summaryrefslogtreecommitdiffstats
path: root/plugins/check_curl.d
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/check_curl.d')
-rw-r--r--plugins/check_curl.d/check_curl_helpers.c1283
-rw-r--r--plugins/check_curl.d/check_curl_helpers.h124
-rw-r--r--plugins/check_curl.d/config.h116
3 files changed, 1523 insertions, 0 deletions
diff --git a/plugins/check_curl.d/check_curl_helpers.c b/plugins/check_curl.d/check_curl_helpers.c
new file mode 100644
index 00000000..d49d8f07
--- /dev/null
+++ b/plugins/check_curl.d/check_curl_helpers.c
@@ -0,0 +1,1283 @@
1#include "./check_curl_helpers.h"
2#include <stdbool.h>
3#include <arpa/inet.h>
4#include <netinet/in.h>
5#include <netdb.h>
6#include <stdlib.h>
7#include <string.h>
8#include "../utils.h"
9#include "check_curl.d/config.h"
10#include "output.h"
11#include "perfdata.h"
12#include "states.h"
13
14extern int verbose;
15char errbuf[MAX_INPUT_BUFFER];
16bool is_openssl_callback = false;
17bool add_sslctx_verify_fun = false;
18
19check_curl_configure_curl_wrapper
20check_curl_configure_curl(const check_curl_static_curl_config config,
21 check_curl_working_state working_state, bool check_cert,
22 bool on_redirect_dependent, int follow_method, int max_depth) {
23 check_curl_configure_curl_wrapper result = {
24 .errorcode = OK,
25 .curl_state =
26 {
27 .curl_global_initialized = false,
28 .curl_easy_initialized = false,
29 .curl = NULL,
30
31 .body_buf_initialized = false,
32 .body_buf = NULL,
33 .header_buf_initialized = false,
34 .header_buf = NULL,
35 .status_line_initialized = false,
36 .status_line = NULL,
37 .put_buf_initialized = false,
38 .put_buf = NULL,
39
40 .header_list = NULL,
41 .host = NULL,
42 },
43 };
44
45 if ((result.curl_state.status_line = calloc(1, sizeof(curlhelp_statusline))) == NULL) {
46 die(STATE_UNKNOWN, "HTTP UNKNOWN - allocation of statusline failed\n");
47 }
48
49 if (curl_global_init(CURL_GLOBAL_DEFAULT) != CURLE_OK) {
50 die(STATE_UNKNOWN, "HTTP UNKNOWN - curl_global_init failed\n");
51 }
52 result.curl_state.curl_global_initialized = true;
53
54 if ((result.curl_state.curl = curl_easy_init()) == NULL) {
55 die(STATE_UNKNOWN, "HTTP UNKNOWN - curl_easy_init failed\n");
56 }
57 result.curl_state.curl_easy_initialized = true;
58
59 if (verbose >= 1) {
60 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_VERBOSE, 1),
61 "CURLOPT_VERBOSE");
62 }
63
64 /* print everything on stdout like check_http would do */
65 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_STDERR, stdout),
66 "CURLOPT_STDERR");
67
68 if (config.automatic_decompression) {
69#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 6)
70 handle_curl_option_return_code(
71 curl_easy_setopt(result.curl_state.curl, CURLOPT_ACCEPT_ENCODING, ""),
72 "CURLOPT_ACCEPT_ENCODING");
73#else
74 handle_curl_option_return_code(
75 curl_easy_setopt(result.curl_state.curl, CURLOPT_ENCODING, ""), "CURLOPT_ENCODING");
76#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 21, 6) */
77 }
78
79 /* initialize buffer for body of the answer */
80 if (curlhelp_initwritebuffer(&result.curl_state.body_buf) < 0) {
81 die(STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n");
82 }
83 result.curl_state.body_buf_initialized = true;
84
85 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_WRITEFUNCTION,
86 curlhelp_buffer_write_callback),
87 "CURLOPT_WRITEFUNCTION");
88 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_WRITEDATA,
89 (void *)result.curl_state.body_buf),
90 "CURLOPT_WRITEDATA");
91
92 /* initialize buffer for header of the answer */
93 if (curlhelp_initwritebuffer(&result.curl_state.header_buf) < 0) {
94 die(STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for header\n");
95 }
96 result.curl_state.header_buf_initialized = true;
97
98 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_HEADERFUNCTION,
99 curlhelp_buffer_write_callback),
100 "CURLOPT_HEADERFUNCTION");
101 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_WRITEHEADER,
102 (void *)result.curl_state.header_buf),
103 "CURLOPT_WRITEHEADER");
104
105 /* set the error buffer */
106 handle_curl_option_return_code(
107 curl_easy_setopt(result.curl_state.curl, CURLOPT_ERRORBUFFER, errbuf),
108 "CURLOPT_ERRORBUFFER");
109
110 /* set timeouts */
111 handle_curl_option_return_code(
112 curl_easy_setopt(result.curl_state.curl, CURLOPT_CONNECTTIMEOUT, config.socket_timeout),
113 "CURLOPT_CONNECTTIMEOUT");
114
115 handle_curl_option_return_code(
116 curl_easy_setopt(result.curl_state.curl, CURLOPT_TIMEOUT, config.socket_timeout),
117 "CURLOPT_TIMEOUT");
118
119 /* enable haproxy protocol */
120 if (config.haproxy_protocol) {
121 handle_curl_option_return_code(
122 curl_easy_setopt(result.curl_state.curl, CURLOPT_HAPROXYPROTOCOL, 1L),
123 "CURLOPT_HAPROXYPROTOCOL");
124 }
125
126 // fill dns resolve cache to make curl connect to the given server_address instead of the
127 // host_name, only required for ssl, because we use the host_name later on to make SNI happy
128 char dnscache[DEFAULT_BUFFER_SIZE];
129 char addrstr[DEFAULT_BUFFER_SIZE / 2];
130 if (working_state.use_ssl && working_state.host_name != NULL) {
131 int res;
132 if ((res = lookup_host(working_state.server_address, addrstr, DEFAULT_BUFFER_SIZE / 2,
133 config.sin_family)) != 0) {
134 die(STATE_CRITICAL,
135 _("Unable to lookup IP address for '%s': getaddrinfo returned %d - %s"),
136 working_state.server_address, res, gai_strerror(res));
137 }
138
139 snprintf(dnscache, DEFAULT_BUFFER_SIZE, "%s:%d:%s", working_state.host_name,
140 working_state.serverPort, addrstr);
141 result.curl_state.host = curl_slist_append(NULL, dnscache);
142 curl_easy_setopt(result.curl_state.curl, CURLOPT_RESOLVE, result.curl_state.host);
143
144 if (verbose >= 1) {
145 printf("* curl CURLOPT_RESOLVE: %s\n", dnscache);
146 }
147 }
148
149 // If server_address is an IPv6 address it must be surround by square brackets
150 struct in6_addr tmp_in_addr;
151 if (inet_pton(AF_INET6, working_state.server_address, &tmp_in_addr) == 1) {
152 char *new_server_address = calloc(strlen(working_state.server_address) + 3, sizeof(char));
153 if (new_server_address == NULL) {
154 die(STATE_UNKNOWN, "HTTP UNKNOWN - Unable to allocate memory\n");
155 }
156 snprintf(new_server_address, strlen(working_state.server_address) + 3, "[%s]",
157 working_state.server_address);
158 working_state.server_address = new_server_address;
159 }
160
161 /* compose URL: use the address we want to connect to, set Host: header later */
