summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorM. Sean Finney <seanius@users.sourceforge.net>2005-10-19 20:22:00 +0000
committerM. Sean Finney <seanius@users.sourceforge.net>2005-10-19 20:22:00 +0000
commitcf66a717e9e8f55315d50b3b33a70b8a6f140981 (patch)
tree54dda3e4c83988c27cbc6f08a1d8da586032b4ac
parent5dd7b5dff439ab19119efd24d7822ca19b3e5bf7 (diff)
downloadmonitoring-plugins-cf66a717e9e8f55315d50b3b33a70b8a6f140981.tar.gz
all plugins now using centralized ssl functions in netutils.c
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1257 f882894a-f735-0410-b71e-b25c423dba1c
-rw-r--r--plugins/check_http.c297
-rw-r--r--plugins/check_smtp.c218
-rw-r--r--plugins/check_tcp.c112
-rw-r--r--plugins/netutils.c78
-rw-r--r--plugins/netutils.h1
5 files changed, 134 insertions, 572 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 294866b0..413d501d 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -37,38 +37,17 @@ enum {
37 HTTPS_PORT = 443 37 HTTPS_PORT = 443
38}; 38};
39 39
40#ifdef HAVE_SSL_H
41#include <rsa.h>
42#include <crypto.h>
43#include <x509.h>
44#include <pem.h>
45#include <ssl.h>
46#include <err.h>
47#include <rand.h>
48#else
49# ifdef HAVE_OPENSSL_SSL_H
50# include <openssl/rsa.h>
51# include <openssl/crypto.h>
52# include <openssl/x509.h>
53# include <openssl/pem.h>
54# include <openssl/ssl.h>
55# include <openssl/err.h>
56# include <openssl/rand.h>
57# endif
58#endif
59
60#ifdef HAVE_SSL 40#ifdef HAVE_SSL
61int check_cert = FALSE; 41int check_cert = FALSE;
62int days_till_exp; 42int days_till_exp;
63char *randbuff; 43char *randbuff;
64SSL_CTX *ctx;
65SSL *ssl;
66X509 *server_cert; 44X509 *server_cert;
67int connect_SSL (void); 45# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
68# ifdef USE_OPENSSL 46# define my_send(buf, len) ((use_ssl) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
69int check_certificate (X509 **); 47#else /* ifndef HAVE_SSL */
70# endif 48# define my_recv(buf, len) read(sd, buf, len)
71#endif 49# define my_send(buf, len) send(sd, buf, len, 0)
50#endif /* HAVE_SSL */
72int no_body = FALSE; 51int no_body = FALSE;
73int maximum_age = -1; 52int maximum_age = -1;
74 53
@@ -132,8 +111,6 @@ int server_type_check(const char *type);
132int server_port_check(int ssl_flag); 111int server_port_check(int ssl_flag);
133char *perfd_time (double microsec); 112char *perfd_time (double microsec);
134char *perfd_size (int page_len); 113char *perfd_size (int page_len);
135int my_recv (void);
136int my_close (void);
137void print_help (void); 114void print_help (void);
138void print_usage (void); 115void print_usage (void);
139 116
@@ -168,29 +145,7 @@ main (int argc, char **argv)
168 (void) alarm (socket_timeout); 145 (void) alarm (socket_timeout);
169 gettimeofday (&tv, NULL); 146 gettimeofday (&tv, NULL);
170 147
171#ifdef USE_OPENSSL
172 if (use_ssl && check_cert == TRUE) {
173 if (connect_SSL () != OK)
174 die (STATE_CRITICAL, _("HTTP CRITICAL - Could not make SSL connection\n"));
175 if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
176 result = check_certificate (&server_cert);
177 X509_free (server_cert);
178 }
179 else {
180 printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
181 result = STATE_CRITICAL;
182 }
183 SSL_shutdown (ssl);
184 SSL_free (ssl);
185 SSL_CTX_free (ctx);
186 close (sd);
187 }
188 else {
189 result = check_http ();
190 }
191#else
192 result = check_http (); 148 result = check_http ();
193#endif
194 return result; 149 return result;
195} 150}
196 151
@@ -790,34 +745,27 @@ check_http (void)
790 long microsec; 745 long microsec;
791 double elapsed_time; 746 double elapsed_time;
