diff options
author | Holger Weiss <holger@zedat.fu-berlin.de> | 2013-08-18 23:10:31 +0200 |
---|---|---|
committer | Holger Weiss <holger@zedat.fu-berlin.de> | 2013-08-18 23:10:31 +0200 |
commit | 8e444095e88428137594d6bd2f04af8daed0a1fb (patch) | |
tree | ea55fe38cf54324dffb8fe6179d7245878cd954e /plugins | |
parent | 3ccf66613fc01d345d98952b4127b1a8eb3d12f5 (diff) | |
parent | 2f92d0dab77a3f3b1005dae3401ea1316d6789b2 (diff) | |
download | monitoring-plugins-8e444095e88428137594d6bd2f04af8daed0a1fb.tar.gz |
Merge branch 'master' of https://github.com/cern-mig/nagios-plugins
* 'master' of https://github.com/cern-mig/nagios-plugins:
added support for client authentication via SSL
Conflicts:
plugins/check_http.c
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/check_http.c | 45 | ||||
-rw-r--r-- | plugins/netutils.h | 2 | ||||
-rw-r--r-- | plugins/sslutils.c | 12 |
3 files changed, 54 insertions, 5 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c index ea7a6736..46c0c135 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c | |||
@@ -127,6 +127,8 @@ char *http_method; | |||
127 | char *http_post_data; | 127 | char *http_post_data; |
128 | char *http_content_type; | 128 | char *http_content_type; |
129 | char buffer[MAX_INPUT_BUFFER]; | 129 | char buffer[MAX_INPUT_BUFFER]; |
130 | char *client_cert = NULL; | ||
131 | char *client_privkey = NULL; | ||
130 | 132 | ||
131 | int process_arguments (int, char **); | 133 | int process_arguments (int, char **); |
132 | int check_http (void); | 134 | int check_http (void); |
@@ -178,7 +180,14 @@ main (int argc, char **argv) | |||
178 | return result; | 180 | return result; |
179 | } | 181 | } |
180 | 182 | ||
181 | 183 | /* check whether a file exists */ | |
184 | void | ||
185 | test_file (char *path) | ||
186 | { | ||
187 | if (access(path, R_OK) == 0) | ||
188 | return; | ||
189 | usage2 (_("file does not exist or is not readable"), path); | ||
190 | } | ||
182 | 191 | ||
183 | /* process command-line arguments */ | 192 | /* process command-line arguments */ |
184 | int | 193 | int |
@@ -216,6 +225,8 @@ process_arguments (int argc, char **argv) | |||
216 | {"linespan", no_argument, 0, 'l'}, | 225 | {"linespan", no_argument, 0, 'l'}, |
217 | {"onredirect", required_argument, 0, 'f'}, | 226 | {"onredirect", required_argument, 0, 'f'}, |
218 | {"certificate", required_argument, 0, 'C'}, | 227 | {"certificate", required_argument, 0, 'C'}, |
228 | {"client-cert", required_argument, 0, 'J'}, | ||
229 | {"private-key", required_argument, 0, 'K'}, | ||
219 | {"useragent", required_argument, 0, 'A'}, | 230 | {"useragent", required_argument, 0, 'A'}, |
220 | {"header", required_argument, 0, 'k'}, | 231 | {"header", required_argument, 0, 'k'}, |
221 | {"no-body", no_argument, 0, 'N'}, | 232 | {"no-body", no_argument, 0, 'N'}, |
@@ -246,7 +257,7 @@ process_arguments (int argc, char **argv) | |||
246 | } | 257 | } |
247 | 258 | ||
248 | while (1) { | 259 | while (1) { |
249 | c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:nlLS::m:M:N:E", longopts, &option); | 260 | c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:N:E", longopts, &option); |
250 | if (c == -1 || c == EOF) | 261 | if (c == -1 || c == EOF) |
251 | break; | 262 | break; |
252 | 263 | ||
@@ -311,10 +322,23 @@ process_arguments (int argc, char **argv) | |||
311 | days_till_exp_warn = atoi (optarg); | 322 | days_till_exp_warn = atoi (optarg); |
312 | } | 323 | } |
313 | check_cert = TRUE; | 324 | check_cert = TRUE; |
314 | /* Fall through to -S option */ | 325 | goto enable_ssl; |
326 | #endif | ||
327 | case 'J': /* use client certificate */ | ||
328 | #ifdef HAVE_SSL | ||
329 | test_file(optarg); | ||
330 | client_cert = optarg; | ||
331 | goto enable_ssl; | ||
332 | #endif | ||
333 | case 'K': /* use client private key */ | ||
334 | #ifdef HAVE_SSL | ||
335 | test_file(optarg); | ||
336 | client_privkey = optarg; | ||
337 | goto enable_ssl; | ||
315 | #endif | 338 | #endif |
316 | case 'S': /* use SSL */ | 339 | case 'S': /* use SSL */ |
317 | #ifdef HAVE_SSL | 340 | #ifdef HAVE_SSL |
341 | enable_ssl: | ||
318 | use_ssl = TRUE; | 342 | use_ssl = TRUE; |
319 | if (optarg == NULL || c != 'S') | 343 | if (optarg == NULL || c != 'S') |
320 | ssl_version = 0; | 344 | ssl_version = 0; |
@@ -326,6 +350,7 @@ process_arguments (int argc, char **argv) | |||
326 | if (specify_port == FALSE) | 350 | if (specify_port == FALSE) |
327 | server_port = HTTPS_PORT; | 351 | server_port = HTTPS_PORT; |
328 | #else | 352 | #else |
353 | /* -C -J and -K fall through to here without SSL */ | ||
329 | usage4 (_("Invalid option - SSL is not available")); | 354 | usage4 (_("Invalid option - SSL is not available")); |
330 | #endif | 355 | #endif |
331 | break; | 356 | break; |
@@ -514,6 +539,9 @@ process_arguments (int argc, char **argv) | |||
514 | if (http_method == NULL) | 539 | if (http_method == NULL) |
515 | http_method = strdup ("GET"); | 540 | http_method = strdup ("GET"); |
516 | 541 | ||
542 | if (client_cert && !client_privkey) | ||
543 | usage4 (_("If you use a client certificate you must also specify a private key file")); | ||
544 | |||
517 | return TRUE; | 545 | return TRUE; |
518 | } | 546 | } |
519 | 547 | ||
@@ -851,7 +879,7 @@ check_http (void) | |||
851 | elapsed_time_connect = (double)microsec_connect / 1.0e6; | 879 | elapsed_time_connect = (double)microsec_connect / 1.0e6; |