162 char *url = fmt_url(working_state);
163
164 if (verbose >= 1) {
165 printf("* curl CURLOPT_URL: %s\n", url);
166 }
167 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_URL, url),
168 "CURLOPT_URL");
169
170 free(url);
171
172 /* extract proxy information for legacy proxy https requests */
173 if (!strcmp(working_state.http_method, "CONNECT") ||
174 strstr(working_state.server_url, "http") == working_state.server_url) {
175 handle_curl_option_return_code(
176 curl_easy_setopt(result.curl_state.curl, CURLOPT_PROXY, working_state.server_address),
177 "CURLOPT_PROXY");
178 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_PROXYPORT,
179 (long)working_state.serverPort),
180 "CURLOPT_PROXYPORT");
181 if (verbose >= 2) {
182 printf("* curl CURLOPT_PROXY: %s:%d\n", working_state.server_address,
183 working_state.serverPort);
184 }
185 working_state.http_method = "GET";
186 handle_curl_option_return_code(
187 curl_easy_setopt(result.curl_state.curl, CURLOPT_URL, working_state.server_url),
188 "CURLOPT_URL");
189 }
190
191 /* disable body for HEAD request */
192 if (working_state.http_method && !strcmp(working_state.http_method, "HEAD")) {
193 working_state.no_body = true;
194 }
195
196 /* set HTTP protocol version */
197 handle_curl_option_return_code(
198 curl_easy_setopt(result.curl_state.curl, CURLOPT_HTTP_VERSION, config.curl_http_version),
199 "CURLOPT_HTTP_VERSION");
200
201 /* set HTTP method */
202 if (working_state.http_method) {
203 if (!strcmp(working_state.http_method, "POST")) {
204 handle_curl_option_return_code(
205 curl_easy_setopt(result.curl_state.curl, CURLOPT_POST, 1), "CURLOPT_POST");
206 } else if (!strcmp(working_state.http_method, "PUT")) {
207 handle_curl_option_return_code(
208 curl_easy_setopt(result.curl_state.curl, CURLOPT_UPLOAD, 1), "CURLOPT_UPLOAD");
209 } else {
210 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl,
211 CURLOPT_CUSTOMREQUEST,
212 working_state.http_method),
213 "CURLOPT_CUSTOMREQUEST");
214 }
215 }
216
217 char *force_host_header = NULL;
218 /* check if Host header is explicitly set in options */
219 if (config.http_opt_headers_count) {
220 for (size_t i = 0; i < config.http_opt_headers_count; i++) {
221 if (strncmp(config.http_opt_headers[i], "Host:", 5) == 0) {
222 force_host_header = config.http_opt_headers[i];
223 }
224 }
225 }
226
227 /* set hostname (virtual hosts), not needed if CURLOPT_CONNECT_TO is used, but left in
228 * anyway */
229 char http_header[DEFAULT_BUFFER_SIZE];
230 if (working_state.host_name != NULL && force_host_header == NULL) {
231 if ((working_state.virtualPort != HTTP_PORT && !working_state.use_ssl) ||
232 (working_state.virtualPort != HTTPS_PORT && working_state.use_ssl)) {
233 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s:%d", working_state.host_name,
234 working_state.virtualPort);
235 } else {
236 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s", working_state.host_name);
237 }
238 result.curl_state.header_list =
239 curl_slist_append(result.curl_state.header_list, http_header);
240 }
241
242 /* always close connection, be nice to servers */
243 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Connection: close");
244 result.curl_state.header_list = curl_slist_append(result.curl_state.header_list, http_header);
245
246 /* attach additional headers supplied by the user */
247 /* optionally send any other header tag */
248 if (config.http_opt_headers_count) {
249 for (size_t i = 0; i < config.http_opt_headers_count; i++) {
250 result.curl_state.header_list =
251 curl_slist_append(result.curl_state.header_list, config.http_opt_headers[i]);
252 }
253 }
254
255 /* set HTTP headers */
256 handle_curl_option_return_code(
257 curl_easy_setopt(result.curl_state.curl, CURLOPT_HTTPHEADER, result.curl_state.header_list),
258 "CURLOPT_HTTPHEADER");
259
260#ifdef LIBCURL_FEATURE_SSL
261 /* set SSL version, warn about insecure or unsupported versions */
262 if (working_state.use_ssl) {
263 handle_curl_option_return_code(
264 curl_easy_setopt(result.curl_state.curl, CURLOPT_SSLVERSION, config.ssl_version),
265 "CURLOPT_SSLVERSION");
266 }
267
268 /* client certificate and key to present to server (SSL) */
269 if (config.client_cert) {
270 handle_curl_option_return_code(
271 curl_easy_setopt(result.curl_state.curl, CURLOPT_SSLCERT, config.client_cert),
272 "CURLOPT_SSLCERT");
273 }
274
275 if (config.client_privkey) {
276 handle_curl_option_return_code(
277 curl_easy_setopt(result.curl_state.curl, CURLOPT_SSLKEY, config.client_privkey),
278 "CURLOPT_SSLKEY");
279 }
280
281 if (config.ca_cert) {
282 handle_curl_option_return_code(
283 curl_easy_setopt(result.curl_state.curl, CURLOPT_CAINFO, config.ca_cert),
284 "CURLOPT_CAINFO");
285 }
286
287 if (config.ca_cert || config.verify_peer_and_host) {
288 /* per default if we have a CA verify both the peer and the
289 * hostname in the certificate, can be switched off later */
290 handle_curl_option_return_code(
291 curl_easy_setopt(result.curl_state.curl, CURLOPT_SSL_VERIFYPEER, 1),
292 "CURLOPT_SSL_VERIFYPEER");
293 handle_curl_option_return_code(
294 curl_easy_setopt(result.curl_state.curl, CURLOPT_SSL_VERIFYHOST, 2),
295 "CURLOPT_SSL_VERIFYHOST");
296 } else {
297 /* backward-compatible behaviour, be tolerant in checks
298 * TODO: depending on more options have aspects we want
299 * to be less tolerant about ssl verfications
300 */
301 handle_curl_option_return_code(
302 curl_easy_setopt(result.curl_state.curl, CURLOPT_SSL_VERIFYPEER, 0),
303 "CURLOPT_SSL_VERIFYPEER");
304 handle_curl_option_return_code(
305 curl_easy_setopt(result.curl_state.curl, CURLOPT_SSL_VERIFYHOST, 0),
306 "CURLOPT_SSL_VERIFYHOST");
307 }
308
309 /* detect SSL library used by libcurl */
310 curlhelp_ssl_library ssl_library = curlhelp_get_ssl_library();
311
312 /* try hard to get a stack of certificates to verify against */
313 if (check_cert) {
314# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1)
315 /* inform curl to report back certificates */
316 switch (ssl_library) {
317 case CURLHELP_SSL_LIBRARY_OPENSSL:
318 case CURLHELP_SSL_LIBRARY_LIBRESSL:
319 /* set callback to extract certificate with OpenSSL context function (works with
320 * OpenSSL-style libraries only!) */
321# ifdef USE_OPENSSL
322 /* libcurl and monitoring plugins built with OpenSSL, good */
323 add_sslctx_verify_fun = true;
324 is_openssl_callback = true;
325# endif /* USE_OPENSSL */
326 /* libcurl is built with OpenSSL, monitoring plugins, so falling
