summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHolger Weiss <holger@zedat.fu-berlin.de>2013-08-18 23:10:31 +0200
committerHolger Weiss <holger@zedat.fu-berlin.de>2013-08-18 23:10:31 +0200
commit8e444095e88428137594d6bd2f04af8daed0a1fb (patch)
treeea55fe38cf54324dffb8fe6179d7245878cd954e
parent3ccf66613fc01d345d98952b4127b1a8eb3d12f5 (diff)
parent2f92d0dab77a3f3b1005dae3401ea1316d6789b2 (diff)
downloadmonitoring-plugins-8e444095e88428137594d6bd2f04af8daed0a1fb.tar.gz
Merge branch 'master' of https://github.com/cern-mig/nagios-plugins
* 'master' of https://github.com/cern-mig/nagios-plugins: added support for client authentication via SSL Conflicts: plugins/check_http.c
-rw-r--r--plugins/check_http.c45
-rw-r--r--plugins/netutils.h2
-rw-r--r--plugins/sslutils.c12
3 files changed, 54 insertions, 5 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c
index ea7a6736..46c0c135 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -127,6 +127,8 @@ char *http_method;
127char *http_post_data; 127char *http_post_data;
128char *http_content_type; 128char *http_content_type;
129char buffer[MAX_INPUT_BUFFER]; 129char buffer[MAX_INPUT_BUFFER];
130char *client_cert = NULL;
131char *client_privkey = NULL;
130 132
131int process_arguments (int, char **); 133int process_arguments (int, char **);
132int check_http (void); 134int check_http (void);
@@ -178,7 +180,14 @@ main (int argc, char **argv)
178 return result; 180 return result;
179} 181}
180 182
181 183/* check whether a file exists */
184void
185test_file (char *path)
186{
187 if (access(path, R_OK) == 0)
188 return;
189 usage2 (_("file does not exist or is not readable"), path);
190}
182 191
183/* process command-line arguments */ 192/* process command-line arguments */
184int 193int
@@ -216,6 +225,8 @@ process_arguments (int argc, char **argv)
216 {"linespan", no_argument, 0, 'l'}, 225 {"linespan", no_argument, 0, 'l'},
217 {"onredirect", required_argument, 0, 'f'}, 226 {"onredirect", required_argument, 0, 'f'},
218 {"certificate", required_argument, 0, 'C'}, 227 {"certificate", required_argument, 0, 'C'},
228 {"client-cert", required_argument, 0, 'J'},
229 {"private-key", required_argument, 0, 'K'},
219 {"useragent", required_argument, 0, 'A'}, 230 {"useragent", required_argument, 0, 'A'},
220 {"header", required_argument, 0, 'k'}, 231 {"header", required_argument, 0, 'k'},
221 {"no-body", no_argument, 0, 'N'}, 232 {"no-body", no_argument, 0, 'N'},
@@ -246,7 +257,7 @@ process_arguments (int argc, char **argv)
246 } 257 }
247 258
248 while (1) { 259 while (1) {
249 c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:nlLS::m:M:N:E", longopts, &option); 260 c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:N:E", longopts, &option);
250 if (c == -1 || c == EOF) 261 if (c == -1 || c == EOF)
251 break; 262 break;
252 263
@@ -311,10 +322,23 @@ process_arguments (int argc, char **argv)
311 days_till_exp_warn = atoi (optarg); 322 days_till_exp_warn = atoi (optarg);
312 } 323 }
313 check_cert = TRUE; 324 check_cert = TRUE;
314 /* Fall through to -S option */ 325 goto enable_ssl;
326#endif
327 case 'J': /* use client certificate */
328#ifdef HAVE_SSL
329 test_file(optarg);
330 client_cert = optarg;
331 goto enable_ssl;
332#endif
333 case 'K': /* use client private key */
334#ifdef HAVE_SSL
335 test_file(optarg);
336 client_privkey = optarg;
337 goto enable_ssl;
315#endif 338#endif
316 case 'S': /* use SSL */ 339 case 'S': /* use SSL */
317#ifdef HAVE_SSL 340#ifdef HAVE_SSL
341 enable_ssl:
318 use_ssl = TRUE; 342 use_ssl = TRUE;
319 if (optarg == NULL || c != 'S') 343 if (optarg == NULL || c != 'S')
320 ssl_version = 0; 344 ssl_version = 0;
@@ -326,6 +350,7 @@ process_arguments (int argc, char **argv)
326 if (specify_port == FALSE) 350 if (specify_port == FALSE)
327 server_port = HTTPS_PORT; 351 server_port = HTTPS_PORT;
328#else 352#else
353 /* -C -J and -K fall through to here without SSL */
329 usage4 (_("Invalid option - SSL is not available")); 354 usage4 (_("Invalid option - SSL is not available"));
330#endif 355#endif
331 break; 356 break;
@@ -514,6 +539,9 @@ process_arguments (int argc, char **argv)
514 if (http_method == NULL) 539 if (http_method == NULL)
515 http_method = strdup ("GET"); 540 http_method = strdup ("GET");
516 541
542 if (client_cert && !client_privkey)
543 usage4 (_("If you use a client certificate you must also specify a private key file"));
544
517 return TRUE; 545 return TRUE;
518} 546}
519 547
@@ -851,7 +879,7 @@ check_http (void)
851 elapsed_time_connect = (double)microsec_connect / 1.0e6; 879 elapsed_time_connect = (double)microsec_connect / 1.0e6;
852 if (use_ssl == TRUE) { 880 if (use_ssl == TRUE) {