792 int page_len = 0; 747 int page_len = 0;
748 int result = STATE_UNKNOWN;
793#ifdef HAVE_SSL 749#ifdef HAVE_SSL
794 int sslerr; 750 int sslerr;
795#endif 751#endif
796 752
797 /* try to connect to the host at the given port number */ 753 /* try to connect to the host at the given port number */
754 if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
755 die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
798#ifdef HAVE_SSL 756#ifdef HAVE_SSL
799 if (use_ssl == TRUE) { 757 if (use_ssl == TRUE) {
800 758 np_net_ssl_init(sd);
801 if (connect_SSL () != OK) { 759 if (check_cert == TRUE) {
802 die (STATE_CRITICAL, _("Unable to open TCP socket\n")); 760 result = np_net_ssl_check_cert(days_till_exp);
803 } 761 if(result != STATE_OK){
804# ifdef USE_OPENSSL 762 np_net_ssl_cleanup();
805 if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { 763 if(sd) close(sd);
806 X509_free (server_cert); 764 return result;
807 } 765 }
808 else {
809 printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
810 return STATE_CRITICAL;
811 } 766 }
812# endif /* USE_OPENSSL */
813 }
814 else {
815#endif
816 if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
817 die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
818#ifdef HAVE_SSL
819 } 767 }
820#endif 768#endif /* HAVE_SSL */
821 769
822 asprintf (&buf, "%s %s HTTP/1.0\r\n%s\r\n", http_method, server_url, user_agent); 770 asprintf (&buf, "%s %s HTTP/1.0\r\n%s\r\n", http_method, server_url, user_agent);
823 771
@@ -853,28 +801,12 @@ check_http (void)
853 asprintf (&buf, "%s%s", buf, CRLF); 801 asprintf (&buf, "%s%s", buf, CRLF);
854 } 802 }
855 803
856 if (verbose) 804 if (verbose) printf ("%s\n", buf);
857 printf ("%s\n", buf); 805 my_send (buf, strlen (buf));
858
859#ifdef HAVE_SSL
860 if (use_ssl == TRUE) {
861 if (SSL_write (ssl, buf, (int)strlen(buf)) == -1) {
862# ifdef USE_OPENSSL
863 ERR_print_errors_fp (stderr);
864# endif
865 return STATE_CRITICAL;
866 }
867 }
868 else {
869#endif
870 send (sd, buf, strlen (buf), 0);
871#ifdef HAVE_SSL
872 }
873#endif
874 806
875 /* fetch the page */ 807 /* fetch the page */
876 full_page = strdup(""); 808 full_page = strdup("");
877 while ((i = my_recv ()) > 0) { 809 while ((i = my_recv (buffer, MAX_INPUT_BUFFER-1)) > 0) {
878 buffer[i] = '\0'; 810 buffer[i] = '\0';
879 asprintf (&full_page, "%s%s", full_page, buffer); 811 asprintf (&full_page, "%s%s", full_page, buffer);
880 pagesize += i; 812 pagesize += i;
@@ -887,6 +819,7 @@ check_http (void)
887 819
888 if (i < 0 && errno != ECONNRESET) { 820 if (i < 0 && errno != ECONNRESET) {
889#ifdef HAVE_SSL 821#ifdef HAVE_SSL
822 /*
890 if (use_ssl) { 823 if (use_ssl) {
891 sslerr=SSL_get_error(ssl, i); 824 sslerr=SSL_get_error(ssl, i);
892 if ( sslerr == SSL_ERROR_SSL ) { 825 if ( sslerr == SSL_ERROR_SSL ) {
@@ -896,10 +829,13 @@ check_http (void)
896 } 829 }
897 } 830 }
898 else { 831 else {
832 */
899#endif 833#endif
900 die (STATE_CRITICAL, _("Error on receive\n")); 834 die (STATE_CRITICAL, _("Error on receive\n"));
901#ifdef HAVE_SSL 835#ifdef HAVE_SSL
836 /* XXX
902 } 837 }
838 */
903#endif 839#endif
904 } 840 }
905 841
@@ -908,7 +844,10 @@ check_http (void)
908 die (STATE_CRITICAL, _("No data received %s\n"), timestamp); 844 die (STATE_CRITICAL, _("No data received %s\n"), timestamp);
909 845
910 /* close the connection */ 846 /* close the connection */
911 my_close (); 847#ifdef HAVE_SSL
848 np_net_ssl_cleanup();
849#endif
850 if(sd) close(sd);
912 851
913 /* reset the alarm */ 852 /* reset the alarm */
914 alarm (0); 853 alarm (0);
@@ -1248,143 +1187,6 @@ server_port_check (int ssl_flag)
