diff options
author | M. Sean Finney <seanius@users.sourceforge.net> | 2005-10-19 20:22:00 +0000 |
---|---|---|
committer | M. Sean Finney <seanius@users.sourceforge.net> | 2005-10-19 20:22:00 +0000 |
commit | cf66a717e9e8f55315d50b3b33a70b8a6f140981 (patch) | |
tree | 54dda3e4c83988c27cbc6f08a1d8da586032b4ac | |
parent | 5dd7b5dff439ab19119efd24d7822ca19b3e5bf7 (diff) | |
download | monitoring-plugins-cf66a717e9e8f55315d50b3b33a70b8a6f140981.tar.gz |
all plugins now using centralized ssl functions in netutils.c
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1257 f882894a-f735-0410-b71e-b25c423dba1c
-rw-r--r-- | plugins/check_http.c | 297 | ||||
-rw-r--r-- | plugins/check_smtp.c | 218 | ||||
-rw-r--r-- | plugins/check_tcp.c | 112 | ||||
-rw-r--r-- | plugins/netutils.c | 78 | ||||
-rw-r--r-- | plugins/netutils.h | 1 |
5 files changed, 134 insertions, 572 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c index 294866b0..413d501d 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c | |||
@@ -37,38 +37,17 @@ enum { | |||
37 | HTTPS_PORT = 443 | 37 | HTTPS_PORT = 443 |
38 | }; | 38 | }; |
39 | 39 | ||
40 | #ifdef HAVE_SSL_H | ||
41 | #include <rsa.h> | ||
42 | #include <crypto.h> | ||
43 | #include <x509.h> | ||
44 | #include <pem.h> | ||
45 | #include <ssl.h> | ||
46 | #include <err.h> | ||
47 | #include <rand.h> | ||
48 | #else | ||
49 | # ifdef HAVE_OPENSSL_SSL_H | ||
50 | # include <openssl/rsa.h> | ||
51 | # include <openssl/crypto.h> | ||
52 | # include <openssl/x509.h> | ||
53 | # include <openssl/pem.h> | ||
54 | # include <openssl/ssl.h> | ||
55 | # include <openssl/err.h> | ||
56 | # include <openssl/rand.h> | ||
57 | # endif | ||
58 | #endif | ||
59 | |||
60 | #ifdef HAVE_SSL | 40 | #ifdef HAVE_SSL |
61 | int check_cert = FALSE; | 41 | int check_cert = FALSE; |
62 | int days_till_exp; | 42 | int days_till_exp; |
63 | char *randbuff; | 43 | char *randbuff; |
64 | SSL_CTX *ctx; | ||
65 | SSL *ssl; | ||
66 | X509 *server_cert; | 44 | X509 *server_cert; |
67 | int connect_SSL (void); | 45 | # define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) |
68 | # ifdef USE_OPENSSL | 46 | # define my_send(buf, len) ((use_ssl) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) |
69 | int check_certificate (X509 **); | 47 | #else /* ifndef HAVE_SSL */ |
70 | # endif | 48 | # define my_recv(buf, len) read(sd, buf, len) |
71 | #endif | 49 | # define my_send(buf, len) send(sd, buf, len, 0) |
50 | #endif /* HAVE_SSL */ | ||
72 | int no_body = FALSE; | 51 | int no_body = FALSE; |
73 | int maximum_age = -1; | 52 | int maximum_age = -1; |
74 | 53 | ||
@@ -132,8 +111,6 @@ int server_type_check(const char *type); | |||
132 | int server_port_check(int ssl_flag); | 111 | int server_port_check(int ssl_flag); |
133 | char *perfd_time (double microsec); | 112 | char *perfd_time (double microsec); |
134 | char *perfd_size (int page_len); | 113 | char *perfd_size (int page_len); |
135 | int my_recv (void); | ||
136 | int my_close (void); | ||
137 | void print_help (void); | 114 | void print_help (void); |
138 | void print_usage (void); | 115 | void print_usage (void); |
139 | 116 | ||
@@ -168,29 +145,7 @@ main (int argc, char **argv) | |||
168 | (void) alarm (socket_timeout); | 145 | (void) alarm (socket_timeout); |
169 | gettimeofday (&tv, NULL); | 146 | gettimeofday (&tv, NULL); |
170 | 147 | ||
171 | #ifdef USE_OPENSSL | ||
172 | if (use_ssl && check_cert == TRUE) { | ||
173 | if (connect_SSL () != OK) | ||
174 | die (STATE_CRITICAL, _("HTTP CRITICAL - Could not make SSL connection\n")); | ||
175 | if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { | ||
176 | result = check_certificate (&server_cert); | ||
177 | X509_free (server_cert); | ||
178 | } | ||
179 | else { | ||
180 | printf (_("CRITICAL - Cannot retrieve server certificate.\n")); | ||
181 | result = STATE_CRITICAL; | ||
182 | } | ||
183 | SSL_shutdown (ssl); | ||
184 | SSL_free (ssl); | ||
185 | SSL_CTX_free (ctx); | ||
186 | close (sd); | ||
187 | } | ||
188 | else { | ||
189 | result = check_http (); | ||
190 | } | ||
191 | #else | ||
192 | result = check_http (); | 148 | result = check_http (); |
193 | #endif | ||
194 | return result; | 149 | return result; |
195 | } | 150 | } |
196 | 151 | ||
@@ -790,34 +745,27 @@ check_http (void) | |||
790 | long microsec; | 745 | long microsec; |
791 | double elapsed_time; | 746 | double elapsed_time; |
792 | int page_len = 0; | 747 | int page_len = 0; |
