[pkg-nagios-changes] [Git][nagios-team/monitoring-plugins][master] 3 commits: Adding d/p/15_check_curl_fix_regex from upstream
Jan Wagner (@waja)
gitlab at salsa.debian.org
Tue Nov 19 16:12:48 GMT 2024
Jan Wagner pushed to branch master at Debian Nagios Maintainer Group / monitoring-plugins
Commits:
1b018b3e by Jan Wagner at 2024-11-19T15:33:26+01:00
Adding d/p/15_check_curl_fix_regex from upstream
https://patch-diff.githubusercontent.com/raw/monitoring-plugins/monitoring-plugins/pull/2014.patch
- - - - -
9c49b6f1 by Jan Wagner at 2024-11-19T15:35:56+01:00
Adding d/p/16_check_curl_openssl_error from upstream
https://patch-diff.githubusercontent.com/raw/monitoring-plugins/monitoring-plugins/pull/2022.patch
- - - - -
f3e12797 by Jan Wagner at 2024-11-19T17:08:26+01:00
Adding d/p/17_check_fping_dontfrag_random from upstream
https://patch-diff.githubusercontent.com/raw/monitoring-plugins/monitoring-plugins/pull/2041.patch
https://patch-diff.githubusercontent.com/raw/monitoring-plugins/monitoring-plugins/pull/2042.patch
- - - - -
4 changed files:
- + debian/patches/15_check_curl_fix_regex
- + debian/patches/16_check_curl_openssl_error
- + debian/patches/17_check_fping_dontfrag_random
- debian/patches/series
Changes:
=====================================
debian/patches/15_check_curl_fix_regex
=====================================
@@ -0,0 +1,82 @@
+From 46efe803cf8e7b769ca112afc158b76510b01e46 Mon Sep 17 00:00:00 2001
+From: RincewindsHat <12514511+RincewindsHat at users.noreply.github.com>
+Date: Mon, 19 Aug 2024 15:23:41 +0200
+Subject: [PATCH 1/3] check_curl: Fix help for state regex option
+
+The help output of `check-curl` contained a typo,
+the real option is `state-regex` and not `regex-state` as
+the help suggests.
+Also added the two possible options to avoid confusion.
+---
+ plugins/check_curl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/check_curl.c b/plugins/check_curl.c
+index e9c15e648..bf46b2261 100644
+--- a/plugins/check_curl.c
++++ b/plugins/check_curl.c
+@@ -2061,8 +2061,8 @@ print_help (void)
+ printf (" %s\n", "--invert-regex");
+ printf (" %s\n", _("Return STATE if found, OK if not (STATE is CRITICAL, per default)"));
+ printf (" %s\n", _("can be changed with --state--regex)"));
+- printf (" %s\n", "--regex-state=STATE");
+- printf (" %s\n", _("Return STATE if regex is found, OK if not\n"));
++ printf (" %s\n", "--state-regex=STATE");
++ printf (" %s\n", _("Return STATE if regex is found, OK if not\nSTATE can be one of \"critical\",\"warning\""));
+ printf (" %s\n", "-a, --authorization=AUTH_PAIR");
+ printf (" %s\n", _("Username:password on sites with basic authentication"));
+ printf (" %s\n", "-b, --proxy-authorization=AUTH_PAIR");
+
+From b6c72064a53da8b173b7406a0a535922dc0cc1b3 Mon Sep 17 00:00:00 2001
+From: RincewindsHat <12514511+RincewindsHat at users.noreply.github.com>
+Date: Mon, 19 Aug 2024 15:26:52 +0200
+Subject: [PATCH 2/3] check_curl: Parse state-regex option ignoring case
+
+Previously the --state-regex option accepted only "critical" and
+"warning" as values.
+This commit changes the strcmp there to strcasecmp to be more tolerant
+regarding the input.
