From 59d7d1c2f12363331d03d956cfce0936034c34f8 Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Wed, 10 Dec 2025 20:55:56 +0100
Subject: configure.ac: Fix PostgreSQL Check for OpenBSD On OpenBSD, crypt is named crypto. This diff is a portable version of a patch residing in the OpenBSD ports since ages. https://codeberg.org/OpenBSD/ports/src/commit/1f15238782c26deb728250cbf591f1ffcd10422f/net/monitoring-plugins/patches/patch-configure_ac
---
configure.ac | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index 2bf94014..abd90413 100644
--- a/configure.ac
+++ b/configure.ac
@@ -205,32 +205,46 @@ fi dnl Check for PostgreSQL libraries _SAVEDLIBS="$LIBS" _SAVEDCPPFLAGS="$CPPFLAGS" +case $host in + *openbsd*) + _CRYPTLIB="crypto" + ;; + *) + _CRYPTLIB="crypt" +esac + AC_ARG_WITH(pgsql, ACX_HELP_STRING([--with-pgsql=DIR], [sets path to pgsql installation]), PGSQL=$withval,) AC_CHECK_LIB(crypt,main) -if test "$ac_cv_lib_crypt_main" = "yes" -a "x$PGSQL" != "xno"; then +AC_CHECK_LIB(crypto,main) +if test \( "$ac_cv_lib_crypt_main" = "yes" -o "$ac_cv_lib_crypto_main" = "yes" \) -a "x$PGSQL" != "xno"; then if test -n "$PGSQL"; then LDFLAGS="$LDFLAGS -L$PGSQL/lib" CPPFLAGS="$CPPFLAGS -I$PGSQL/include" fi - AC_CHECK_LIB(pq,PQsetdbLogin,,,-lcrypt) + AC_CHECK_LIB(pq,PQsetdbLogin,,,"-l$_CRYPTLIB") if test "$ac_cv_lib_pq_PQsetdbLogin" = "yes"; then AC_CHECK_HEADERS(pgsql/libpq-fe.h) AC_CHECK_HEADERS(postgresql/libpq-fe.h) AC_CHECK_HEADERS(libpq-fe.h) if [[ -n "$PGSQL" -a "$ac_cv_header_libpq_fe_h" = "yes" ]]; then - PGLIBS="-L$PGSQL/lib -lpq -lcrypt" + PGLIBS="-L$PGSQL/lib -lpq -l$_CRYPTLIB" PGINCLUDE="-I$PGSQL/include" elif test "$ac_cv_header_pgsql_libpq_fe_h" = "yes"; then - PGLIBS="-lpq -lcrypt" + PGLIBS="-lpq -l$_CRYPTLIB" PGINCLUDE="-I/usr/include/pgsql" elif test "$ac_cv_header_postgresql_libpq_fe_h" = "yes"; then - PGLIBS="-L$PGSQL/lib -lpq -lcrypt" - PGINCLUDE="-I/usr/include/postgresql" + PGLIBS="-L$PGSQL/lib -lpq -l$_CRYPTLIB" + case $host in + *openbsd*) + PGINCLUDE="-I$PGSQL/include/postgresql" ;; + *) + PGINCLUDE="-I/usr/include/postgresql" + esac elif test "$ac_cv_header_libpq_fe_h" = "yes"; then - PGLIBS="-L$PGSQL/lib -lpq -lcrypt" + PGLIBS="-L$PGSQL/lib -lpq -l$_CRYPTLIB" PGINCLUDE="-I$PGSQL/include" fi if test -z "$PGINCLUDE"; then -- cgit v1.2.3-74-g34f1 From ca5c2b3a5fb4e3c2d8024c23a9566f64572c0882 Mon Sep 17 00:00:00 2001 
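Review bot: The guard on the `if test \( ... -o ... \)` line accepts either `ac_cv_lib_crypt_main` or `ac_cv_lib_crypto_main`, but `_CRYPTLIB` is chosen from `$host` alone, so the library that passed the check is not necessarily the one handed to `AC_CHECK_LIB(pq,...)` and `PGLIBS`. Deriving the name from the check results, placed after the two `AC_CHECK_LIB` calls, keeps them in step: `if test "$ac_cv_lib_crypt_main" = "yes"; then _CRYPTLIB=crypt; elif test "$ac_cv_lib_crypto_main" = "yes"; then _CRYPTLIB=crypto; fi`. In the OpenBSD arm of the `postgresql/libpq-fe.h` branch, `-I$PGSQL/include/postgresql` expands to `-I/include/postgresql` when `--with-pgsql` was not given, so that arm should test `-n "$PGSQL"` before using it. The hunk also relies on `$host` being set, and the macro that sets it is not visible here.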
From: Alvar Penning Date: Wed, 10 Dec 2025 21:03:40 +0100 Subject: plugins/check_smtp: Remove unnecessary glibc-only include This library is glibc-only and not necessary at this point. The getopt_long function is provided by "getopt.h", included via "common.h". Similar to #2159. --- plugins/check_smtp.c | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index e806ad29..e8c35f58 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -37,7 +37,6 @@ #include "base64.h" #include "regex.h" -#include #include #include #include "check_smtp.d/config.h" -- cgit v1.2.3-74-g34f1 From cbddc7dbb4c218df453d3c14abe0ce21c17b6cce Mon Sep 17 00:00:00 2001 From: Alvar Penning Date: Wed, 10 Dec 2025 21:09:05 +0100 Subject: plugins-root/check_icmp: Import sys/ioctl.h The ioctl(2) call within "#if defined(SIOCGIFADDR)" requires the include. --- plugins-root/check_icmp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index d46d2ccc..a5909c44 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c @@ -54,6 +54,9 @@ const char *email = "devel@monitoring-plugins.org"; #endif #include +#if defined(SIOCGIFADDR) +#include +#endif /* SIOCGIFADDR */ #include #include #include -- cgit v1.2.3-74-g34f1 From b27bf07ebf518a719482c5c40372549f5a9a127a Mon Sep 17 00:00:00 2001 From: Alvar Penning Date: Wed, 10 Dec 2025 21:12:17 +0100 Subject: plugins-root/check_icmp: Fix build for SIOCGIFADDR The refactoring in eafee9c3f91879afa82749fa1d8cd2b0b53a5d5c missed the part within "#if defined(SIOCGIFADDR)" in get_ip_address. --- plugins-root/check_icmp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index a5909c44..35cae3ed 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c 
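Review bot: The added `#if defined(SIOCGIFADDR)` guard in plugins-root/check_icmp.c wraps the include that, per the commit message, is `sys/ioctl.h`, and on a number of systems that header (or one it pulls in) is where `SIOCGIFADDR` gets defined. If no earlier include defines the macro, the header is skipped and the later `#if defined(SIOCGIFADDR)` block in `get_ip_address` compiles to its fallback, so resolving a source interface by name is lost without any build error. Including it unconditionally as `#include <sys/ioctl.h>`, or behind a configure-time header check, removes the dependence on include order. The header names in this hunk were stripped by the page rendering, so which earlier includes might define the macro cannot be confirmed here.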
@@ -149,7 +149,7 @@ static get_timevar_wrapper get_timevar(const char *str); static time_t get_timevaldiff(struct timeval earlier, struct timeval later); static time_t get_timevaldiff_to_now(struct timeval earlier); -static in_addr_t get_ip_address(const char *ifname); +static in_addr_t get_ip_address(const char *ifname, const int icmp_sock); static void set_source_ip(char *arg, int icmp_sock, sa_family_t addr_family); /* Receiving data */ @@ -1772,7 +1772,7 @@ static void set_source_ip(char *arg, const int icmp_sock, sa_family_t addr_famil memset(&src, 0, sizeof(src)); src.sin_family = addr_family; if ((src.sin_addr.s_addr = inet_addr(arg)) == INADDR_NONE) { - src.sin_addr.s_addr = get_ip_address(arg); + src.sin_addr.s_addr = get_ip_address(arg, icmp_sock); } if (bind(icmp_sock, (struct sockaddr *)&src, sizeof(src)) == -1) { crash("Cannot bind to IP address %s", arg); @@ -1780,7 +1780,7 @@ static void set_source_ip(char *arg, const int icmp_sock, sa_family_t addr_famil } /* TODO: Move this to netutils.c and also change check_dhcp to use that. */ -static in_addr_t get_ip_address(const char *ifname) { +static in_addr_t get_ip_address(const char *ifname, const int icmp_sock) { // TODO: Rewrite this so the function return an error and we exit somewhere else struct sockaddr_in ip_address; ip_address.sin_addr.s_addr = 0; // Fake initialization to make compiler happy @@ -1795,7 +1795,7 @@ static in_addr_t get_ip_address(const char *ifname) { crash("Cannot determine IP address of interface %s", ifname); } - memcpy(&ip, &ifr.ifr_addr, sizeof(ip)); + memcpy(&ip_address, &ifr.ifr_addr, sizeof(ip_address)); #else (void)ifname; errno = 0; -- cgit v1.2.3-74-g34f1 From 6ce11bc44f5fe2344083a94175a1667ca02e016c Mon Sep 17 00:00:00 2001 
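Review bot: In the last hunk, `memcpy(&ip_address, &ifr.ifr_addr, sizeof(ip_address))` reinterprets whatever the ioctl returned as a `struct sockaddr_in` without checking the address family, while `set_source_ip` now forwards `icmp_sock` whatever `addr_family` is. A check before the copy, `if (ifr.ifr_addr.sa_family != AF_INET) crash("Cannot determine IP address of interface %s", ifname);`, would keep a non-IPv4 result from being bound as the source address. The copy of `ifname` into the request structure and the ioctl call itself lie between the hunks and are not visible, so the bound on that name copy should be confirmed there as well. `get_ip_address` continues past the end of the hunk.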
From: Alvar Penning Date: Thu, 11 Dec 2025 10:53:07 +0100 Subject: lib/utils_cmd: Rename stdout, stderr in cmd_run_result On OpenBSD's "stdio.h", stdin, stdout, and stderr are not directly FILE*, but #defines. Thus, naming the output struct fields stdout and stderr resulted in compiler errors, after replacing the #define. https://codeberg.org/OpenBSD/src/src/commit/a762189c5efbb2811f3c853bc0e5578fd5fb919d/include/stdio.h#L75-L77 --- lib/utils_cmd.c | 12 ++++++------ lib/utils_cmd.h | 4 ++-- plugins/check_by_ssh.c | 34 +++++++++++++++++----------------- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/lib/utils_cmd.c b/lib/utils_cmd.c index 42c81793..23d42168 100644 --- a/lib/utils_cmd.c +++ b/lib/utils_cmd.c @@ -489,14 +489,14 @@ cmd_run_result cmd_run2(const char *cmd_string, int flags) { cmd_run_result result = { .cmd_error_code = 0, .error_code = 0, - .stderr = + .err = { .buf = NULL, .buflen = 0, .line = NULL, .lines = 0, }, - .stdout = + .out = { .buf = NULL, .buflen = 0, @@ -581,14 +581,14 @@ cmd_run_result cmd_run_array2(char *const *cmd, int flags) { cmd_run_result result = { .cmd_error_code = 0, .error_code = 0, - .stderr = + .err = { .buf = NULL, .buflen = 0, .line = NULL, .lines = 0, }, - .stdout = + .out = { .buf = NULL, .buflen = 0, @@ -610,9 +610,9 @@ cmd_run_result cmd_run_array2(char *const *cmd, int flags) { int pfd_err[2] = {cmd_open_result.stderr_pipe_fd[0], cmd_open_result.stderr_pipe_fd[1]}; int_cmd_fetch_output2 tmp_stdout = _cmd_fetch_output2(pfd_out[0], flags); - result.stdout = tmp_stdout.output_container; + result.out = tmp_stdout.output_container; int_cmd_fetch_output2 tmp_stderr = _cmd_fetch_output2(pfd_err[0], flags); - result.stderr = tmp_stderr.output_container; + result.err = tmp_stderr.output_container; result.cmd_error_code = _cmd_close(file_descriptor); return result; diff --git a/lib/utils_cmd.h b/lib/utils_cmd.h index d3a8f14f..04a624b8 100644 --- a/lib/utils_cmd.h +++ b/lib/utils_cmd.h 
@@ -24,8 +24,8 @@ int cmd_file_read(const char *, output *, int); typedef struct { int error_code; int cmd_error_code; - output stdout; - output stderr; + output out; + output err; } cmd_run_result; cmd_run_result cmd_run2(const char *cmd, int flags); cmd_run_result cmd_run_array2(char * const *cmd, int flags); diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c index df8907d9..7ffa0ded 100644 --- a/plugins/check_by_ssh.c +++ b/plugins/check_by_ssh.c @@ -98,7 +98,7 @@ int main(int argc, char **argv) { if (child_result.cmd_error_code == 255 && config.unknown_timeout) { mp_subcheck sc_ssh_execution = mp_subcheck_init(); xasprintf(&sc_ssh_execution.output, "SSH connection failed: %s", - child_result.stderr.lines > 0 ? child_result.stderr.line[0] + child_result.err.lines > 0 ? child_result.err.line[0] : "(no error output)"); sc_ssh_execution = mp_set_subcheck_state(sc_ssh_execution, STATE_UNKNOWN); 
@@ -107,34 +107,34 @@ int main(int argc, char **argv) { } if (verbose) { - for (size_t i = 0; i < child_result.stdout.lines; i++) { - printf("stdout: %s\n", child_result.stdout.line[i]); + for (size_t i = 0; i < child_result.out.lines; i++) { + printf("stdout: %s\n", child_result.out.line[i]); } - for (size_t i = 0; i < child_result.stderr.lines; i++) { - printf("stderr: %s\n", child_result.stderr.line[i]); + for (size_t i = 0; i < child_result.err.lines; i++) { + printf("stderr: %s\n", child_result.err.line[i]); } } size_t skip_stdout = 0; if (config.skip_stdout) { /* --skip-stdout specified without argument */ - skip_stdout = child_result.stdout.lines; + skip_stdout = child_result.out.lines; } else { skip_stdout = config.stdout_lines_to_ignore; } size_t skip_stderr = 0; if (config.skip_stderr) { /* --skip-stderr specified without argument */ - skip_stderr = child_result.stderr.lines; + skip_stderr = child_result.err.lines; } else { skip_stderr = config.sterr_lines_to_ignore; } /* Allow UNKNOWN or WARNING state for (non-skipped) output found on stderr */ - if (child_result.stderr.lines > skip_stderr && + if (child_result.err.lines > skip_stderr && (config.unknown_on_stderr || config.warn_on_stderr)) { mp_subcheck sc_stderr = mp_subcheck_init(); xasprintf(&sc_stderr.output, "remote command execution failed: %s", - child_result.stderr.line[skip_stderr]); + child_result.err.line[skip_stderr]); if (config.unknown_on_stderr) { sc_stderr = mp_set_subcheck_state(sc_stderr, STATE_UNKNOWN); 
@@ -154,10 +154,10 @@ int main(int argc, char **argv) { mp_subcheck sc_active_check = mp_subcheck_init(); xasprintf(&sc_active_check.output, "command stdout:"); - if (child_result.stdout.lines > skip_stdout) { - for (size_t i = skip_stdout; i < child_result.stdout.lines; i++) { + if (child_result.out.lines > skip_stdout) { + for (size_t i = skip_stdout; i < child_result.out.lines; i++) { xasprintf(&sc_active_check.output, "%s\n%s", sc_active_check.output, - child_result.stdout.line[i]); + child_result.out.line[i]); } } else { xasprintf(&sc_active_check.output, "remote command '%s' returned status %d", @@ -209,10 +209,10 @@ int main(int argc, char **argv) { char *status_text; int cresult; mp_subcheck sc_parse_passive = mp_subcheck_init(); - for (size_t i = skip_stdout; i < child_result.stdout.lines; i++) { - status_text = child_result.stdout.line[i++]; - if (i == child_result.stdout.lines || - strstr(child_result.stdout.line[i], "STATUS CODE: ") == NULL) { + for (size_t i = skip_stdout; i < child_result.out.lines; i++) { + status_text = child_result.out.line[i++]; + if (i == child_result.out.lines || + strstr(child_result.out.line[i], "STATUS CODE: ") == NULL) { sc_parse_passive = mp_set_subcheck_state(sc_parse_passive, STATE_UNKNOWN); xasprintf(&sc_parse_passive.output, "failed to parse output"); @@ -221,7 +221,7 @@ int main(int argc, char **argv) { } if (config.service[commands] && status_text && - sscanf(child_result.stdout.line[i], "STATUS CODE: %d", &cresult) == 1) { + sscanf(child_result.out.line[i], "STATUS CODE: %d", &cresult) == 1) { fprintf(output_file, "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s\n", (int)local_time, config.host_shortname, config.service[commands++], cresult, status_text); } -- cgit v1.2.3-74-g34f1 From 8bc1d57a7348afc4da80a60c37c971f51ae72a26 Mon Sep 17 00:00:00 2001 
From: Alvar Penning Date: Thu, 11 Dec 2025 22:16:53 +0100 Subject: check_http: Abort invalid SSL w/ error If a SSL connection cannot be established, check_http bailed out with a die function call with a NULL fmt string. This adds a more meaningful message. The motivation for this patch was to get everything from the OpenBSD ports upstream. It seems like in the old days, this would have resulted in a segfault. https://codeberg.org/OpenBSD/ports/commit/b8a6b3cae57bbfd67e667dca583c621d45ab0d6f However, even if "die" now checks for NULL, a human readable error is nice to have. --- plugins/check_http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/check_http.c b/plugins/check_http.c index d264b95d..d2f080c7 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c @@ -1036,7 +1036,7 @@ int check_http(void) { printf("SSL initialized\n"); } if (result != STATE_OK) { - die(STATE_CRITICAL, NULL); + die(STATE_CRITICAL, _("HTTP CRITICAL - SSL error\n")); } microsec_ssl = deltime(tv_temp); elapsed_time_ssl = (double)microsec_ssl / 1.0e6; -- cgit v1.2.3-74-g34f1 From eed2dd00bb61db0f7654e394948a42b8bf0b14f3 Mon Sep 17 00:00:00 2001 From: Alvar Date: Sun, 14 Dec 2025 11:53:51 +0000 Subject: check_curl: --verify-cert / -D in examples (#2204) Include the -D flag for certificate verification in the "CHECK CERTIFICATE" examples. Otherwise, only the certificate dates are checked, but not if the certificate matches to the hostname or is signed by a trusted CA. Fixes #2146. --- plugins/check_curl.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/plugins/check_curl.c b/plugins/check_curl.c index e3e514ff..0aff8b40 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c 
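Review bot: The new `die` text in plugins/check_http.c says only "SSL error", so the plugin output gives no hint whether the handshake, the protocol version or the certificate was at fault. The call that sets `result` lies outside the hunk, so it is not visible whether it has already printed the underlying reason. If it has, a comment on the `die` line such as `/* cause already reported by the SSL setup call */` would record that; if not, the message should carry the cause. `die` is also always called with `STATE_CRITICAL` here, whatever non-OK value `result` holds, and `check_http` starts and ends outside the hunk.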
@@ -1648,6 +1648,8 @@ void print_help(void) { printf(" %s\n", _("certificate matches the hostname of the server, or if the certificate")); printf(" %s\n", _("has a valid chain of trust to one of the locally installed CAs.")); printf("\n"); + printf(" %s\n", _("To also verify certificates, please set --verify-cert.")); + printf("\n"); printf("%s\n", _("Examples:")); printf(" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com"); printf(" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,")); @@ -1657,16 +1659,18 @@ void print_help(void) { _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,")); printf(" %s\n", _("a STATE_CRITICAL will be returned.")); printf("\n"); - printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14"); + printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14 -D"); printf(" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,")); printf(" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); printf(" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); - printf(" %s\n\n", _("the certificate is expired.")); + printf(" %s\n", _("the certificate is expired.")); + printf("\n"); + printf(" %s\n", _("The -D flag enforces a certificate validation beyond expiration time.")); printf("\n"); - printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14"); + printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14 -D"); printf(" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); printf(" %s\n", -- cgit v1.2.3-74-g34f1
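Review bot: The `CHECK CONTENT` example kept as context in the first hunk still runs `--ssl` without `-D`, so by the help text's own description it continues to show content being fetched from a peer whose hostname and chain of trust are not verified. That is the gap this commit closes for the `CHECK CERTIFICATE` examples. Adding the flag there, `check_curl -w 5 -c 10 --ssl -D -H www.verisign.com`, would make the examples consistent. In the second hunk, "enforces a certificate validation beyond expiration time" could name what is checked, for instance `_("With -D, the hostname match and the chain of trust are verified as well.")`. `print_help` starts and ends outside both hunks.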