748 | int result = STATE_UNKNOWN; | ||
793 | #ifdef HAVE_SSL | 749 | #ifdef HAVE_SSL |
794 | int sslerr; | 750 | int sslerr; |
795 | #endif | 751 | #endif |
796 | 752 | ||
797 | /* try to connect to the host at the given port number */ | 753 | /* try to connect to the host at the given port number */ |
754 | if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK) | ||
755 | die (STATE_CRITICAL, _("Unable to open TCP socket\n")); | ||
798 | #ifdef HAVE_SSL | 756 | #ifdef HAVE_SSL |
799 | if (use_ssl == TRUE) { | 757 | if (use_ssl == TRUE) { |
800 | 758 | np_net_ssl_init(sd); | |
801 | if (connect_SSL () != OK) { | 759 | if (check_cert == TRUE) { |
802 | die (STATE_CRITICAL, _("Unable to open TCP socket\n")); | 760 | result = np_net_ssl_check_cert(days_till_exp); |
803 | } | 761 | if(result != STATE_OK){ |
804 | # ifdef USE_OPENSSL | 762 | np_net_ssl_cleanup(); |
805 | if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { | 763 | if(sd) close(sd); |
806 | X509_free (server_cert); | 764 | return result; |
807 | } | 765 | } |
808 | else { | ||
809 | printf (_("CRITICAL - Cannot retrieve server certificate.\n")); | ||
810 | return STATE_CRITICAL; | ||
811 | } | 766 | } |
812 | # endif /* USE_OPENSSL */ | ||
813 | } | ||
814 | else { | ||
815 | #endif | ||
816 | if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK) | ||
817 | die (STATE_CRITICAL, _("Unable to open TCP socket\n")); | ||
818 | #ifdef HAVE_SSL | ||
819 | } | 767 | } |
820 | #endif | 768 | #endif /* HAVE_SSL */ |
821 | 769 | ||
822 | asprintf (&buf, "%s %s HTTP/1.0\r\n%s\r\n", http_method, server_url, user_agent); | 770 | asprintf (&buf, "%s %s HTTP/1.0\r\n%s\r\n", http_method, server_url, user_agent); |
823 | 771 | ||
@@ -853,28 +801,12 @@ check_http (void) | |||
853 | asprintf (&buf, "%s%s", buf, CRLF); | 801 | asprintf (&buf, "%s%s", buf, CRLF); |
854 | } | 802 | } |
855 | 803 | ||
856 | if (verbose) | 804 | if (verbose) printf ("%s\n", buf); |
857 | printf ("%s\n", buf); | 805 | my_send (buf, strlen (buf)); |
858 | |||
859 | #ifdef HAVE_SSL | ||
860 | if (use_ssl == TRUE) { | ||
861 | if (SSL_write (ssl, buf, (int)strlen(buf)) == -1) { | ||
862 | # ifdef USE_OPENSSL | ||
863 | ERR_print_errors_fp (stderr); | ||
864 | # endif | ||
865 | return STATE_CRITICAL; | ||
866 | } | ||
867 | } | ||
868 | else { | ||
869 | #endif | ||
870 | send (sd, buf, strlen (buf), 0); | ||
871 | #ifdef HAVE_SSL | ||
872 | } | ||
873 | #endif | ||
874 | 806 | ||
875 | /* fetch the page */ | 807 | /* fetch the page */ |
876 | full_page = strdup(""); | 808 | full_page = strdup(""); |
877 | while ((i = my_recv ()) > 0) { | 809 | while ((i = my_recv (buffer, MAX_INPUT_BUFFER-1)) > 0) { |
878 | buffer[i] = '\0'; | 810 | buffer[i] = '\0'; |
879 | asprintf (&full_page, "%s%s", full_page, buffer); | 811 | asprintf (&full_page, "%s%s", full_page, buffer); |
880 | pagesize += i; | 812 | pagesize += i; |
@@ -887,6 +819,7 @@ check_http (void) | |||
887 | 819 | ||
888 | if (i < 0 && errno != ECONNRESET) { | 820 | if (i < 0 && errno != ECONNRESET) { |
889 | #ifdef HAVE_SSL | 821 | #ifdef HAVE_SSL |
822 | /* | ||
890 | if (use_ssl) { | 823 | if (use_ssl) { |
891 | sslerr=SSL_get_error(ssl, i); | 824 | sslerr=SSL_get_error(ssl, i); |
892 | if ( sslerr == SSL_ERROR_SSL ) { | 825 | if ( sslerr == SSL_ERROR_SSL ) { |
@@ -896,10 +829,13 @@ check_http (void) | |||
896 | } | 829 | } |
897 | } | 830 | } |
898 | else { | 831 | else { |
832 | */ | ||
899 | #endif | 833 | #endif |
900 | die (STATE_CRITICAL, _("Error on receive\n")); | 834 | die (STATE_CRITICAL, _("Error on receive\n")); |
901 | #ifdef HAVE_SSL | 835 | #ifdef HAVE_SSL |
836 | /* XXX | ||
902 | } | 837 | } |
838 | */ | ||
903 | #endif | 839 | #endif |
904 | } | 840 | } |
905 | 841 | ||
@@ -908,7 +844,10 @@ check_http (void) | |||
908 | die (STATE_CRITICAL, _("No data received %s\n"), timestamp); | 844 | die (STATE_CRITICAL, _("No data received %s\n"), timestamp); |
909 | 845 | ||
910 | /* close the connection */ | 846 | /* close the connection */ |
911 | my_close (); | 847 | #ifdef HAVE_SSL |
848 | np_net_ssl_cleanup(); | ||
849 | #endif | ||
850 | if(sd) close(sd); | ||
912 | 851 | ||
913 | /* reset the alarm */ | 852 | /* reset the alarm */ |
914 | alarm (0); | 853 | alarm (0); |
@@ -1248,143 +1187,6 @@ server_port_check (int ssl_flag) | |||
1248 | return HTTP_PORT; | 1187 | return HTTP_PORT; |
1249 | } | 1188 | } |
1250 | 1189 | ||
1251 | |||
1252 | |||