327 * back to manually extracting certificate information */
328 handle_curl_option_return_code(
329 curl_easy_setopt(result.curl_state.curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
330 break;
331
332 case CURLHELP_SSL_LIBRARY_NSS:
333# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
334 /* NSS: support for CERTINFO is implemented since 7.34.0 */
335 handle_curl_option_return_code(
336 curl_easy_setopt(result.curl_state.curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
337# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
338 die(STATE_CRITICAL,
339 "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library "
340 "'%s' is too old)\n",
341 curlhelp_get_ssl_library_string(ssl_library));
342# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
343 break;
344
345 case CURLHELP_SSL_LIBRARY_GNUTLS:
346# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0)
347 /* GnuTLS: support for CERTINFO is implemented since 7.42.0 */
348 handle_curl_option_return_code(
349 curl_easy_setopt(result.curl_state.curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO");
350# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
351 die(STATE_CRITICAL,
352 "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library "
353 "'%s' is too old)\n",
354 curlhelp_get_ssl_library_string(ssl_library));
355# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */
356 break;
357
358 case CURLHELP_SSL_LIBRARY_UNKNOWN:
359 default:
360 die(STATE_CRITICAL,
361 "HTTP CRITICAL - Cannot retrieve certificates (unknown SSL library '%s', must "
362 "implement first)\n",
363 curlhelp_get_ssl_library_string(ssl_library));
364 break;
365 }
366# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
367 /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
368 if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL ||
369 ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL) {
370 add_sslctx_verify_fun = true;
371 } else {
372 die(STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no "
373 "CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl "
374 "too old and has no CURLOPT_CERTINFO)\n");
375 }
376# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
377 }
378
379# if LIBCURL_VERSION_NUM >= \
380 MAKE_LIBCURL_VERSION(7, 10, 6) /* required for CURLOPT_SSL_CTX_FUNCTION */
381 // ssl ctx function is not available with all ssl backends
382 if (curl_easy_setopt(result.curl_state.curl, CURLOPT_SSL_CTX_FUNCTION, NULL) !=
383 CURLE_UNKNOWN_OPTION) {
384 handle_curl_option_return_code(
385 curl_easy_setopt(result.curl_state.curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun),
386 "CURLOPT_SSL_CTX_FUNCTION");
387 }
388# endif
389#endif /* LIBCURL_FEATURE_SSL */
390
391 /* set default or user-given user agent identification */
392 handle_curl_option_return_code(
393 curl_easy_setopt(result.curl_state.curl, CURLOPT_USERAGENT, config.user_agent),
394 "CURLOPT_USERAGENT");
395
396 /* proxy-authentication */
397 if (strcmp(config.proxy_auth, "")) {
398 handle_curl_option_return_code(
399 curl_easy_setopt(result.curl_state.curl, CURLOPT_PROXYUSERPWD, config.proxy_auth),
400 "CURLOPT_PROXYUSERPWD");
401 }
402
403 /* authentication */
404 if (strcmp(config.user_auth, "")) {
405 handle_curl_option_return_code(
406 curl_easy_setopt(result.curl_state.curl, CURLOPT_USERPWD, config.user_auth),
407 "CURLOPT_USERPWD");
408 }
409 /* TODO: parameter auth method, bitfield of following methods:
410 * CURLAUTH_BASIC (default)
411 * CURLAUTH_DIGEST
412 * CURLAUTH_DIGEST_IE
413 * CURLAUTH_NEGOTIATE
414 * CURLAUTH_NTLM
415 * CURLAUTH_NTLM_WB
416 *
417 * convenience tokens for typical sets of methods:
418 * CURLAUTH_ANYSAFE: most secure, without BASIC
419 * or CURLAUTH_ANY: most secure, even BASIC if necessary
420 *
421 * handle_curl_option_return_code (curl_easy_setopt( curl, CURLOPT_HTTPAUTH,
422 * (long)CURLAUTH_DIGEST ), "CURLOPT_HTTPAUTH");
423 */
424
425 /* handle redirections */
426 if (on_redirect_dependent) {
427 if (follow_method == FOLLOW_LIBCURL) {
428 handle_curl_option_return_code(
429 curl_easy_setopt(result.curl_state.curl, CURLOPT_FOLLOWLOCATION, 1),
430 "CURLOPT_FOLLOWLOCATION");
431
432 /* default -1 is infinite, not good, could lead to zombie plugins!
433 Setting it to one bigger than maximal limit to handle errors nicely below
434 */
435 handle_curl_option_return_code(
436 curl_easy_setopt(result.curl_state.curl, CURLOPT_MAXREDIRS, max_depth + 1),
437 "CURLOPT_MAXREDIRS");
438
439 /* for now allow only http and https (we are a http(s) check plugin in the end) */
440#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 85, 0)
441 handle_curl_option_return_code(
442 curl_easy_setopt(result.curl_state.curl, CURLOPT_REDIR_PROTOCOLS_STR, "http,https"),
443 "CURLOPT_REDIR_PROTOCOLS_STR");
444#elif LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 4)
445 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl,
446 CURLOPT_REDIR_PROTOCOLS,
447 CURLPROTO_HTTP | CURLPROTO_HTTPS),
448 "CURLOPT_REDIRECT_PROTOCOLS");
449#endif
450
451 /* TODO: handle the following aspects of redirection, make them
452 * command line options too later:
453 CURLOPT_POSTREDIR: method switch
454 CURLINFO_REDIRECT_URL: custom redirect option
455 CURLOPT_REDIRECT_PROTOCOLS: allow people to step outside safe protocols
456 CURLINFO_REDIRECT_COUNT: get the number of redirects, print it, maybe a range
457 option here is nice like for expected page size?
458 */
459 } else {
460 /* old style redirection*/
461 }
462 }
463 /* no-body */
464 if (working_state.no_body) {
465 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_NOBODY, 1),
466 "CURLOPT_NOBODY");
467 }
468
469 /* IPv4 or IPv6 forced DNS resolution */
470 if (config.sin_family == AF_UNSPEC) {
471 handle_curl_option_return_code(
472 curl_easy_setopt(result.curl_state.curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_WHATEVER),
473 "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_WHATEVER)");
474 } else if (config.sin_family == AF_INET) {
475 handle_curl_option_return_code(
476 curl_easy_setopt(result.curl_state.curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4),
477 "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V4)");
478 }
479#if defined(USE_IPV6) && defined(LIBCURL_FEATURE_IPV6)
480 else if (config.sin_family == AF_INET6) {
481 handle_curl_option_return_code(
482 curl_easy_setopt(result.curl_state.curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6),
