summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenoit Mortier <opensides@users.sourceforge.net>2004-12-28 23:18:17 +0000
committerBenoit Mortier <opensides@users.sourceforge.net>2004-12-28 23:18:17 +0000
commit6ecaa524bf28b5fb861b161ea075a11119cb3bd2 (patch)
treefb5e86f3c4a5d8aa0b790e15f380baa54a8703f1
parentb8fcd0d2587a5415266d7f3eea7ae6764900a7cc (diff)
downloadmonitoring-plugins-6ecaa524bf28b5fb861b161ea075a11119cb3bd2.tar.gz
starttls support for check_smtp #1041576
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1065 f882894a-f735-0410-b71e-b25c423dba1c
-rw-r--r--plugins/Makefile.am2
-rw-r--r--plugins/check_smtp.c285
-rw-r--r--po/fr.po42
3 files changed, 297 insertions, 32 deletions
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 538f9057..51858215 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -69,7 +69,7 @@ check_procs_LDADD = $(BASEOBJS) popen.o
69check_radius_LDADD = $(NETLIBS) $(RADIUSLIBS) 69check_radius_LDADD = $(NETLIBS) $(RADIUSLIBS)
70check_real_LDADD = $(NETLIBS) 70check_real_LDADD = $(NETLIBS)
71check_snmp_LDADD = $(BASEOBJS) popen.o 71check_snmp_LDADD = $(BASEOBJS) popen.o
72check_smtp_LDADD = $(NETLIBS) 72check_smtp_LDADD = $(NETLIBS) $(SSLLIBS)
73check_ssh_LDADD = $(NETLIBS) 73check_ssh_LDADD = $(NETLIBS)
74check_swap_LDADD = $(BASEOBJS) popen.o 74check_swap_LDADD = $(BASEOBJS) popen.o
75check_tcp_LDADD = $(NETLIBS) $(SSLLIBS) 75check_tcp_LDADD = $(NETLIBS) $(SSLLIBS)
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 55cf5da5..6e5d972a 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -27,17 +27,49 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
27#include "netutils.h" 27#include "netutils.h"
28#include "utils.h" 28#include "utils.h"
29 29
30#ifdef HAVE_SSL_H
31# include <rsa.h>
32# include <crypto.h>
33# include <x509.h>
34# include <pem.h>
35# include <ssl.h>
36# include <err.h>
37#else
38# ifdef HAVE_OPENSSL_SSL_H
39# include <openssl/rsa.h>
40# include <openssl/crypto.h>
41# include <openssl/x509.h>
42# include <openssl/pem.h>
43# include <openssl/ssl.h>
44# include <openssl/err.h>
45# endif
46#endif
47
48#ifdef HAVE_SSL
49
50int check_cert = FALSE;
51int days_till_exp;
52SSL_CTX *ctx;
53SSL *ssl;
54X509 *server_cert;
55int connect_STARTTLS (void);
56int check_certificate (X509 **);
57#endif
58
30enum { 59enum {
31 SMTP_PORT = 25 60 SMTP_PORT = 25
32}; 61};
33const char *SMTP_EXPECT = "220"; 62const char *SMTP_EXPECT = "220";
34const char *SMTP_HELO = "HELO "; 63const char *SMTP_HELO = "HELO ";
35const char *SMTP_QUIT = "QUIT\r\n"; 64const char *SMTP_QUIT = "QUIT\r\n";
65const char *SMTP_STARTTLS = "STARTTLS\r\n";
36 66
37int process_arguments (int, char **); 67int process_arguments (int, char **);
38int validate_arguments (void); 68int validate_arguments (void);
39void print_help (void); 69void print_help (void);
40void print_usage (void); 70void print_usage (void);
71int myrecv(void);
72int my_close(void);
41 73
42#ifdef HAVE_REGEX_H 74#ifdef HAVE_REGEX_H
43#include <regex.h> 75#include <regex.h>
@@ -68,18 +100,23 @@ int check_warning_time = FALSE;
68int critical_time = 0; 100int critical_time = 0;
69int check_critical_time = FALSE; 101int check_critical_time = FALSE;
70int verbose = 0; 102int verbose = 0;
71 103int use_ssl = FALSE;
72 104int sd;
105char buffer[MAX_INPUT_BUFFER];
106enum {
107 TCP_PROTOCOL = 1,
108 UDP_PROTOCOL = 2,
109 MAXBUF = 1024
110};
73 111
74int 112int
75main (int argc, char **argv) 113main (int argc, char **argv)
76{ 114{
77 int sd; 115
78 int n = 0; 116 int n = 0;
79 double elapsed_time; 117 double elapsed_time;
80 long microsec; 118 long microsec;
81 int result = STATE_UNKNOWN; 119 int result = STATE_UNKNOWN;
82 char buffer[MAX_INPUT_BUFFER];