1253 | #ifdef HAVE_SSL | ||
1254 | int connect_SSL (void) | ||
1255 | { | ||
1256 | SSL_METHOD *meth; | ||
1257 | |||
1258 | asprintf (&randbuff, "%s", "qwertyuiopasdfghjklqwertyuiopasdfghjkl"); | ||
1259 | RAND_seed (randbuff, (int)strlen(randbuff)); | ||
1260 | if (verbose) | ||
1261 | printf(_("SSL seeding: %s\n"), (RAND_status()==1 ? _("OK") : _("Failed")) ); | ||
1262 | |||
1263 | /* Initialize SSL context */ | ||
1264 | SSLeay_add_ssl_algorithms (); | ||
1265 | meth = SSLv23_client_method (); | ||
1266 | SSL_load_error_strings (); | ||
1267 | if ((ctx = SSL_CTX_new (meth)) == NULL) { | ||
1268 | printf (_("CRITICAL - Cannot create SSL context.\n")); | ||
1269 | return STATE_CRITICAL; | ||
1270 | } | ||
1271 | |||
1272 | /* Initialize alarm signal handling */ | ||
1273 | signal (SIGALRM, socket_timeout_alarm_handler); | ||
1274 | |||
1275 | /* Set socket timeout */ | ||
1276 | alarm (socket_timeout); | ||
1277 | |||
1278 | /* Save start time */ | ||
1279 | gettimeofday (&tv, NULL); | ||
1280 | |||
1281 | /* Make TCP connection */ | ||
1282 | if (my_tcp_connect (server_address, server_port, &sd) == STATE_OK) { | ||
1283 | /* Do the SSL handshake */ | ||
1284 | if ((ssl = SSL_new (ctx)) != NULL) { | ||
1285 | #ifdef USE_OPENSSL | ||
1286 | SSL_set_cipher_list(ssl, "ALL"); | ||
1287 | #endif | ||
1288 | SSL_set_fd (ssl, sd); | ||
1289 | if (SSL_connect (ssl) != -1) | ||
1290 | return OK; | ||
1291 | #ifdef USE_OPENSSL | ||
1292 | ERR_print_errors_fp (stderr); | ||
1293 | #endif | ||
1294 | } | ||
1295 | else { | ||
1296 | printf (_("CRITICAL - Cannot initiate SSL handshake.\n")); | ||
1297 | } | ||
1298 | SSL_free (ssl); | ||
1299 | } | ||
1300 | |||
1301 | SSL_CTX_free (ctx); | ||
1302 | close (sd); | ||
1303 | |||
1304 | return STATE_CRITICAL; | ||
1305 | } | ||
1306 | #endif | ||
1307 | |||
1308 | |||
1309 | |||
1310 | #ifdef USE_OPENSSL | ||
1311 | int | ||
1312 | check_certificate (X509 ** certificate) | ||
1313 | { | ||
1314 | ASN1_STRING *tm; | ||
1315 | int offset; | ||
1316 | struct tm stamp; | ||
1317 | int days_left; | ||
1318 | |||
1319 | |||
1320 | /* Retrieve timestamp of certificate */ | ||
1321 | tm = X509_get_notAfter (*certificate); | ||
1322 | |||
1323 | /* Generate tm structure to process timestamp */ | ||
1324 | if (tm->type == V_ASN1_UTCTIME) { | ||
1325 | if (tm->length < 10) { | ||
1326 | printf (_("CRITICAL - Wrong time format in certificate.\n")); | ||
1327 | return STATE_CRITICAL; | ||
1328 | } | ||
1329 | else { | ||
1330 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
1331 | if (stamp.tm_year < 50) | ||
1332 | stamp.tm_year += 100; | ||
1333 | offset = 0; | ||
1334 | } | ||
1335 | } | ||
1336 | else { | ||
1337 | if (tm->length < 12) { | ||
1338 | printf (_("CRITICAL - Wrong time format in certificate.\n")); | ||
1339 | return STATE_CRITICAL; | ||
1340 | } | ||
1341 | else { | ||
1342 | stamp.tm_year = | ||
1343 | (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
1344 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
1345 | stamp.tm_year -= 1900; | ||
1346 | offset = 2; | ||
1347 | } | ||
1348 | } | ||
1349 | stamp.tm_mon = | ||
1350 | (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | ||
1351 | stamp.tm_mday = | ||
1352 | (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | ||
1353 | stamp.tm_hour = | ||
1354 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); | ||
1355 | stamp.tm_min = | ||
1356 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); | ||
1357 | stamp.tm_sec = 0; | ||
1358 | stamp.tm_isdst = -1; | ||
1359 | |||
1360 | days_left = (mktime (&stamp) - time (NULL)) / 86400; | ||
1361 | snprintf | ||
1362 | (timestamp, 17, "%02d/%02d/%04d %02d:%02d", | ||
1363 | stamp.tm_mon + 1, | ||
1364 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | ||
1365 | |||
1366 | if (days_left > 0 && days_left <= days_till_exp) { | ||
1367 | printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); | ||
1368 | return STATE_WARNING; | ||
1369 | } | ||
1370 | if (days_left < 0) { | ||
1371 | printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp); | ||
1372 | return STATE_CRITICAL; | ||
1373 | } | ||
1374 | |||
1375 | if (days_left == 0) { | ||
1376 | printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); | ||
1377 | return STATE_WARNING; | ||
1378 | } | ||
1379 | |||
1380 | printf (_("OK - Certificate will expire on %s.\n"), timestamp); | ||
1381 | |||
1382 | return STATE_OK; | ||