483 "CURLOPT_IPRESOLVE(CURL_IPRESOLVE_V6)");
484 }
485#endif
486
487 /* either send http POST data (any data, not only POST)*/
488 if (!strcmp(working_state.http_method, "POST") || !strcmp(working_state.http_method, "PUT")) {
489 /* set content of payload for POST and PUT */
490 if (config.http_content_type) {
491 snprintf(http_header, DEFAULT_BUFFER_SIZE, "Content-Type: %s",
492 config.http_content_type);
493 result.curl_state.header_list =
494 curl_slist_append(result.curl_state.header_list, http_header);
495 }
496 /* NULL indicates "HTTP Continue" in libcurl, provide an empty string
497 * in case of no POST/PUT data */
498 if (!working_state.http_post_data) {
499 working_state.http_post_data = "";
500 }
501
502 if (!strcmp(working_state.http_method, "POST")) {
503 /* POST method, set payload with CURLOPT_POSTFIELDS */
504 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl,
505 CURLOPT_POSTFIELDS,
506 working_state.http_post_data),
507 "CURLOPT_POSTFIELDS");
508 } else if (!strcmp(working_state.http_method, "PUT")) {
509 handle_curl_option_return_code(
510 curl_easy_setopt(result.curl_state.curl, CURLOPT_READFUNCTION,
511 (curl_read_callback)curlhelp_buffer_read_callback),
512 "CURLOPT_READFUNCTION");
513 if (curlhelp_initreadbuffer(&result.curl_state.put_buf, working_state.http_post_data,
514 strlen(working_state.http_post_data)) < 0) {
515 die(STATE_UNKNOWN,
516 "HTTP CRITICAL - out of memory allocating read buffer for PUT\n");
517 }
518 result.curl_state.put_buf_initialized = true;
519 handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl,
520 CURLOPT_READDATA,
521 (void *)result.curl_state.put_buf),
522 "CURLOPT_READDATA");
523 handle_curl_option_return_code(
524 curl_easy_setopt(result.curl_state.curl, CURLOPT_INFILESIZE,
525 (curl_off_t)strlen(working_state.http_post_data)),
526 "CURLOPT_INFILESIZE");
527 }
528 }
529
530 /* cookie handling */
531 if (config.cookie_jar_file != NULL) {
532 /* enable reading cookies from a file, and if the filename is an empty string, only
533 * enable the curl cookie engine */
534 handle_curl_option_return_code(
535 curl_easy_setopt(result.curl_state.curl, CURLOPT_COOKIEFILE, config.cookie_jar_file),
536 "CURLOPT_COOKIEFILE");
537 /* now enable saving cookies to a file, but only if the filename is not an empty string,
538 * since writing it would fail */
539 if (*config.cookie_jar_file) {
540 handle_curl_option_return_code(
541 curl_easy_setopt(result.curl_state.curl, CURLOPT_COOKIEJAR, config.cookie_jar_file),
542 "CURLOPT_COOKIEJAR");
543 }
544 }
545
546 result.working_state = working_state;
547
548 return result;
549}
550
551void handle_curl_option_return_code(CURLcode res, const char *option) {
552 if (res != CURLE_OK) {
553 die(STATE_CRITICAL, _("Error while setting cURL option '%s': cURL returned %d - %s"),
554 option, res, curl_easy_strerror(res));
555 }
556}
557
558char *get_header_value(const struct phr_header *headers, const size_t nof_headers,
559 const char *header) {
560 for (size_t i = 0; i < nof_headers; i++) {
561 if (headers[i].name != NULL &&
562 strncasecmp(header, headers[i].name, max(headers[i].name_len, 4)) == 0) {
563 return strndup(headers[i].value, headers[i].value_len);
564 }
565 }
566 return NULL;
567}
568
569check_curl_working_state check_curl_working_state_init() {
570 check_curl_working_state result = {
571 .server_address = NULL,
572 .server_url = DEFAULT_SERVER_URL,
573 .host_name = NULL,
574 .http_method = NULL,
575 .http_post_data = NULL,
576 .virtualPort = 0,
577 .serverPort = HTTP_PORT,
578 .use_ssl = false,
579 .no_body = false,
580 };
581 return result;
582}
583
584check_curl_config check_curl_config_init() {
585 check_curl_config tmp = {
586 .initial_config = check_curl_working_state_init(),
587
588 .curl_config =
589 {
590 .automatic_decompression = false,
591 .socket_timeout = DEFAULT_SOCKET_TIMEOUT,
592 .haproxy_protocol = false,
593 .sin_family = AF_UNSPEC,
594 .curl_http_version = CURL_HTTP_VERSION_NONE,
595 .http_opt_headers = NULL,
596 .http_opt_headers_count = 0,
597 .ssl_version = CURL_SSLVERSION_DEFAULT,
598 .client_cert = NULL,
599 .client_privkey = NULL,
600 .ca_cert = NULL,
601 .verify_peer_and_host = false,
602 .user_agent = {'\0'},
603 .proxy_auth = "",
604 .user_auth = "",
605 .http_content_type = NULL,
606 .cookie_jar_file = NULL,
607 },
608 .max_depth = DEFAULT_MAX_REDIRS,
609 .followmethod = FOLLOW_HTTP_CURL,
610 .followsticky = STICKY_NONE,
611
612 .maximum_age = -1,
613 .regexp = {},
614 .compiled_regex = {},
615 .state_regex = STATE_CRITICAL,
616 .invert_regex = false,
617 .check_cert = false,
618 .continue_after_check_cert = false,
619 .days_till_exp_warn = 0,
620 .days_till_exp_crit = 0,
621 .thlds = mp_thresholds_init(),
622 .page_length_limits = mp_range_init(),
623 .page_length_limits_is_set = false,
624 .server_expect =
625 {
626 .string = HTTP_EXPECT,
627 .is_present = false,
628 },
629 .string_expect = "",
630 .header_expect = "",
631 .on_redirect_result_state = STATE_OK,
632 .on_redirect_dependent = false,
633
634 .show_extended_perfdata = false,
635 .show_body = false,
636
637 .output_format_is_set = false,
638 };
639
640 snprintf(tmp.curl_config.user_agent, DEFAULT_BUFFER_SIZE, "%s/v%s (monitoring-plugins %s, %s)",
641 "check_curl", NP_VERSION, VERSION, curl_version());
642
643 return tmp;
644}
645
646/* TODO: is there a better way in libcurl to check for the SSL library? */
647curlhelp_ssl_library curlhelp_get_ssl_library(void) {
648 curlhelp_ssl_library ssl_library = CURLHELP_SSL_LIBRARY_UNKNOWN;
649
650 curl_version_info_data *version_data = curl_version_info(CURLVERSION_NOW);
651 if (version_data == NULL) {
652 return CURLHELP_SSL_LIBRARY_UNKNOWN;
653 }
654
655 char *ssl_version = strdup(version_data->ssl_version);
656 if (ssl_version == NULL) {
657 return CURLHELP_SSL_LIBRARY_UNKNOWN;
658 }
659
660 char *library = strtok(ssl_version, "/");
661 if (library == NULL) {
662 return CURLHELP_SSL_LIBRARY_UNKNOWN;
663 }
664
665 if (strcmp(library, "OpenSSL") == 0) {
666 ssl_library = CURLHELP_SSL_LIBRARY_OPENSSL;
667 } else if (strcmp(library, "LibreSSL") == 0) {
668 ssl_library = CURLHELP_SSL_LIBRARY_LIBRESSL;
669 } else if (strcmp(library, "GnuTLS") == 0) {
670 ssl_library = CURLHELP_SSL_LIBRARY_GNUTLS;
671 } else if (strcmp(library, "NSS") == 0) {
672 ssl_library = CURLHELP_SSL_LIBRARY_NSS;
673 }
674
675 if (verbose >= 2) {
676 printf("* SSL library string is : %s %s (%d)\n", version_data->ssl_version, library,
