summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLorenz Kästle <12514511+RincewindsHat@users.noreply.github.com>2023-09-21 10:03:52 (GMT)
committerGitHub <noreply@github.com>2023-09-21 10:03:52 (GMT)
commit7e81cb3c1fb4123bd4d423b2c9e86538dec19e39 (patch)
tree1ef0975b2a059daa7b8552aaf6371b3320ef477b
parent220455a11e8f1dd3a86ac4725cf0c799c8e3b21b (diff)
parentd5d0b50e89ee600b6a605344aad004c60b88994d (diff)
downloadmonitoring-plugins-7e81cb3c1fb4123bd4d423b2c9e86538dec19e39.tar.gz
Merge pull request #1868 from RincewindsHat/compiler_warning_part_3
Replace deprecated TLS client functions
-rw-r--r--lib/utils_base.c33
-rw-r--r--lib/utils_base.h4
-rw-r--r--plugins/sslutils.c77
3 files changed, 62 insertions, 52 deletions
diff --git a/lib/utils_base.c b/lib/utils_base.c
index c458cf6..0f52126 100644
--- a/lib/utils_base.c
+++ b/lib/utils_base.c
@@ -402,26 +402,45 @@ int mp_translate_state (char *state_text) {
402 * parse of argv, so that uniqueness in parameters are reflected there. 402 * parse of argv, so that uniqueness in parameters are reflected there.
403 */ 403 */
404char *_np_state_generate_key() { 404char *_np_state_generate_key() {
405 struct sha256_ctx ctx;
406 int i; 405 int i;
407 char **argv = this_monitoring_plugin->argv; 406 char **argv = this_monitoring_plugin->argv;
408 unsigned char result[20];
409 char keyname[41]; 407 char keyname[41];
410 char *p=NULL; 408 char *p=NULL;
411 409
412 sha256_init_ctx(&ctx); 410 unsigned char result[256];
413 411
412#ifdef USE_OPENSSL
413 /*
414 * This code path is chosen if openssl is available (which should be the most common
415 * scenario). Alternatively, the gnulib implementation/
416 *
417 */
418 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
419
420 EVP_DigestInit(ctx, EVP_sha256());
421
422 for(i=0; i<this_monitoring_plugin->argc; i++) {
423 EVP_DigestUpdate(ctx, argv[i], strlen(argv[i]));
424 }
425
426 EVP_DigestFinal(ctx, result, NULL);
427#else
428
429 struct sha256_ctx ctx;
430
414 for(i=0; i<this_monitoring_plugin->argc; i++) { 431 for(i=0; i<this_monitoring_plugin->argc; i++) {
415 sha256_process_bytes(argv[i], strlen(argv[i]), &ctx); 432 sha256_process_bytes(argv[i], strlen(argv[i]), &ctx);
416 } 433 }
417 434
418 sha256_finish_ctx(&ctx, &result); 435 sha256_finish_ctx(&ctx, result);
419 436#endif // FOUNDOPENSSL
437
420 for (i=0; i<20; ++i) { 438 for (i=0; i<20; ++i) {
421 sprintf(&keyname[2*i], "%02x", result[i]); 439 sprintf(&keyname[2*i], "%02x", result[i]);
422 } 440 }
441
423 keyname[40]='\0'; 442 keyname[40]='\0';
424 443
425 p = strdup(keyname); 444 p = strdup(keyname);
426 if(p==NULL) { 445 if(p==NULL) {
427 die(STATE_UNKNOWN, _("Cannot execute strdup: %s"), strerror(errno)); 446 die(STATE_UNKNOWN, _("Cannot execute strdup: %s"), strerror(errno));
diff --git a/lib/utils_base.h b/lib/utils_base.h
index 5906550..9cb4276 100644
--- a/lib/utils_base.h
+++ b/lib/utils_base.h
@@ -2,7 +2,9 @@
2#define _UTILS_BASE_ 2#define _UTILS_BASE_
3/* Header file for Monitoring Plugins utils_base.c */ 3/* Header file for Monitoring Plugins utils_base.c */
4 4
5#include "sha256.h" 5#ifndef USE_OPENSSL
6# include "sha256.h"
7#endif
6 8
7/* This file holds header information for thresholds - use this in preference to 9/* This file holds header information for thresholds - use this in preference to
8 individual plugin logic */ 10 individual plugin logic */
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 666a012..6bc0ba8 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -31,9 +31,8 @@
31#include "netutils.h" 31#include "netutils.h"
32 32