1383 | } | ||
1384 | #endif | ||
1385 | |||
1386 | |||
1387 | |||
1388 | char *perfd_time (double elapsed_time) | 1190 | char *perfd_time (double elapsed_time) |
1389 | { | 1191 | { |
1390 | return fperfdata ("time", elapsed_time, "s", | 1192 | return fperfdata ("time", elapsed_time, "s", |
@@ -1403,47 +1205,6 @@ char *perfd_size (int page_len) | |||
1403 | TRUE, 0, FALSE, 0); | 1205 | TRUE, 0, FALSE, 0); |
1404 | } | 1206 | } |
1405 | 1207 | ||
1406 | |||
1407 | |||
1408 | int | ||
1409 | my_recv (void) | ||
1410 | { | ||
1411 | int i; | ||
1412 | #ifdef HAVE_SSL | ||
1413 | if (use_ssl) { | ||
1414 | i = SSL_read (ssl, buffer, MAX_INPUT_BUFFER - 1); | ||
1415 | } | ||
1416 | else { | ||
1417 | i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0); | ||
1418 | } | ||
1419 | #else | ||
1420 | i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0); | ||
1421 | #endif | ||
1422 | return i; | ||
1423 | } | ||
1424 | |||
1425 | |||
1426 | |||
1427 | int | ||
1428 | my_close (void) | ||
1429 | { | ||
1430 | #ifdef HAVE_SSL | ||
1431 | if (use_ssl == TRUE) { | ||
1432 | SSL_shutdown (ssl); | ||
1433 | SSL_free (ssl); | ||
1434 | SSL_CTX_free (ctx); | ||
1435 | return 0; | ||
1436 | } | ||
1437 | else { | ||
1438 | #endif | ||
1439 | return close (sd); | ||
1440 | #ifdef HAVE_SSL | ||
1441 | } | ||
1442 | #endif | ||
1443 | } | ||
1444 | |||
1445 | |||
1446 | |||
1447 | void | 1208 | void |
1448 | print_help (void) | 1209 | print_help (void) |
1449 | { | 1210 | { |
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 19e9aea8..ad85c7f6 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c | |||
@@ -27,35 +27,14 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; | |||
27 | #include "netutils.h" | 27 | #include "netutils.h" |
28 | #include "utils.h" | 28 | #include "utils.h" |
29 | 29 | ||
30 | #ifdef HAVE_SSL_H | ||
31 | # include <rsa.h> | ||
32 | # include <crypto.h> | ||
33 | # include <x509.h> | ||
34 | # include <pem.h> | ||
35 | # include <ssl.h> | ||
36 | # include <err.h> | ||
37 | #else | ||
38 | # ifdef HAVE_OPENSSL_SSL_H | ||
39 | # include <openssl/rsa.h> | ||
40 | # include <openssl/crypto.h> | ||
41 | # include <openssl/x509.h> | ||
42 | # include <openssl/pem.h> | ||
43 | # include <openssl/ssl.h> | ||
44 | # include <openssl/err.h> | ||
45 | # endif | ||
46 | #endif | ||
47 | |||
48 | #ifdef HAVE_SSL | 30 | #ifdef HAVE_SSL |
49 | |||
50 | int check_cert = FALSE; | 31 | int check_cert = FALSE; |
51 | int days_till_exp; | 32 | int days_till_exp; |
52 | SSL_CTX *ctx; | 33 | # define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) |
53 | SSL *ssl; | 34 | # define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) |
54 | X509 *server_cert; | 35 | #else /* ifndef HAVE_SSL */ |
55 | int connect_STARTTLS (void); | 36 | # define my_recv(buf, len) read(sd, buf, len) |
56 | # ifdef USE_OPENSSL | 37 | # define my_send(buf, len) send(sd, buf, len, 0) |
57 | int check_certificate (X509 **); | ||
58 | # endif | ||
59 | #endif | 38 | #endif |
60 | 39 | ||
61 | enum { | 40 | enum { |
@@ -77,7 +56,6 @@ int process_arguments (int, char **); | |||
77 | int validate_arguments (void); | 56 | int validate_arguments (void); |
78 | void print_help (void); | 57 | void print_help (void); |
79 | void print_usage (void); | 58 | void print_usage (void); |
80 | int myrecv(void); | ||
81 | int my_close(void); | 59 | int my_close(void); |
82 | 60 | ||
83 | #ifdef HAVE_REGEX_H | 61 | #ifdef HAVE_REGEX_H |
@@ -111,7 +89,7 @@ int check_critical_time = FALSE; | |||
111 | int verbose = 0; | 89 | int verbose = 0; |
112 | int use_ssl = FALSE; | 90 | int use_ssl = FALSE; |
113 | short use_ehlo = FALSE; | 91 | short use_ehlo = FALSE; |
114 | short ssl_established = TRUE; | 92 | short ssl_established = 0; |
115 | char *localhostname = NULL; | 93 | char *localhostname = NULL; |
116 | int sd; | 94 | int sd; |
117 | char buffer[MAX_INPUT_BUFFER]; | 95 | char buffer[MAX_INPUT_BUFFER]; |
@@ -237,22 +215,20 @@ main (int argc, char **argv) | |||
237 | send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); | 215 | send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); |
238 | return STATE_UNKNOWN; | 216 | return STATE_UNKNOWN; |
239 | } | 217 | } |
240 | if(connect_STARTTLS() != OK) { | 218 | result = np_net_ssl_init(sd); |
219 | if(result != STATE_OK) { | ||
241 | printf (_("CRITICAL - Cannot create SSL context.\n")); | 220 | printf (_("CRITICAL - Cannot create SSL context.\n")); |