677 ssl_library);
678 }
679
680 free(ssl_version);
681
682 return ssl_library;
683}
684
685const char *curlhelp_get_ssl_library_string(const curlhelp_ssl_library ssl_library) {
686 switch (ssl_library) {
687 case CURLHELP_SSL_LIBRARY_OPENSSL:
688 return "OpenSSL";
689 case CURLHELP_SSL_LIBRARY_LIBRESSL:
690 return "LibreSSL";
691 case CURLHELP_SSL_LIBRARY_GNUTLS:
692 return "GnuTLS";
693 case CURLHELP_SSL_LIBRARY_NSS:
694 return "NSS";
695 case CURLHELP_SSL_LIBRARY_UNKNOWN:
696 default:
697 return "unknown";
698 }
699}
700
701size_t get_content_length(const curlhelp_write_curlbuf *header_buf,
702 const curlhelp_write_curlbuf *body_buf) {
703 struct phr_header headers[255];
704 size_t nof_headers = 255;
705 size_t msglen;
706 curlhelp_statusline status_line;
707 int res = phr_parse_response(header_buf->buf, header_buf->buflen, &status_line.http_major,
708 &status_line.http_minor, &status_line.http_code, &status_line.msg,
709 &msglen, headers, &nof_headers, 0);
710
711 if (res == -1) {
712 die(STATE_UNKNOWN, _("HTTP UNKNOWN - Failed to parse Response\n"));
713 }
714
715 char *content_length_s = get_header_value(headers, nof_headers, "content-length");
716 if (!content_length_s) {
717 return header_buf->buflen + body_buf->buflen;
718 }
719
720 content_length_s += strspn(content_length_s, " \t");
721 size_t content_length = atoi(content_length_s);
722 if (content_length != body_buf->buflen) {
723 /* TODO: should we warn if the actual and the reported body length don't match? */
724 }
725
726 if (content_length_s) {
727 free(content_length_s);
728 }
729
730 return header_buf->buflen + body_buf->buflen;
731}
732
733mp_subcheck check_document_dates(const curlhelp_write_curlbuf *header_buf, const int maximum_age) {
734 struct phr_header headers[255];
735 size_t nof_headers = 255;
736 curlhelp_statusline status_line;
737 size_t msglen;
738 int res = phr_parse_response(header_buf->buf, header_buf->buflen, &status_line.http_major,
739 &status_line.http_minor, &status_line.http_code, &status_line.msg,
740 &msglen, headers, &nof_headers, 0);
741
742 if (res == -1) {
743 die(STATE_UNKNOWN, _("HTTP UNKNOWN - Failed to parse Response\n"));
744 }
745
746 char *server_date = get_header_value(headers, nof_headers, "date");
747 char *document_date = get_header_value(headers, nof_headers, "last-modified");
748
749 mp_subcheck sc_document_dates = mp_subcheck_init();
750 if (!server_date || !*server_date) {
751 xasprintf(&sc_document_dates.output, _("Server date unknown"));
752 sc_document_dates = mp_set_subcheck_state(sc_document_dates, STATE_UNKNOWN);
753 } else if (!document_date || !*document_date) {
754 xasprintf(&sc_document_dates.output, _("Document modification date unknown, "));
755 sc_document_dates = mp_set_subcheck_state(sc_document_dates, STATE_CRITICAL);
756 } else {
757 time_t srv_data = curl_getdate(server_date, NULL);
758 time_t doc_data = curl_getdate(document_date, NULL);
759
760 if (verbose >= 2) {
761 printf("* server date: '%s' (%d), doc_date: '%s' (%d)\n", server_date, (int)srv_data,
762 document_date, (int)doc_data);
763 }
764
765 if (srv_data <= 0) {
766 xasprintf(&sc_document_dates.output, _("Server date \"%100s\" unparsable"),
767 server_date);
768 sc_document_dates = mp_set_subcheck_state(sc_document_dates, STATE_CRITICAL);
769 } else if (doc_data <= 0) {
770
771 xasprintf(&sc_document_dates.output, _("Document date \"%100s\" unparsable"),
772 document_date);
773 sc_document_dates = mp_set_subcheck_state(sc_document_dates, STATE_CRITICAL);
774 } else if (doc_data > srv_data + 30) {
775
776 xasprintf(&sc_document_dates.output, _("Document is %d seconds in the future"),
777 (int)doc_data - (int)srv_data);
778
779 sc_document_dates = mp_set_subcheck_state(sc_document_dates, STATE_CRITICAL);
780 } else if (doc_data < srv_data - maximum_age) {
781 time_t last_modified = (srv_data - doc_data);
782 if (last_modified > (60 * 60 * 24 * 2)) { // two days hardcoded?
783 xasprintf(&sc_document_dates.output, _("Last modified %.1f days ago"),
784 ((float)last_modified) / (60 * 60 * 24));
785 sc_document_dates = mp_set_subcheck_state(sc_document_dates, STATE_CRITICAL);
786 } else {
787 xasprintf(&sc_document_dates.output, _("Last modified %ld:%02ld:%02ld ago"),
788 last_modified / (60 * 60), (last_modified / 60) % 60, last_modified % 60);
789 sc_document_dates = mp_set_subcheck_state(sc_document_dates, STATE_CRITICAL);
790 }
791 } else {
792 // TODO is this the OK case?
793 time_t last_modified = (srv_data - doc_data);
794 xasprintf(&sc_document_dates.output, _("Last modified %ld:%02ld:%02ld ago"),
795 last_modified / (60 * 60), (last_modified / 60) % 60, last_modified % 60);
796 sc_document_dates = mp_set_subcheck_state(sc_document_dates, STATE_OK);
797 }
798 }
799
800 if (server_date) {
801 free(server_date);
802 }
803 if (document_date) {
804 free(document_date);
805 }
806
807 return sc_document_dates;
808}
809
810void curlhelp_free_statusline(curlhelp_statusline *status_line) { free(status_line->first_line); }
811
812int curlhelp_parse_statusline(const char *buf, curlhelp_statusline *status_line) {
813 /* find last start of a new header */
814 const char *start = strrstr2(buf, "\r\nHTTP/");
815 if (start != NULL) {
816 start += 2;
817 buf = start;
818 }
819
820 // Accept either LF or CRLF as end of line for the status line
821 // CRLF is the standard (RFC9112), but it is recommended to accept both
822 size_t length_of_first_line = strcspn(buf, "\r\n");
823 const char *first_line_end = &buf[length_of_first_line];
824 if (first_line_end == NULL) {
825 return -1;
826 }
827
828 size_t first_line_len = (size_t)(first_line_end - buf);
829 status_line->first_line = (char *)calloc(first_line_len + 1, sizeof(char));
830 if (status_line->first_line == NULL) {
831 return -1;
832 }
833
834 memcpy(status_line->first_line, buf, first_line_len);
835 status_line->first_line[first_line_len] = '\0';
836 char *first_line_buf = strdup(status_line->first_line);
837
838 /* protocol and version: "HTTP/x.x" SP or "HTTP/2" SP */
839 char *temp_string = strtok(first_line_buf, "/");
840 if (temp_string == NULL) {
841 if (verbose > 1) {
842 printf("%s: no / found\n", __func__);
843 }
844 free(first_line_buf);
845 return -1;
846 }
847
848 if (strcmp(temp_string, "HTTP") != 0) {
849 if (verbose > 1) {
850 printf("%s: string 'HTTP' not found\n", __func__);
851 }
852 free(first_line_buf);
853 return -1;
854 }
855
856 // try to find a space in the remaining string?