33#ifdef HAVE_SSL 33#ifdef HAVE_SSL
34static SSL_CTX *c=NULL; 34static SSL_CTX *ctx=NULL;
35static SSL *s=NULL; 35static SSL *s=NULL;
36static int initialized=0;
37 36
38int np_net_ssl_init(int sd) { 37int np_net_ssl_init(int sd) {
39 return np_net_ssl_init_with_hostname(sd, NULL); 38 return np_net_ssl_init_with_hostname(sd, NULL);
@@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
48} 47}
49 48
50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { 49int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
51 const SSL_METHOD *method = NULL;
52 long options = 0; 50 long options = 0;
53 51
52 if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
53 printf("%s\n", _("CRITICAL - Cannot create SSL context."));
54 return STATE_CRITICAL;
55 }
56
54 switch (version) { 57 switch (version) {
55 case MP_SSLv2: /* SSLv2 protocol */ 58 case MP_SSLv2: /* SSLv2 protocol */
56#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
57 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); 59 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
58 return STATE_UNKNOWN; 60 return STATE_UNKNOWN;
59#else
60 method = SSLv2_client_method();
61 break;
62#endif
63 case MP_SSLv3: /* SSLv3 protocol */ 61 case MP_SSLv3: /* SSLv3 protocol */
64#if defined(OPENSSL_NO_SSL3) 62#if defined(OPENSSL_NO_SSL3)
65 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); 63 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
66 return STATE_UNKNOWN; 64 return STATE_UNKNOWN;
67#else 65#else
68 method = SSLv3_client_method(); 66 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
67 SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
69 break; 68 break;
70#endif 69#endif
71 case MP_TLSv1: /* TLSv1 protocol */ 70 case MP_TLSv1: /* TLSv1 protocol */
@@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
73 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); 72 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
74 return STATE_UNKNOWN; 73 return STATE_UNKNOWN;
75#else 74#else
76 method = TLSv1_client_method(); 75 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
76 SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
77 break; 77 break;
78#endif 78#endif
79 case MP_TLSv1_1: /* TLSv1.1 protocol */ 79 case MP_TLSv1_1: /* TLSv1.1 protocol */
@@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); 81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82 return STATE_UNKNOWN; 82 return STATE_UNKNOWN;
83#else 83#else
84 method = TLSv1_1_client_method(); 84 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
85 SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
85 break; 86 break;
86#endif 87#endif
87 case MP_TLSv1_2: /* TLSv1.2 protocol */ 88 case MP_TLSv1_2: /* TLSv1.2 protocol */
@@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
89 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); 90 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
90 return STATE_UNKNOWN; 91 return STATE_UNKNOWN;
91#else 92#else
92 method = TLSv1_2_client_method(); 93 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
94 SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
93 break; 95 break;
94#endif 96#endif
95 case MP_TLSv1_2_OR_NEWER: 97 case MP_TLSv1_2_OR_NEWER:
@@ -97,56 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
97 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); 99 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
98 return STATE_UNKNOWN; 100 return STATE_UNKNOWN;
99#else 101#else
100 options |= SSL_OP_NO_TLSv1_1; 102 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
103 break;
101#endif 104#endif