1248 return HTTP_PORT; 1187 return HTTP_PORT;
1249} 1188}
1250 1189
1251
1252
1253#ifdef HAVE_SSL
1254int connect_SSL (void)
1255{
1256 SSL_METHOD *meth;
1257
1258 asprintf (&randbuff, "%s", "qwertyuiopasdfghjklqwertyuiopasdfghjkl");
1259 RAND_seed (randbuff, (int)strlen(randbuff));
1260 if (verbose)
1261 printf(_("SSL seeding: %s\n"), (RAND_status()==1 ? _("OK") : _("Failed")) );
1262
1263 /* Initialize SSL context */
1264 SSLeay_add_ssl_algorithms ();
1265 meth = SSLv23_client_method ();
1266 SSL_load_error_strings ();
1267 if ((ctx = SSL_CTX_new (meth)) == NULL) {
1268 printf (_("CRITICAL - Cannot create SSL context.\n"));
1269 return STATE_CRITICAL;
1270 }
1271
1272 /* Initialize alarm signal handling */
1273 signal (SIGALRM, socket_timeout_alarm_handler);
1274
1275 /* Set socket timeout */
1276 alarm (socket_timeout);
1277
1278 /* Save start time */
1279 gettimeofday (&tv, NULL);
1280
1281 /* Make TCP connection */
1282 if (my_tcp_connect (server_address, server_port, &sd) == STATE_OK) {
1283 /* Do the SSL handshake */
1284 if ((ssl = SSL_new (ctx)) != NULL) {
1285#ifdef USE_OPENSSL
1286 SSL_set_cipher_list(ssl, "ALL");
1287#endif
1288 SSL_set_fd (ssl, sd);
1289 if (SSL_connect (ssl) != -1)
1290 return OK;
1291#ifdef USE_OPENSSL
1292 ERR_print_errors_fp (stderr);
1293#endif
1294 }
1295 else {
1296 printf (_("CRITICAL - Cannot initiate SSL handshake.\n"));
1297 }
1298 SSL_free (ssl);
1299 }
1300
1301 SSL_CTX_free (ctx);
1302 close (sd);
1303
1304 return STATE_CRITICAL;
1305}
1306#endif
1307
1308
1309
1310#ifdef USE_OPENSSL
1311int
1312check_certificate (X509 ** certificate)
1313{
1314 ASN1_STRING *tm;
1315 int offset;
1316 struct tm stamp;
1317 int days_left;
1318
1319
1320 /* Retrieve timestamp of certificate */
1321 tm = X509_get_notAfter (*certificate);
1322
1323 /* Generate tm structure to process timestamp */
1324 if (tm->type == V_ASN1_UTCTIME) {
1325 if (tm->length < 10) {
1326 printf (_("CRITICAL - Wrong time format in certificate.\n"));
1327 return STATE_CRITICAL;
1328 }
1329 else {
1330 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
1331 if (stamp.tm_year < 50)
1332 stamp.tm_year += 100;
1333 offset = 0;
1334 }
1335 }
1336 else {
1337 if (tm->length < 12) {
1338 printf (_("CRITICAL - Wrong time format in certificate.\n"));
1339 return STATE_CRITICAL;
1340 }
1341 else {
1342 stamp.tm_year =
1343 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
1344 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
1345 stamp.tm_year -= 1900;
1346 offset = 2;
1347 }
1348 }
1349 stamp.tm_mon =
1350 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
1351 stamp.tm_mday =
1352 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
1353 stamp.tm_hour =
1354 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
1355 stamp.tm_min =
1356 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
1357 stamp.tm_sec = 0;
1358 stamp.tm_isdst = -1;
1359
1360 days_left = (mktime (&stamp) - time (NULL)) / 86400;
1361 snprintf
1362 (timestamp, 17, "%02d/%02d/%04d %02d:%02d",
1363 stamp.tm_mon + 1,
1364 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
1365
1366 if (days_left > 0 && days_left <= days_till_exp) {
1367 printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
1368 return STATE_WARNING;
1369 }
1370 if (days_left < 0) {
1371 printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
1372 return STATE_CRITICAL;
1373 }
1374
1375 if (days_left == 0) {
1376 printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
1377 return STATE_WARNING;
1378 }
1379
1380 printf (_("OK - Certificate will expire on %s.\n"), timestamp);