857 // the space after HTTP/1.1 probably
858 temp_string = strtok(NULL, " ");
859 if (temp_string == NULL) {
860 if (verbose > 1) {
861 printf("%s: no space after protocol definition\n", __func__);
862 }
863 free(first_line_buf);
864 return -1;
865 }
866
867 char *temp_string_2;
868 if (strchr(temp_string, '.') != NULL) {
869 /* HTTP 1.x case */
870 strtok(temp_string, ".");
871 status_line->http_major = (int)strtol(temp_string, &temp_string_2, 10);
872 if (*temp_string_2 != '\0') {
873 free(first_line_buf);
874 return -1;
875 }
876 strtok(NULL, " ");
877 status_line->http_minor = (int)strtol(temp_string, &temp_string_2, 10);
878 if (*temp_string_2 != '\0') {
879 free(first_line_buf);
880 return -1;
881 }
882 temp_string += 4; /* 1.x SP */
883 } else {
884 /* HTTP 2 case */
885 status_line->http_major = (int)strtol(temp_string, &temp_string_2, 10);
886 status_line->http_minor = 0;
887 temp_string += 2; /* 2 SP */
888 }
889
890 /* status code: "404" or "404.1", then SP */
891 temp_string = strtok(temp_string, " ");
892 if (temp_string == NULL) {
893 free(first_line_buf);
894 return -1;
895 }
896 if (strchr(temp_string, '.') != NULL) {
897 char *ppp;
898 ppp = strtok(temp_string, ".");
899 status_line->http_code = (int)strtol(ppp, &temp_string_2, 10);
900 if (*temp_string_2 != '\0') {
901 free(first_line_buf);
902 return -1;
903 }
904 ppp = strtok(NULL, "");
905 status_line->http_subcode = (int)strtol(ppp, &temp_string_2, 10);
906 if (*temp_string_2 != '\0') {
907 free(first_line_buf);
908 return -1;
909 }
910 temp_string += 6; /* 400.1 SP */
911 } else {
912 status_line->http_code = (int)strtol(temp_string, &temp_string_2, 10);
913 status_line->http_subcode = -1;
914 if (*temp_string_2 != '\0') {
915 free(first_line_buf);
916 return -1;
917 }
918 temp_string += 4; /* 400 SP */
919 }
920
921 /* Human readable message: "Not Found" CRLF */
922
923 temp_string = strtok(temp_string, "");
924 if (temp_string == NULL) {
925 status_line->msg = "";
926 return 0;
927 }
928 status_line->msg = status_line->first_line + (temp_string - first_line_buf);
929 free(first_line_buf);
930
931 return 0;
932}
933
934/* TODO: where to put this, it's actually part of sstrings2 (logically)?
935 */
936const char *strrstr2(const char *haystack, const char *needle) {
937 if (haystack == NULL || needle == NULL) {
938 return NULL;
939 }
940
941 if (haystack[0] == '\0' || needle[0] == '\0') {
942 return NULL;
943 }
944
945 int counter = 0;
946 const char *prev_pos = NULL;
947 const char *pos = haystack;
948 size_t len = strlen(needle);
949 for (;;) {
950 pos = strstr(pos, needle);
951 if (pos == NULL) {
952 if (counter == 0) {
953 return NULL;
954 }
955 return prev_pos;
956 }
957 counter++;
958 prev_pos = pos;
959 pos += len;
960 if (*pos == '\0') {
961 return prev_pos;
962 }
963 }
964}
965
966void curlhelp_freereadbuffer(curlhelp_read_curlbuf *buf) {
967 free(buf->buf);
968 buf->buf = NULL;
969}
970
971void curlhelp_freewritebuffer(curlhelp_write_curlbuf *buf) {
972 free(buf->buf);
973 buf->buf = NULL;
974}
975
976int curlhelp_initreadbuffer(curlhelp_read_curlbuf **buf, const char *data, size_t datalen) {
977 if ((*buf = calloc(1, sizeof(curlhelp_read_curlbuf))) == NULL) {
978 return 1;
979 }
980
981 (*buf)->buflen = datalen;
982 (*buf)->buf = (char *)calloc((*buf)->buflen, sizeof(char));
983 if ((*buf)->buf == NULL) {
984 return -1;
985 }
986 memcpy((*buf)->buf, data, datalen);
987 (*buf)->pos = 0;
988 return 0;
989}
990
991size_t curlhelp_buffer_read_callback(void *buffer, size_t size, size_t nmemb, void *stream) {
992 curlhelp_read_curlbuf *buf = (curlhelp_read_curlbuf *)stream;
993
994 size_t minimalSize = min(nmemb * size, buf->buflen - buf->pos);
995
996 memcpy(buffer, buf->buf + buf->pos, minimalSize);
997 buf->pos += minimalSize;
998
999 return minimalSize;
1000}
1001
1002int curlhelp_initwritebuffer(curlhelp_write_curlbuf **buf) {
1003 if ((*buf = calloc(1, sizeof(curlhelp_write_curlbuf))) == NULL) {
1004 return 1;
1005 }
1006 (*buf)->bufsize = DEFAULT_BUFFER_SIZE * sizeof(char);
1007 (*buf)->buflen = 0;
1008 (*buf)->buf = (char *)calloc((*buf)->bufsize, sizeof(char));
1009 if ((*buf)->buf == NULL) {
1010 return -1;
1011 }
1012 return 0;
1013}
1014
1015size_t curlhelp_buffer_write_callback(void *buffer, size_t size, size_t nmemb, void *stream) {
1016 curlhelp_write_curlbuf *buf = (curlhelp_write_curlbuf *)stream;
1017
1018 while (buf->bufsize < buf->buflen + size * nmemb + 1) {
1019 buf->bufsize = buf->bufsize * 2;
1020 buf->buf = (char *)realloc(buf->buf, buf->bufsize);
1021 if (buf->buf == NULL) {
1022 fprintf(stderr, "malloc failed (%d) %s\n", errno, strerror(errno));
1023 return 0;
1024 }
1025 }
1026
1027 memcpy(buf->buf + buf->buflen, buffer, size * nmemb);
1028 buf->buflen += size * nmemb;
1029 buf->buf[buf->buflen] = '\0';
1030
1031 return size * nmemb;
1032}
1033
1034void cleanup(check_curl_global_state global_state) {
1035 if (global_state.status_line_initialized) {
1036 curlhelp_free_statusline(global_state.status_line);
1037 }
1038 global_state.status_line_initialized = false;
1039
1040 if (global_state.curl_easy_initialized) {
1041 curl_easy_cleanup(global_state.curl);
1042 }
1043 global_state.curl_easy_initialized = false;
1044
1045 if (global_state.curl_global_initialized) {
1046 curl_global_cleanup();
1047 }
1048 global_state.curl_global_initialized = false;
1049
1050 if (global_state.body_buf_initialized) {
1051 curlhelp_freewritebuffer(global_state.body_buf);
1052 }
1053 global_state.body_buf_initialized = false;
1054
1055 if (global_state.header_buf_initialized) {
1056 curlhelp_freewritebuffer(global_state.header_buf);
1057 }
1058 global_state.header_buf_initialized = false;
1059
1060 if (global_state.put_buf_initialized) {
1061 curlhelp_freereadbuffer(global_state.put_buf);
1062 }
1063 global_state.put_buf_initialized = false;
1064
1065 if (global_state.header_list) {
1066 curl_slist_free_all(global_state.header_list);
1067 }
1068
1069 if (global_state.host) {
1070 curl_slist_free_all(global_state.host);
1071 }
1072}
1073
1074int lookup_host(const char *host, char *buf, size_t buflen, sa_family_t addr_family) {
1075 struct addrinfo hints = {
1076 .ai_family = addr_family,
1077 .ai_socktype = SOCK_STREAM,
1078 .ai_flags = AI_CANONNAME,
1079 };
1080
1081 struct addrinfo *result;
1082 int errcode = getaddrinfo(host, NULL, &hints, &result);
1083 if (errcode != 0) {
1084 return errcode;
1085 }
1086
1087 strcpy(buf, "");
1088 struct addrinfo *res = result;
1089
1090 size_t buflen_remaining = buflen - 1;
1091 size_t addrstr_len;
1092 char addrstr[100];
1093 void *ptr = {0};
1094 while (res) {