221 | np_net_ssl_cleanup(); | ||
222 | close(sd); | ||
242 | return STATE_CRITICAL; | 223 | return STATE_CRITICAL; |
243 | } else { | 224 | } else { |
244 | ssl_established = TRUE; | 225 | ssl_established = 1; |
245 | } | 226 | } |
246 | # ifdef USE_OPENSSL | 227 | # ifdef USE_OPENSSL |
247 | if ( check_cert ) { | 228 | if ( check_cert ) { |
248 | if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { | 229 | result = np_net_ssl_check_cert(days_till_exp); |
249 | result = check_certificate (&server_cert); | 230 | if(result != STATE_OK){ |
250 | X509_free(server_cert); | ||
251 | } | ||
252 | else { | ||
253 | printf (_("CRITICAL - Cannot retrieve server certificate.\n")); | 231 | printf (_("CRITICAL - Cannot retrieve server certificate.\n")); |
254 | result = STATE_CRITICAL; | ||
255 | |||
256 | } | 232 | } |
257 | my_close(); | 233 | my_close(); |
258 | return result; | 234 | return result; |
@@ -272,26 +248,16 @@ main (int argc, char **argv) | |||
272 | * Use the -f option to provide a FROM address | 248 | * Use the -f option to provide a FROM address |
273 | */ | 249 | */ |
274 | if (smtp_use_dummycmd) { | 250 | if (smtp_use_dummycmd) { |
275 | #ifdef HAVE_SSL | 251 | my_send(cmd_str, strlen(cmd_str)); |
276 | if (use_ssl) | 252 | my_recv(buffer, MAX_INPUT_BUFFER-1); |
277 | SSL_write(ssl, cmd_str, strlen(cmd_str)); | ||
278 | else | ||
279 | #endif | ||
280 | send(sd, cmd_str, strlen(cmd_str), 0); | ||
281 | myrecv(); | ||
282 | if (verbose) | 253 | if (verbose) |
283 | printf("%s", buffer); | 254 | printf("%s", buffer); |
284 | } | 255 | } |
285 | 256 | ||
286 | while (n < ncommands) { | 257 | while (n < ncommands) { |
287 | asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); | 258 | asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); |
288 | #ifdef HAVE_SSL | 259 | my_send(cmd_str, strlen(cmd_str)); |
289 | if (use_ssl) | 260 | my_recv(buffer, MAX_INPUT_BUFFER-1); |
290 | SSL_write(ssl,cmd_str, strlen(cmd_str)); | ||
291 | else | ||
292 | #endif | ||
293 | send(sd, cmd_str, strlen(cmd_str), 0); | ||
294 | myrecv(); | ||
295 | if (verbose) | 261 | if (verbose) |
296 | printf("%s", buffer); | 262 | printf("%s", buffer); |
297 | strip (buffer); | 263 | strip (buffer); |
@@ -328,12 +294,7 @@ main (int argc, char **argv) | |||
328 | } | 294 | } |
329 | 295 | ||
330 | /* tell the server we're done */ | 296 | /* tell the server we're done */ |
331 | #ifdef HAVE_SSL | 297 | my_send (SMTP_QUIT, strlen (SMTP_QUIT)); |
332 | if (use_ssl) | ||
333 | SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT)); | ||
334 | else | ||
335 | #endif | ||
336 | send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); | ||
337 | 298 | ||
338 | /* finally close the connection */ | 299 | /* finally close the connection */ |
339 | close (sd); | 300 | close (sd); |
@@ -626,150 +587,11 @@ Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ | |||
626 | [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname); | 587 | [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname); |
627 | } | 588 | } |
628 | 589 | ||
629 | #ifdef HAVE_SSL | ||
630 | int | ||
631 | connect_STARTTLS (void) | ||
632 | { | ||
633 | SSL_METHOD *meth; | ||
634 | |||
635 | /* Initialize SSL context */ | ||
636 | SSLeay_add_ssl_algorithms (); | ||
637 | meth = SSLv23_client_method (); | ||
638 | SSL_load_error_strings (); | ||
639 | if ((ctx = SSL_CTX_new (meth)) == NULL) | ||
640 | { | ||
641 | printf(_("CRITICAL - Cannot create SSL context.\n")); | ||
642 | return STATE_CRITICAL; | ||
643 | } | ||
644 | /* do the SSL handshake */ | ||
645 | if ((ssl = SSL_new (ctx)) != NULL) | ||
646 | { | ||
647 | SSL_set_fd (ssl, sd); | ||
648 | /* original version checked for -1 | ||
649 | I look for success instead (1) */ | ||
650 | if (SSL_connect (ssl) == 1) | ||
651 | return OK; | ||
652 | # ifdef USE_OPENSSL | ||
653 | ERR_print_errors_fp (stderr); | ||
654 | # endif | ||
655 | } | ||
656 | else | ||
657 | { | ||
658 | printf (_("CRITICAL - Cannot initiate SSL handshake.\n")); | ||
659 | } | ||
660 | my_close(); | ||
661 | |||
662 | return STATE_CRITICAL; | ||
663 | } | ||
664 | |||
665 | # ifdef USE_OPENSSL | ||
666 | int | ||
667 | check_certificate (X509 ** certificate) | ||
668 | { | ||
669 | ASN1_STRING *tm; | ||
670 | int offset; | ||
671 | struct tm stamp; | ||
672 | int days_left; | ||
673 | |||
674 | /* Retrieve timestamp of certificate */ | ||
