From ca5c2b3a5fb4e3c2d8024c23a9566f64572c0882 Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Wed, 10 Dec 2025 21:03:40 +0100
Subject: plugins/check_smtp: Remove unnecessary glibc-only include
This library is glibc-only and not necessary at this point. The getopt_long function is provided by "getopt.h", included via "common.h". Similar to #2159.
---
 plugins/check_smtp.c | 1 -
 1 file changed, 1 deletion(-) (limited to 'plugins')
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index e806ad29..e8c35f58 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -37,7 +37,6 @@
 #include "base64.h"
 #include "regex.h"
-#include
 #include
 #include
 #include "check_smtp.d/config.h"
-- cgit v1.2.3-74-g34f1
From 6ce11bc44f5fe2344083a94175a1667ca02e016c Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Thu, 11 Dec 2025 10:53:07 +0100
Subject: lib/utils_cmd: Rename stdout, stderr in cmd_run_result
On OpenBSD's "stdio.h", stdin, stdout, and stderr are not directly FILE*, but #defines. Thus, naming the output struct fields stdout and stderr resulted in compiler errors, after replacing the #define. https://codeberg.org/OpenBSD/src/src/commit/a762189c5efbb2811f3c853bc0e5578fd5fb919d/include/stdio.h#L75-L77
---
 lib/utils_cmd.c | 12 ++++++------
 lib/utils_cmd.h | 4 ++--
 plugins/check_by_ssh.c | 34 +++++++++++++++++-----------------
 3 files changed, 25 insertions(+), 25 deletions(-) (limited to 'plugins')
diff --git a/lib/utils_cmd.c b/lib/utils_cmd.c
index 42c81793..23d42168 100644
--- a/lib/utils_cmd.c
+++ b/lib/utils_cmd.c
@@ -489,14 +489,14 @@ cmd_run_result cmd_run2(const char *cmd_string, int flags) {
 cmd_run_result result = {
 .cmd_error_code = 0,
 .error_code = 0,
- .stderr =
+ .err =
 {
 .buf = NULL,
 .buflen = 0,
 .line = NULL,
 .lines = 0,
 },
- .stdout =
+ .out =
 {
 .buf = NULL,
 .buflen = 0,
@@ -581,14 +581,14 @@ cmd_run_result cmd_run_array2(char *const *cmd, int flags) {
 cmd_run_result result = {
 .cmd_error_code = 0,
 .error_code = 0,
- .stderr =
+ .err =
 {
 .buf = NULL,
 .buflen = 0,
 .line = NULL,
 .lines = 0,
 },
- .stdout =
+ .out =
 {
 .buf = NULL,
 .buflen = 0,
@@ -610,9 +610,9 @@ cmd_run_result cmd_run_array2(char *const *cmd, int flags) {
 int pfd_err[2] = {cmd_open_result.stderr_pipe_fd[0], cmd_open_result.stderr_pipe_fd[1]};
 int_cmd_fetch_output2 tmp_stdout = _cmd_fetch_output2(pfd_out[0], flags);
- result.stdout = tmp_stdout.output_container;
+ result.out = tmp_stdout.output_container;
 int_cmd_fetch_output2 tmp_stderr = _cmd_fetch_output2(pfd_err[0], flags);
- result.stderr = tmp_stderr.output_container;
+ result.err = tmp_stderr.output_container;
 result.cmd_error_code = _cmd_close(file_descriptor);
 return result;
diff --git a/lib/utils_cmd.h b/lib/utils_cmd.h
index d3a8f14f..04a624b8 100644
--- a/lib/utils_cmd.h
+++ b/lib/utils_cmd.h
@@ -24,8 +24,8 @@ int cmd_file_read(const char *, output *, int);
 typedef struct {
 int error_code;
 int cmd_error_code;
- output stdout;
- output stderr;
+ output out;
+ output err;
 } cmd_run_result;
 cmd_run_result cmd_run2(const char *cmd, int flags);
 cmd_run_result cmd_run_array2(char * const *cmd, int flags);
diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c
index df8907d9..7ffa0ded 100644
--- a/plugins/check_by_ssh.c
+++ b/plugins/check_by_ssh.c
@@ -98,7 +98,7 @@ int main(int argc, char **argv) {
 if (child_result.cmd_error_code == 255 && config.unknown_timeout) {
 mp_subcheck sc_ssh_execution = mp_subcheck_init();
 xasprintf(&sc_ssh_execution.output, "SSH connection failed: %s",
- child_result.stderr.lines > 0 ? child_result.stderr.line[0]
+ child_result.err.lines > 0 ? child_result.err.line[0]
 : "(no error output)");
 sc_ssh_execution = mp_set_subcheck_state(sc_ssh_execution, STATE_UNKNOWN);
@@ -107,34 +107,34 @@ int main(int argc, char **argv) {
 }
 if (verbose) {
- for (size_t i = 0; i < child_result.stdout.lines; i++) {
- printf("stdout: %s\n", child_result.stdout.line[i]);
+ for (size_t i = 0; i < child_result.out.lines; i++) {
+ printf("stdout: %s\n", child_result.out.line[i]);
 }
- for (size_t i = 0; i < child_result.stderr.lines; i++) {
- printf("stderr: %s\n", child_result.stderr.line[i]);
+ for (size_t i = 0; i < child_result.err.lines; i++) {
+ printf("stderr: %s\n", child_result.err.line[i]);
 }
 }
 size_t skip_stdout = 0;
 if (config.skip_stdout) { /* --skip-stdout specified without argument */
- skip_stdout = child_result.stdout.lines;
+ skip_stdout = child_result.out.lines;
 } else {
 skip_stdout = config.stdout_lines_to_ignore;
 }
 size_t skip_stderr = 0;
 if (config.skip_stderr) { /* --skip-stderr specified without argument */
- skip_stderr = child_result.stderr.lines;
+ skip_stderr = child_result.err.lines;
 } else {
 skip_stderr = config.sterr_lines_to_ignore;
 }
 /* Allow UNKNOWN or WARNING state for (non-skipped) output found on stderr */
- if (child_result.stderr.lines > skip_stderr &&
+ if (child_result.err.lines > skip_stderr &&
 (config.unknown_on_stderr || config.warn_on_stderr)) {
 mp_subcheck sc_stderr = mp_subcheck_init();
 xasprintf(&sc_stderr.output, "remote command execution failed: %s",
- child_result.stderr.line[skip_stderr]);
+ child_result.err.line[skip_stderr]);
 if (config.unknown_on_stderr) {
 sc_stderr = mp_set_subcheck_state(sc_stderr, STATE_UNKNOWN);
@@ -154,10 +154,10 @@ int main(int argc, char **argv) {
 mp_subcheck sc_active_check = mp_subcheck_init();
 xasprintf(&sc_active_check.output, "command stdout:");
- if (child_result.stdout.lines > skip_stdout) {
- for (size_t i = skip_stdout; i < child_result.stdout.lines; i++) {
+ if (child_result.out.lines > skip_stdout) {
+ for (size_t i = skip_stdout; i < child_result.out.lines; i++) {
 xasprintf(&sc_active_check.output, "%s\n%s", sc_active_check.output,
- child_result.stdout.line[i]);
+ child_result.out.line[i]);
 }
 } else {
 xasprintf(&sc_active_check.output, "remote command '%s' returned status %d",
@@ -209,10 +209,10 @@ int main(int argc, char **argv) {
 char *status_text;
 int cresult;
 mp_subcheck sc_parse_passive = mp_subcheck_init();
- for (size_t i = skip_stdout; i < child_result.stdout.lines; i++) {
- status_text = child_result.stdout.line[i++];
- if (i == child_result.stdout.lines ||
- strstr(child_result.stdout.line[i], "STATUS CODE: ") == NULL) {
+ for (size_t i = skip_stdout; i < child_result.out.lines; i++) {
+ status_text = child_result.out.line[i++];
+ if (i == child_result.out.lines ||
+ strstr(child_result.out.line[i], "STATUS CODE: ") == NULL) {
 sc_parse_passive = mp_set_subcheck_state(sc_parse_passive, STATE_UNKNOWN);
 xasprintf(&sc_parse_passive.output, "failed to parse output");
@@ -221,7 +221,7 @@ int main(int argc, char **argv) {
 }
 if (config.service[commands] && status_text &&
- sscanf(child_result.stdout.line[i], "STATUS CODE: %d", &cresult) == 1) {
+ sscanf(child_result.out.line[i], "STATUS CODE: %d", &cresult) == 1) {
 fprintf(output_file, "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s\n", (int)local_time, config.host_shortname, config.service[commands++], cresult, status_text);
 }
-- cgit v1.2.3-74-g34f1
From 8bc1d57a7348afc4da80a60c37c971f51ae72a26 Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Thu, 11 Dec 2025 22:16:53 +0100
Subject: check_http: Abort invalid SSL w/ error
If a SSL connection cannot be established, check_http bailed out with a die function call with a NULL fmt string. This adds a more meaningful message. The motivation for this patch was to get everything from the OpenBSD ports upstream. It seems like in the old days, this would have resulted in a segfault. https://codeberg.org/OpenBSD/ports/commit/b8a6b3cae57bbfd67e667dca583c621d45ab0d6f However, even if "die" now checks for NULL, a human readable error is nice to have.
---
 plugins/check_http.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins')
diff --git a/plugins/check_http.c b/plugins/check_http.c
index d264b95d..d2f080c7 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -1036,7 +1036,7 @@ int check_http(void) {
 printf("SSL initialized\n");
 }
 if (result != STATE_OK) {
- die(STATE_CRITICAL, NULL);
+ die(STATE_CRITICAL, _("HTTP CRITICAL - SSL error\n"));
 }
 microsec_ssl = deltime(tv_temp);
 elapsed_time_ssl = (double)microsec_ssl / 1.0e6;
-- cgit v1.2.3-74-g34f1
From eed2dd00bb61db0f7654e394948a42b8bf0b14f3 Mon Sep 17 00:00:00 2001
From: Alvar
Date: Sun, 14 Dec 2025 11:53:51 +0000
Subject: check_curl: --verify-cert / -D in examples (#2204)
Include the -D flag for certificate verification in the "CHECK CERTIFICATE" examples. Otherwise, only the certificate dates are checked, but not if the certificate matches to the hostname or is signed by a trusted CA. Fixes #2146.
---
 plugins/check_curl.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'plugins')
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index e3e514ff..0aff8b40 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
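Review bot: In the check_http.c hunk the new `die()` call hands the gettext result straight to the fmt parameter, so a translation catalog entry that contains a `%` conversion would be interpreted by the formatter instead of printed; `die(STATE_CRITICAL, "%s", _("HTTP CRITICAL - SSL error\n"));` keeps the message as data. The text is also the same for every failure: `result` is tested, but neither the peer nor the reason the SSL setup failed reaches the plugin output on this line, so an operator cannot tell a certificate problem from a refused connection from it alone. check_http() begins and ends outside the hunk, so whether the SSL setup code has already printed a diagnostic before this point is not visible here.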
@@ -1648,6 +1648,8 @@ void print_help(void) {
 printf(" %s\n", _("certificate matches the hostname of the server, or if the certificate"));
 printf(" %s\n", _("has a valid chain of trust to one of the locally installed CAs."));
 printf("\n");
+ printf(" %s\n", _("To also verify certificates, please set --verify-cert."));
+ printf("\n");
 printf("%s\n", _("Examples:"));
 printf(" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com");
 printf(" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,"));
@@ -1657,16 +1659,18 @@ void print_help(void) {
 _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
 printf(" %s\n", _("a STATE_CRITICAL will be returned."));
 printf("\n");
- printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14");
+ printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14 -D");
 printf(" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
 printf(" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
 printf(" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
- printf(" %s\n\n", _("the certificate is expired."));
+ printf(" %s\n", _("the certificate is expired."));
+ printf("\n");
+ printf(" %s\n", _("The -D flag enforces a certificate validation beyond expiration time."));
 printf("\n");
- printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14");
+ printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14 -D");
 printf(" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
 printf(" %s\n",
-- cgit v1.2.3-74-g34f1
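Review bot: The `CHECK CONTENT` example left as context in the first print_help hunk (`check_curl -w 5 -c 10 --ssl -H www.verisign.com`) still runs without `-D`, so presumably the content it times is accepted from a server whose certificate neither matches the hostname nor chains to a local CA; only the two `CHECK CERTIFICATE` examples in the second hunk gain the flag. I would update that example as well, `"CHECK CONTENT: check_curl -w 5 -c 10 --ssl -D -H www.verisign.com"`. The two added sentences also name the option differently (`--verify-cert` in the first hunk, `-D` in the second) without saying they are the same switch; wording such as `_("To also verify the hostname and the chain of trust, please set -D / --verify-cert.")` would tie them together and say what is actually verified. print_help() starts and ends outside both hunks.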