1095 switch (res->ai_family) {
1096 case AF_INET:
1097 ptr = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
1098 break;
1099 case AF_INET6:
1100 ptr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
1101 break;
1102 }
1103
1104 inet_ntop(res->ai_family, ptr, addrstr, 100);
1105 if (verbose >= 1) {
1106 printf("* getaddrinfo IPv%d address: %s\n", res->ai_family == PF_INET6 ? 6 : 4,
1107 addrstr);
1108 }
1109
1110 // Append all IPs to buf as a comma-separated string
1111 addrstr_len = strlen(addrstr);
1112 if (buflen_remaining > addrstr_len + 1) {
1113 if (buf[0] != '\0') {
1114 strncat(buf, ",", buflen_remaining);
1115 buflen_remaining -= 1;
1116 }
1117 strncat(buf, addrstr, buflen_remaining);
1118 buflen_remaining -= addrstr_len;
1119 }
1120
1121 res = res->ai_next;
1122 }
1123
1124 freeaddrinfo(result);
1125
1126 return 0;
1127}
1128
1129/* Checks if the server 'reply' is one of the expected 'statuscodes' */
1130bool expected_statuscode(const char *reply, const char *statuscodes) {
1131 char *expected;
1132
1133 if ((expected = strdup(statuscodes)) == NULL) {
1134 die(STATE_UNKNOWN, _("HTTP UNKNOWN - Memory allocation error\n"));
1135 }
1136
1137 bool result = false;
1138 for (char *code = strtok(expected, ","); code != NULL; code = strtok(NULL, ",")) {
1139 if (strstr(reply, code) != NULL) {
1140 result = true;
1141 break;
1142 }
1143 }
1144
1145 free(expected);
1146 return result;
1147}
1148
1149/* returns a string "HTTP/1.x" or "HTTP/2" */
1150char *string_statuscode(int major, int minor) {
1151 static char buf[10];
1152
1153 switch (major) {
1154 case 1:
1155 snprintf(buf, sizeof(buf), "HTTP/%d.%d", major, minor);
1156 break;
1157 case 2:
1158 case 3:
1159 snprintf(buf, sizeof(buf), "HTTP/%d", major);
1160 break;
1161 default:
1162 /* assuming here HTTP/N with N>=4 */
1163 snprintf(buf, sizeof(buf), "HTTP/%d", major);
1164 break;
1165 }
1166
1167 return buf;
1168}
1169
1170/* check whether a file exists */
1171void test_file(char *path) {
1172 if (access(path, R_OK) == 0) {
1173 return;
1174 }
1175 usage2(_("file does not exist or is not readable"), path);
1176}
1177
1178mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
1179 int days_till_exp_crit);
1180
1181mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_till_exp,
1182 int crit_days_till_exp) {
1183 mp_subcheck sc_cert_result = mp_subcheck_init();
1184 sc_cert_result = mp_set_subcheck_default_state(sc_cert_result, STATE_OK);
1185
1186#ifdef LIBCURL_FEATURE_SSL
1187 if (is_openssl_callback) {
1188# ifdef USE_OPENSSL
1189 /* check certificate with OpenSSL functions, curl has been built against OpenSSL
1190 * and we actually have OpenSSL in the monitoring tools
1191 */
1192 return mp_net_ssl_check_certificate(cert, warn_days_till_exp, crit_days_till_exp);
1193# else /* USE_OPENSSL */
1194 xasprintf(&result.output, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL "
1195 "callback used and not linked against OpenSSL\n");
1196 mp_set_subcheck_state(result, STATE_CRITICAL);
1197# endif /* USE_OPENSSL */
1198 } else {
1199 struct curl_slist *slist;
1200
1201 cert_ptr_union cert_ptr = {0};
1202 cert_ptr.to_info = NULL;
1203 CURLcode res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
1204 if (!res && cert_ptr.to_info) {
1205# ifdef USE_OPENSSL
1206 /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert
1207 * parsing We only check the first certificate and assume it's the one of
1208 * the server
1209 */
1210 char *raw_cert = NULL;
1211 bool got_first_cert = false;
1212 for (int i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
1213 if (got_first_cert) {
1214 break;
1215 }
1216
1217 for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
1218 if (verbose >= 2) {
1219 printf("%d ** %s\n", i, slist->data);
1220 }
1221 if (strncmp(slist->data, "Cert:", 5) == 0) {
1222 raw_cert = &slist->data[5];
1223 got_first_cert = true;
1224 break;
1225 }
1226 }
1227 }
1228
1229 if (!raw_cert) {
1230
1231 xasprintf(&sc_cert_result.output,
1232 _("Cannot retrieve certificates from CERTINFO information - "
1233 "certificate data was empty"));
1234 sc_cert_result = mp_set_subcheck_state(sc_cert_result, STATE_CRITICAL);
1235 return sc_cert_result;
1236 }
1237
1238 BIO *cert_BIO = BIO_new(BIO_s_mem());
1239 BIO_write(cert_BIO, raw_cert, (int)strlen(raw_cert));
1240
1241 cert = PEM_read_bio_X509(cert_BIO, NULL, NULL, NULL);
1242 if (!cert) {
1243 xasprintf(&sc_cert_result.output,
1244 _("Cannot read certificate from CERTINFO information - BIO error"));
1245 sc_cert_result = mp_set_subcheck_state(sc_cert_result, STATE_CRITICAL);
1246 return sc_cert_result;
1247 }
1248
1249 BIO_free(cert_BIO);
1250 return mp_net_ssl_check_certificate(cert, warn_days_till_exp, crit_days_till_exp);
1251# else /* USE_OPENSSL */
1252 /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our
1253 * disposal, so we use the libcurl CURLINFO data
1254 */
1255 return net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn,
1256 days_till_exp_crit);
1257# endif /* USE_OPENSSL */
1258 } else {
1259 xasprintf(&sc_cert_result.output,
1260 _("Cannot retrieve certificates - cURL returned %d - %s"), res,
1261 curl_easy_strerror(res));
1262 mp_set_subcheck_state(sc_cert_result, STATE_CRITICAL);
1263 }
1264 }
1265#endif /* LIBCURL_FEATURE_SSL */
1266
1267 return sc_cert_result;
1268}
1269
1270char *fmt_url(check_curl_working_state workingState) {
1271 char *url = calloc(DEFAULT_BUFFER_SIZE, sizeof(char));
1272 if (url == NULL) {
1273 die(STATE_UNKNOWN, "memory allocation failed");
1274 }
1275
1276 snprintf(url, DEFAULT_BUFFER_SIZE, "%s://%s:%d%s", workingState.use_ssl ? "https" : "http",
1277 (workingState.use_ssl & (workingState.host_name != NULL))
1278 ? workingState.host_name
1279 : workingState.server_address,
1280 workingState.serverPort, workingState.server_url);
1281
1282 return url;
1283}
diff --git a/plugins/check_curl.d/check_curl_helpers.h b/plugins/check_curl.d/check_curl_helpers.h
new file mode 100644
index 00000000..87e45a9d
--- /dev/null
+++ b/plugins/check_curl.d/check_curl_helpers.h
@@ -0,0 +1,124 @@
1#include "./config.h"
2#include <curl/curl.h>
3#include "../picohttpparser/picohttpparser.h"
4#include "output.h"
5
6#if defined(HAVE_SSL) && defined(USE_OPENSSL)
7# include <openssl/opensslv.h>
8#endif
9
10/* for buffers for header and body */
11typedef struct {
12 size_t buflen;
13 size_t bufsize;
14 char *buf;
15} curlhelp_write_curlbuf;
16
17/* for buffering the data sent in PUT */
18typedef struct {
19 size_t buflen;
20 off_t pos;
21 char *buf;
22} curlhelp_read_curlbuf;
23
24/* for parsing the HTTP status line */
25typedef struct {