102 /* FALLTHROUGH */
103 case MP_TLSv1_1_OR_NEWER: 105 case MP_TLSv1_1_OR_NEWER:
104#if !defined(SSL_OP_NO_TLSv1) 106#if !defined(SSL_OP_NO_TLSv1)
105 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); 107 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
106 return STATE_UNKNOWN; 108 return STATE_UNKNOWN;
107#else 109#else
108 options |= SSL_OP_NO_TLSv1; 110 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
111 break;
109#endif 112#endif
110 /* FALLTHROUGH */
111 case MP_TLSv1_OR_NEWER: 113 case MP_TLSv1_OR_NEWER:
112#if defined(SSL_OP_NO_SSLv3) 114#if defined(SSL_OP_NO_SSLv3)
113 options |= SSL_OP_NO_SSLv3; 115 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
116 break;
114#endif 117#endif
115 /* FALLTHROUGH */
116 case MP_SSLv3_OR_NEWER: 118 case MP_SSLv3_OR_NEWER:
117#if defined(SSL_OP_NO_SSLv2) 119#if defined(SSL_OP_NO_SSLv2)
118 options |= SSL_OP_NO_SSLv2; 120 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
121 break;
119#endif 122#endif
120 case MP_SSLv2_OR_NEWER:
121 /* FALLTHROUGH */
122 default: /* Default to auto negotiation */
123 method = SSLv23_client_method();
124 }
125 if (!initialized) {
126 /* Initialize SSL context */
127 SSLeay_add_ssl_algorithms();
128 SSL_load_error_strings();
129 OpenSSL_add_all_algorithms();
130 initialized = 1;
131 }
132 if ((c = SSL_CTX_new(method)) == NULL) {
133 printf("%s\n", _("CRITICAL - Cannot create SSL context."));
134 return STATE_CRITICAL;
135 } 123 }
124
136 if (cert && privkey) { 125 if (cert && privkey) {
137#ifdef USE_OPENSSL 126#ifdef USE_OPENSSL
138 if (!SSL_CTX_use_certificate_chain_file(c, cert)) { 127 if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
139#elif USE_GNUTLS 128#elif USE_GNUTLS
140 if (!SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM)) { 129 if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
141#else 130#else
142#error Unported for unknown SSL library 131#error Unported for unknown SSL library
143#endif 132#endif
144 printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); 133 printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
145 return STATE_CRITICAL; 134 return STATE_CRITICAL;
146 } 135 }
147 SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM); 136 SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
148#ifdef USE_OPENSSL 137#ifdef USE_OPENSSL
149 if (!SSL_CTX_check_private_key(c)) { 138 if (!SSL_CTX_check_private_key(ctx)) {
150 printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); 139 printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
151 return STATE_CRITICAL; 140 return STATE_CRITICAL;
152 } 141 }
@@ -155,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
155#ifdef SSL_OP_NO_TICKET 144#ifdef SSL_OP_NO_TICKET
156 options |= SSL_OP_NO_TICKET; 145 options |= SSL_OP_NO_TICKET;
157#endif 146#endif
158 SSL_CTX_set_options(c, options); 147 SSL_CTX_set_options(ctx, options);
159 SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); 148 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
160 if ((s = SSL_new(c)) != NULL) { 149 if ((s = SSL_new(ctx)) != NULL) {
161#ifdef SSL_set_tlsext_host_name 150#ifdef SSL_set_tlsext_host_name
162 if (host_name != NULL) 151 if (host_name != NULL)
163 SSL_set_tlsext_host_name(s, host_name); 152 SSL_set_tlsext_host_name(s, host_name);
@@ -184,9 +173,9 @@ void np_net_ssl_cleanup() {
184#endif 173#endif
185 SSL_shutdown(s); 174 SSL_shutdown(s);
186 SSL_free(s); 175 SSL_free(s);
187 if (c) { 176 if (ctx) {
188 SSL_CTX_free(c); 177 SSL_CTX_free(ctx);
189 c=NULL; 178 ctx=NULL;
190 } 179 }
191 s=NULL; 180 s=NULL;
192 } 181 }