1381
1382 return STATE_OK;
1383}
1384#endif
1385
1386
1387
1388char *perfd_time (double elapsed_time) 1190char *perfd_time (double elapsed_time)
1389{ 1191{
1390 return fperfdata ("time", elapsed_time, "s", 1192 return fperfdata ("time", elapsed_time, "s",
@@ -1403,47 +1205,6 @@ char *perfd_size (int page_len)
1403 TRUE, 0, FALSE, 0); 1205 TRUE, 0, FALSE, 0);
1404} 1206}
1405 1207
1406
1407
1408int
1409my_recv (void)
1410{
1411 int i;
1412#ifdef HAVE_SSL
1413 if (use_ssl) {
1414 i = SSL_read (ssl, buffer, MAX_INPUT_BUFFER - 1);
1415 }
1416 else {
1417 i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0);
1418 }
1419#else
1420 i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0);
1421#endif
1422 return i;
1423}
1424
1425
1426
1427int
1428my_close (void)
1429{
1430#ifdef HAVE_SSL
1431 if (use_ssl == TRUE) {
1432 SSL_shutdown (ssl);
1433 SSL_free (ssl);
1434 SSL_CTX_free (ctx);
1435 return 0;
1436 }
1437 else {
1438#endif
1439 return close (sd);
1440#ifdef HAVE_SSL
1441 }
1442#endif
1443}
1444
1445
1446
1447void 1208void
1448print_help (void) 1209print_help (void)
1449{ 1210{
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 19e9aea8..ad85c7f6 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -27,35 +27,14 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
27#include "netutils.h" 27#include "netutils.h"
28#include "utils.h" 28#include "utils.h"
29 29
30#ifdef HAVE_SSL_H
31# include <rsa.h>
32# include <crypto.h>
33# include <x509.h>
34# include <pem.h>
35# include <ssl.h>
36# include <err.h>
37#else
38# ifdef HAVE_OPENSSL_SSL_H
39# include <openssl/rsa.h>
40# include <openssl/crypto.h>
41# include <openssl/x509.h>
42# include <openssl/pem.h>
43# include <openssl/ssl.h>
44# include <openssl/err.h>
45# endif
46#endif
47
48#ifdef HAVE_SSL 30#ifdef HAVE_SSL
49
50int check_cert = FALSE; 31int check_cert = FALSE;
51int days_till_exp; 32int days_till_exp;
52SSL_CTX *ctx; 33# define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
53SSL *ssl; 34# define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
54X509 *server_cert; 35#else /* ifndef HAVE_SSL */
55int connect_STARTTLS (void); 36# define my_recv(buf, len) read(sd, buf, len)
56# ifdef USE_OPENSSL 37# define my_send(buf, len) send(sd, buf, len, 0)
57int check_certificate (X509 **);
58# endif
59#endif 38#endif
60 39
61enum { 40enum {
@@ -77,7 +56,6 @@ int process_arguments (int, char **);
77int validate_arguments (void); 56int validate_arguments (void);
78void print_help (void); 57void print_help (void);
79void print_usage (void); 58void print_usage (void);
80int myrecv(void);
81int my_close(void); 59int my_close(void);
82 60
83#ifdef HAVE_REGEX_H 61#ifdef HAVE_REGEX_H
@@ -111,7 +89,7 @@ int check_critical_time = FALSE;
111int verbose = 0; 89int verbose = 0;
112int use_ssl = FALSE; 90int use_ssl = FALSE;
113short use_ehlo = FALSE; 91short use_ehlo = FALSE;
114short ssl_established = TRUE; 92short ssl_established = 0;
115char *localhostname = NULL; 93char *localhostname = NULL;
116int sd; 94int sd;
117char buffer[MAX_INPUT_BUFFER]; 95char buffer[MAX_INPUT_BUFFER];
@@ -237,22 +215,20 @@ main (int argc, char **argv)
237 send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); 215 send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
238 return STATE_UNKNOWN; 216 return STATE_UNKNOWN;
239 } 217 }
240 if(connect_STARTTLS() != OK) { 218 result = np_net_ssl_init(sd);
219 if(result != STATE_OK) {
241 printf (_("CRITICAL - Cannot create SSL context.\n")); 220 printf (_("CRITICAL - Cannot create SSL context.\n"));
221 np_net_ssl_cleanup();
222 close(sd);
