From 81345e3487b85712287efc851e67ca60da59c3a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20K=C3=A4stle?= <12514511+RincewindsHat@users.noreply.github.com> Date: Tue, 7 Apr 2026 13:16:44 +0200 Subject: [PATCH 1/6] common.h: added guard to avoid warning when ENABLE_NLS is not defined (#2248) Co-authored-by: Andreas Baumann --- plugins/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/common.h b/plugins/common.h index ef888d08..b3053486 100644 --- a/plugins/common.h +++ b/plugins/common.h @@ -193,7 +193,7 @@ enum { */ #include "../gl/gettext.h" #define _(String) gettext(String) -#if !ENABLE_NLS +#if !defined(ENABLE_NLS) || !ENABLE_NLS # undef textdomain # define textdomain(Domainname) /* empty */ # undef bindtextdomain From 7c20cb97292a8207b0fe4e76425b62409be68b12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20K=C3=A4stle?= <12514511+RincewindsHat@users.noreply.github.com> Date: Tue, 7 Apr 2026 13:16:59 +0200 Subject: [PATCH 2/6] check_snmp: fixed falltrhough case in ASN_FLOAT/ASN_DOUBLE (#2249) Co-authored-by: Andreas Baumann --- plugins/check_snmp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/plugins/check_snmp.c b/plugins/check_snmp.c index f470d222..1746fd79 100644 --- a/plugins/check_snmp.c +++ b/plugins/check_snmp.c @@ -116,6 +116,7 @@ gen_state_string_type gen_state_string(check_snmp_state_entry *entries, size_t n break; case ASN_FLOAT: printf("Type FLOAT\n"); + break; case ASN_DOUBLE: printf("Type DOUBLE\n"); break; @@ -217,6 +218,7 @@ recover_state_data_type recover_state_data(char *state_string, idx_t state_strin break; case ASN_FLOAT: printf("Type FLOAT\n"); + break; case ASN_DOUBLE: printf("Type DOUBLE\n"); break; From ddd1bd9fbd84b29fb169e592943d1fdfc8ad0d7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20K=C3=A4stle?= <12514511+RincewindsHat@users.noreply.github.com> Date: Tue, 7 Apr 2026 14:13:38 +0200 Subject: [PATCH 3/6] removed -Werror=declaration-after-statement from net-snmp-config --cflags causing trouble in check_snmp.c (#2250) Co-authored-by: Andreas Baumann --- plugins/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/Makefile.am b/plugins/Makefile.am index a35f273e..2bea8fc0 100644 --- a/plugins/Makefile.am +++ b/plugins/Makefile.am @@ -166,7 +166,7 @@ check_real_LDADD = $(NETLIBS) check_snmp_SOURCES = check_snmp.c check_snmp.d/check_snmp_helpers.c check_snmp_LDADD = $(BASEOBJS) check_snmp_LDFLAGS = $(AM_LDFLAGS) -lm `net-snmp-config --libs` -check_snmp_CFLAGS = $(AM_CFLAGS) `net-snmp-config --cflags` +check_snmp_CFLAGS = $(AM_CFLAGS) `net-snmp-config --cflags | sed 's/-Werror=declaration-after-statement//'` check_smtp_LDADD = $(SSLOBJS) check_ssh_LDADD = $(NETLIBS) check_swap_SOURCES = check_swap.c check_swap.d/swap.c From 613cb60c96e21eaafb82b80a6b6d84b1b1f9729f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20K=C3=A4stle?= <12514511+RincewindsHat@users.noreply.github.com> Date: Wed, 8 Apr 2026 17:21:44 +0200 Subject: [PATCH 4/6] check_curl: Clean up (#2252) * check_curl: remove unused variables * check_curl: run formatter on related files * check_curl_helpers: make code a bit more understandable * check_curl helpers: general api cleanup and code style --- plugins/check_curl.c | 88 +++-- plugins/check_curl.d/check_curl_helpers.c | 372 +++++++++++++--------- plugins/check_curl.d/check_curl_helpers.h | 28 +- plugins/t/check_curl.t | 44 +-- plugins/tests/check_curl.t | 4 +- 5 files changed, 322 insertions(+), 214 deletions(-) diff --git a/plugins/check_curl.c b/plugins/check_curl.c index f63cdea2..b168cbcd 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -247,8 +247,9 @@ mp_subcheck check_http(const check_curl_config config, check_curl_working_state printf("**** REQUEST CONTENT ****\n%s\n", workingState.http_post_data); } - // curl_state is updated after curl_easy_perform, and with updated curl_state certificate checks can be done - // Check_http tries to check certs as early as possible, and exits with certificate check result by default. Behave similarly. + // curl_state is updated after curl_easy_perform, and with updated curl_state certificate checks + // can be done Check_http tries to check certs as early as possible, and exits with certificate + // check result by default. Behave similarly. #ifdef LIBCURL_FEATURE_SSL if (workingState.use_ssl && config.check_cert) { if (verbose > 1) { @@ -1546,8 +1547,8 @@ void print_help(void) { printf(" %s\n", "-I, --IP-address=ADDRESS"); printf(" %s\n", "IP address or name (use numeric address if possible to bypass DNS lookup)."); - printf(" %s\n", - "This overwrites the network address of the target while leaving everything else (HTTP headers) as they are"); + printf(" %s\n", "This overwrites the network address of the target while leaving everything " + "else (HTTP headers) as they are"); printf(" %s\n", "-p, --port=INTEGER"); printf(" %s", _("Port number (default: ")); printf("%d)\n", HTTP_PORT); @@ -1611,7 +1612,8 @@ void print_help(void) { printf(" %s\n", _("String to expect in the content")); printf(" %s\n", "-u, --url=PATH"); printf(" %s\n", _("URL to GET or POST (default: /)")); - printf(" %s\n", _("This is the part after the address in a URL, so for \"https://example.com/index.html\" it would be '-u /index.html'")); + printf(" %s\n", _("This is the part after the address in a URL, so for " + "\"https://example.com/index.html\" it would be '-u /index.html'")); printf(" %s\n", "-P, --post=STRING"); printf(" %s\n", _("URL decoded http POST data")); printf(" %s\n", @@ -1643,11 +1645,12 @@ void print_help(void) { printf(" %s\n", _("If port is not specified, libcurl defaults to 1080")); printf(" %s\n", _("This value will be set as CURLOPT_PROXY")); printf(" %s\n", "--noproxy=COMMA_SEPARATED_LIST"); - printf(" %s\n", _("Specify hostnames, addresses and subnets where proxy should not be used")); + printf(" %s\n", + _("Specify hostnames, addresses and subnets where proxy should not be used")); printf(" %s\n", _("Example usage: \"example.com,::1,1.1.1.1,localhost,192.168.0.0/16\"")); printf(" %s\n", _("Do not use brackets when specifying IPv6 addresses")); printf(" %s\n", _("Special case when an item is '*' : matches all hosts/addresses " - "and effectively disables proxy.")); + "and effectively disables proxy.")); printf(" %s\n", _("This value will be set as CURLOPT_NOPROXY")); printf(" %s\n", "-a, --authorization=AUTH_PAIR"); printf(" %s\n", _("Username:password on sites with basic authentication")); @@ -1757,38 +1760,59 @@ void print_help(void) { #endif printf("\n %s\n", "CHECK WEBSERVER CONTENT VIA PROXY:"); - printf(" %s\n", _("Proxies are specified or disabled for certain hosts/addresses using environment variables" - " or -x/--proxy and --noproxy arguments:")); - printf(" %s\n", _("Checked environment variables: all_proxy, http_proxy, https_proxy, no_proxy")); - printf(" %s\n", _("Environment variables can also be given in uppercase, but the lowercase ones will " - "take predence if both are defined.")); - printf(" %s\n", _("The environment variables are overwritten by -x/--proxy and --noproxy arguments:")); + printf(" %s\n", _("Proxies are specified or disabled for certain hosts/addresses using " + "environment variables" + " or -x/--proxy and --noproxy arguments:")); + printf(" %s\n", + _("Checked environment variables: all_proxy, http_proxy, https_proxy, no_proxy")); + printf(" %s\n", + _("Environment variables can also be given in uppercase, but the lowercase ones will " + "take predence if both are defined.")); + printf(" %s\n", + _("The environment variables are overwritten by -x/--proxy and --noproxy arguments:")); printf(" %s\n", _("all_proxy/ALL_PROXY environment variables are read first, but protocol " - "specific environment variables override them.")); - printf(" %s\n", _("If SSL is enabled and used, https_proxy/HTTPS_PROXY will be checked and overwrite " - "http_proxy/HTTPS_PROXY.")); - printf(" %s\n", _("Curl accepts proxies using http, https, socks4, socks4a, socks5 and socks5h schemes.")); - printf(" %s\n", _("http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org")); - printf(" %s\n", _("http_proxy=http://used.proxy.com HTTP_PROXY=http://ignored.proxy.com ./check_curl -H www.monitoring-plugins.org")); + "specific environment variables override them.")); + printf(" %s\n", + _("If SSL is enabled and used, https_proxy/HTTPS_PROXY will be checked and overwrite " + "http_proxy/HTTPS_PROXY.")); + printf( + " %s\n", + _("Curl accepts proxies using http, https, socks4, socks4a, socks5 and socks5h schemes.")); + printf(" %s\n", + _("http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org")); + printf(" %s\n", _("http_proxy=http://used.proxy.com HTTP_PROXY=http://ignored.proxy.com " + "./check_curl -H www.monitoring-plugins.org")); printf(" %s\n", _(" Lowercase http_proxy takes predence over uppercase HTTP_PROXY")); printf(" %s\n", _("./check_curl -H www.monitoring-plugins.org -x http://192.168.100.35:3128")); - printf(" %s\n", _("http_proxy=http://unused.proxy1.com HTTP_PROXY=http://unused.proxy2.com ./check_curl " - "-H www.monitoring-plugins.org --proxy http://used.proxy")); - printf(" %s\n", _(" Proxy specified by --proxy overrides any proxy specified by environment variable.")); + printf(" %s\n", + _("http_proxy=http://unused.proxy1.com HTTP_PROXY=http://unused.proxy2.com ./check_curl " + "-H www.monitoring-plugins.org --proxy http://used.proxy")); + printf( + " %s\n", + _(" Proxy specified by --proxy overrides any proxy specified by environment variable.")); printf(" %s\n", _(" Curl uses port 1080 by