author | Andreas Baumann <mail@andreasbaumann.cc> | 2017-04-21 09:03:28 +0000 |
---|---|---|
committer | Sven Nierlein <sven@nierlein.de> | 2018-10-22 16:30:31 +0200 |
commit | 2da757519649f8806be1741ce7232724e5a03f24 (patch) | |
tree | 8b803e2298370c72f2ceaf894525001429d32404 /plugins | |
parent | f4a7a3b3e7aa0cda2153b68fecaa1f76ed2b2392 (diff) | |
download | monitoring-plugins-2da757519649f8806be1741ce7232724e5a03f24.tar.gz |
preparing for certificate checks (non-OpenSSL version)
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/check_curl.c | 61 |
1 files changed, 39 insertions, 22 deletions
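--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -158,18 +158,21 @@ int onredirect = STATE_OK;
 int use_ssl = FALSE;
 int use_sni = TRUE;
 int check_cert = FALSE;
-union {
+typedef union {
 struct curl_slist* to_info;
 struct curl_certinfo* to_certinfo;
-} cert_ptr;
+} cert_ptr_union;
+cert_ptr_union cert_ptr;
 int ssl_version = CURL_SSLVERSION_DEFAULT;
 char *client_cert = NULL;
 char *client_privkey = NULL;
 char *ca_cert = NULL;
 int is_openssl_callback = FALSE;
 #ifdef HAVE_SSL
+#ifdef USE_OPENSSL
 X509 *cert = NULL;
-#endif
+#endif /* USE_OPENSSL */
+#endif /* HAVE_SSL */
 int no_body = FALSE;
 int maximum_age = -1;
 int address_family = AF_UNSPEC;
@@ -189,6 +192,7 @@ int curlhelp_buffer_read_callback (void *, size_t , size_t , void *);
 void curlhelp_freereadbuffer (curlhelp_read_curlbuf *);
 curlhelp_ssl_library curlhelp_get_ssl_library (CURL*);
 const char* curlhelp_get_ssl_library_string (curlhelp_ssl_library);
+int net_noopenssl_check_certificate (cert_ptr_union*, int, int);
 
 int curlhelp_parse_statusline (const char*, curlhelp_statusline *);
 void curlhelp_free_statusline (curlhelp_statusline *);
@@ -229,6 +233,7 @@ main (int argc, char **argv)
 }
 
 #ifdef HAVE_SSL
+#ifdef USE_OPENSSL
 
 int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
@@ -247,6 +252,7 @@ CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm)
 return CURLE_OK;
 }
 
+#endif /* USE_OPENSSL */
 #endif /* HAVE_SSL */
 
 /* Checks if the server 'reply' is one of the expected 'statuscodes' */
@@ -535,33 +541,19 @@ check_http (void)
 die (STATE_CRITICAL, "HTTP CRITICAL - Cannot retrieve certificates - OpenSSL callback used and not linked against OpenSSL\n");
 #endif /* HAVE_SSL */
 } else {
-/* going with the libcurl CURLINFO data */
-if (verbose >= 2)
-printf ("**** REQUEST CERTIFICATES ****\n");
+/* We assume we don't have OpenSSL and np_net_ssl_check_certificate at our disposal,
+* so we use the libcurl CURLINFO data
+*/
 cert_ptr.to_info = NULL;
 res = curl_easy_getinfo (curl, CURLINFO_CERTINFO, &cert_ptr.to_info);
 if (!res && cert_ptr.to_info) {
-int i;
-for (i = 0; i < cert_ptr.to_certinfo->num_of_certs; i++) {
-struct curl_slist *slist;
-for (slist = cert_ptr.to_certinfo->certinfo[i]; slist; slist = slist->next) {
-if (verbose >= 2)
-printf ("%d ** %s\n", i, slist->data);
-}
-}
+result = net_noopenssl_check_certificate(&cert_ptr, days_till_exp_warn, days_till_exp_crit);
+return result;
 } else {
 snprintf (msg, DEFAULT_BUFFER_SIZE, _("Cannot retrieve certificates - cURL returned %d - %s"),
 res, curl_easy_strerror(res));
 die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg);
 }
-if (verbose >= 2)
-printf ("**** REQUEST CERTIFICATES ****\n");
-/* TODO: either convert data to X509 certs we can check with np_net_ssl_check_certificate
-* or do something on our own..
-* result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit);
-* return result;
-*/
-die (STATE_UNKNOWN, "HTTP UNKNOWN - CERTINFO certificate checks not implemented yet\n");
 }
 }
 }
@@ -1723,3 +1715,28 @@ curlhelp_get_ssl_library_string (curlhelp_ssl_library ssl_library)
 return "unknown";
 }
 }
+
+#ifdef LIBCURL_FEATURE_SSL
+int
+net_noopenssl_check_certificate (cert_ptr_union* cert_ptr, int days_till_exp_warn, int days_till_exp_crit)
+{
+int i;
+struct curl_slist *slist;
+
+if (verbose >= 2)
+printf ("**** REQUEST CERTIFICATES ****\n");
+
+for (i = 0; i < cert_ptr->to_certinfo->num_of_certs; i++) {
+for (slist = cert_ptr->to_certinfo->certinfo[i]; slist; slist = slist->next) {
+if (verbose >= 2)
+printf ("%d ** %s\n", i, slist->data);
+}
+}
+
+if (verbose >= 2)
+printf ("**** REQUEST CERTIFICATES ****\n");
+
+printf("%s\n", _("WARNING - Plugin does not support checking certificates without OpenSSL."));
+return STATE_WARNING;
+}
+#endif /* LIBCURL_FEATURE_SSL */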
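Review bot: `net_noopenssl_check_certificate` in the last hunk never evaluates the certificate data it walks and ignores `days_till_exp_warn` and `days_till_exp_crit`, yet it returns `STATE_WARNING`, so on a non-OpenSSL build an expired certificate is reported at the same fixed level as a healthy one and can never reach CRITICAL. The code it replaces in `check_http` exited with `STATE_UNKNOWN`, which is the more accurate status for a check that could not be evaluated; until the expiry parsing exists I would keep that, i.e. `return STATE_UNKNOWN;` with the message prefixed `HTTP UNKNOWN - `. Separately, the prototype and the call in `check_http` appear without a guard in their hunks while the definition sits inside `#ifdef LIBCURL_FEATURE_SSL`; unless the call site is already guarded outside the visible lines, a build without that macro would fail at link time, so the guard should cover all three or be dropped. A short header comment stating that the function is a stub that only prints the CERTINFO entries at `verbose >= 2` would also help the next reader.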