242 return STATE_CRITICAL; 223 return STATE_CRITICAL;
243 } else { 224 } else {
244 ssl_established = TRUE; 225 ssl_established = 1;
245 } 226 }
246# ifdef USE_OPENSSL 227# ifdef USE_OPENSSL
247 if ( check_cert ) { 228 if ( check_cert ) {
248 if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { 229 result = np_net_ssl_check_cert(days_till_exp);
249 result = check_certificate (&server_cert); 230 if(result != STATE_OK){
250 X509_free(server_cert);
251 }
252 else {
253 printf (_("CRITICAL - Cannot retrieve server certificate.\n")); 231 printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
254 result = STATE_CRITICAL;
255
256 } 232 }
257 my_close(); 233 my_close();
258 return result; 234 return result;
@@ -272,26 +248,16 @@ main (int argc, char **argv)
272 * Use the -f option to provide a FROM address 248 * Use the -f option to provide a FROM address
273 */ 249 */
274 if (smtp_use_dummycmd) { 250 if (smtp_use_dummycmd) {
275#ifdef HAVE_SSL 251 my_send(cmd_str, strlen(cmd_str));
276 if (use_ssl) 252 my_recv(buffer, MAX_INPUT_BUFFER-1);
277 SSL_write(ssl, cmd_str, strlen(cmd_str));
278 else
279#endif
280 send(sd, cmd_str, strlen(cmd_str), 0);
281 myrecv();
282 if (verbose) 253 if (verbose)
283 printf("%s", buffer); 254 printf("%s", buffer);
284 } 255 }
285 256
286 while (n < ncommands) { 257 while (n < ncommands) {
287 asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); 258 asprintf (&cmd_str, "%s%s", commands[n], "\r\n");
288#ifdef HAVE_SSL 259 my_send(cmd_str, strlen(cmd_str));
289 if (use_ssl) 260 my_recv(buffer, MAX_INPUT_BUFFER-1);
290 SSL_write(ssl,cmd_str, strlen(cmd_str));
291 else
292#endif
293 send(sd, cmd_str, strlen(cmd_str), 0);
294 myrecv();
295 if (verbose) 261 if (verbose)
296 printf("%s", buffer); 262 printf("%s", buffer);
297 strip (buffer); 263 strip (buffer);
@@ -328,12 +294,7 @@ main (int argc, char **argv)
328 } 294 }
329 295
330 /* tell the server we're done */ 296 /* tell the server we're done */
331#ifdef HAVE_SSL 297 my_send (SMTP_QUIT, strlen (SMTP_QUIT));
332 if (use_ssl)
333 SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT));
334 else
335#endif
336 send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
337 298
338 /* finally close the connection */ 299 /* finally close the connection */
339 close (sd); 300 close (sd);
@@ -626,150 +587,11 @@ Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\
626 [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname); 587 [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname);
627} 588}
628 589
629#ifdef HAVE_SSL
630int
631connect_STARTTLS (void)
632{
633 SSL_METHOD *meth;
634
635 /* Initialize SSL context */
636 SSLeay_add_ssl_algorithms ();
637 meth = SSLv23_client_method ();
638 SSL_load_error_strings ();
639 if ((ctx = SSL_CTX_new (meth)) == NULL)
640 {
641 printf(_("CRITICAL - Cannot create SSL context.\n"));
642 return STATE_CRITICAL;
643 }
644 /* do the SSL handshake */
645 if ((ssl = SSL_new (ctx)) != NULL)
646 {
647 SSL_set_fd (ssl, sd);
648 /* original version checked for -1
649 I look for success instead (1) */
650 if (SSL_connect (ssl) == 1)
651 return OK;
652# ifdef USE_OPENSSL
653 ERR_print_errors_fp (stderr);
654# endif
655 }
656 else
657 {
658 printf (_("CRITICAL - Cannot initiate SSL handshake.\n"));
659 }
660 my_close();
661
662 return STATE_CRITICAL;
663}
664
665# ifdef USE_OPENSSL
666int
667check_certificate (X509 ** certificate)
668{
669 ASN1_STRING *tm;
670 int offset;
671 struct tm stamp;
672 int days_left;
673
674 /* Retrieve timestamp of certificate */
675 tm = X509_get_notAfter (*certificate);
676
