SSL library? */
1751curlhelp_ssl_library
1752curlhelp_get_ssl_library (CURL* curl)
1753{
1754 curl_version_info_data* version_data;
1755 char *ssl_version;
1756 char *library;
1757 curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
1758
1759 version_data = curl_version_info (CURLVERSION_NOW);
1760 if (version_data == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
1761
1762 ssl_version = strdup (version_data->ssl_version);
1763 if (ssl_version == NULL ) return CURLHELP_SSL_LIBRARY_UNKNOWN;
1764
1765 library = strtok (ssl_version, "/");
1766 if (library == NULL) return CURLHELP_SSL_LIBRARY_UNKNOWN;
1767
1768 if (strcmp (library, "OpenSSL") == 0)
1769 ssl_library = CURLHELP_SSL_LIBRARY_OPENSSL;
1770 else if (strcmp (library, "LibreSSL") == 0)
1771 ssl_library = CURLHELP_SSL_LIBRARY_LIBRESSL;
1772 else if (strcmp (library, "GnuTLS") == 0)
1773 ssl_library = CURLHELP_SSL_LIBRARY_GNUTLS;
1774 else if (strcmp (library, "NSS") == 0)
1775 ssl_library = CURLHELP_SSL_LIBRARY_NSS;
1776
1777 if (verbose >= 2)
1778 printf ("* SSL library string is : %s %s (%d)\n", version_data->ssl_version, library, ssl_library);
1779
1780 free (ssl_version);
1781
1782 return ssl_library;
1783}
1784
1785const char*
1786curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
1787{
1788 switch (ssl_library) {
1789 case CURLHELP_SSL_LIBRARY_OPENSSL:
1790 return "OpenSSL";
1791 case CURLHELP_SSL_LIBRARY_LIBRESSL:
1792 return "LibreSSL";
1793 case CURLHELP_SSL_LIBRARY_GNUTLS:
1794 return "GnuTLS";
1795 case CURLHELP_SSL_LIBRARY_NSS:
1796 return "NSS";
1797 case CURLHELP_SSL_LIBRARY_UNKNOWN:
1798 default:
1799 return "unknown";
1800 }
1801}
1802
1803#ifdef LIBCURL_FEATURE_SSL
1804#ifndef USE_OPENSSL
1805time_t
1806parse_cert_date (const char *s)
1807{
1808 struct tm tm;
1809 time_t date;
1810
1811 if (!s) return -1;
1812
1813 strptime (s, "%Y-%m-%d %H:%M:%S GMT", &tm);
1814 date = mktime (&tm);
1815
1816 return date;
1817}
1818
1819/* TODO: this needs cleanup in the sslutils.c, maybe we the #else case to
1820 * OpenSSL could be this function
1821 */
1822int
1823net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit)
1824{
1825 int i;
1826 struct curl_slist* slist;
1827 int cname_found = 0;
1828 char* start_date_str = NULL;
1829 char* end_date_str = NULL;
1830 time_t start_date;
1831 time_t end_date;
1832 char *tz;
1833 float time_left;
1834 int days_left;
1835 int time_remaining;
1836 char timestamp[50] = "";
1837 int status = STATE_UNKNOWN;
1838
1839 if (verbose >= 2)
1840 printf ("**** REQUEST CERTIFICATES ****\n");
1841
1842 for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) {
1843 for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) {
1844 /* find first common name in subject, TODO: check alternative subjects for
1845 * multi-host certificate, check wildcards
1846 */
1847 if (strncasecmp (slist->data, "Subject:", 8) == 0) {
1848 char* p = strstr (slist->data, "CN=");
1849 if (p != NULL) {
1850 if (strncmp (host_name, p+3, strlen (host_name)) == 0) {
1851 cname_found = 1;
1852 }
1853 }
1854 } else if (strncasecmp (slist->data, "Start Date:", 11) == 0) {
1855 start_date_str = &slist->data[11];
1856 } else if (strncasecmp (slist->data, "Expire Date:", 12) == 0) {
1857 end_date_str = &slist->data[12];
1858 } else if (strncasecmp (slist->data, "Cert:", 5) == 0) {
1859 goto HAVE_FIRST_CERT;
1860 }
1861 if (verbose >= 2)
1862 printf ("%d ** %s\n", i, slist->data);
1863 }
1864 }
1865HAVE_FIRST_CERT:
1866
1867 if (verbose >= 2)
1868 printf ("**** REQUEST CERTIFICATES ****\n");
1869
1870 if (!cname_found) {
1871 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
1872 return STATE_CRITICAL;
1873 }
1874
1875 start_date = parse_cert_date (start_date_str);
1876 if (start_date <= 0) {
1877 snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Start Date' in certificate: '%s'"),
1878 start_date_str);
1879 puts (msg);
1880 return STATE_WARNING;
1881 }
1882
1883 end_date = parse_cert_date (end_date_str);
1884 if (end_date <= 0) {
1885 snprintf (msg, DEFAULT_BUFFER_SIZE, _("WARNING - Unparsable 'Expire Date' in certificate: '%s'"),
1886 start_date_str);
1887 puts (msg);
1888 return STATE_WARNING;
1889 }
1890
1891 time_left = difftime (end_date, time(NULL));
1892 days_left = time_left / 86400;
1893 tz = getenv("TZ");
1894 setenv("TZ", "GMT", 1);
1895 tzset();
1896 strftime(timestamp, 50, "%c %z", localtime(&end_date));
1897 if (tz)
1898 setenv("TZ", tz, 1);
1899 else
1900 unsetenv("TZ");
1901 tzset();
1902
1903 if (days_left > 0 && days_left <= days_till_exp_warn) {
1904 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, days_left, timestamp);
1905 if (days_left > days_till_exp_crit)
1906 status = STATE_WARNING;
1907 else
1908 status = STATE_CRITICAL;
1909 } else if (days_left == 0 && time_left > 0) {
1910 if (time_left >= 3600)
1911 time_remaining = (int) time_left / 3600;
1912 else
1913 time_remaining = (int) time_left / 60;
1914
1915 printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
1916 (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", host_name, time_remaining,
1917 time_left >= 3600 ? "hours" : "minutes", timestamp);
1918
1919 if ( days_left > days_till_exp_crit)
1920 status = STATE_WARNING;
1921 else
1922 status = STATE_CRITICAL;
1923 } else if (time_left < 0) {
1924 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), host_name, timestamp);
1925 status=STATE_CRITICAL;
1926 } else if (days_left == 0) {
1927 printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", host_name, timestamp);
1928 if (days_left > days_till_exp_crit)
1929 status = STATE_WARNING;
1930 else
1931 status = STATE_CRITICAL;
1932 } else {
1933 printf(_("OK - Certificate '%s' will expire on %s.\n"), host_name, timestamp);
1934 status = STATE_OK;
1935 }
1936 return status;
1937}
1938#endif /* USE_OPENSSL */
1939#endif /* LIBCURL_FEATURE_SSL */