675 | tm = X509_get_notAfter (*certificate); | ||
676 | |||
677 | /* Generate tm structure to process timestamp */ | ||
678 | if (tm->type == V_ASN1_UTCTIME) { | ||
679 | if (tm->length < 10) { | ||
680 | printf (_("CRITICAL - Wrong time format in certificate.\n")); | ||
681 | return STATE_CRITICAL; | ||
682 | } | ||
683 | else { | ||
684 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
685 | if (stamp.tm_year < 50) | ||
686 | stamp.tm_year += 100; | ||
687 | offset = 0; | ||
688 | } | ||
689 | } | ||
690 | else { | ||
691 | if (tm->length < 12) { | ||
692 | printf (_("CRITICAL - Wrong time format in certificate.\n")); | ||
693 | return STATE_CRITICAL; | ||
694 | } | ||
695 | else { | ||
696 | stamp.tm_year = | ||
697 | (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
698 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
699 | stamp.tm_year -= 1900; | ||
700 | offset = 2; | ||
701 | } | ||
702 | } | ||
703 | stamp.tm_mon = | ||
704 | (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | ||
705 | stamp.tm_mday = | ||
706 | (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | ||
707 | stamp.tm_hour = | ||
708 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); | ||
709 | stamp.tm_min = | ||
710 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); | ||
711 | stamp.tm_sec = 0; | ||
712 | stamp.tm_isdst = -1; | ||
713 | |||
714 | days_left = (mktime (&stamp) - time (NULL)) / 86400; | ||
715 | snprintf | ||
716 | (timestamp, sizeof(timestamp), "%02d/%02d/%04d %02d:%02d", | ||
717 | stamp.tm_mon + 1, | ||
718 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | ||
719 | |||
720 | if (days_left > 0 && days_left <= days_till_exp) { | ||
721 | printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp); | ||
722 | return STATE_WARNING; | ||
723 | } | ||
724 | if (days_left < 0) { | ||
725 | printf ("Certificate expired on %s.\n", timestamp); | ||
726 | return STATE_CRITICAL; | ||
727 | } | ||
728 | |||
729 | if (days_left == 0) { | ||
730 | printf ("Certificate expires today (%s).\n", timestamp); | ||
731 | return STATE_WARNING; | ||
732 | } | ||
733 | |||
734 | printf ("Certificate will expire on %s.\n", timestamp); | ||
735 | |||
736 | return STATE_OK; | ||
737 | } | ||
738 | # endif /* USE_OPENSSL */ | ||
739 | #endif | ||
740 | |||
741 | int | ||
742 | myrecv (void) | ||
743 | { | ||
744 | int i; | ||
745 | |||
746 | #ifdef HAVE_SSL | ||
747 | if (use_ssl) { | ||
748 | i = SSL_read (ssl, buffer, MAXBUF - 1); | ||
749 | } | ||
750 | else { | ||
751 | #endif | ||
752 | i = read (sd, buffer, MAXBUF - 1); | ||
753 | #ifdef HAVE_SSL | ||
754 | } | ||
755 | #endif | ||
756 | return i; | ||
757 | } | ||
758 | |||
759 | int | 590 | int |
760 | my_close (void) | 591 | my_close (void) |
761 | { | 592 | { |
762 | #ifdef HAVE_SSL | 593 | #ifdef HAVE_SSL |
763 | if (use_ssl == TRUE && ssl_established == TRUE) { | 594 | np_net_ssl_cleanup(); |
764 | SSL_shutdown (ssl); | ||
765 | SSL_free (ssl); | ||
766 | SSL_CTX_free (ctx); | ||
767 | return 0; | ||
768 | } | ||
769 | else { | ||
770 | #endif | ||
771 | return close(sd); | ||
772 | #ifdef HAVE_SSL | ||
773 | } | ||
774 | #endif | 595 | #endif |
596 | return close(sd); | ||
775 | } | 597 | } |
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index 3ffa4cd6..1b6513ba 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c | |||
@@ -32,10 +32,6 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; | |||
32 | static int check_cert = FALSE; | 32 | static int check_cert = FALSE; |
33 | static int days_till_exp; | 33 | static int days_till_exp; |
34 | static char *randbuff = ""; | 34 | static char *randbuff = ""; |
35 | static X509 *server_cert; | ||
36 | # ifdef USE_OPENSSL | ||
37 | static int check_certificate (X509 **); | ||
38 | # endif /* USE_OPENSSL */ | ||
39 | # define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) | 35 | # define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) |
40 | # define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) | 36 | # define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) |
41 | #else | 37 | #else |
@@ -43,7 +39,6 @@ static int check_certificate (X509 **); | |||
43 | # define my_send(buf, len) send(sd, buf, len, 0) | 39 | # define my_send(buf, len) send(sd, buf, len, 0) |
44 | #endif | 40 | #endif |
45 | 41 | ||
46 | |||
47 | /* int my_recv(char *, size_t); */ | 42 | /* int my_recv(char *, size_t); */ |