677 /* Generate tm structure to process timestamp */
678 if (tm->type == V_ASN1_UTCTIME) {
679 if (tm->length < 10) {
680 printf (_("CRITICAL - Wrong time format in certificate.\n"));
681 return STATE_CRITICAL;
682 }
683 else {
684 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
685 if (stamp.tm_year < 50)
686 stamp.tm_year += 100;
687 offset = 0;
688 }
689 }
690 else {
691 if (tm->length < 12) {
692 printf (_("CRITICAL - Wrong time format in certificate.\n"));
693 return STATE_CRITICAL;
694 }
695 else {
696 stamp.tm_year =
697 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
698 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
699 stamp.tm_year -= 1900;
700 offset = 2;
701 }
702 }
703 stamp.tm_mon =
704 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
705 stamp.tm_mday =
706 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
707 stamp.tm_hour =
708 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
709 stamp.tm_min =
710 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
711 stamp.tm_sec = 0;
712 stamp.tm_isdst = -1;
713
714 days_left = (mktime (&stamp) - time (NULL)) / 86400;
715 snprintf
716 (timestamp, sizeof(timestamp), "%02d/%02d/%04d %02d:%02d",
717 stamp.tm_mon + 1,
718 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
719
720 if (days_left > 0 && days_left <= days_till_exp) {
721 printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp);
722 return STATE_WARNING;
723 }
724 if (days_left < 0) {
725 printf ("Certificate expired on %s.\n", timestamp);
726 return STATE_CRITICAL;
727 }
728
729 if (days_left == 0) {
730 printf ("Certificate expires today (%s).\n", timestamp);
731 return STATE_WARNING;
732 }
733
734 printf ("Certificate will expire on %s.\n", timestamp);
735
736 return STATE_OK;
737}
738# endif /* USE_OPENSSL */
739#endif
740
741int
742myrecv (void)
743{
744 int i;
745
746#ifdef HAVE_SSL
747 if (use_ssl) {
748 i = SSL_read (ssl, buffer, MAXBUF - 1);
749 }
750 else {
751#endif
752 i = read (sd, buffer, MAXBUF - 1);
753#ifdef HAVE_SSL
754 }
755#endif
756 return i;
757}
758
759int 590int
760my_close (void) 591my_close (void)
761{ 592{
762#ifdef HAVE_SSL 593#ifdef HAVE_SSL
763 if (use_ssl == TRUE && ssl_established == TRUE) { 594 np_net_ssl_cleanup();
764 SSL_shutdown (ssl);
765 SSL_free (ssl);
766 SSL_CTX_free (ctx);
767 return 0;
768 }
769 else {
770#endif
771 return close(sd);
772#ifdef HAVE_SSL
773 }
774#endif 595#endif
596 return close(sd);
775} 597}
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c
index 3ffa4cd6..1b6513ba 100644
--- a/plugins/check_tcp.c
+++ b/plugins/check_tcp.c
@@ -32,10 +32,6 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
32static int check_cert = FALSE; 32static int check_cert = FALSE;
33static int days_till_exp; 33static int days_till_exp;
34static char *randbuff = ""; 34static char *randbuff = "";
35static X509 *server_cert;
36# ifdef USE_OPENSSL
37static int check_certificate (X509 **);
38# endif /* USE_OPENSSL */
39# define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) 35# define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
40# define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) 36# define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
41#else 37#else
@@ -43,7 +39,6 @@ static int check_certificate (X509 **);
43# define my_send(buf, len) send(sd, buf, len, 0) 39# define my_send(buf, len) send(sd, buf, len, 0)
44#endif 40#endif
45 41
46
47/* int my_recv(char *, size_t); */ 42/* int my_recv(char *, size_t); */
48static int process_arguments (int, char **); 43static int process_arguments (int, char **);
49void print_help (void); 44void print_help (void);