default as port is not specified")); - printf(" %s\n", _("HTTPS_PROXY=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org --ssl")); + printf(" %s\n", _("HTTPS_PROXY=http://192.168.100.35:3128 ./check_curl -H " + "www.monitoring-plugins.org --ssl")); printf(" %s\n", _(" HTTPS_PROXY is read as --ssl is toggled")); - printf(" %s\n", _("./check_curl -H www.monitoring-plugins.org --proxy socks5h://192.168.122.21")); - printf(" %s\n", _("./check_curl -H www.monitoring-plugins.org -x http://unused.proxy.com --noproxy '*'")); + printf(" %s\n", + _("./check_curl -H www.monitoring-plugins.org --proxy socks5h://192.168.122.21")); + printf( + " %s\n", + _("./check_curl -H www.monitoring-plugins.org -x http://unused.proxy.com --noproxy '*'")); printf(" %s\n", _(" Disabled proxy for all hosts by using '*' in no_proxy .")); - printf(" %s\n", _("NO_PROXY=www.monitoring-plugins.org ./check_curl -H www.monitoring-plugins.org -x http://unused.proxy.com")); + printf(" %s\n", _("NO_PROXY=www.monitoring-plugins.org ./check_curl -H " + "www.monitoring-plugins.org -x http://unused.proxy.com")); printf(" %s\n", _(" Exact matches with the hostname/address work.")); - printf(" %s\n", _("no_proxy=192.168.178.0/24 ./check_curl -I 192.168.178.10 -x http://proxy.acme.org")); - printf(" %s\n", _("no_proxy=acme.org ./check_curl -H nonpublic.internalwebapp.acme.org -x http://proxy.acme.org")); - printf(" %s\n", _(" Do not use proxy when accessing internal domains/addresses, but use a default proxy when accessing public web.")); - printf(" %s\n", _(" IMPORTANT: Check_curl can not always determine whether itself or the proxy will " - "resolve a hostname before sending a request and getting an answer." - "This can lead to DNS resolvation issues if hostname is only resolvable over proxy.")); + printf(" %s\n", + _("no_proxy=192.168.178.0/24 ./check_curl -I 192.168.178.10 -x http://proxy.acme.org")); + printf(" %s\n", _("no_proxy=acme.org ./check_curl -H nonpublic.internalwebapp.acme.org -x " + "http://proxy.acme.org")); + printf(" %s\n", _(" Do not use proxy when accessing internal domains/addresses, but use a " + "default proxy when accessing public web.")); + printf(" %s\n", + _(" IMPORTANT: Check_curl can not always determine whether itself or the proxy will " + "resolve a hostname before sending a request and getting an answer." + "This can lead to DNS resolvation issues if hostname is only resolvable over proxy.")); printf(" %s\n", _("Legacy proxy requests in check_http style still work:")); printf(" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u http://www.monitoring-plugins.org/ " "-H www.monitoring-plugins.org")); diff --git a/plugins/check_curl.d/check_curl_helpers.c b/plugins/check_curl.d/check_curl_helpers.c index 4372dc0b..f23dbdb7 100644 --- a/plugins/check_curl.d/check_curl_helpers.c +++ b/plugins/check_curl.d/check_curl_helpers.c @@ -60,8 +60,8 @@ check_curl_configure_curl(const check_curl_static_curl_config config, result.curl_state.curl_easy_initialized = true; if (verbose >= 1) { - handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_VERBOSE, 1L), - "CURLOPT_VERBOSE"); + handle_curl_option_return_code( + curl_easy_setopt(result.curl_state.curl, CURLOPT_VERBOSE, 1L), "CURLOPT_VERBOSE"); } /* print everything on stdout like check_http would do */ @@ -120,21 +120,23 @@ check_curl_configure_curl(const check_curl_static_curl_config config, "CURLOPT_TIMEOUT"); /* set proxy */ - /* http(s) proxy can either be given from the command line, or taken from environment variables */ + /* http(s) proxy can either be given from the command line, or taken from environment variables + */ /* socks4(a) / socks5(h) proxy should be given using the command line */ /* first source to check is the environment variables */ - /* lower case proxy environment variables are almost always accepted, while some programs also checking - uppercase ones. discover both, but take the lowercase one if both are present */ + /* lower case proxy environment variables are almost always accepted, while some programs also + checking uppercase ones. discover both, but take the lowercase one if both are present */ - /* extra information: libcurl does not discover the uppercase version HTTP_PROXY due to security reasons */ + /* extra information: libcurl does not discover the uppercase version HTTP_PROXY due to security + * reasons */ /* https://github.com/curl/curl/blob/d445f2d930ae701039518d695481ee53b8490521/lib/url.c#L1987 */ - /* first environment variable to read is all_proxy. it can be overridden by protocol specific environment variables */ - char *all_proxy_env, *all_proxy_uppercase_env; - all_proxy_env = getenv("all_proxy"); - all_proxy_uppercase_env = getenv("ALL_PROXY"); - if (all_proxy_env != NULL && strlen(all_proxy_env)){ + /* first environment variable to read is all_proxy. it can be overridden by protocol specific + * environment variables */ + char *all_proxy_env = getenv("all_proxy"); + char *all_proxy_uppercase_env = getenv("ALL_PROXY"); + if (all_proxy_env != NULL && strlen(all_proxy_env)) { working_state.curlopt_proxy = strdup(all_proxy_env); if (all_proxy_uppercase_env != NULL && verbose >= 1) { printf("* cURL ignoring environment variable 'ALL_PROXY' as 'all_proxy' is set\n"); @@ -143,15 +145,16 @@ check_curl_configure_curl(const check_curl_static_curl_config config, working_state.curlopt_proxy = strdup(all_proxy_uppercase_env); } - /* second environment variable to read is http_proxy. only set curlopt_proxy if ssl is not toggled */ - char *http_proxy_env, *http_proxy_uppercase_env; - http_proxy_env = getenv("http_proxy"); - http_proxy_uppercase_env = getenv("HTTP_PROXY"); - if (!working_state.use_ssl){ + /* second environment variable to read is http_proxy. only set curlopt_proxy if ssl is not + * toggled */ + char *http_proxy_env = getenv("http_proxy"); + char *http_proxy_uppercase_env = getenv("HTTP_PROXY"); + if (!working_state.use_ssl) { if (http_proxy_env != NULL && strlen(http_proxy_env) > 0) { working_state.curlopt_proxy = strdup(http_proxy_env); if (http_proxy_uppercase_env != NULL && verbose >= 1) { - printf("* cURL ignoring environment variable 'HTTP_PROXY' as 'http_proxy' is set\n"); + printf( + "* cURL ignoring environment variable 'HTTP_PROXY' as 'http_proxy' is set\n"); } } else if (http_proxy_uppercase_env != NULL && strlen(http_proxy_uppercase_env) > 0) { working_state.curlopt_proxy = strdup(http_proxy_uppercase_env); @@ -159,30 +162,31 @@ check_curl_configure_curl(const check_curl_static_curl_config config, } #ifdef LIBCURL_FEATURE_SSL /* optionally read https_proxy environment variable and set curlopt_proxy if ssl is toggled */ - char *https_proxy_env, *https_proxy_uppercase_env; - https_proxy_env = getenv("https_proxy"); - https_proxy_uppercase_env = getenv("HTTPS_PROXY"); + char *https_proxy_env = getenv("https_proxy"); + char *https_proxy_uppercase_env = getenv("HTTPS_PROXY"); if (working_state.use_ssl) { if (https_proxy_env != NULL && strlen(https_proxy_env) > 0) { working_state.curlopt_proxy = strdup(https_proxy_env); if (https_proxy_uppercase_env != NULL && verbose >= 1) { - printf("* cURL ignoring environment variable 'HTTPS_PROXY' as 'https_proxy' is set\n"); + printf( + "* cURL ignoring environment variable 'HTTPS_PROXY' as 'https_proxy' is set\n"); } - } - else if (https_proxy_uppercase_env != NULL && strlen(https_proxy_uppercase_env) >= 0) { + } else if (https_proxy_uppercase_env != NULL) { working_state.curlopt_proxy = strdup(https_proxy_uppercase_env); } } #endif /* LIBCURL_FEATURE_SSL */ - /* second source to check for proxies is command line argument, overwriting the environment variables */ + /* second source to check for proxies is command line argument, overwriting the environment + * variables */ if (strlen(config.proxy) > 0) { working_state.curlopt_proxy = strdup(config.proxy); } - if (working_state.curlopt_proxy != NULL && strlen(working_state.curlopt_proxy)){ + if (working_state.curlopt_proxy != NULL && strlen(working_state.curlopt_proxy)) { handle_curl_option_return_code( - curl_easy_setopt(result.curl_state.curl, CURLOPT_PROXY, working_state.curlopt_proxy), "CURLOPT_PROXY"); + curl_easy_setopt(result.curl_state.curl, CURLOPT_PROXY, working_state.curlopt_proxy), + "CURLOPT_PROXY"); if (verbose >= 1) { printf("* curl CURLOPT_PROXY: %s\n", working_state.curlopt_proxy); } @@ -190,34 +194,35 @@ check_curl_configure_curl(const check_curl_static_curl_config config, /* set no_proxy */ /* first source to check is environment variables */ - char *no_proxy_env, *no_proxy_uppercase_env; - no_proxy_env = getenv("no_proxy"); - no_proxy_uppercase_env = getenv("NO_PROXY"); - if (no_proxy_env != NULL && strlen(no_proxy_env)){ + char *no_proxy_env = getenv("no_proxy"); + char *no_proxy_uppercase_env = getenv("NO_PROXY"); + if (no_proxy_env != NULL && strlen(no_proxy_env)) { working_state.curlopt_noproxy = strdup(no_proxy_env); - if (no_proxy_uppercase_env != NULL && verbose >= 1){ + if (no_proxy_uppercase_env != NULL && verbose >= 1) { printf("* cURL ignoring environment variable 'NO_PROXY' as 'no_proxy' is set\n"); } - }else if (no_proxy_uppercase_env != NULL && strlen(no_proxy_uppercase_env) > 0){ + } else if (no_proxy_uppercase_env != NULL && strlen(no_proxy_uppercase_env) > 0) { working_state.curlopt_noproxy = strdup(no_proxy_uppercase_env); } - /* second source to check for no_proxy is command line argument, overwriting the environment variables */ + /* second source to check for no_proxy is command line argument, overwriting the environment + * variables */ if (strlen(config.no_proxy) > 0) { working_state.curlopt_noproxy = strdup(config.no_proxy); } - if ( working_state.curlopt_noproxy != NULL && strlen(working_state.curlopt_noproxy)){ - handle_curl_option_return_code( - curl_easy_setopt(result.curl_state.curl, CURLOPT_NOPROXY, working_state.curlopt_noproxy), "CURLOPT_NOPROXY"); + if (working_state.curlopt_noproxy != NULL && strlen(working_state.curlopt_noproxy)) { + handle_curl_option_return_code(curl_easy_setopt(result.curl_state.curl, CURLOPT_NOPROXY, + working_state.curlopt_noproxy), + "CURLOPT_NOPROXY"); if (verbose >= 1) { printf("* curl CURLOPT_NOPROXY: %s\n", working_state.curlopt_noproxy); } } - int proxy_resolves_hostname = determine_hostname_resolver(working_state, config); + bool have_local_resolution = hostname_gets_resolved_locally(working_state); if (verbose >= 1) { - printf("* proxy_resolves_hostname: %d\n", proxy_resolves_hostname); + printf("* have local name resolution: %s\n", (have_local_resolution ? "true": "false")); } /* enable haproxy protocol */ @@ -231,7 +236,7 @@ check_curl_configure_curl(const check_curl_static_curl_config config, /* host_name, only required for ssl, because we use the host_name later on to make SNI happy */ char dnscache[DEFAULT_BUFFER_SIZE]; char addrstr[DEFAULT_BUFFER_SIZE / 2]; - if (working_state.use_ssl && working_state.host_name != NULL && !proxy_resolves_hostname ) { + if (working_state.use_ssl && working_state.host_name != NULL && !have_local_resolution) { char *tmp_mod_address; /* lookup_host() requires an IPv6 address without the brackets. */ @@ -682,7 +687,7 @@ char *get_header_value(const struct phr_header *headers, const size_t nof_header return NULL; } -check_curl_working_state check_curl_working_state_init() { +check_curl_working_state check_curl_working_state_init(void) { check_curl_working_state result = { .server_address = NULL, .server_url = DEFAULT_SERVER_URL, @@ -699,7 +704,7 @@ check_curl_working_state check_curl_working_state_init() { return result; } -check_curl_config check_curl_config_init() { +check_curl_config check_curl_config_init(void) { check_curl_config tmp = { .initial_config = check_curl_working_state_init(), @@ -1404,10 +1409,10 @@ char *fmt_url(check_curl_working_state workingState) { return url; } -int determine_hostname_resolver(const check_curl_working_state working_state, const check_curl_static_curl_config config){ +bool hostname_gets_resolved_locally(const check_curl_working_state working_state) { char *host_name_display = "NULL"; unsigned long host_name_len = 0; - if( working_state.host_name){ + if (working_state.host_name) { host_name_len = strlen(working_state.host_name); host_name_display = working_state.host_name; } @@ -1415,8 +1420,11 @@ int determine_hostname_resolver(const check_curl_working_state working_state, co /* IPv4 or IPv6 version of the address */ char *server_address_clean = strdup(working_state.server_address); /* server address might be a full length ipv6 address encapsulated in square brackets */ - if ((strnlen(working_state.server_address, MAX_IPV4_HOSTLENGTH) > 2) && (working_state.server_address[0] == '[') && (working_state.server_address[strlen(working_state.server_address)-1] == ']') ) { - server_address_clean = strndup( working_state.server_address + 1, strlen(working_state.server_address) - 2); + if ((strnlen(working_state.server_address, MAX_IPV4_HOSTLENGTH) > 2) && + (working_state.server_address[0] == '[') && + (working_state.server_address[strlen(working_state.server_address) - 1] == ']')) { + server_address_clean = + strndup(working_state.server_address + 1, strlen(working_state.server_address) - 2); } /* check curlopt_noproxy option first */ @@ -1427,79 +1435,90 @@ int determine_hostname_resolver(const check_curl_working_state working_state, co IPv4 or IPv6 CIDR regions e.g 10.241.0.0/16 , abcd:ef01:2345::/48 , direct hostnames e.g example.com, google.de */ - if (working_state.curlopt_noproxy != NULL){ - char* curlopt_noproxy_copy = strdup( working_state.curlopt_noproxy); - char* noproxy_item = strtok(curlopt_noproxy_copy, ","); - while(noproxy_item != NULL){ + if (working_state.curlopt_noproxy != NULL) { + char *curlopt_noproxy_copy = strdup(working_state.curlopt_noproxy); + char *noproxy_item = strtok(curlopt_noproxy_copy, ","); + while (noproxy_item != NULL) { unsigned long noproxy_item_len = strlen(noproxy_item); /* According to the CURLOPT_NOPROXY documentation: */ /* https://curl.se/libcurl/c/CURLOPT_NOPROXY.html */ - /* The only wildcard available is a single * character, which matches all hosts, and effectively disables the proxy. */ - if ( strlen(noproxy_item) == 1 && noproxy_item[0] == '*'){ - if (verbose >= 1){ - printf("* noproxy includes '*' which disables proxy for all host name incl. : %s / server address incl. : %s\n", host_name_display , server_address_clean); + /* The only wildcard available is a single * character, which matches all hosts, and + * effectively disables the proxy. */ + if (strlen(noproxy_item) == 1 && noproxy_item[0] == '*') { + if (verbose >= 1) { + printf("* noproxy includes '*' which disables proxy for all host name incl. : " + "%s / server address incl. : %s\n", + host_name_display, server_address_clean); } free(curlopt_noproxy_copy); free(server_address_clean); - return 0; + return true; } /* direct comparison with the server_address */ - if( server_address_clean != NULL && strlen(server_address_clean) == strlen(noproxy_item) && strcmp(server_address_clean, noproxy_item) == 0){ - if (verbose >= 1){ + if (server_address_clean != NULL && + strlen(server_address_clean) == strlen(noproxy_item) && + strcmp(server_address_clean, noproxy_item) == 0) { + if (verbose >= 1) { printf("* server_address is in the no_proxy list: %s\n", noproxy_item); } free(curlopt_noproxy_copy); free(server_address_clean); - return 0; + return true; } /* direct comparison with the host_name */ - if( working_state.host_name != NULL && host_name_len == noproxy_item_len && strcmp(working_state.host_name, noproxy_item) == 0){ - if (verbose >= 1){ + if (working_state.host_name != NULL && host_name_len == noproxy_item_len && + strcmp(working_state.host_name, noproxy_item) == 0) { + if (verbose >= 1) { printf("* host_name is in the no_proxy list: %s\n", noproxy_item); } free(curlopt_noproxy_copy); free(server_address_clean); - return 0; + return true; } - /* check if hostname is a subdomain of the item, e.g www.example.com when token is example.com */ - /* subdomain1.acme.com will not will use a proxy if you only specify 'acme' in the noproxy */ + /* check if hostname is a subdomain of the item, e.g www.example.com when token is + * example.com */ + /* subdomain1.acme.com will not will use a proxy if you only specify 'acme' in the + * noproxy */ /* check if noproxy_item is a suffix */ /* check if the character just before the suffix is '.' */ - if( working_state.host_name != NULL && host_name_len > noproxy_item_len){ + if (working_state.host_name != NULL && host_name_len > noproxy_item_len) { unsigned long suffix_start_idx = host_name_len - noproxy_item_len; - if (strcmp(working_state.host_name + suffix_start_idx, noproxy_item ) == 0 && working_state.host_name[suffix_start_idx-1] == '.' ){ - if (verbose >= 1){ - printf("* host_name: %s is a subdomain of the no_proxy list item: %s\n", working_state.host_name , noproxy_item); + if (strcmp(working_state.host_name + suffix_start_idx, noproxy_item) == 0 && + working_state.host_name[suffix_start_idx - 1] == '.') { + if (verbose >= 1) { + printf("* host_name: %s is a subdomain of the no_proxy list item: %s\n", + working_state.host_name, noproxy_item); } free(curlopt_noproxy_copy); free(server_address_clean); - return 0; + return true; } } // noproxy_item could be a CIDR IP range - if( server_address_clean != NULL && strlen(server_address_clean)){ + if (server_address_clean != NULL && strlen(server_address_clean)) { + ip_addr_inside ip_addr_inside_cidr_ret = + ip_addr_inside_cidr(noproxy_item, server_address_clean); - int ip_addr_inside_cidr_ret = ip_addr_inside_cidr(noproxy_item, server_address_clean); - - switch(ip_addr_inside_cidr_ret){ - case 1: - return 0; - break; - case 0: - if(verbose >= 1){ - printf("server address: %s is not inside IP cidr: %s\n", server_address_clean, noproxy_item); + if (ip_addr_inside_cidr_ret.error == NO_ERROR) { + if (ip_addr_inside_cidr_ret.inside) { + return true; + } else { + if (verbose >= 1) { + printf("server address: %s is not inside IP cidr: %s\n", + server_address_clean, noproxy_item); + } } - break; - case -1: - if(verbose >= 1){ - printf("could not fully determine if server address: %s is inside the IP cidr: %s\n", server_address_clean, noproxy_item); + } else { + if (verbose >= 1) { + printf("could not fully determine if server address: %s is inside the IP " + "cidr: %s\n", + server_address_clean, noproxy_item); } - break; } } @@ -1509,82 +1528,97 @@ int determine_hostname_resolver(const check_curl_working_state working_state, co free(curlopt_noproxy_copy); } - if (working_state.curlopt_proxy != NULL){ + if (working_state.curlopt_proxy != NULL) { // Libcurl documentation - // Setting the proxy string to "" (an empty string) explicitly disables the use of a proxy, even if there is an environment variable set for it. - if ( strlen(working_state.curlopt_proxy) == 0){ - return 0; + // Setting the proxy string to "" (an empty string) explicitly disables the use of a proxy, + // even if there is an environment variable set for it. + if (strlen(working_state.curlopt_proxy) == 