83 char *cmd_str = NULL; 120 char *cmd_str = NULL;
84 char *helocmd = NULL; 121 char *helocmd = NULL;
85 struct timeval tv; 122 struct timeval tv;
@@ -140,12 +177,45 @@ main (int argc, char **argv)
140 result = STATE_WARNING; 177 result = STATE_WARNING;
141 } 178 }
142 } 179 }
143 180#ifdef HAVE_SSL
181 if(use_ssl) {
182 /* send the STARTTLS command */
183 send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0);
184
185 recv(sd,buffer, MAX_INPUT_BUFFER-1, 0); // wait for it
186 if (!strstr (buffer, server_expect)) {
187 printf (_("Server does not support STARTTLS\n"));
188 return STATE_UNKNOWN;
189 }
190 if(connect_STARTTLS() != OK) {
191 printf (_("ERROR: Cannot create SSL context.\n"));
192 return STATE_CRITICAL;
193 }
194 if ( check_cert ) {
195 if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
196 result = check_certificate (&server_cert);
197 X509_free(server_cert);
198 }
199 else {
200 printf (_("ERROR: Cannot retrieve server certificate.\n"));
201 result = STATE_CRITICAL;
202
203 }
204 my_close();
205 return result;
206 }
207 }
208#endif
144 /* send the HELO command */ 209 /* send the HELO command */
210#ifdef HAVE_SSL
211 if (use_ssl)
212 SSL_write(ssl, helocmd, strlen(helocmd));
213 else
214#endif
145 send(sd, helocmd, strlen(helocmd), 0); 215 send(sd, helocmd, strlen(helocmd), 0);
146 216
147 /* allow for response to helo command to reach us */ 217 /* allow for response to helo command to reach us */
148 recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); 218 myrecv();
149 219
150 /* sendmail will syslog a "NOQUEUE" error if session does not attempt 220 /* sendmail will syslog a "NOQUEUE" error if session does not attempt
151 * to do something useful. This can be prevented by giving a command 221 * to do something useful. This can be prevented by giving a command
@@ -158,16 +228,26 @@ main (int argc, char **argv)
158 * Use the -f option to provide a FROM address 228 * Use the -f option to provide a FROM address
159 */ 229 */
160 if (smtp_use_dummycmd) { 230 if (smtp_use_dummycmd) {
161 send(sd, cmd_str, strlen(cmd_str), 0); 231#ifdef HAVE_SSL
162 recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); 232 if (use_ssl)
163 if (verbose) 233 SSL_write(ssl, cmd_str, strlen(cmd_str));
164 printf("%s", buffer); 234 else
235#endif
236 send(sd, cmd_str, strlen(cmd_str), 0);
237 myrecv();
238 if (verbose)
239 printf("%s", buffer);
165 } 240 }
166 241
167 while (n < ncommands) { 242 while (n < ncommands) {
168 asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); 243 asprintf (&cmd_str, "%s%s", commands[n], "\r\n");
244#ifdef HAVE_SSL
245 if (use_ssl)
246 SSL_write(ssl,cmd_str, strlen(cmd_str));
247 else
248#endif
169 send(sd, cmd_str, strlen(cmd_str), 0); 249 send(sd, cmd_str, strlen(cmd_str), 0);
170 recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); 250 myrecv();
171 if (verbose) 251 if (verbose)
172 printf("%s", buffer); 252 printf("%s", buffer);
173 strip (buffer); 253 strip (buffer);
@@ -206,6 +286,11 @@ main (int argc, char **argv)
206 } 286 }
207 287
208 /* tell the server we're done */ 288 /* tell the server we're done */
289#ifdef HAVE_SSL
290 if (use_ssl)
291 SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT));
292 else
293#endif
209 send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); 294 send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
210 295
211 /* finally close the connection */ 296 /* finally close the connection */
@@ -261,6 +346,8 @@ process_arguments (int argc, char **argv)
261 {"use-ipv4", no_argument, 0, '4'}, 346 {"use-ipv4", no_argument, 0, '4'},
262 {"use-ipv6", no_argument, 0, '6'}, 347 {"use-ipv6", no_argument, 0, '6'},