853 gettimeofday (&tv_temp, NULL); 881 gettimeofday (&tv_temp, NULL);
854 result = np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version); 882 result = np_net_ssl_init_with_hostname_version_and_certificate(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey);
855 if (result != STATE_OK) 883 if (result != STATE_OK)
856 return result; 884 return result;
857 microsec_ssl = deltime (tv_temp); 885 microsec_ssl = deltime (tv_temp);
@@ -1444,7 +1472,13 @@ print_help (void)
1444 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); 1472 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1445 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); 1473 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
1446 printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443")); 1474 printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
1447 printf (" %s\n", _("(when this option is used the URL is not checked.)\n")); 1475 printf (" %s\n", _("(when this option is used the URL is not checked.)"));
1476 printf (" %s\n", "-J, --client-cert=FILE");
1477 printf (" %s\n", _("Name of file that contains the client certificate (PEM format)"));
1478 printf (" %s\n", _("to be used in establishing the SSL session"));
1479 printf (" %s\n", "-K, --private-key=FILE");
1480 printf (" %s\n", _("Name of file containing the private key (PEM format)"));
1481 printf (" %s\n", _("matching the client certificate"));
1448#endif 1482#endif
1449 1483
1450 printf (" %s\n", "-e, --expect=STRING"); 1484 printf (" %s\n", "-e, --expect=STRING");
@@ -1553,6 +1587,7 @@ print_usage (void)
1553{ 1587{
1554 printf ("%s\n", _("Usage:")); 1588 printf ("%s\n", _("Usage:"));
1555 printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname); 1589 printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
1590 printf (" [-J <client certificate file>] [-K <private key>]\n");
1556 printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]\n"); 1591 printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]\n");
1557 printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n"); 1592 printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
1558 printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n"); 1593 printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
diff --git a/plugins/netutils.h b/plugins/netutils.h
index 21017f1f..765b3d5f 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -100,6 +100,8 @@ extern int address_family;
100/* maybe this could be merged with the above np_net_connect, via some flags */ 100/* maybe this could be merged with the above np_net_connect, via some flags */
101int np_net_ssl_init(int sd); 101int np_net_ssl_init(int sd);
102int np_net_ssl_init_with_hostname(int sd, char *host_name); 102int np_net_ssl_init_with_hostname(int sd, char *host_name);
103int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version);
104int np_net_ssl_init_with_hostname_version_and_certificate(int sd, char *host_name, int version, char *cert, char *privkey);
103void np_net_ssl_cleanup(); 105void np_net_ssl_cleanup();
104int np_net_ssl_write(const void *buf, int num); 106int np_net_ssl_write(const void *buf, int num);
105int np_net_ssl_read(void *buf, int num); 107int np_net_ssl_read(void *buf, int num);
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index a1ce560d..4927e361 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -45,6 +45,10 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name) {
45} 45}
46 46
47int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { 47int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
48 return np_net_ssl_init_with_hostname_version_and_certificate(sd, host_name, version, NULL, NULL);
49}
50
51int np_net_ssl_init_with_hostname_version_and_certificate(int sd, char *host_name, int version, char *cert, char *privkey) {
48 const SSL_METHOD *method = NULL; 52 const SSL_METHOD *method = NULL;
49 53
50 switch (version) { 54 switch (version) {
@@ -80,6 +84,14 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
80 printf("%s\n", _("CRITICAL - Cannot create SSL context.")); 84 printf("%s\n", _("CRITICAL - Cannot create SSL context."));
81 return STATE_CRITICAL; 85 return STATE_CRITICAL;
82 } 86 }
87 if (cert && privkey) {
88 SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM);
89 SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM);
90 if (!SSL_CTX_check_private_key(c)) {
91 printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
92 return STATE_CRITICAL;
93 }
94 }
83#ifdef SSL_OP_NO_TICKET 95#ifdef SSL_OP_NO_TICKET
84 SSL_CTX_set_options(c, SSL_OP_NO_TICKET); 96 SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
85#endif 97#endif