0) { + return true; } - if ( strncmp( working_state.curlopt_proxy, "http://", 7) == 0){ - if (verbose >= 1){ - printf("* proxy scheme is http, proxy: %s resolves host: %s or server_address: %s\n", working_state.curlopt_proxy, host_name_display, server_address_clean); + if (strncmp(working_state.curlopt_proxy, "http://", 7) == 0) { + if (verbose >= 1) { + printf( + "* proxy scheme is http, proxy: %s resolves host: %s or server_address: %s\n", + working_state.curlopt_proxy, host_name_display, server_address_clean); } free(server_address_clean); - return 1; + return false; } - if ( strncmp( working_state.curlopt_proxy, "https://", 8) == 0){ - if (verbose >= 1){ - printf("* proxy scheme is https, proxy: %s resolves host: %s or server_address: %s\n", working_state.curlopt_proxy, host_name_display, server_address_clean); + if (strncmp(working_state.curlopt_proxy, "https://", 8) == 0) { + if (verbose >= 1) { + printf( + "* proxy scheme is https, proxy: %s resolves host: %s or server_address: %s\n", + working_state.curlopt_proxy, host_name_display, server_address_clean); } free(server_address_clean); - return 1; + return false; } - if ( strncmp( working_state.curlopt_proxy, "socks4://", 9) == 0){ - if (verbose >= 1){ - printf("* proxy scheme is socks, proxy: %s does not resolve host: %s or server_address: %s\n", working_state.curlopt_proxy, host_name_display, server_address_clean); + if (strncmp(working_state.curlopt_proxy, "socks4://", 9) == 0) { + if (verbose >= 1) { + printf("* proxy scheme is socks, proxy: %s does not resolve host: %s or " + "server_address: %s\n", + working_state.curlopt_proxy, host_name_display, server_address_clean); } free(server_address_clean); - return 0; + return true; } - if ( strncmp( working_state.curlopt_proxy, "socks4a://", 10) == 0){ - if (verbose >= 1){ - printf("* proxy scheme is socks4a, proxy: %s resolves host: %s or server_address: %s\n", working_state.curlopt_proxy, host_name_display, server_address_clean); + if (strncmp(working_state.curlopt_proxy, "socks4a://", 10) == 0) { + if (verbose >= 1) { + printf("* proxy scheme is socks4a, proxy: %s resolves host: %s or server_address: " + "%s\n", + working_state.curlopt_proxy, host_name_display, server_address_clean); } free(server_address_clean); - return 1; + return false; } - if ( strncmp( working_state.curlopt_proxy, "socks5://", 9) == 0){ - if (verbose >= 1){ - printf("* proxy scheme is socks5, proxy: %s does not resolve host: %s or server_address: %s\n", working_state.curlopt_proxy, host_name_display, server_address_clean); + if (strncmp(working_state.curlopt_proxy, "socks5://", 9) == 0) { + if (verbose >= 1) { + printf("* proxy scheme is socks5, proxy: %s does not resolve host: %s or " + "server_address: %s\n", + working_state.curlopt_proxy, host_name_display, server_address_clean); } free(server_address_clean); - return 0; + return true; } - if ( strncmp( working_state.curlopt_proxy, "socks5h://", 10) == 0){ - if (verbose >= 1){ - printf("* proxy scheme is socks5h, proxy: %s resolves host: %s or server_address: %s\n", working_state.curlopt_proxy, host_name_display, server_address_clean); + if (strncmp(working_state.curlopt_proxy, "socks5h://", 10) == 0) { + if (verbose >= 1) { + printf("* proxy scheme is socks5h, proxy: %s resolves host: %s or server_address: " + "%s\n", + working_state.curlopt_proxy, host_name_display, server_address_clean); } free(server_address_clean); - return 1; + return false; } // Libcurl documentation: - // Without a scheme prefix, CURLOPT_PROXYTYPE can be used to specify which kind of proxy the string identifies. - // We do not set this value - // Without a scheme, it is treated as an http proxy + // Without a scheme prefix, CURLOPT_PROXYTYPE can be used to specify which kind of proxy the + // string identifies. We do not set this value Without a scheme, it is treated as an http + // proxy - return 1; + return false; } - if (verbose >= 1){ - printf("* proxy scheme is unknown/unavailable, no proxy is assumed for host: %s or server_address: %s\n", host_name_display, server_address_clean); + if (verbose >= 1) { + printf("* proxy scheme is unknown/unavailable, no proxy is assumed for host: %s or " + "server_address: %s\n", + host_name_display, server_address_clean); } free(server_address_clean); return 0; } -int ip_addr_inside_cidr(const char* cidr_region_or_ip_addr, const char* target_ip){ +ip_addr_inside ip_addr_inside_cidr(const char *cidr_region_or_ip_addr, const char *target_ip) { unsigned int slash_count = 0; unsigned int last_slash_idx = 0; - for(size_t i = 0; i < strlen(cidr_region_or_ip_addr); i++){ - if(cidr_region_or_ip_addr[i] == '/'){ + for (size_t i = 0; i < strlen(cidr_region_or_ip_addr); i++) { + if (cidr_region_or_ip_addr[i] == '/') { slash_count++; last_slash_idx = (unsigned int)i; } @@ -1592,48 +1626,67 @@ int ip_addr_inside_cidr(const char* cidr_region_or_ip_addr, const char* target_i char *cidr_ip_part = NULL; int prefix_length = 0; + ip_addr_inside result = { + .inside = false, + .error = NO_ERROR, + }; if (slash_count == 0) { cidr_ip_part = strdup(cidr_region_or_ip_addr); - if (!cidr_ip_part) return -1; + if (!cidr_ip_part) { + result.error = FAILED_STRDUP; + return result; + } } else if (slash_count == 1) { cidr_ip_part = strndup(cidr_region_or_ip_addr, last_slash_idx); - if (!cidr_ip_part) return -1; + if (!cidr_ip_part) { + result.error = FAILED_STRDUP; + return result; + } errno = 0; long long tmp = strtoll(cidr_region_or_ip_addr + last_slash_idx + 1, NULL, 10); if (errno == ERANGE) { if (verbose >= 1) { - printf("cidr_region_or_ip: %s , could not parse subnet length\n", cidr_region_or_ip_addr); + printf("cidr_region_or_ip: %s , could not parse subnet length\n", + cidr_region_or_ip_addr); } free(cidr_ip_part); - return -1; + result.error = COULD_NOT_PARSE_SUBNET_LENGTH; + return result; } prefix_length = (int)tmp; } else { - printf("cidr_region_or_ip: %s , has %d number of '/' characters, is not a valid cidr_region or IP\n", cidr_region_or_ip_addr, slash_count); - return -1; + if (verbose >= 1) { + printf("cidr_region_or_ip: %s , has %d number of '/' characters, is not a valid " + "cidr_region or IP\n", + cidr_region_or_ip_addr, slash_count); + } + result.error = CIDR_REGION_INVALID; + return result; } int cidr_addr_family, target_addr_family; - if (strchr(cidr_ip_part, ':')){ + if (strchr(cidr_ip_part, ':')) { cidr_addr_family = AF_INET6; } else { cidr_addr_family = AF_INET; } - if (strchr(target_ip, ':')){ + if (strchr(target_ip, ':')) { target_addr_family = AF_INET6; } else { target_addr_family = AF_INET; } - if (cidr_addr_family != target_addr_family){ - if (verbose >= 1){ - printf("cidr address: %s and target ip address: %s have different address families\n", cidr_ip_part, target_ip); + if (cidr_addr_family != target_addr_family) { + if (verbose >= 1) { + printf("cidr address: %s and target ip address: %s have different address families\n", + cidr_ip_part, target_ip); } free(cidr_ip_part); - return 0; + result.inside = false; + return result; } // If no prefix is given, treat the cidr as a single address (full-length prefix) @@ -1644,14 +1697,17 @@ int ip_addr_inside_cidr(const char* cidr_region_or_ip_addr, const char* target_i int max_bits = (cidr_addr_family == AF_INET) ? 32u : 128u; if (prefix_length < 0 || prefix_length > max_bits) { if (verbose >= 1) { - printf("cidr_region_or_ip: %s has invalid prefix length: %u\n", cidr_region_or_ip_addr, prefix_length); + printf("cidr_region_or_ip: %s has invalid prefix length: %u\n", cidr_region_or_ip_addr, + prefix_length); } free(cidr_ip_part); - return -1; + result.error = CIDR_REGION_INVALID_PREFIX; + return result; } - if (verbose >= 1){ - printf("cidr_region_or_ip: %s , has prefix length: %u\n", cidr_region_or_ip_addr, prefix_length); + if (verbose >= 1) { + printf("cidr_region_or_ip: %s , has prefix length: %u\n", cidr_region_or_ip_addr, + prefix_length); } int inet_pton_rc; @@ -1659,7 +1715,6 @@ int ip_addr_inside_cidr(const char* cidr_region_or_ip_addr, const char* target_i uint8_t *target_bytes = NULL; uint8_t cidr_buf[16]; uint8_t target_buf[16]; - size_t total_bytes = 0; if (cidr_addr_family == AF_INET) { struct in_addr cidr_ipv4; @@ -1667,49 +1722,55 @@ int ip_addr_inside_cidr(const char* cidr_region_or_ip_addr, const char* target_i inet_pton_rc = inet_pton(AF_INET, cidr_ip_part, &cidr_ipv4); if (inet_pton_rc != 1) { if (verbose >= 1) { - printf("ip string: %s contains characters not valid for its address family: IPv4\n", cidr_ip_part); + printf("ip string: %s contains characters not valid for its address family: IPv4\n", + cidr_ip_part); } free(cidr_ip_part); - return -1; + result.error = IP_CONTAINS_INVALID_CHARACTERS; + return result; } inet_pton_rc = inet_pton(AF_INET, target_ip, &target_ipv4); if (inet_pton_rc != 1) { if (verbose >= 1) { - printf("ip string: %s contains characters not valid for its address family: IPv4\n", target_ip); + printf("ip string: %s contains characters not valid for its address family: IPv4\n", + target_ip); } free(cidr_ip_part); - return -1; + result.error = IP_CONTAINS_INVALID_CHARACTERS; + return result; } // copy the addresses in network byte order to a buffer for comparison memcpy(cidr_buf, &cidr_ipv4.s_addr, 4); memcpy(target_buf, &target_ipv4.s_addr, 4); cidr_bytes = cidr_buf; target_bytes = target_buf; - total_bytes = 4; } else { struct in6_addr cidr_ipv6; struct in6_addr target_ipv6; inet_pton_rc = inet_pton(AF_INET6, cidr_ip_part, &cidr_ipv6); if (inet_pton_rc != 1) { if (verbose >= 1) { - printf("ip string: %s contains characters not valid for its address family: IPv6\n", cidr_ip_part); + printf("ip string: %s contains characters not valid for its address family: IPv6\n", + cidr_ip_part); } free(cidr_ip_part); - return -1; + result.error = IP_CONTAINS_INVALID_CHARACTERS; + return result; } inet_pton_rc = inet_pton(AF_INET6, target_ip, &target_ipv6); if (inet_pton_rc != 1) { if (verbose >= 1) { - printf("ip string: %s contains characters not valid for its address family: IPv6\n", target_ip); + printf("ip string: %s contains characters not valid for its address family: IPv6\n", + target_ip); } free(cidr_ip_part); - return -1; + result.error = IP_CONTAINS_INVALID_CHARACTERS; + return result; } memcpy(cidr_buf, &cidr_ipv6, 16); memcpy(target_buf, &target_ipv6, 16); cidr_bytes = cidr_buf; target_bytes = target_buf; - total_bytes = 16; } int prefix_bytes = prefix_length / 8; @@ -1718,10 +1779,13 @@ int ip_addr_inside_cidr(const char* cidr_region_or_ip_addr, const char* target_i if (prefix_bytes > 0) { if (memcmp(cidr_bytes, target_bytes, (size_t)prefix_bytes) != 0) { if (verbose >= 1) { - printf("the first %d bytes of the cidr_region_or_ip: %s and target_ip: %s are different\n", prefix_bytes, cidr_ip_part, target_ip); + printf("the first %d bytes of the cidr_region_or_ip: %s and target_ip: %s are " + "different\n", + prefix_bytes, cidr_ip_part, target_ip); } free(cidr_ip_part); - return 0; + result.inside = false; + return result; } } @@ -1732,13 +1796,19 @@ int ip_addr_inside_cidr(const char* cidr_region_or_ip_addr, const char* target_i uint8_t mask = (uint8_t)(0xFFu << (8 - prefix_bits)); if ((cidr_oct & mask) != (target_oct & mask)) { if (verbose >= 1) { - printf("looking at the last %d bits of the prefix, cidr_region_or_ip(%s) byte is: %u and target_ip byte(%s) is: %u, applying bitmask: %02X returns different results\n", prefix_bits, cidr_ip_part, (unsigned)cidr_oct, target_ip, (unsigned)target_oct, mask); + printf("looking at the last %d bits of the prefix, cidr_region_or_ip(%s) byte is: " + "%u and target_ip byte(%s) is: %u, applying bitmask: %02X returns different " + "results\n", + prefix_bits, cidr_ip_part, (unsigned)cidr_oct, target_ip, + (unsigned)target_oct, mask); } free(cidr_ip_part); - return 0; + result.inside = false; + return result; } } free(cidr_ip_part); - return 1; + result.inside = true; + return result; } diff --git a/plugins/check_curl.d/check_curl_helpers.h b/plugins/check_curl.d/check_curl_helpers.h index cc47bf9d..55df9bc1 100644 --- a/plugins/check_curl.d/check_curl_helpers.h +++ b/plugins/check_curl.d/check_curl_helpers.h @@ -127,11 +127,25 @@ mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_ int crit_days_till_exp); char *fmt_url(check_curl_working_state workingState); +/* determine_hostname_resolver determines if the host or the proxy resolves the target hostname +returns RESOLVE_LOCALLY if requester resolves the hostname locally, RESOLVE_REMOTELY if proxy +resolves the hostname */ +bool hostname_gets_resolved_locally(const check_curl_working_state working_state); -/* function that will determine if the host or the proxy resolves the target hostname -returns 0 if requester resolves the hostname locally, 1 if proxy resolves the hostname */ -int determine_hostname_resolver(const check_curl_working_state working_state, const check_curl_static_curl_config config); - -/* Checks if an IP is inside given CIDR region. Using /protocol_size or not specifying the prefix length performs an equality check. Supports both IPv4 and IPv6 -returns 1 if the target_ip address is inside the given cidr_region_or_ip_addr, 0 if its out. return codes < 0 mean an error has occurred. */ -int ip_addr_inside_cidr(const char* cidr_region_or_ip_addr, const char* target_ip); +/* Checks if an IP is inside given CIDR region. Using /protocol_size or not specifying the prefix +length performs an equality check. Supports both IPv4 and IPv6 returns 1 if the target_ip address is +inside the given cidr_region_or_ip_addr, 0 if its out. return codes < 0 mean an error has occurred. +*/ +typedef enum { + NO_ERROR, + FAILED_STRDUP, + COULD_NOT_PARSE_SUBNET_LENGTH, + CIDR_REGION_INVALID, + CIDR_REGION_INVALID_PREFIX, + IP_CONTAINS_INVALID_CHARACTERS, +} ip_addr_inside_error_code; +typedef struct { + bool inside; + ip_addr_inside_error_code error; +} ip_addr_inside; +ip_addr_inside ip_addr_inside_cidr(const char *cidr_region_or_ip_addr, const char *target_ip); diff --git a/plugins/t/check_curl.t b/plugins/t/check_curl.t index a8326f12..0f4d0de7 100644 --- a/plugins/t/check_curl.t +++ b/plugins/t/check_curl.t @@ -238,100 +238,100 @@ SKIP: { # Test if proxy works $res = NPTest->testCmd( "./$plugin -H $host_tcp_http --proxy http://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used, there are no preventative measures "); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used, there are no preventative measures "); is( $res->return_code, 0, "Using proxy http://$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http works" ); $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv4 --proxy http://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used, there are no preventative measures "); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used, there are no preventative measures "); is( $res->return_code, 0, "Using proxy http://$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http_ipv4 works" ); $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv6 --proxy http://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used, there are no preventative measures "); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used, there are no preventative measures "); is( $res->return_code, 0, "Using proxy http://$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http_ipv6 works" ); $res = NPTest->testCmd( "./$plugin -H $host_tcp_http2 --proxy http://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used, there are no preventative measures "); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used, there are no preventative measures "); is( $res->return_code, 0, "Using proxy http://$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http2 works" ); $res = NPTest->testCmd( "./$plugin -H $host_tcp_http_subdomain --proxy http://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used, there are no preventative measures "); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used, there are no preventative measures "); is( $res->return_code, 0, "Using proxy http://$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http_subdomain works" ); $res = NPTest->testCmd( "./$plugin -H $host_tls_http --proxy http://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used, there are no preventative measures "); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used, there are no preventative measures "); is( $res->return_code, 0, "Using proxy http://$host_tcp_proxy:$port_tcp_proxy to connect to $host_tls_http works" ); # Noproxy '*' should prevent using proxy in any setting, even if its specified $res = NPTest->testCmd( "./$plugin -H $host_tcp_http_subdomain --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy \"\*\" -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since noproxy has \"\*\" "); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since noproxy has \"\*\" "); is( $res->return_code, 0, "Should reach $host_tcp_http_subdomain with or without proxy." ); $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv4 --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy \"\*\" -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since noproxy has \"\*\" "); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since noproxy has \"\*\" "); is( $res->return_code, 0, "Should reach $host_tcp_http_ipv4 with or without proxy." ); $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv6 --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy \"\*\" -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since noproxy has \"\*\" "); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since noproxy has \"\*\" "); is( $res->return_code, 0, "Should reach $host_tcp_http_ipv6 with or without proxy." ); # Noproxy domain should prevent using proxy for subdomains of that domain $res = NPTest->testCmd( "./$plugin -H $host_tcp_http_subdomain --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy $host_tcp_http -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since subdomain: $host_tcp_http_subdomain is under a noproxy domain: $host_tcp_http"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since subdomain: $host_tcp_http_subdomain is under a noproxy domain: $host_tcp_http"); is( $res->return_code, 0, "Should reach $host_tcp_http_subdomain with or without proxy." ); # Noproxy should prevent using IP matches if an IP is found directly $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv4 --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy $host_tcp_http_ipv4 -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since IP address: $host_tcp_http_ipv4 is added into noproxy: $host_tcp_http_ipv4"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since IP address: $host_tcp_http_ipv4 is added into noproxy: $host_tcp_http_ipv4"); is( $res->return_code, 0, "Should reach $host_tcp_http_ipv4 with or without proxy." ); $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv6 --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy $host_tcp_http_ipv6 -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since IP address: $host_tcp_http_ipv6 is added