263 {"help", no_argument, 0, 'h'}, 348 {"help", no_argument, 0, 'h'},
349 {"starttls",no_argument,0,'S'},
350 {"certificate",required_argument,0,'D'},
264 {0, 0, 0, 0} 351 {0, 0, 0, 0}
265 }; 352 };
266 353
@@ -277,7 +364,7 @@ process_arguments (int argc, char **argv)
277 } 364 }
278 365
279 while (1) { 366 while (1) {
280 c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:", 367 c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:SD:",
281 longopts, &option); 368 longopts, &option);
282 369
283 if (c == -1 || c == EOF) 370 if (c == -1 || c == EOF)
@@ -354,6 +441,22 @@ process_arguments (int argc, char **argv)
354 usage4 (_("Timeout interval must be a positive integer")); 441 usage4 (_("Timeout interval must be a positive integer"));
355 } 442 }
356 break; 443 break;
444 case 'S':
445 /* starttls */
446 use_ssl = TRUE;
447 break;
448 case 'D':
449 /* Check SSL cert validity */
450#ifdef HAVE_SSL
451 if (!is_intnonneg (optarg))
452 usage2 ("Invalid certificate expiration period",optarg);
453 days_till_exp = atoi (optarg);
454 check_cert = TRUE;
455#else
456 terminate (STATE_UNKNOWN,
457 "SSL support not available. Install OpenSSL and recompile.");
458#endif
459 break;
357 case '4': 460 case '4':
358 address_family = AF_INET; 461 address_family = AF_INET;
359 break; 462 break;
@@ -443,6 +546,13 @@ print_help (void)
443 -f, --from=STRING\n\ 546 -f, --from=STRING\n\
444 FROM-address to include in MAIL command, required by Exchange 2000\n"), 547 FROM-address to include in MAIL command, required by Exchange 2000\n"),
445 SMTP_EXPECT); 548 SMTP_EXPECT);
549#ifdef HAVE_SSL
550 printf (_("\
551 -D, --certificate=INTEGER\n\
552 Minimum number of days a certificate has to be valid.\n\
553 -S, --starttls\n\
554 Use STARTTLS for the connection.\n"));
555#endif
446 556
447 printf (_(UT_WARN_CRIT)); 557 printf (_(UT_WARN_CRIT));
448 558
@@ -466,5 +576,154 @@ print_usage (void)
466{ 576{
467 printf ("\ 577 printf ("\
468Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ 578Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\
469 [-w warn] [-c crit] [-t timeout] [-n] [-v] [-4|-6]\n", progname); 579 [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname);
580}
581
582#ifdef HAVE_SSL
583int
584connect_STARTTLS (void)
585{
586 SSL_METHOD *meth;
587
588 /* Initialize SSL context */
589 SSLeay_add_ssl_algorithms ();
590 meth = SSLv2_client_method ();
591 SSL_load_error_strings ();
592 if ((ctx = SSL_CTX_new (meth)) == NULL)
593 {
594 printf(_("ERROR: Cannot create SSL context.\n"));
595 return STATE_CRITICAL;
596 }
597 /* do the SSL handshake */
598 if ((ssl = SSL_new (ctx)) != NULL)
599 {
600 SSL_set_fd (ssl, sd);
601 /* original version checked for -1
602 I look for success instead (1) */
603 if (SSL_connect (ssl) == 1)
604 return OK;
605 ERR_print_errors_fp (stderr);
606 }
607 else
608 {
609 printf (_("ERROR: Cannot initiate SSL handshake.\n"));
610 }
611 /* this causes a seg faul
612 not sure why, being sloppy
613 and commenting it out */
614 // SSL_free (ssl);
615 SSL_CTX_free(ctx);
616 my_close();
617
618 return STATE_CRITICAL;
619}
620
621int
622check_certificate (X509 ** certificate)
623{
624 ASN1_STRING *tm;
625 int offset;
626 struct tm stamp;
627 int days_left;
628
629 /* Retrieve timestamp of certificate */
630 tm = X509_get_notAfter (*certificate);
631
632 /* Generate tm structure to process timestamp */
633 if (tm->type == V_ASN1_UTCTIME) {
634 if (tm->length < 10) {
635 printf (_("ERROR: Wrong time format in certificate.\n"));
636 return STATE_CRITICAL;
637 }
638 else {
639 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
640 if (stamp.tm_year < 50)
641 stamp.tm_year += 100;
642 offset = 0;
643 }
644 }
645 else {
646 if (tm->length < 12) {