26 int http_major; /* major version of the protocol, always 1 (HTTP/0.9
27 * never reached the big internet most likely) */
28 int http_minor; /* minor version of the protocol, usually 0 or 1 */
29 int http_code; /* HTTP return code as in RFC 2145 */
30 int http_subcode; /* Microsoft IIS extension, HTTP subcodes, see
31 * http://support.microsoft.com/kb/318380/en-us */
32 const char *msg; /* the human readable message */
33 char *first_line; /* a copy of the first line */
34} curlhelp_statusline;
35
36typedef struct {
37 bool curl_global_initialized;
38 bool curl_easy_initialized;
39
40 bool body_buf_initialized;
41 curlhelp_write_curlbuf *body_buf;
42
43 bool header_buf_initialized;
44 curlhelp_write_curlbuf *header_buf;
45
46 bool status_line_initialized;
47 curlhelp_statusline *status_line;
48
49 bool put_buf_initialized;
50 curlhelp_read_curlbuf *put_buf;
51
52 CURL *curl;
53
54 struct curl_slist *header_list;
55 struct curl_slist *host;
56} check_curl_global_state;
57
58/* to know the underlying SSL library used by libcurl */
59typedef enum curlhelp_ssl_library {
60 CURLHELP_SSL_LIBRARY_UNKNOWN,
61 CURLHELP_SSL_LIBRARY_OPENSSL,
62 CURLHELP_SSL_LIBRARY_LIBRESSL,
63 CURLHELP_SSL_LIBRARY_GNUTLS,
64 CURLHELP_SSL_LIBRARY_NSS
65} curlhelp_ssl_library;
66
67#define MAKE_LIBCURL_VERSION(major, minor, patch) ((major) * 0x10000 + (minor) * 0x100 + (patch))
68
69typedef struct {
70 int errorcode;
71 check_curl_global_state curl_state;
72 check_curl_working_state working_state;
73} check_curl_configure_curl_wrapper;
74
75check_curl_configure_curl_wrapper check_curl_configure_curl(check_curl_static_curl_config config,
76 check_curl_working_state working_state,
77 bool check_cert,
78 bool on_redirect_dependent,
79 int follow_method, int max_depth);
80
81void handle_curl_option_return_code(CURLcode res, const char *option);
82
83int curlhelp_initwritebuffer(curlhelp_write_curlbuf **buf);
84size_t curlhelp_buffer_write_callback(void * /*buffer*/, size_t /*size*/, size_t /*nmemb*/,
85 void * /*stream*/);
86void curlhelp_freewritebuffer(curlhelp_write_curlbuf * /*buf*/);
87
88int curlhelp_initreadbuffer(curlhelp_read_curlbuf **buf, const char * /*data*/, size_t /*datalen*/);
89size_t curlhelp_buffer_read_callback(void * /*buffer*/, size_t /*size*/, size_t /*nmemb*/,
90 void * /*stream*/);
91void curlhelp_freereadbuffer(curlhelp_read_curlbuf * /*buf*/);
92
93curlhelp_ssl_library curlhelp_get_ssl_library(void);
94const char *curlhelp_get_ssl_library_string(curlhelp_ssl_library /*ssl_library*/);
95
96typedef union {
97 struct curl_slist *to_info;
98 struct curl_certinfo *to_certinfo;
99} cert_ptr_union;
100int net_noopenssl_check_certificate(cert_ptr_union *, int, int);
101
102int curlhelp_parse_statusline(const char * /*buf*/, curlhelp_statusline * /*status_line*/);
103void curlhelp_free_statusline(curlhelp_statusline * /*status_line*/);
104
105char *get_header_value(const struct phr_header *headers, size_t nof_headers, const char *header);
106mp_subcheck check_document_dates(const curlhelp_write_curlbuf * /*header_buf*/,
107 int /*maximum_age*/);
108size_t get_content_length(const curlhelp_write_curlbuf *header_buf,
109 const curlhelp_write_curlbuf *body_buf);
110int lookup_host(const char *host, char *buf, size_t buflen, sa_family_t addr_family);
111CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm);
112
113#define INET_ADDR_MAX_SIZE INET6_ADDRSTRLEN
114const char *strrstr2(const char *haystack, const char *needle);
115
116void cleanup(check_curl_global_state global_state);
117
118bool expected_statuscode(const char *reply, const char *statuscodes);
119char *string_statuscode(int major, int minor);
120
121void test_file(char *path);
122mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_till_exp,
123 int crit_days_till_exp);
124char *fmt_url(check_curl_working_state workingState);
diff --git a/plugins/check_curl.d/config.h b/plugins/check_curl.d/config.h
new file mode 100644
index 00000000..f51b2ee9
--- /dev/null
+++ b/plugins/check_curl.d/config.h
@@ -0,0 +1,116 @@
1#pragma once
2
3#include "../../config.h"
4#include "../common.h"
5#include "../../lib/states.h"
6#include "../../lib/thresholds.h"
7#include <stddef.h>
8#include <string.h>
9#include <sys/socket.h>
10#include "curl/curl.h"
11#include "perfdata.h"
12#include "regex.h"
13
14enum {
15 MAX_RE_SIZE = 1024,
16 HTTP_PORT = 80,
17 HTTPS_PORT = 443,
18 MAX_PORT = 65535,
19 DEFAULT_MAX_REDIRS = 15
20};
21
22enum {
23 FOLLOW_HTTP_CURL = 0,
24 FOLLOW_LIBCURL = 1
25};
26
27enum {
28 STICKY_NONE = 0,
29 STICKY_HOST = 1,
30 STICKY_PORT = 2
31};
32
33#define HTTP_EXPECT "HTTP/"
34#define DEFAULT_BUFFER_SIZE 2048
35#define DEFAULT_SERVER_URL "/"
36
37typedef struct {
38 char *server_address;
39 char *server_url;
40 char *host_name;
41
42 char *http_method;
43
44 char *http_post_data;
45
46 unsigned short virtualPort;
47 unsigned short serverPort;
48
49 bool use_ssl;
50 bool no_body;
51} check_curl_working_state;
52
53check_curl_working_state check_curl_working_state_init();
54
55typedef struct {
56 bool automatic_decompression;
57 bool haproxy_protocol;
58 long socket_timeout;
59 sa_family_t sin_family;
60 int curl_http_version;
61 char **http_opt_headers;
62 size_t http_opt_headers_count;
63 int ssl_version;
64 char *client_cert;
65 char *client_privkey;
66 char *ca_cert;
67 bool verify_peer_and_host;
68 char user_agent[DEFAULT_BUFFER_SIZE];
69 char proxy_auth[MAX_INPUT_BUFFER];
70 char user_auth[MAX_INPUT_BUFFER];
71 char *http_content_type;
72 char *cookie_jar_file;
73} check_curl_static_curl_config;
74
75typedef struct {
76 check_curl_working_state initial_config;
77
78 check_curl_static_curl_config curl_config;
79 int max_depth;
80 int followmethod;
81 int followsticky;
82
83 int maximum_age;
84
85 // the original regex string from the command line
86 char regexp[MAX_RE_SIZE];
87
88 // the compiled regex for usage later
89 regex_t compiled_regex;
90
91 mp_state_enum state_regex;
92 bool invert_regex;
93 bool check_cert;
94 bool continue_after_check_cert;
95 int days_till_exp_warn;
96 int days_till_exp_crit;
97 mp_thresholds thlds;
98 mp_range page_length_limits;
99 bool page_length_limits_is_set;
100 struct {
101 char string[MAX_INPUT_BUFFER];
102 bool is_present;
103 } server_expect;
104 char string_expect[MAX_INPUT_BUFFER];
105 char header_expect[MAX_INPUT_BUFFER];
106 mp_state_enum on_redirect_result_state;
107 bool on_redirect_dependent;
108
109 bool show_extended_perfdata;
110 bool show_body;
111
112 bool output_format_is_set;
113 mp_output_format output_format;
114} check_curl_config;
115
116check_curl_config check_curl_config_init();