into noproxy: $host_tcp_http_ipv6"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since IP address: $host_tcp_http_ipv6 is added into noproxy: $host_tcp_http_ipv6"); is( $res->return_code, 0, "Should reach $host_tcp_http_ipv6 with or without proxy." ); # Noproxy should prevent using IP matches if a CIDR region that contains that Ip is used directly. $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv4 --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy $host_tcp_http_ipv4_cidr_1 -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since IP address: $host_tcp_http_ipv4 is inside CIDR range: $host_tcp_http_ipv4_cidr_1"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since IP address: $host_tcp_http_ipv4 is inside CIDR range: $host_tcp_http_ipv4_cidr_1"); is( $res->return_code, 0, "Should reach $host_tcp_http_ipv4 with or without proxy." ); $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv4 --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy $host_tcp_http_ipv4_cidr_2 -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since IP address: $host_tcp_http_ipv4 is inside CIDR range: $host_tcp_http_ipv4_cidr_2"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since IP address: $host_tcp_http_ipv4 is inside CIDR range: $host_tcp_http_ipv4_cidr_2"); is( $res->return_code, 0, "Should reach $host_tcp_http_ipv4 with or without proxy." ); $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv6 --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy $host_tcp_http_ipv6_cidr_1 -v " ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since IP address: $host_tcp_http_ipv6 is inside CIDR range: $host_tcp_http_ipv6_cidr_1"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since IP address: $host_tcp_http_ipv6 is inside CIDR range: $host_tcp_http_ipv6_cidr_1"); is( $res->return_code, 0, "Should reach $host_tcp_http_ipv6 with or without proxy." ); $res = NPTest->testCmd( "./$plugin -I $host_tcp_http_ipv6 --proxy http://$host_tcp_proxy:$port_tcp_proxy --noproxy $host_tcp_http_ipv6_cidr_2 -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used since IP address: $host_tcp_http_ipv6 is inside CIDR range: $host_tcp_http_ipv6_cidr_2"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used since IP address: $host_tcp_http_ipv6 is inside CIDR range: $host_tcp_http_ipv6_cidr_2"); is( $res->return_code, 0, "Should reach $host_tcp_http_ipv6 with or without proxy." ); # Noproxy should discern over different types of proxy schemes $res = NPTest->testCmd( "./$plugin -H $host_tcp_http --proxy http://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used for resolving hostname, and is using scheme http "); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used for resolving hostname, and is using scheme http "); is( $res->return_code, 0, "Using proxy http:$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http works" ); $res = NPTest->testCmd( "./$plugin -H $host_tcp_http --proxy https://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used for resolving hostname, and is using scheme https"); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used for resolving hostname, and is using scheme https"); # Squid is not configured for https # is( $res->return_code, 0, "Using proxy https:$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http works" ); $res = NPTest->testCmd( "./$plugin -H $host_tcp_http --proxy socks4://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used for resolving hostname, and is using scheme socks4"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used for resolving hostname, and is using scheme socks4"); # Squid is not configured for socks4 # is( $res->return_code, 0, "Using proxy socks4:$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http works" ); $res = NPTest->testCmd( "./$plugin -H $host_tcp_http --proxy socks4a://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used for resolving hostname, and is using scheme socks4a"); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used for resolving hostname, and is using scheme socks4a"); # Squid is not configured for socks4a # is( $res->return_code, 0, "Using proxy socks4a:$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http works" ); $res = NPTest->testCmd( "./$plugin -H $host_tcp_http --proxy socks5://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 0/m, "proxy is not used for resolving hostname, and is using scheme socks5"); + like($res->output, qr/^\* have local name resolution: true/m, "proxy is not used for resolving hostname, and is using scheme socks5"); # Squid is not configured for socks5 # is( $res->return_code, 0, "Using proxy socks5:$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http works" ); $res = NPTest->testCmd( "./$plugin -H $host_tcp_http --proxy socks5h://$host_tcp_proxy:$port_tcp_proxy -v" ); - like($res->output, qr/^\* proxy_resolves_hostname: 1/m, "proxy is used for resolving hostname, and is using scheme socks5h"); + like($res->output, qr/^\* have local name resolution: false/m, "proxy is used for resolving hostname, and is using scheme socks5h"); # Squid is not configured for socks5h # is( $res->return_code, 0, "Using proxy socks5h:$host_tcp_proxy:$port_tcp_proxy to connect to $host_tcp_http works" ); } diff --git a/plugins/tests/check_curl.t b/plugins/tests/check_curl.t index e027b6f4..d0a866cb 100755 --- a/plugins/tests/check_curl.t +++ b/plugins/tests/check_curl.t @@ -833,12 +833,12 @@ sub run_common_tests { $cmd = "$command -u /statuscode/200 --proxy http://proxy.example.com:8080 --noproxy '*' -v"; $result = NPTest->testCmd( $cmd ); is( $result->return_code, 0, $cmd); - like( $result->output, '/.*proxy_resolves_hostname: 0.*/', "Proxy will not be used due to '*' in noproxy: ".$result->output ); + like( $result->output, '/.*have local name resolution: true.*/', "Proxy will not be used due to '*' in noproxy: ".$result->output ); $cmd = "$command -u /statuscode/200 --proxy http://proxy.example.com:8080 --noproxy '127.0.0.1' -v"; $result = NPTest->testCmd( $cmd ); is( $result->return_code, 0, $cmd); - like( $result->output, '/.*proxy_resolves_hostname: 0.*/', "Proxy will not be used due to '127.0.0.1' in noproxy: ".$result->output ); + like( $result->output, '/.*have local name resolution: true.*/', "Proxy will not be used due to '127.0.0.1' in noproxy: ".$result->output ); } } From 3a6f9292f147de29b21dafa4cf9b7efce3e4cbfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20K=C3=A4stle?= <12514511+RincewindsHat@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:06:29 +0200 Subject: [PATCH 5/6] Rename USE_OPENSSL to MOPL_USE_OPENSSL (#2253) net-snmp uses the same pre processor name "USE_OPENSSL" as we do. To avoid the conflict, this commit renames it on our side to "MOPL_USE_OPENSSL". "MOPL" (better "MoPl"?) stands for Monitoring Plugins. --- configure.ac | 2 +- lib/utils_base.h | 2 +- plugins/check_curl.c | 26 ++++++++-------- plugins/check_curl.d/check_curl_helpers.c | 16 +++++----- plugins/check_smtp.c | 6 ++-- plugins/check_tcp.c | 4 +-- plugins/sslutils.c | 38 +++++++++++------------ 7 files changed, 47 insertions(+), 47 deletions(-) diff --git a/configure.ac b/configure.ac index ae7eb30b..e4351ad7 100644 --- a/configure.ac +++ b/configure.ac @@ -578,7 +578,7 @@ if test "$FOUNDOPENSSL" = "yes" || test "$FOUNDGNUTLS" = "yes"; then AC_SUBST(SSLLIBS) AC_DEFINE(HAVE_SSL,1,[Define if SSL libraries are found]) if test "$FOUNDOPENSSL" = "yes"; then - AC_DEFINE(USE_OPENSSL,1,[Define if using OpenSSL libraries]) + AC_DEFINE(MOPL_USE_OPENSSL,1,[Define if using OpenSSL libraries]) with_openssl="yes" with_gnutls="no" else diff --git a/lib/utils_base.h b/lib/utils_base.h index 27884bf0..1da96f78 100644 --- a/lib/utils_base.h +++ b/lib/utils_base.h @@ -9,7 +9,7 @@ #include "./thresholds.h" #include "states.h" -#ifndef USE_OPENSSL +#ifndef MOPL_USE_OPENSSL # include "sha256.h" #endif diff --git a/plugins/check_curl.c b/plugins/check_curl.c index b168cbcd..fe7e61d6 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -62,7 +62,7 @@ const char *email = "devel@monitoring-plugins.org"; #include #include -#if defined(HAVE_SSL) && defined(USE_OPENSSL) +#if defined(HAVE_SSL) && defined(MOPL_USE_OPENSSL) # include #endif @@ -81,9 +81,9 @@ extern char errbuf[MAX_INPUT_BUFFER]; extern bool is_openssl_callback; extern bool add_sslctx_verify_fun; -#if defined(HAVE_SSL) && defined(USE_OPENSSL) +#if defined(HAVE_SSL) && defined(MOPL_USE_OPENSSL) static X509 *cert = NULL; -#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ +#endif /* defined(HAVE_SSL) && defined(MOPL_USE_OPENSSL) */ typedef struct { int errorcode; @@ -114,10 +114,10 @@ static void print_curl_version(void); // check_curl_evaluation_wrapper check_curl_evaluate(check_curl_config config, // mp_check overall[static 1]) {} -#if defined(HAVE_SSL) && defined(USE_OPENSSL) +#if defined(HAVE_SSL) && defined(MOPL_USE_OPENSSL) mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit); -#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ +#endif /* defined(HAVE_SSL) && defined(MOPL_USE_OPENSSL) */ int main(int argc, char **argv) { #ifdef __OpenBSD__ @@ -167,7 +167,7 @@ int main(int argc, char **argv) { } #ifdef HAVE_SSL -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) { (void)preverify_ok; /* TODO: we get all certificates of the chain, so which ones @@ -190,11 +190,11 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) { } return 1; } -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ #endif /* HAVE_SSL */ #ifdef HAVE_SSL -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) { (void)curl; // ignore unused parameter (void)parm; // ignore unused parameter @@ -211,7 +211,7 @@ CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) { return CURLE_OK; } -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ #endif /* HAVE_SSL */ mp_subcheck check_http(const check_curl_config config, check_curl_working_state workingState, @@ -1867,7 +1867,7 @@ void print_usage(void) { void print_curl_version(void) { printf("%s\n", curl_version()); } #ifdef LIBCURL_FEATURE_SSL -# ifndef USE_OPENSSL +# ifndef MOPL_USE_OPENSSL time_t parse_cert_date(const char *s) { if (!s) { return -1; @@ -1884,11 +1884,11 @@ time_t parse_cert_date(const char *s) { return date; } -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ #endif /* LIBCURL_FEATURE_SSL */ #ifdef LIBCURL_FEATURE_SSL -# ifndef USE_OPENSSL +# ifndef MOPL_USE_OPENSSL /* TODO: this needs cleanup in the sslutils.c, maybe we the #else case to * OpenSSL could be this function */ @@ -2025,5 +2025,5 @@ int net_noopenssl_check_certificate(cert_ptr_union *cert_ptr, int days_till_exp_ } return status; } -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ #endif /* LIBCURL_FEATURE_SSL */ diff --git a/plugins/check_curl.d/check_curl_helpers.c b/plugins/check_curl.d/check_curl_helpers.c index f23dbdb7..80d6f4f6 100644 --- a/plugins/check_curl.d/check_curl_helpers.c +++ b/plugins/check_curl.d/check_curl_helpers.c @@ -439,11 +439,11 @@ check_curl_configure_curl(const check_curl_static_curl_config config, case CURLHELP_SSL_LIBRARY_LIBRESSL: /* set callback to extract certificate with OpenSSL context function (works with * OpenSSL-style libraries only!) */ -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL /* libcurl and monitoring plugins built with OpenSSL, good */ add_sslctx_verify_fun = true; is_openssl_callback = true; -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ /* libcurl is built with OpenSSL, monitoring plugins, so falling * back to manually extracting certificate information */ handle_curl_option_return_code( @@ -1312,16 +1312,16 @@ mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_ #ifdef LIBCURL_FEATURE_SSL if (is_openssl_callback) { -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL /* check certificate with OpenSSL functions, curl has been built against OpenSSL * and we actually have OpenSSL in the monitoring tools */ return mp_net_ssl_check_certificate(cert, warn_days_till_exp, crit_days_till_exp); -# else /* USE_OPENSSL */ +# else /* MOPL_USE_OPENSSL */ xasprintf(&result.output, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL " "callback used and not linked against OpenSSL\n"); mp_set_subcheck_state(result, STATE_CRITICAL); -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ } else { struct curl_slist *slist; @@ -1329,7 +1329,7 @@ mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_ cert_ptr.to_info = NULL; CURLcode res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &cert_ptr.to_certinfo); if (!res && cert_ptr.to_info) { -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL /* We have no OpenSSL in libcurl, but we can use OpenSSL for X509 cert * parsing We only check the first certificate and assume it's the one of * the server @@ -1375,13 +1375,13 @@ mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_ BIO_free(cert_BIO); return mp_net_ssl_check_certificate(cert, warn_days_till_exp, crit_days_till_exp); -# else /* USE_OPENSSL */ +# else /* MOPL_USE_OPENSSL */ /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our * disposal, so we use the libcurl CURLINFO data */ return net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit); -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ } else { xasprintf(&sc_cert_result.output, _("Cannot retrieve certificates - cURL returned %d - %s"), res, diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 24883fd8..19e2a58f 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -350,7 +350,7 @@ int main(int argc, char **argv) { } } -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL if (ssl_established) { net_ssl_check_cert_result cert_check_result = np_net_ssl_check_cert2(config.days_till_exp_warn, config.days_till_exp_crit); @@ -389,7 +389,7 @@ int main(int argc, char **argv) { mp_add_subcheck_to_check(&overall, sc_cert_check); } -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ #endif @@ -764,7 +764,7 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) { break; case 'D': { /* Check SSL cert validity */ -#ifdef USE_OPENSSL +#ifdef MOPL_USE_OPENSSL char *temp; if ((temp = strchr(optarg, ',')) != NULL) { *temp = '\0'; diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index 49a8c4c1..cd8e04b0 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c @@ -683,7 +683,7 @@ static check_tcp_config_wrapper process_arguments(int argc, char **argv, check_t break; case 'D': /* Check SSL cert validity - days 'til certificate expiration */ #ifdef HAVE_SSL -# ifdef USE_OPENSSL /* XXX */ +# ifdef MOPL_USE_OPENSSL /* XXX */ { char *temp; if ((temp = strchr(optarg, ',')) != NULL) { @@ -708,7 +708,7 @@ static check_tcp_config_wrapper process_arguments(int argc, char **argv, check_t config.check_cert = true; config.use_tls = true; } break; -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ #endif /* fallthrough if we don't have ssl */ case 'S': diff --git a/plugins/sslutils.c b/plugins/sslutils.c index c58a35ab..c4ab6a05 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c @@ -127,7 +127,7 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int } if (cert && privkey) { -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { # elif USE_GNUTLS if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { @@ -138,7 +138,7 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int return STATE_CRITICAL; } SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL if (!SSL_CTX_check_private_key(ctx)) { printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); return STATE_CRITICAL; @@ -161,9 +161,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int return OK; } else { printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); -# ifdef USE_OPENSSL /* XXX look into ERR_error_string */ +# ifdef MOPL_USE_OPENSSL /* XXX look into ERR_error_string */ ERR_print_errors_fp(stdout); -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ } } else { printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); @@ -192,7 +192,7 @@ int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) { -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL if (!certificate) { printf("%s\n", _("CRITICAL - No server certificate present to inspect.")); return STATE_CRITICAL; @@ -306,14 +306,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_ } X509_free(certificate); return status; -# else /* ifndef USE_OPENSSL */ +# else /* ifndef MOPL_USE_OPENSSL */ printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); return STATE_WARNING; -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ } retrieve_expiration_time_result np_net_ssl_get_cert_expiration(X509 *certificate) { -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL retrieve_expiration_time_result result = { .errors = ALL_OK, .remaining_seconds = 0, @@ -404,14 +404,14 @@ retrieve_expiration_time_result np_net_ssl_get_cert_expiration(X509 *certificate X509_free(certificate); return result; -# else /* ifndef USE_OPENSSL */ +# else /* ifndef MOPL_USE_OPENSSL */ printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); return STATE_WARNING; -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ } net_ssl_check_cert_result np_net_ssl_check_cert2(int days_till_exp_warn, int days_till_exp_crit) { -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL X509 *certificate = NULL; certificate = SSL_get_peer_certificate(s); @@ -438,27 +438,27 @@ net_ssl_check_cert_result np_net_ssl_check_cert2(int days_till_exp_warn, int day return result; -# else /* ifndef USE_OPENSSL */ +# else /* ifndef MOPL_USE_OPENSSL */ printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); return STATE_WARNING; -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ } mp_state_enum np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) { -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL X509 *certificate = NULL; certificate = SSL_get_peer_certificate(s); return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); -# else /* ifndef USE_OPENSSL */ +# else /* ifndef MOPL_USE_OPENSSL */ printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); return STATE_WARNING; -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ } mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) { mp_subcheck sc_cert = mp_subcheck_init(); -# ifdef USE_OPENSSL +# ifdef MOPL_USE_OPENSSL if (!certificate) { xasprintf(&sc_cert.output, _("No server certificate present to inspect")); sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); @@ -581,10 +581,10 @@ mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_wa } X509_free(certificate); return sc_cert; -# else /* ifndef USE_OPENSSL */ +# else /* ifndef MOPL_USE_OPENSSL */ xasprintf(&sc_cert.output, _("Plugin does not support checking certificates")); sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); return sc_cert; -# endif /* USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ } #endif /* HAVE_SSL */ From 1db493092ca6a68ff690251cc428037b54019a73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20K=C3=A4stle?