48 | static int process_arguments (int, char **); | 43 | static int process_arguments (int, char **); |
49 | void print_help (void); | 44 | void print_help (void); |
@@ -217,34 +212,19 @@ main (int argc, char **argv) | |||
217 | #ifdef HAVE_SSL | 212 | #ifdef HAVE_SSL |
218 | if (flags & FLAG_SSL){ | 213 | if (flags & FLAG_SSL){ |
219 | result = np_net_ssl_init(sd); | 214 | result = np_net_ssl_init(sd); |
220 | if(result != STATE_OK) return result; | 215 | if (result == STATE_OK && check_cert == TRUE) { |
221 | /* XXX does np_net_ssl take care of printing an error? | 216 | result = np_net_ssl_check_cert(days_till_exp); |
222 | die (STATE_CRITICAL,_("CRITICAL - Could not make SSL connection\n")); | 217 | if(result != STATE_OK) { |
223 | */ | 218 | printf(_("CRITICAL - Cannot retrieve server certificate.\n")); |
224 | } | 219 | } |
225 | # ifdef USE_OPENSSL /* XXX gnutls does cert checking differently */ | ||
226 | /* | ||
227 | if (flags & FLAG_SSL && check_cert == TRUE) { | ||
228 | if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { | ||
229 | result = check_certificate (&server_cert); | ||
230 | X509_free(server_cert); | ||
231 | } | ||
232 | else { | ||
233 | printf(_("CRITICAL - Cannot retrieve server certificate.\n")); | ||
234 | result = STATE_CRITICAL; | ||
235 | } | 220 | } |
236 | } | 221 | } |
237 | */ | ||
238 | # endif /* USE_OPENSSL */ | ||
239 | #endif | ||
240 | |||
241 | if(result != STATE_OK){ | 222 | if(result != STATE_OK){ |
242 | #ifdef HAVE_SSL | ||
243 | np_net_ssl_cleanup(); | 223 | np_net_ssl_cleanup(); |
244 | #endif | ||
245 | if(sd) close(sd); | 224 | if(sd) close(sd); |
246 | return result; | 225 | return result; |
247 | } | 226 | } |
227 | #endif /* HAVE_SSL */ | ||
248 | 228 | ||
249 | if (server_send != NULL) { /* Something to send? */ | 229 | if (server_send != NULL) { /* Something to send? */ |
250 | my_send(server_send, strlen(server_send)); | 230 | my_send(server_send, strlen(server_send)); |
@@ -567,86 +547,6 @@ process_arguments (int argc, char **argv) | |||
567 | } | 547 | } |
568 | 548 | ||
569 | 549 | ||
570 | /* SSL-specific functions */ | ||
571 | #ifdef HAVE_SSL | ||
572 | # ifdef USE_OPENSSL /* XXX */ | ||
573 | static int | ||
574 | check_certificate (X509 ** certificate) | ||
575 | { | ||
576 | ASN1_STRING *tm; | ||
577 | int offset; | ||
578 | struct tm stamp; | ||
579 | int days_left; | ||
580 | |||
581 | |||
582 | /* Retrieve timestamp of certificate */ | ||
583 | tm = X509_get_notAfter (*certificate); | ||
584 | |||
585 | /* Generate tm structure to process timestamp */ | ||
586 | if (tm->type == V_ASN1_UTCTIME) { | ||
587 | if (tm->length < 10) { | ||
588 | printf (_("CRITICAL - Wrong time format in certificate.\n")); | ||
589 | return STATE_CRITICAL; | ||
590 | } | ||
591 | else { | ||
592 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
593 | if (stamp.tm_year < 50) | ||
594 | stamp.tm_year += 100; | ||
595 | offset = 0; | ||
596 | } | ||
597 | } | ||
598 | else { | ||
599 | if (tm->length < 12) { | ||
600 | printf (_("CRITICAL - Wrong time format in certificate.\n")); | ||
601 | return STATE_CRITICAL; | ||
602 | } | ||
603 | else { | ||
604 | stamp.tm_year = | ||
605 | (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
606 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
607 | stamp.tm_year -= 1900; | ||
608 | offset = 2; | ||
609 | } | ||
610 | } | ||
611 | stamp.tm_mon = | ||
612 | (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | ||
613 | stamp.tm_mday = | ||
614 | (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | ||
615 | stamp.tm_hour = | ||
616 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); | ||
617 | stamp.tm_min = | ||
618 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); | ||
619 | stamp.tm_sec = 0; | ||
620 | stamp.tm_isdst = -1; | ||
621 | |||
622 | days_left = (mktime (&stamp) - time (NULL)) / 86400; | ||
623 | snprintf | ||
624 | (timestamp, 16, "%02d/%02d/%04d %02d:%02d", | ||
625 | stamp.tm_mon + 1, | ||
626 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | ||
627 | |||
628 | if (days_left > 0 && days_left <= days_till_exp) { | ||
629 | printf (_("Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); | ||
630 | return STATE_WARNING; | ||
631 | } | ||
632 | if (days_left < 0) { | ||
633 | printf (_("Certificate expired on %s.\n"), timestamp); | ||
634 | return STATE_CRITICAL; | ||
635 | } | ||
636 | |||
637 | if (days_left == 0) { | ||
638 | printf (_("Certificate expires today (%s).\n"), timestamp); | ||
