summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Baumann <mail@andreasbaumann.cc>2017-04-21 09:03:28 (GMT)
committerSven Nierlein <sven@nierlein.de>2018-10-22 14:30:31 (GMT)
commit2da757519649f8806be1741ce7232724e5a03f24 (patch)
tree8b803e2298370c72f2ceaf894525001429d32404
parentf4a7a3b3e7aa0cda2153b68fecaa1f76ed2b2392 (diff)
downloadmonitoring-plugins-2da757519649f8806be1741ce7232724e5a03f24.tar.gz
preparing for certificate checks (non-OpenSSL version)
-rw-r--r--plugins/check_curl.c61
1 files changed, 39 insertions, 22 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 261c534..6575af7 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -158,18 +158,21 @@ int onredirect = STATE_OK;
158int use_ssl = FALSE; 158int use_ssl = FALSE;
159int use_sni = TRUE; 159int use_sni = TRUE;
160int check_cert = FALSE; 160int check_cert = FALSE;
161union { 161typedef union {
162 struct curl_slist* to_info; 162 struct curl_slist* to_info;
163 struct curl_certinfo* to_certinfo; 163 struct curl_certinfo* to_certinfo;
164} cert_ptr; 164} cert_ptr_union;
165cert_ptr_union cert_ptr;
165int ssl_version = CURL_SSLVERSION_DEFAULT; 166int ssl_version = CURL_SSLVERSION_DEFAULT;
166char *client_cert = NULL; 167char *client_cert = NULL;
167char *client_privkey = NULL; 168char *client_privkey = NULL;
168char *ca_cert = NULL; 169char *ca_cert = NULL;
169int is_openssl_callback = FALSE; 170int is_openssl_callback = FALSE;
170#ifdef HAVE_SSL 171#ifdef HAVE_SSL
172#ifdef USE_OPENSSL
171X509 *cert = NULL; 173X509 *cert = NULL;
172#endif 174#endif /* USE_OPENSSL */
175#endif /* HAVE_SSL */
173int no_body = FALSE; 176int no_body = FALSE;
174int maximum_age = -1; 177int maximum_age = -1;
175int address_family = AF_UNSPEC; 178int address_family = AF_UNSPEC;
@@ -189,6 +192,7 @@ int curlhelp_buffer_read_callback (void *, size_t , size_t , void *);
189void curlhelp_freereadbuffer (curlhelp_read_curlbuf *); 192void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
190curlhelp_ssl_library curlhelp_get_ssl_library (CURL*); 193curlhelp_ssl_library curlhelp_get_ssl_library (CURL*);
191const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library); 194const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
195int net_noopenssl_check_certificate (cert_ptr_union*, int, int);
192 196
193int curlhelp_parse_statusline (const char*, curlhelp_statusline *); 197int curlhelp_parse_statusline (const char*, curlhelp_statusline *);
194void curlhelp_free_statusline (curlhelp_statusline *); 198void curlhelp_free_statusline (curlhelp_statusline *);
@@ -229,6 +233,7 @@ main (int argc, char **argv)
229} 233}
230 234
231#ifdef HAVE_SSL 235#ifdef HAVE_SSL
236#ifdef USE_OPENSSL
232 237
233int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) 238int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
234{ 239{
@@ -247,6 +252,7 @@ CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
247 return CURLE_OK; 252 return CURLE_OK;
248} 253}
249 254
255#endif /* USE_OPENSSL */
250#endif /* HAVE_SSL */ 256#endif /* HAVE_SSL */
251 257
252/* Checks if the server 'reply' is one of the expected 'statuscodes' */ 258/* Checks if the server 'reply' is one of the expected 'statuscodes' */
@@ -535,33 +541,19 @@ check_http (void)
535 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n"); 541 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
536#endif /* HAVE_SSL */ 542#endif /* HAVE_SSL */
537 } else { 543 } else {
538 /* going with the libcurl CURLINFO data */ 544 /* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
539 if (verbose >= 2) 545 * so we use the libcurl CURLINFO data
540 printf ("**** REQUEST CERTIFICATES ****\n"); 546 */
541 cert_ptr.to_info = NULL; 547 cert_ptr.to_info = NULL;
542 res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info); 548 res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
543 if (!res && cert_ptr.to_info) { 549 if (!res && cert_ptr.to_info) {
544 int i; 550 result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
545 for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) { 551 return result;
546 struct curl_slist *slist;
547 for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
548 if (verbose >= 2)
549 printf ("%d ** %s\n", i, slist->data);
550 }
551 }
552 } else { 552 } else {
553 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"), 553 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
554 res, curl_easy_strerror(res)); 554 res, curl_easy_strerror(res));
555 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); 555 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
556 } 556 }
557 if (verbose >= 2)
558 printf ("**** REQUEST CERTIFICATES ****\n");
559 /* TODO: either convert data to X509 certs we can check with np_net_ssl_check_certificate
560 * or do something on our own..
561 * result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
562 * return result;
563 */
564 die (STATE_UNKNOWN, "HTTP UNKNOWN - CERTINFO certificate checks not implemented yet\n");
565 } 557 }
566 } 558 }
567 } 559 }
@@ -1723,3 +1715,28 @@ curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
1723 return "unknown"; 1715 return "unknown";
1724 } 1716 }
1725} 1717}
1718
1719#ifdef LIBCURL_FEATURE_SSL
1720int
1721net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit)
1722{
1723 int i;
1724 struct curl_slist *slist;
1725
1726 if (verbose >= 2)
1727 printf ("**** REQUEST CERTIFICATES ****\n");
1728
1729 for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) {
1730 for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) {
1731 if (verbose >= 2)
1732 printf ("%d ** %s\n", i, slist->data);
1733 }
1734 }
1735
1736 if (verbose >= 2)
1737 printf ("**** REQUEST CERTIFICATES ****\n");
1738
1739 printf("%s\n", _("WARNING - Plugin does not support checking certificates without OpenSSL."));
1740 return STATE_WARNING;
1741}
1742#endif /* LIBCURL_FEATURE_SSL */