= <12514511+RincewindsHat@users.noreply.github.com> Date: Wed, 8 Apr 2026 18:26:03 +0200 Subject: [PATCH 6/6] added CHECK_EOF to work around warnings about EOF and -1 being the same (#2254) Co-authored-by: Andreas Baumann --- plugins/check_cluster.c | 2 +- plugins/check_curl.c | 2 +- plugins/check_dig.c | 2 +- plugins/check_disk.c | 2 +- plugins/check_fping.c | 2 +- plugins/check_game.c | 2 +- plugins/check_hpjd.c | 2 +- plugins/check_ide_smart.c | 2 +- plugins/check_ldap.c | 2 +- plugins/check_load.c | 2 +- plugins/check_mysql.c | 2 +- plugins/check_nagios.c | 2 +- plugins/check_ping.c | 2 +- plugins/check_procs.c | 2 +- plugins/check_radius.c | 2 +- plugins/check_snmp.c | 4 ++-- plugins/check_tcp.c | 2 +- plugins/check_time.c | 2 +- plugins/common.h | 7 +++++++ 19 files changed, 26 insertions(+), 19 deletions(-) diff --git a/plugins/check_cluster.c b/plugins/check_cluster.c index 1cbdcd60..92c3827a 100644 --- a/plugins/check_cluster.c +++ b/plugins/check_cluster.c @@ -175,7 +175,7 @@ check_cluster_config_wrapper process_arguments(int argc, char **argv) { while (true) { int option_index = getopt_long(argc, argv, "hHsvVw:c:d:l:", longopts, &option); - if (option_index == -1 || option_index == EOF || option_index == 1) { + if (CHECK_EOF(option_index) || option_index == 1) { break; } diff --git a/plugins/check_curl.c b/plugins/check_curl.c index fe7e61d6..67d89129 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -980,7 +980,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) { int option_index = getopt_long( argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:x:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NEB", longopts, &option); - if (option_index == -1 || option_index == EOF || option_index == 1) { + if (CHECK_EOF(option_index) || option_index == 1) { break; } diff --git a/plugins/check_dig.c b/plugins/check_dig.c index 9ea19e6a..9ec8028a 100644 --- a/plugins/check_dig.c +++ b/plugins/check_dig.c @@ -284,7 +284,7 @@ check_dig_config_wrapper process_arguments(int argc, char **argv) { int option_index = getopt_long(argc, argv, "hVvt:l:H:w:c:T:p:a:A:E:X:46", longopts, &option); - if (option_index == -1 || option_index == EOF) { + if (CHECK_EOF(option_index)) { break; } diff --git a/plugins/check_disk.c b/plugins/check_disk.c index 73fe815e..e773e56c 100644 --- a/plugins/check_disk.c +++ b/plugins/check_disk.c @@ -448,7 +448,7 @@ check_disk_config_wrapper process_arguments(int argc, char **argv) { int option_index = getopt_long( argc, argv, "+?VqhvefCt:c:w:K:W:u:p:x:X:N:mklLPg:R:r:i:I:MEAn", longopts, &option); - if (option_index == -1 || option_index == EOF) { + if (CHECK_EOF(option_index)) { break; } diff --git a/plugins/check_fping.c b/plugins/check_fping.c index 6160c2cb..86ef64a4 100644 --- a/plugins/check_fping.c +++ b/plugins/check_fping.c @@ -361,7 +361,7 @@ check_fping_config_wrapper process_arguments(int argc, char **argv) { int option_index = getopt_long(argc, argv, "+hVvaH:S:c:w:b:n:T:i:I:M:R:46", longopts, &option); - if (option_index == -1 || option_index == EOF || option_index == 1) { + if (CHECK_EOF(option_index) || option_index == 1) { break; } diff --git a/plugins/check_game.c b/plugins/check_game.c index 974a7253..48ec6883 100644 --- a/plugins/check_game.c +++ b/plugins/check_game.c @@ -186,7 +186,7 @@ check_game_config_wrapper process_arguments(int argc, char **argv) { while (true) { int option_index = getopt_long(argc, argv, "hVvt:H:P:G:g:p:m:", long_opts, &opt_index); - if (option_index == -1 || option_index == EOF) { + if (CHECK_EOF(option_index)) { break; } diff --git a/plugins/check_hpjd.c b/plugins/check_hpjd.c index 9907abc5..883f1df0 100644 --- a/plugins/check_hpjd.c +++ b/plugins/check_hpjd.c @@ -299,7 +299,7 @@ check_hpjd_config_wrapper process_arguments(int argc, char **argv) { while (true) { int option_index = getopt_long(argc, argv, "+hVH:C:p:D", longopts, &option); - if (option_index == -1 || option_index == EOF || option_index == 1) { + if (CHECK_EOF(option_index) || option_index == 1) { break; } diff --git a/plugins/check_ide_smart.c b/plugins/check_ide_smart.c index c1325cf9..43731039 100644 --- a/plugins/check_ide_smart.c +++ b/plugins/check_ide_smart.c @@ -169,7 +169,7 @@ static check_ide_smart_config_wrapper process_arguments(int argc, char **argv) { int longindex = 0; int option_index = getopt_long(argc, argv, "+d:iq10nhVv", longopts, &longindex); - if (option_index == -1 || option_index == EOF || option_index == 1) { + if (CHECK_EOF(option_index) || option_index == 1) { break; } diff --git a/plugins/check_ldap.c b/plugins/check_ldap.c index 7f8282b4..0e8c5804 100644 --- a/plugins/check_ldap.c +++ b/plugins/check_ldap.c @@ -362,7 +362,7 @@ check_ldap_config_wrapper process_arguments(int argc, char **argv) { int option_index = getopt_long(argc, argv, "hvV234TS6t:c:w:H:b:p:a:D:P:C:W:", longopts, &option); - if (option_index == -1 || option_index == EOF) { + if (CHECK_EOF(option_index)) { break; } diff --git a/plugins/check_load.c b/plugins/check_load.c index 644cd604..60fa646f 100644 --- a/plugins/check_load.c +++ b/plugins/check_load.c @@ -295,7 +295,7 @@ static check_load_config_wrapper process_arguments(int argc, char **argv) { int option = 0; int option_index = getopt_long(argc, argv, "Vhrc:w:n:", longopts, &option); - if (option_index == -1 || option_index == EOF) { + if (CHECK_EOF(option_index)) { break; } diff --git a/plugins/check_mysql.c b/plugins/check_mysql.c index 15005bf5..b70e0e22 100644 --- a/plugins/check_mysql.c +++ b/plugins/check_mysql.c @@ -504,7 +504,7 @@ check_mysql_config_wrapper process_arguments(int argc, char **argv) { int option_index = getopt_long(argc, argv, "hlvVnSP:p:u:d:H:s:c:w:a:k:C:D:L:f:g:", longopts, &option); - if (option_index == -1 || option_index == EOF) { + if (CHECK_EOF(option_index)) { break; } diff --git a/plugins/check_nagios.c b/plugins/check_nagios.c index a46dc1ed..e2f230c9 100644 --- a/plugins/check_nagios.c +++ b/plugins/check_nagios.c @@ -227,7 +227,7 @@ check_nagios_config_wrapper process_arguments(int argc, char **argv) { while (true) { int option_index = getopt_long(argc, argv, "+hVvF:C:e:t:", longopts, &option); - if (option_index == -1 || option_index == EOF || option_index == 1) { + if (CHECK_EOF(option_index) || option_index == 1) { break; } diff --git a/plugins/check_ping.c b/plugins/check_ping.c index e1ee0f5c..0c9cb19d 100644 --- a/plugins/check_ping.c +++ b/plugins/check_ping.c @@ -221,7 +221,7 @@ check_ping_config_wrapper process_arguments(int argc, char **argv) { while (true) { int option_index = getopt_long(argc, argv, "VvhnL46t:c:w:H:p:", longopts, &option); - if (option_index == -1 || option_index == EOF) { + if (CHECK_EOF(option_index)) { break; } diff --git a/plugins/check_procs.c b/plugins/check_procs.c index 50837cb4..174dcd97 100644 --- a/plugins/check_procs.c +++ b/plugins/check_procs.c @@ -432,7 +432,7 @@ check_procs_config_wrapper process_arguments(int argc, char **argv) { int option_index = getopt_long(argc, argv, "Vvhkt:c:w:p:s:u:C:a:z:r:m:P:TX:", longopts, &option); - if (option_index == -1 || option_index == EOF) { + if (CHECK_EOF(option_index)) { break; } diff --git a/plugins/check_radius.c b/plugins/check_radius.c index f20af660..03153926 100644 --- a/plugins/check_radius.c +++ b/plugins/check_radius.c @@ -334,7 +334,7 @@ check_radius_config_wrapper process_arguments(int argc, char **argv) { int option = 0; int option_index = getopt_long(argc, argv, "+hVvH:P:F:u:p:n:N:t:r:e:", longopts, &option); - if (option_index == -1 || option_index == EOF || option_index == 1) { + if (CHECK_EOF(option_index) || option_index == 1) { break; } diff --git a/plugins/check_snmp.c b/plugins/check_snmp.c index 1746fd79..0f62ce8b 100644 --- a/plugins/check_snmp.c +++ b/plugins/check_snmp.c @@ -447,7 +447,7 @@ static process_arguments_wrapper process_arguments(int argc, char **argv) { argc, argv, "nhvVO46t:c:w:H:C:o:e:E:d:D:s:t:R:r:l:u:p:m:P:N:L:U:a:x:A:X:M:f:z:", longopts, &option); - if (option_char == -1 || option_char == EOF) { + if (CHECK_EOF(option_char)) { break; } @@ -517,7 +517,7 @@ static process_arguments_wrapper process_arguments(int argc, char **argv) { argc, argv, "nhvVO46t:c:w:H:C:o:e:E:d:D:s:t:R:r:l:u:p:m:P:N:L:U:a:x:A:X:M:f:z:", longopts, &option); - if (option_char == -1 || option_char == EOF) { + if (CHECK_EOF(option_char)) { break; } diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index cd8e04b0..924322e4 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c @@ -562,7 +562,7 @@ static check_tcp_config_wrapper process_arguments(int argc, char **argv, check_t int option_index = getopt_long(argc, argv, "+hVv46EAH:s:e:q:m:c:w:t:p:C:W:d:Sr:jD:M:", longopts, &option); - if (option_index == -1 || option_index == EOF || option_index == 1) { + if (CHECK_EOF(option_index) || option_index == 1) { break; } diff --git a/plugins/check_time.c b/plugins/check_time.c index 99708ad3..aec995d4 100644 --- a/plugins/check_time.c +++ b/plugins/check_time.c @@ -213,7 +213,7 @@ check_time_config_wrapper process_arguments(int argc, char **argv) { int option = 0; option_char = getopt_long(argc, argv, "hVH:w:c:W:C:p:t:u", longopts, &option); - if (option_char == -1 || option_char == EOF) { + if (CHECK_EOF(option_char)) { break; } diff --git a/plugins/common.h b/plugins/common.h index b3053486..9d1434a3 100644 --- a/plugins/common.h +++ b/plugins/common.h @@ -205,4 +205,11 @@ enum { # define __attribute__(x) /* do nothing */ #endif +/* for checking the result of getopt_long */ +#if EOF == -1 +#define CHECK_EOF(c) ((c) == EOF) +#else +#define CHECK_EOF(c) ((c) == -1 || (c) == EOF) +#endif + #endif /* _COMMON_H_ */