+---
+ plugins/check_curl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/check_curl.c b/plugins/check_curl.c
+index bf46b2261..38c971093 100644
+--- a/plugins/check_curl.c
++++ b/plugins/check_curl.c
+@@ -1775,9 +1775,9 @@ process_arguments (int argc, char **argv)
+ invert_regex = true;
+ break;
+ case STATE_REGEX:
+- if (!strcmp (optarg, "critical"))
++ if (!strcasecmp (optarg, "critical"))
+ state_regex = STATE_CRITICAL;
+- else if (!strcmp (optarg, "warning"))
++ else if (!strcasecmp (optarg, "warning"))
+ state_regex = STATE_WARNING;
+ else usage2 (_("Invalid state-regex option"), optarg);
+ break;
+
+From af097aa3642174a2111f0bbcbc8236fff0901e17 Mon Sep 17 00:00:00 2001
+From: RincewindsHat <12514511+RincewindsHat at users.noreply.github.com>
+Date: Mon, 19 Aug 2024 15:33:17 +0200
+Subject: [PATCH 3/3] check_curl: change help for --state-regex again to fix
+ formatting
+
+---
+ plugins/check_curl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/check_curl.c b/plugins/check_curl.c
+index 38c971093..214ba74f9 100644
+--- a/plugins/check_curl.c
++++ b/plugins/check_curl.c
+@@ -2062,7 +2062,7 @@ print_help (void)
+ printf (" %s\n", _("Return STATE if found, OK if not (STATE is CRITICAL, per default)"));
+ printf (" %s\n", _("can be changed with --state--regex)"));
+ printf (" %s\n", "--state-regex=STATE");
+- printf (" %s\n", _("Return STATE if regex is found, OK if not\nSTATE can be one of \"critical\",\"warning\""));
++ printf (" %s\n", _("Return STATE if regex is found, OK if not. STATE can be one of \"critical\",\"warning\""));
+ printf (" %s\n", "-a, --authorization=AUTH_PAIR");
+ printf (" %s\n", _("Username:password on sites with basic authentication"));
+ printf (" %s\n", "-b, --proxy-authorization=AUTH_PAIR");
=====================================
debian/patches/16_check_curl_openssl_error
=====================================
@@ -0,0 +1,115 @@
+From 528e92c180148703ee2cb90d7291f4edbfc270d4 Mon Sep 17 00:00:00 2001
+From: Sven Nierlein <sven at consol.de>
+Date: Wed, 9 Oct 2024 09:50:39 +0200
+Subject: [PATCH] fix check_curl: OpenSSL SSL_read: error:0A000126:SSL
+ routines::unexpected eof while reading, errno 0
+
+using check_curl on a probably embedded device responding as 'Server: GoAhead-Webs'
+
+ %> check_curl -H ... -S -vvv
+
+ > GET / HTTP/1.1
+ Host: ...
+ User-Agent: check_curl/v2.4.0 (monitoring-plugins 2.4.0, libcurl/7.76.1 OpenSSL/3.0.7 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0)
+ Accept: */*
+ Connection: close
+
+ * Mark bundle as not supporting multiuse
+ * HTTP 1.0, assume close after body
+ < HTTP/1.0 302 Redirect
+ < Server: GoAhead-Webs
+ < Date: Tue Mar 26 17:57:16 2019
+ < Cache-Control: no-cache, no-store, must-revalidate,private
+ < Pragma: no-cache
+ < Expires: 0
+ < Content-Type: text/html
+ < X-Frame-Options: sameorigin
+ < X-XSS-Protection: 1; mode=block
+ < X-Content-Type-Options: nosniff
+ < Location: https://...
+ <
+ * OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
+ * Closing connection 0
+
+reading the discussion on https://github.com/openssl/openssl/discussions/22690 suggest to set the option SSL_OP_IGNORE_UNEXPECTED_EOF
+which makes check_curl behave like check_http at this point.
+Since this is a rather new flag, fencing it in ifdefs.
+And since there can only be one ssl ctx function, we need to move both tasks into one function.
+---
+ plugins/check_curl.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/plugins/check_curl.c b/plugins/check_curl.c
+index 7f45b5a79..d3bddacd2 100644
+--- a/plugins/check_curl.c
++++ b/plugins/check_curl.c
+@@ -214,6 +214,7 @@ char *client_privkey = NULL;
+ char *ca_cert = NULL;
+ bool verify_peer_and_host = false;
+ bool is_openssl_callback = false;
++bool add_sslctx_verify_fun = false;
+ #if defined(HAVE_SSL) && defined(USE_OPENSSL)
+ X509 *cert = NULL;
+ #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
+@@ -299,7 +300,7 @@ main (int argc, char **argv)
+
+ int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
+ {
+- (void) preverify_ok;
++ (void) preverify_ok;
+ /* TODO: we get all certificates of the chain, so which ones
+ * should we test?
+ * TODO: is the last certificate always the server certificate?