639 | return STATE_WARNING; | ||
640 | } | ||
641 | |||
642 | printf (_("Certificate will expire on %s.\n"), timestamp); | ||
643 | |||
644 | return STATE_OK; | ||
645 | } | ||
646 | # endif /* USE_OPENSSL */ | ||
647 | #endif /* HAVE_SSL */ | ||
648 | |||
649 | |||
650 | void | 550 | void |
651 | print_help (void) | 551 | print_help (void) |
652 | { | 552 | { |
diff --git a/plugins/netutils.c b/plugins/netutils.c index e3fbb3aa..2678f911 100644 --- a/plugins/netutils.c +++ b/plugins/netutils.c | |||
@@ -281,6 +281,84 @@ int np_net_ssl_read(void *buf, int num){ | |||
281 | return SSL_read(s, buf, num); | 281 | return SSL_read(s, buf, num); |
282 | } | 282 | } |
283 | 283 | ||
284 | int np_net_ssl_check_cert(int days_till_exp){ | ||
285 | # ifdef USE_OPENSSL | ||
286 | X509 *certificate=NULL; | ||
287 | ASN1_STRING *tm; | ||
288 | int offset; | ||
289 | struct tm stamp; | ||
290 | int days_left; | ||
291 | char timestamp[17] = ""; | ||
292 | |||
293 | certificate=SSL_get_peer_certificate(s); | ||
294 | if(! certificate){ | ||
295 | printf (_("CRITICAL - Cannot retrieve server certificate.\n")); | ||
296 | return STATE_CRITICAL; | ||
297 | } | ||
298 | |||
299 | /* Retrieve timestamp of certificate */ | ||
300 | tm = X509_get_notAfter (certificate); | ||
301 | |||
302 | /* Generate tm structure to process timestamp */ | ||
303 | if (tm->type == V_ASN1_UTCTIME) { | ||
304 | if (tm->length < 10) { | ||
305 | printf (_("CRITICAL - Wrong time format in certificate.\n")); | ||
306 | return STATE_CRITICAL; | ||
307 | } else { | ||
308 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
309 | if (stamp.tm_year < 50) | ||
310 | stamp.tm_year += 100; | ||
311 | offset = 0; | ||
312 | } | ||
313 | } else { | ||
314 | if (tm->length < 12) { | ||
315 | printf (_("CRITICAL - Wrong time format in certificate.\n")); | ||
316 | return STATE_CRITICAL; | ||
317 | } else { | ||
318 | stamp.tm_year = | ||
319 | (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
320 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
321 | stamp.tm_year -= 1900; | ||
322 | offset = 2; | ||
323 | } | ||
324 | } | ||
325 | stamp.tm_mon = | ||
326 | (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | ||
327 | stamp.tm_mday = | ||
328 | (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | ||
329 | stamp.tm_hour = | ||
330 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); | ||
331 | stamp.tm_min = | ||
332 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); | ||
333 | stamp.tm_sec = 0; | ||
334 | stamp.tm_isdst = -1; | ||
335 | |||
336 | days_left = (mktime (&stamp) - time (NULL)) / 86400; | ||
337 | snprintf | ||
338 | (timestamp, 17, "%02d/%02d/%04d %02d:%02d", | ||
339 | stamp.tm_mon + 1, | ||
340 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | ||
341 | |||
342 | if (days_left > 0 && days_left <= days_till_exp) { | ||
343 | printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); | ||
344 | return STATE_WARNING; | ||
345 | } else if (days_left < 0) { | ||
346 | printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp); | ||
347 | return STATE_CRITICAL; | ||
348 | } else if (days_left == 0) { | ||
349 | printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); | ||
350 | return STATE_WARNING; | ||
351 | } | ||
352 | |||
353 | printf (_("OK - Certificate will expire on %s.\n"), timestamp); | ||
354 | X509_free (certificate); | ||
355 | return STATE_OK; | ||
356 | # else /* ifndef USE_OPENSSL */ | ||
357 | printf (_("WARNING - Plugin does not support checking certificates.\n")); | ||
358 | return STATE_WARNING; | ||
359 | # endif /* USE_OPENSSL */ | ||
360 | } | ||
361 | |||
284 | #endif /* HAVE_SSL */ | 362 | #endif /* HAVE_SSL */ |
285 | 363 | ||
286 | int | 364 | int |
diff --git a/plugins/netutils.h b/plugins/netutils.h index 85b5aa99..9b0557d3 100644 --- a/plugins/netutils.h +++ b/plugins/netutils.h | |||
@@ -89,6 +89,7 @@ int np_net_ssl_init(int sd); | |||
89 | void np_net_ssl_cleanup(); | 89 | void np_net_ssl_cleanup(); |
90 | int np_net_ssl_write(const void *buf, int num); | 90 | int np_net_ssl_write(const void *buf, int num); |
91 | int np_net_ssl_read(void *buf, int num); | 91 | int np_net_ssl_read(void *buf, int num); |
92 | int np_net_ssl_check_cert(int days_till_exp); | ||
92 | #endif /* HAVE_SSL */ | 93 | #endif /* HAVE_SSL */ |
93 | 94 | ||
94 | #endif /* _NETUTILS_H_ */ | 95 | #endif /* _NETUTILS_H_ */ |