647 printf (_("ERROR: Wrong time format in certificate.\n"));
648 return STATE_CRITICAL;
649 }
650 else {
651 stamp.tm_year =
652 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
653 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
654 stamp.tm_year -= 1900;
655 offset = 2;
656 }
657 }
658 stamp.tm_mon =
659 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
660 stamp.tm_mday =
661 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
662 stamp.tm_hour =
663 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
664 stamp.tm_min =
665 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
666 stamp.tm_sec = 0;
667 stamp.tm_isdst = -1;
668
669 days_left = (mktime (&stamp) - time (NULL)) / 86400;
670 snprintf
671 (timestamp, 16, "%02d/%02d/%04d %02d:%02d",
672 stamp.tm_mon + 1,
673 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
674
675 if (days_left > 0 && days_left <= days_till_exp) {
676 printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp);
677 return STATE_WARNING;
678 }
679 if (days_left < 0) {
680 printf ("Certificate expired on %s.\n", timestamp);
681 return STATE_CRITICAL;
682 }
683
684 if (days_left == 0) {
685 printf ("Certificate expires today (%s).\n", timestamp);
686 return STATE_WARNING;
687 }
688
689 printf ("Certificate will expire on %s.\n", timestamp);
690
691 return STATE_OK;
692}
693#endif
694
695int
696myrecv (void)
697{
698 int i;
699
700#ifdef HAVE_SSL
701 if (use_ssl) {
702 i = SSL_read (ssl, buffer, MAXBUF - 1);
703 }
704 else {
705#endif
706 i = read (sd, buffer, MAXBUF - 1);
707#ifdef HAVE_SSL
708 }
709#endif
710 return i;
711}
712
713int
714my_close (void)
715{
716#ifdef HAVE_SSL
717 if (use_ssl == TRUE) {
718 SSL_shutdown (ssl);
719 SSL_free (ssl);
720 SSL_CTX_free (ctx);
721 return 0;
722 }
723 else {
724#endif
725 return close(sd);
726#ifdef HAVE_SSL
727 }
728#endif
470} 729}
diff --git a/po/fr.po b/po/fr.po
index ed178637..4ad5f2c0 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -10,7 +10,7 @@ msgstr ""
10"Project-Id-Version: fr\n" 10"Project-Id-Version: fr\n"
11"Report-Msgid-Bugs-To: \n" 11"Report-Msgid-Bugs-To: \n"
12"POT-Creation-Date: 2004-12-26 00:06+0100\n" 12"POT-Creation-Date: 2004-12-26 00:06+0100\n"
13"PO-Revision-Date: 2004-12-27 23:43+0100\n" 13"PO-Revision-Date: 2004-12-29 00:09+0100\n"
14"Last-Translator: Benoit Mortier <benoit.mortier@opensides.be>\n" 14"Last-Translator: Benoit Mortier <benoit.mortier@opensides.be>\n"
15"Language-Team: Français <fr@li.org>\n" 15"Language-Team: Français <fr@li.org>\n"
16"MIME-Version: 1.0\n" 16"MIME-Version: 1.0\n"
@@ -324,81 +324,87 @@ msgstr "DHCPOFFER XID (%lu) ne correspond pas à DHCPDISCOVER XID (%lu) - paquet
324#, c-format 324#, c-format
325msgid "DHCPOFFER hardware address did not match our own - ignoring packet\n" 325msgid "DHCPOFFER hardware address did not match our own - ignoring packet\n"
326msgstr "" 326msgstr ""
327" l'addresse matérielleh du DHCPOFFER ne correspond pas à la notre\n"
328"paquet ignoré\n"
327 329
328#: plugins/check_dhcp.c:568 330#: plugins/check_dhcp.c:568
329#, c-format 331#, c-format
330msgid "Total responses seen on the wire: %d\n" 332msgid "Total responses seen on the wire: %d\n"
331msgstr "" 333msgstr "Nombre total de réponses: %d\n"
332 334
333#: plugins/check_dhcp.c:569 335#: plugins/check_dhcp.c:569
334#, fuzzy, c-format 336#, c-format
335msgid "Valid responses for this machine: %d\n" 337msgid "Valid responses for this machine: %d\n"
336msgstr "Réponse invalide du serveur après load 1\n" 338msgstr "Nombre de réponse valides pour cette machine: %d\n"
337 339
338#: plugins/check_dhcp.c:585 340#: plugins/check_dhcp.c:585
339#, c-format 341#, c-format
340msgid "send_dhcp_packet result: %d\n" 342msgid "send_dhcp_packet result: %d\n"
