diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 67d89129..18f2d9c6 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -251,6 +251,7 @@ mp_subcheck check_http(const check_curl_config config, check_curl_working_state // can be done Check_http tries to check certs as early as possible, and exits with certificate // check result by default. Behave similarly. #ifdef LIBCURL_FEATURE_SSL +# ifdef HAVE_SSL if (workingState.use_ssl && config.check_cert) { if (verbose > 1) { printf("* adding a subcheck for the certificate\n"); @@ -267,6 +268,7 @@ mp_subcheck check_http(const check_curl_config config, check_curl_working_state return sc_result; } } +# endif #endif mp_subcheck sc_curl = mp_subcheck_init(); @@ -1888,7 +1890,8 @@ time_t parse_cert_date(const char *s) { #endif /* LIBCURL_FEATURE_SSL */ #ifdef LIBCURL_FEATURE_SSL -# ifndef MOPL_USE_OPENSSL +# if HAVE_SSL +# ifndef MOPL_USE_OPENSSL /* TODO: this needs cleanup in the sslutils.c, maybe we the #else case to * OpenSSL could be this function */ @@ -2025,5 +2028,6 @@ int net_noopenssl_check_certificate(cert_ptr_union *cert_ptr, int days_till_exp_ } return status; } -# endif /* MOPL_USE_OPENSSL */ -#endif /* LIBCURL_FEATURE_SSL */ +# endif /* MOPL_USE_OPENSSL */ +# endif // HAVE_SSL +#endif /* LIBCURL_FEATURE_SSL */ diff --git a/plugins/check_curl.d/check_curl_helpers.c b/plugins/check_curl.d/check_curl_helpers.c index 80d6f4f6..369b3690 100644 --- a/plugins/check_curl.d/check_curl_helpers.c +++ b/plugins/check_curl.d/check_curl_helpers.c @@ -222,7 +222,7 @@ check_curl_configure_curl(const check_curl_static_curl_config config, bool have_local_resolution = hostname_gets_resolved_locally(working_state); if (verbose >= 1) { - printf("* have local name resolution: %s\n", (have_local_resolution ? "true": "false")); + printf("* have local name resolution: %s\n", (have_local_resolution ? "true" : "false")); } /* enable haproxy protocol */ 
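Review bot: When libcurl has SSL support but the plugins are built without HAVE_SSL, the new `# ifdef HAVE_SSL` compiles out the `if (workingState.use_ssl && config.check_cert)` block in check_http, so a requested certificate check is skipped with no output and the function carries on to the HTTP subchecks. Unless option parsing (not part of this diff) already rejects the certificate option in such a build, add an `# else` branch that reports the missing TLS support as a failed or unknown subcheck instead of passing silently. This hunk also tests `# ifdef HAVE_SSL` while the @@ -1888 hunk in the same file tests `# if HAVE_SSL`; the two differ if the macro is ever defined as 0, so pick one form. check_http starts and ends outside the hunk.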
@@ -378,7 +378,8 @@ check_curl_configure_curl(const check_curl_static_curl_config config, curl_easy_setopt(result.curl_state.curl, CURLOPT_HTTPHEADER, result.curl_state.header_list), "CURLOPT_HTTPHEADER"); -#ifdef LIBCURL_FEATURE_SSL +#if HAVE_SSL +# ifdef LIBCURL_FEATURE_SSL /* set SSL version, warn about insecure or unsupported versions */ if (working_state.use_ssl) { handle_curl_option_return_code( @@ -432,18 +433,18 @@ check_curl_configure_curl(const check_curl_static_curl_config config, /* try hard to get a stack of certificates to verify against */ if (check_cert) { -# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) +# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) /* inform curl to report back certificates */ switch (ssl_library) { case CURLHELP_SSL_LIBRARY_OPENSSL: case CURLHELP_SSL_LIBRARY_LIBRESSL: /* set callback to extract certificate with OpenSSL context function (works with * OpenSSL-style libraries only!) */ -# ifdef MOPL_USE_OPENSSL +# ifdef MOPL_USE_OPENSSL /* libcurl and monitoring plugins built with OpenSSL, good */ add_sslctx_verify_fun = true; is_openssl_callback = true; -# endif /* MOPL_USE_OPENSSL */ +# endif /* MOPL_USE_OPENSSL */ /* libcurl is built with OpenSSL, monitoring plugins, so falling * back to manually extracting certificate information */ handle_curl_option_return_code( 
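Review bot: The guard order in the @@ -378 hunk is `#if HAVE_SSL` outside `# ifdef LIBCURL_FEATURE_SSL`, the reverse of check_curl.c in this same commit, where `#ifdef LIBCURL_FEATURE_SSL` is the outer guard. The matching close in the @@ -506 hunk is a bare `#endif`, as are the ones added in @@ -1393 and in check_curl_helpers.h, while the other guards in this region carry a trailing comment; `#endif /* HAVE_SSL */` would keep this long block readable. With HAVE_SSL undefined the whole `if (working_state.use_ssl)` block is compiled out, so TLS settings requested by the user appear to be dropped silently. Most of that block is outside the hunk, so confirm what else it sets.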
@@ -451,29 +452,29 @@ check_curl_configure_curl(const check_curl_static_curl_config config, break; case CURLHELP_SSL_LIBRARY_NSS: -# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) +# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) /* NSS: support for CERTINFO is implemented since 7.34.0 */ handle_curl_option_return_code( curl_easy_setopt(result.curl_state.curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO"); -# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ +# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ die(STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library " "'%s' is too old)\n", curlhelp_get_ssl_library_string(ssl_library)); -# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ +# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ break; case CURLHELP_SSL_LIBRARY_GNUTLS: -# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) +# if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) /* GnuTLS: support for CERTINFO is implemented since 7.42.0 */ handle_curl_option_return_code( curl_easy_setopt(result.curl_state.curl, CURLOPT_CERTINFO, 1L), "CURLOPT_CERTINFO"); -# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */ +# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */ die(STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (libcurl linked with SSL library " "'%s' is too old)\n", curlhelp_get_ssl_library_string(ssl_library)); -# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */ +# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 42, 0) */ break; case CURLHELP_SSL_LIBRARY_UNKNOWN: 
@@ -484,7 +485,7 @@ check_curl_configure_curl(const check_curl_static_curl_config config, curlhelp_get_ssl_library_string(ssl_library)); break; } -# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ +# else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */ if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL) { @@ -494,11 +495,11 @@ check_curl_configure_curl(const check_curl_static_curl_config config, "CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl " "too old and has no CURLOPT_CERTINFO)\n"); } -# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ +# endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */ } -# if LIBCURL_VERSION_NUM >= \ - MAKE_LIBCURL_VERSION(7, 10, 6) /* required for CURLOPT_SSL_CTX_FUNCTION */ +# if LIBCURL_VERSION_NUM >= \ + MAKE_LIBCURL_VERSION(7, 10, 6) /* required for CURLOPT_SSL_CTX_FUNCTION */ // ssl ctx function is not available with all ssl backends if (curl_easy_setopt(result.curl_state.curl, CURLOPT_SSL_CTX_FUNCTION, NULL) != CURLE_UNKNOWN_OPTION) { @@ -506,8 +507,9 @@ check_curl_configure_curl(const check_curl_static_curl_config config, curl_easy_setopt(result.curl_state.curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION"); } -# endif -#endif /* LIBCURL_FEATURE_SSL */ +# endif +# endif /* LIBCURL_FEATURE_SSL */ +#endif /* set default or user-given user agent identification */ handle_curl_option_return_code( @@ -1302,9 +1304,12 @@ void test_file(char *path) { usage2(_("file does not exist or is not readable"), path); } +#if HAVE_SSL mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit); +#endif +#if HAVE_SSL mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_till_exp, int crit_days_till_exp) { mp_subcheck sc_cert_result = mp_subcheck_init(); 
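Review bot: The two `#if HAVE_SSL` blocks added in the @@ -1302 hunk sit back to back, one around the `mp_net_ssl_check_certificate` prototype and one around `check_curl_certificate_checks`; a single guard covering both is easier to follow. The prototype is a local forward declaration inside a .c file, so a signature change in the defining file would not be caught by the compiler; including the header that declares it would be safer, if one exists. The body of check_curl_certificate_checks runs on into the next hunk.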
@@ -1393,6 +1398,7 @@ mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_ return sc_cert_result; } +#endif char *fmt_url(check_curl_working_state workingState) { char *url = calloc(DEFAULT_BUFFER_SIZE, sizeof(char)); diff --git a/plugins/check_curl.d/check_curl_helpers.h b/plugins/check_curl.d/check_curl_helpers.h index 55df9bc1..c49e17b9 100644 --- a/plugins/check_curl.d/check_curl_helpers.h +++ b/plugins/check_curl.d/check_curl_helpers.h @@ -112,7 +112,9 @@ mp_subcheck check_document_dates(const curlhelp_write_curlbuf * /*header_buf*/, size_t get_content_length(const curlhelp_write_curlbuf *header_buf, const curlhelp_write_curlbuf *body_buf); int lookup_host(const char *host, char *buf, size_t buflen, sa_family_t addr_family); +#if HAVE_SSL CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm); +#endif #define INET_ADDR_MAX_SIZE INET6_ADDRSTRLEN const char *strrstr2(const char *haystack, const char *needle); @@ -123,8 +125,10 @@ bool expected_statuscode(const char *reply, const char *statuscodes); char *string_statuscode(int major, int minor); void test_file(char *path); +#if HAVE_SSL mp_subcheck check_curl_certificate_checks(CURL *curl, X509 *cert, int warn_days_till_exp, int crit_days_till_exp); +#endif char *fmt_url(check_curl_working_state workingState); /* determine_hostname_resolver determines if the host or the proxy resolves the target hostname diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 19e2a58f..a371b81f 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -70,7 +70,9 @@ int my_recv(check_smtp_config config, void *buf, int num, int socket_descriptor, } return (int)read(socket_descriptor, buf, (size_t)num); #else /* ifndef HAVE_SSL */ - return read(socket_descriptor, buf, len) + (void)config; + (void)ssl_established; + return read(socket_descriptor, buf, num); #endif } 
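Review bot: The prototypes guarded in check_curl_helpers.h use OpenSSL types (`SSL_CTX` in `sslctxfun` here, `X509` in `check_curl_certificate_checks` in the @@ -123 hunk), but the guard is `HAVE_SSL`. check_curl.c in this commit nests `# ifndef MOPL_USE_OPENSSL` inside `# if HAVE_SSL`, so HAVE_SSL can apparently be set in a build without OpenSSL. If those types are not declared in such a build the header will not compile. Either guard on the OpenSSL macro, or confirm that the TLS header in use always provides both typedefs.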
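Review bot: The non-SSL return in my_recv passes the `int num` straight to read() and narrows the ssize_t result to int implicitly, without the casts the HAVE_SSL branch just above it uses; `return (int)read(socket_descriptor, buf, (size_t)num);` would make both branches identical and clean under -Wconversion. The same applies to my_send in the next hunk: `return (int)send(socket_descriptor, buf, (size_t)num, 0);`. In either branch a negative `num` becomes a very large length, and neither hunk shows a check for that, so it is worth confirming that callers never pass one. Both function bodies start outside their hunks.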
@@ -83,7 +85,9 @@ int my_send(check_smtp_config config, void *buf, int num, int socket_descriptor, } return (int)send(socket_descriptor, buf, (size_t)num, 0); #else /* ifndef HAVE_SSL */ - return send(socket_descriptor, buf, len, 0); + (void)config; + (void)ssl_established; + return send(socket_descriptor, buf, num, 0); #endif } @@ -258,6 +262,7 @@ int main(int argc, char **argv) { mp_exit(overall); } +#ifdef HAVE_SSL bool supports_tls = false; if (config.use_ehlo || config.use_lhlo) { if (strstr(buffer, "250 STARTTLS") != NULL || strstr(buffer, "250-STARTTLS") != NULL) { @@ -275,7 +280,6 @@ int main(int argc, char **argv) { mp_exit(overall); } -#ifdef HAVE_SSL if (config.use_starttls) { /* send the STARTTLS command */ send(socket_descriptor, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0); @@ -792,14 +796,18 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) { implicit_tls = true; // fallthrough case 's': - /* ssl */ + /* TLS/SSL */ +#ifdef HAVE_SSL result.config.use_ssl = true; result.config.server_port = SMTPS_PORT; +#endif break; case 'S': - /* starttls */ + /* STARTTLS */ +#ifdef HAVE_SSL result.config.use_starttls = true; result.config.use_ehlo = true; +#endif break; } case SNI_OPTION: @@ -842,7 +850,9 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) { break; } case ignore_certificate_expiration_index: { +#ifdef HAVE_SSL result.config.ignore_certificate_expiration = true; +#endif } } } @@ -860,6 +870,7 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) { } } +#ifdef HAVE_SSL if (result.config.use_starttls && result.config.use_ssl) { if (implicit_tls) { result.config.use_ssl = false; @@ -867,6 +878,7 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) { usage4(_("Set either -s/--ssl/--tls or -S/--starttls")); } } +#endif if (server_port_option != 0) { result.config.server_port = server_port_option; 
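Review bot: With HAVE_SSL undefined, `case 's'` and `case 'S'` in the @@ -792 hunk now accept -s/--ssl/--tls and -S/--starttls and do nothing, so a check configured for TLS would run in plaintext on whatever port is otherwise configured and can still return OK. Nothing in the visible hunks tells the operator that the build lacks TLS support. An `#else` branch that refuses the option would surface the misconfiguration, e.g. `#else` followed by `usage4(_("SSL support not available - install OpenSSL and recompile"));`. The same applies to the `ignore_certificate_expiration_index` case in the @@ -842 hunk. process_arguments starts and ends outside these hunks.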
diff --git a/plugins/check_snmp.d/check_snmp_helpers.c b/plugins/check_snmp.d/check_snmp_helpers.c index 83e94a34..e4ddc734 100644 --- a/plugins/check_snmp.d/check_snmp_helpers.c +++ b/plugins/check_snmp.d/check_snmp_helpers.c @@ -896,7 +896,10 @@ state_key np_enable_state(char *keyname, int expected_data_version, const char * char *_np_state_generate_key(int argc, char **argv) { unsigned char result[256]; -#ifdef USE_OPENSSL +#if HAVE_SSL + (void)argc; + (void)argv; +# ifdef USE_OPENSSL /* * This code path is chosen if openssl is available (which should be the most common * scenario). Alternatively, the gnulib implementation/ @@ -911,7 +914,7 @@ char *_np_state_generate_key(int argc, char **argv) { } EVP_DigestFinal(ctx, result, NULL); -#else +# else struct sha256_ctx ctx; @@ -920,7 +923,8 @@ char *_np_state_generate_key(int argc, char **argv) { } sha256_finish_ctx(&ctx, result); -#endif // FOUNDOPENSSL +# endif // USE_OPENSSL +#endif // HAVE_SSL char keyname[41]; for (int i = 0; i < 20; ++i) {
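Review bot: Without HAVE_SSL nothing in _np_state_generate_key writes `result` any more, because the new `#if HAVE_SSL` encloses the sha256_* fallback as well as the EVP path, yet the loop after `#endif // HAVE_SSL` still runs (its body is outside the hunk; it presumably formats `result[i]` into `keyname`). That would read uninitialised stack bytes into the state key, which is undefined behaviour and gives a key that does not depend on the arguments. The existing comment attributes the `# else` branch to gnulib, not a TLS library, so the outer guard looks unnecessary. If it must stay, add an `#else` that fails explicitly, or at least declare `unsigned char result[256] = {0};`. The `(void)argc; (void)argv;` casts also sit in the branch that appears to use both parameters and are missing from the branch where they are unused.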