@@ -217,34 +212,19 @@ main (int argc, char **argv)
217#ifdef HAVE_SSL 212#ifdef HAVE_SSL
218 if (flags & FLAG_SSL){ 213 if (flags & FLAG_SSL){
219 result = np_net_ssl_init(sd); 214 result = np_net_ssl_init(sd);
220 if(result != STATE_OK) return result; 215 if (result == STATE_OK && check_cert == TRUE) {
221 /* XXX does np_net_ssl take care of printing an error? 216 result = np_net_ssl_check_cert(days_till_exp);
222 die (STATE_CRITICAL,_("CRITICAL - Could not make SSL connection\n")); 217 if(result != STATE_OK) {
223 */ 218 printf(_("CRITICAL - Cannot retrieve server certificate.\n"));
224 } 219 }
225# ifdef USE_OPENSSL /* XXX gnutls does cert checking differently */
226 /*
227 if (flags & FLAG_SSL && check_cert == TRUE) {
228 if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
229 result = check_certificate (&server_cert);
230 X509_free(server_cert);
231 }
232 else {
233 printf(_("CRITICAL - Cannot retrieve server certificate.\n"));
234 result = STATE_CRITICAL;
235 } 220 }
236 } 221 }
237 */
238# endif /* USE_OPENSSL */
239#endif
240
241 if(result != STATE_OK){ 222 if(result != STATE_OK){
242#ifdef HAVE_SSL
243 np_net_ssl_cleanup(); 223 np_net_ssl_cleanup();
244#endif
245 if(sd) close(sd); 224 if(sd) close(sd);
246 return result; 225 return result;
247 } 226 }
227#endif /* HAVE_SSL */
248 228
249 if (server_send != NULL) { /* Something to send? */ 229 if (server_send != NULL) { /* Something to send? */
250 my_send(server_send, strlen(server_send)); 230 my_send(server_send, strlen(server_send));
@@ -567,86 +547,6 @@ process_arguments (int argc, char **argv)
567} 547}
568 548
569 549
570/* SSL-specific functions */
571#ifdef HAVE_SSL
572# ifdef USE_OPENSSL /* XXX */
573static int
574check_certificate (X509 ** certificate)
575{
576 ASN1_STRING *tm;
577 int offset;
578 struct tm stamp;
579 int days_left;
580
581
582 /* Retrieve timestamp of certificate */
583 tm = X509_get_notAfter (*certificate);
584
585 /* Generate tm structure to process timestamp */
586 if (tm->type == V_ASN1_UTCTIME) {
587 if (tm->length < 10) {
588 printf (_("CRITICAL - Wrong time format in certificate.\n"));
589 return STATE_CRITICAL;
590 }
591 else {
592 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
593 if (stamp.tm_year < 50)
594 stamp.tm_year += 100;
595 offset = 0;
596 }
597 }
598 else {
599 if (tm->length < 12) {
600 printf (_("CRITICAL - Wrong time format in certificate.\n"));
601 return STATE_CRITICAL;
602 }
603 else {
604 stamp.tm_year =
605 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
606 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
607 stamp.tm_year -= 1900;
608 offset = 2;
609 }
610 }
611 stamp.tm_mon =
612 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
613 stamp.tm_mday =
614 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
615 stamp.tm_hour =
616 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
617 stamp.tm_min =
618 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
619 stamp.tm_sec = 0;
620 stamp.tm_isdst = -1;
621
622 days_left = (mktime (&stamp) - time (NULL)) / 86400;
623 snprintf
624 (timestamp, 16, "%02d/%02d/%04d %02d:%02d",
625 stamp.tm_mon + 1,
626 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
627
628 if (days_left > 0 && days_left <= days_till_exp) {
629 printf (_("Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
630 return STATE_WARNING;
631 }
632 if (days_left < 0) {
633 printf (_("Certificate expired on %s.\n"), timestamp);
634 return STATE_CRITICAL;
635 }
636
637 if (days_left == 0) {
638 printf (_("Certificate expires today (%s).\n"), timestamp);