+@@ -324,9 +325,18 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
+
+ CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
+ {
+- (void) curl; // ignore unused parameter
+- (void) parm; // ignore unused parameter
+- SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
++ (void) curl; // ignore unused parameter
++ (void) parm; // ignore unused parameter
++ if(add_sslctx_verify_fun) {
++ SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback);
++ }
++
++ // workaround for issue:
++ // OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
++ // see discussion https://github.com/openssl/openssl/discussions/22690
++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
++ SSL_CTX_set_options(sslctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
++#endif
+
+ return CURLE_OK;
+ }
+@@ -678,9 +688,8 @@ check_http (void)
+ * OpenSSL-style libraries only!) */
+ #ifdef USE_OPENSSL
+ /* libcurl and monitoring plugins built with OpenSSL, good */
+- handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
++ add_sslctx_verify_fun = true;
+ is_openssl_callback = true;
+-#else /* USE_OPENSSL */
+ #endif /* USE_OPENSSL */
+ /* libcurl is built with OpenSSL, monitoring plugins, so falling
+ * back to manually extracting certificate information */
+@@ -713,12 +722,18 @@ check_http (void)
+ #else /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
+ /* old libcurl, our only hope is OpenSSL, otherwise we are out of luck */
+ if (ssl_library == CURLHELP_SSL_LIBRARY_OPENSSL || ssl_library == CURLHELP_SSL_LIBRARY_LIBRESSL)
+- handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
++ add_sslctx_verify_fun = true;
+ else
+ die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates (no CURLOPT_SSL_CTX_FUNCTION, no OpenSSL library or libcurl too old and has no CURLOPT_CERTINFO)\n");
+ #endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 19, 1) */
+ }
+
++#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 10, 6) /* required for CURLOPT_SSL_CTX_FUNCTION */
++ // ssl ctx function is not available with all ssl backends
++ if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, NULL) != CURLE_UNKNOWN_OPTION)
++ handle_curl_option_return_code (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun), "CURLOPT_SSL_CTX_FUNCTION");
++#endif
++
+ #endif /* LIBCURL_FEATURE_SSL */
+
+ /* set default or user-given user agent identification */
=====================================
debian/patches/17_check_fping_dontfrag_random
=====================================
@@ -0,0 +1,83 @@
+From 88d991773b6d8ac416ad2931ea8debc949555c7a Mon Sep 17 00:00:00 2001
+From: William <william at blackhats.net.au>
+Date: Wed, 6 Nov 2024 14:00:23 +1000
+Subject: [PATCH] Add dontfrag/random for fping
+
+Support the dont fragment and randomise packet data options for check_fping
+---
+ plugins/check_fping.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/plugins/check_fping.c
++++ b/plugins/check_fping.c
+@@ -7,7 +7,7 @@
+ *
+ * Description:
+ *
+-* This file contains the check_disk plugin
++* This file contains the check_fping plugin
+ *
+ * This plugin will use the fping command to ping the specified host for a
+ * fast check
+@@ -60,6 +60,8 @@
+ int target_timeout = 0;
+ int packet_interval = 0;
+ bool verbose = false;
++bool dontfrag = false;
++bool randomize_packet_data = false;
+ int cpl;
+ int wpl;
+ double crta;
+@@ -105,6 +107,10 @@
+ xasprintf(&option_string, "%s-S %s ", option_string, sourceip);
+ if (sourceif)
+ xasprintf(&option_string, "%s-I %s ", option_string, sourceif);
++ if (dontfrag)
++ xasprintf(&option_string, "%s-M ", option_string);
++ if (randomize_packet_data)
++ xasprintf(&option_string, "%s-R ", option_string);
+
+ #ifdef PATH_TO_FPING6
+ if (address_family != AF_INET && is_inet6_addr(server))
+@@ -303,6 +309,8 @@
+ {"help", no_argument, 0, 'h'},
+ {"use-ipv4", no_argument, 0, '4'},
+ {"use-ipv6", no_argument, 0, '6'},
++ {"dontfrag", no_argument, 0, 'M'},
++ {"random", no_argument, 0, 'R'},
+ {0, 0, 0, 0}
+ };
+
+@@ -320,7 +328,7 @@
+ }
+
+ while (1) {
+- c = getopt_long (argc, argv, "+hVvaH:S:c:w:b:n:T:i:I:46", longopts, &option);
++ c = getopt_long (argc, argv, "+hVvaH:S:c:w:b:n:T:i:I:M:R:46", longopts, &option);
+
+ if (c == -1 || c == EOF || c == 1)
+ break;
+@@ -415,6 +423,12 @@
+ else
+ usage (_("Interval must be a positive integer"));
+ break;
++ case 'R':
++ randomize_packet_data = true;
++ break;
++ case 'M':
++ dontfrag = true;
++ break;
+ }
+ }
+
+@@ -506,6 +520,10 @@
+ printf (" %s\n", _("name or IP Address of sourceip"));
+ printf (" %s\n", "-I, --sourceif=IF");
+ printf (" %s\n", _("source interface name"));
++ printf(" %s\n", "-M, --dontfrag");
++ printf(" %s\n", _("set the Don't Fragment flag"));
++ printf(" %s\n", "-R, --random");
++ printf(" %s\n", _("random packet data (to foil link data compression)"));
+ printf (UT_VERBOSE);
+ printf ("\n");
+ printf (" %s\n", _("THRESHOLD is <rta>,<pl>%% where <rta> is the round trip average travel time (ms)"));
=====================================
debian/patches/series
=====================================
@@ -6,4 +6,7 @@
12_check_curl_add_docu
13_check_mysql_fix_variables
14_check_curl_remove_experimental_state
+15_check_curl_fix_regex
+16_check_curl_openssl_error
+17_check_fping_dontfrag_random
# feature patches
View it on GitLab: https://salsa.debian.org/nagios-team/monitoring-plugins/-/compare/01e11f95824091e481dcee2321a761e716fc38a2...f3e127972cca688ee91a1b2956d906ca0d10206d
--
View it on GitLab: https://salsa.debian.org/nagios-team/monitoring-plugins/-/compare/01e11f95824091e481dcee2321a761e716fc38a2...f3e127972cca688ee91a1b2956d906ca0d10206d
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-nagios-changes/attachments/20241119/3aa783d5/attachment-0001.htm>
More information about the pkg-nagios-changes
mailing list