852 | if (use_ssl == TRUE) { | 880 | if (use_ssl == TRUE) { |
853 | gettimeofday (&tv_temp, NULL); | 881 | gettimeofday (&tv_temp, NULL); |
854 | result = np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version); | 882 | result = np_net_ssl_init_with_hostname_version_and_certificate(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey); |
855 | if (result != STATE_OK) | 883 | if (result != STATE_OK) |
856 | return result; | 884 | return result; |
857 | microsec_ssl = deltime (tv_temp); | 885 | microsec_ssl = deltime (tv_temp); |
@@ -1444,7 +1472,13 @@ print_help (void) | |||
1444 | printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); | 1472 | printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); |
1445 | printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); | 1473 | printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); |
1446 | printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443")); | 1474 | printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443")); |
1447 | printf (" %s\n", _("(when this option is used the URL is not checked.)\n")); | 1475 | printf (" %s\n", _("(when this option is used the URL is not checked.)")); |
1476 | printf (" %s\n", "-J, --client-cert=FILE"); | ||
1477 | printf (" %s\n", _("Name of file that contains the client certificate (PEM format)")); | ||
1478 | printf (" %s\n", _("to be used in establishing the SSL session")); | ||
1479 | printf (" %s\n", "-K, --private-key=FILE"); | ||
1480 | printf (" %s\n", _("Name of file containing the private key (PEM format)")); | ||
1481 | printf (" %s\n", _("matching the client certificate")); | ||
1448 | #endif | 1482 | #endif |
1449 | 1483 | ||
1450 | printf (" %s\n", "-e, --expect=STRING"); | 1484 | printf (" %s\n", "-e, --expect=STRING"); |
@@ -1553,6 +1587,7 @@ print_usage (void) | |||
1553 | { | 1587 | { |
1554 | printf ("%s\n", _("Usage:")); | 1588 | printf ("%s\n", _("Usage:")); |
1555 | printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname); | 1589 | printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname); |
1590 | printf (" [-J <client certificate file>] [-K <private key>]\n"); | ||
1556 | printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]\n"); | 1591 | printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]\n"); |
1557 | printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n"); | 1592 | printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n"); |
1558 | printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n"); | 1593 | printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n"); |
diff --git a/plugins/netutils.h b/plugins/netutils.h index 21017f1f..765b3d5f 100644 --- a/plugins/netutils.h +++ b/plugins/netutils.h | |||
@@ -100,6 +100,8 @@ extern int address_family; | |||
100 | /* maybe this could be merged with the above np_net_connect, via some flags */ | 100 | /* maybe this could be merged with the above np_net_connect, via some flags */ |
101 | int np_net_ssl_init(int sd); | 101 | int np_net_ssl_init(int sd); |
102 | int np_net_ssl_init_with_hostname(int sd, char *host_name); | 102 | int np_net_ssl_init_with_hostname(int sd, char *host_name); |
103 | int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version); | ||
104 | int np_net_ssl_init_with_hostname_version_and_certificate(int sd, char *host_name, int version, char *cert, char *privkey); | ||
103 | void np_net_ssl_cleanup(); | 105 | void np_net_ssl_cleanup(); |
104 | int np_net_ssl_write(const void *buf, int num); | 106 | int np_net_ssl_write(const void *buf, int num); |
105 | int np_net_ssl_read(void *buf, int num); | 107 | int np_net_ssl_read(void *buf, int num); |
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index a1ce560d..4927e361 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -45,6 +45,10 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name) { | |||
45 | } | 45 | } |
46 | 46 | ||
47 | int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { | 47 | int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { |
48 | return np_net_ssl_init_with_hostname_version_and_certificate(sd, host_name, version, NULL, NULL); | ||
49 | } | ||
50 | |||
51 | int np_net_ssl_init_with_hostname_version_and_certificate(int sd, char *host_name, int version, char *cert, char *privkey) { | ||
48 | const SSL_METHOD *method = NULL; | 52 | const SSL_METHOD *method = NULL; |
49 | 53 | ||
50 | switch (version) { | 54 | switch (version) { |
@@ -80,6 +84,14 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi | |||
80 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); | 84 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); |
81 | return STATE_CRITICAL; | 85 | return STATE_CRITICAL; |
82 | } | 86 | } |
87 | if (cert && privkey) { | ||
88 | SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM); | ||
89 | SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM); | ||
90 | if (!SSL_CTX_check_private_key(c)) { | ||
91 | printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); | ||
92 | return STATE_CRITICAL; | ||
93 | } | ||
94 | } | ||
83 | #ifdef SSL_OP_NO_TICKET | 95 | #ifdef SSL_OP_NO_TICKET |
84 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); | 96 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); |
85 | #endif | 97 | #endif |