341msgstr "" 343msgstr "résultat de send_dchp_packet: %d\n"
342 344
343#: plugins/check_dhcp.c:614 345#: plugins/check_dhcp.c:614
344#, fuzzy, c-format 346#, c-format
345msgid "No (more) data received\n" 347msgid "No (more) data received\n"
346msgstr "Pas de données reçues %s\n" 348msgstr "Plus de données reçues\n"
347 349
348#: plugins/check_dhcp.c:633 350#: plugins/check_dhcp.c:633
349#, fuzzy, c-format 351#, c-format
350msgid "recvfrom() failed, " 352msgid "recvfrom() failed, "
351msgstr "La réception à échoué\n" 353msgstr "La réception à échoué\n"
352 354
353#: plugins/check_dhcp.c:640 355#: plugins/check_dhcp.c:640
354#, c-format 356#, c-format
355msgid "receive_dhcp_packet() result: %d\n" 357msgid "receive_dhcp_packet() result: %d\n"
356msgstr "" 358msgstr "résultat de receive_dchp_packet: %d\n"
357 359
358#: plugins/check_dhcp.c:641 360#: plugins/check_dhcp.c:641
359#, c-format 361#, c-format
360msgid "receive_dhcp_packet() source: %s\n" 362msgid "receive_dhcp_packet() source: %s\n"
361msgstr "" 363msgstr "source de receive_dchp_packet: %s\n"
362 364
363#: plugins/check_dhcp.c:670 365#: plugins/check_dhcp.c:670
364#, c-format 366#, c-format
365msgid "Error: Could not create socket!\n" 367msgid "Error: Could not create socket!\n"
366msgstr "" 368msgstr "Erreur: Impossible de créer un socket!\n"
367 369
368#: plugins/check_dhcp.c:680 370#: plugins/check_dhcp.c:680
369#, c-format 371#, c-format
370msgid "Error: Could not set reuse address option on DHCP socket!\n" 372msgid "Error: Could not set reuse address option on DHCP socket!\n"
371msgstr "" 373msgstr ""
374"Erreur: Impossible de configurer l'option de réutilisation de l'adresse sur\n"
375"le socket DHCP!\n"
372 376
373#: plugins/check_dhcp.c:686 377#: plugins/check_dhcp.c:686
374#, c-format 378#, c-format
375msgid "Error: Could not set broadcast option on DHCP socket!\n" 379msgid "Error: Could not set broadcast option on DHCP socket!\n"
376msgstr "" 380msgstr "Erreur: Impossible de configurer l'option broadcast sur le socket DHCP!\n"
377 381
378#: plugins/check_dhcp.c:694 382#: plugins/check_dhcp.c:694
379#, c-format 383#, c-format
380msgid "Error: Could not bind socket to interface %s. Check your privileges...\n" 384msgid "Error: Could not bind socket to interface %s. Check your privileges...\n"
381msgstr "" 385msgstr ""
386"Erreur: Impossible de connecter le socket à l'interface %s.\n"
387"Verifiez vos droits...\n"
382 388
383#: plugins/check_dhcp.c:704 389#: plugins/check_dhcp.c:704
384#, c-format 390#, c-format
385msgid "Error: Could not bind to DHCP socket (port %d)! Check your privileges...\n" 391msgid "Error: Could not bind to DHCP socket (port %d)! Check your privileges...\n"
386msgstr "" 392msgstr "Erreur: Impossible de se connecter au socket (port %d)! Verifiez vos droits..\n"
387 393
388#: plugins/check_dhcp.c:737 394#: plugins/check_dhcp.c:737
389#, fuzzy, c-format 395#, c-format
390msgid "Requested server address: %s\n" 396msgid "Requested server address: %s\n"
391msgstr "Vous devez fournir une adresse serveur\n" 397msgstr "Adresse serveur demandée: %s\n"
392 398
393#: plugins/check_dhcp.c:787 399#: plugins/check_dhcp.c:787
394#, c-format 400#, c-format
395msgid "Lease Time: Infinite\n" 401msgid "Lease Time: Infinite\n"
396msgstr "" 402msgstr "Durée du Bail: Infini\n"
397 403
398#: plugins/check_dhcp.c:789 404#: plugins/check_dhcp.c:789
399#, fuzzy, c-format 405#, c-format
400msgid "Lease Time: %lu seconds\n" 406msgid "Lease Time: %lu seconds\n"
401msgstr "LRU temps d'attente = %lu secondes" 407msgstr "Durée du Bai: %lu secondes\n"
402 408
403#: plugins/check_dhcp.c:791 409#: plugins/check_dhcp.c:791
404#, c-format 410#, c-format