639 return STATE_WARNING;
640 }
641
642 printf (_("Certificate will expire on %s.\n"), timestamp);
643
644 return STATE_OK;
645}
646# endif /* USE_OPENSSL */
647#endif /* HAVE_SSL */
648
649
650void 550void
651print_help (void) 551print_help (void)
652{ 552{
diff --git a/plugins/netutils.c b/plugins/netutils.c
index e3fbb3aa..2678f911 100644
--- a/plugins/netutils.c
+++ b/plugins/netutils.c
@@ -281,6 +281,84 @@ int np_net_ssl_read(void *buf, int num){
281 return SSL_read(s, buf, num); 281 return SSL_read(s, buf, num);
282} 282}
283 283
284int np_net_ssl_check_cert(int days_till_exp){
285# ifdef USE_OPENSSL
286 X509 *certificate=NULL;
287 ASN1_STRING *tm;
288 int offset;
289 struct tm stamp;
290 int days_left;
291 char timestamp[17] = "";
292
293 certificate=SSL_get_peer_certificate(s);
294 if(! certificate){
295 printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
296 return STATE_CRITICAL;
297 }
298
299 /* Retrieve timestamp of certificate */
300 tm = X509_get_notAfter (certificate);
301
302 /* Generate tm structure to process timestamp */
303 if (tm->type == V_ASN1_UTCTIME) {
304 if (tm->length < 10) {
305 printf (_("CRITICAL - Wrong time format in certificate.\n"));
306 return STATE_CRITICAL;
307 } else {
308 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
309 if (stamp.tm_year < 50)
310 stamp.tm_year += 100;
311 offset = 0;
312 }
313 } else {
314 if (tm->length < 12) {
315 printf (_("CRITICAL - Wrong time format in certificate.\n"));
316 return STATE_CRITICAL;
317 } else {
318 stamp.tm_year =
319 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
320 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
321 stamp.tm_year -= 1900;
322 offset = 2;
323 }
324 }
325 stamp.tm_mon =
326 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
327 stamp.tm_mday =
328 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
329 stamp.tm_hour =
330 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
331 stamp.tm_min =
332 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
333 stamp.tm_sec = 0;
334 stamp.tm_isdst = -1;
335
336 days_left = (mktime (&stamp) - time (NULL)) / 86400;
337 snprintf
338 (timestamp, 17, "%02d/%02d/%04d %02d:%02d",
339 stamp.tm_mon + 1,
340 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
341
342 if (days_left > 0 && days_left <= days_till_exp) {
343 printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
344 return STATE_WARNING;
345 } else if (days_left < 0) {
346 printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
347 return STATE_CRITICAL;
348 } else if (days_left == 0) {
349 printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
350 return STATE_WARNING;
351 }
352
353 printf (_("OK - Certificate will expire on %s.\n"), timestamp);
354 X509_free (certificate);
355 return STATE_OK;
356# else /* ifndef USE_OPENSSL */
357 printf (_("WARNING - Plugin does not support checking certificates.\n"));
358 return STATE_WARNING;
359# endif /* USE_OPENSSL */
360}
361
284#endif /* HAVE_SSL */ 362#endif /* HAVE_SSL */
285 363
286int 364int
diff --git a/plugins/netutils.h b/plugins/netutils.h
index 85b5aa99..9b0557d3 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -89,6 +89,7 @@ int np_net_ssl_init(int sd);
89void np_net_ssl_cleanup(); 89void np_net_ssl_cleanup();
90int np_net_ssl_write(const void *buf, int num); 90int np_net_ssl_write(const void *buf, int num);
91int np_net_ssl_read(void *buf, int num); 91int np_net_ssl_read(void *buf, int num);
92int np_net_ssl_check_cert(int days_till_exp);
92#endif /* HAVE_SSL */ 93#endif /* HAVE_SSL */
93 94
94#endif /* _NETUTILS_H_ */ 95#endif /* _NETUTILS_H_ */