summaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
authorBenoit Mortier <opensides@users.sourceforge.net>2004-12-28 23:18:17 +0000
committerBenoit Mortier <opensides@users.sourceforge.net>2004-12-28 23:18:17 +0000
commit6ecaa524bf28b5fb861b161ea075a11119cb3bd2 (patch)
treefb5e86f3c4a5d8aa0b790e15f380baa54a8703f1 /plugins
parentb8fcd0d2587a5415266d7f3eea7ae6764900a7cc (diff)
downloadmonitoring-plugins-6ecaa524bf28b5fb861b161ea075a11119cb3bd2.tar.gz
starttls support for check_smtp #1041576
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1065 f882894a-f735-0410-b71e-b25c423dba1c
Diffstat (limited to 'plugins')
-rw-r--r--plugins/Makefile.am2
-rw-r--r--plugins/check_smtp.c285
2 files changed, 273 insertions, 14 deletions
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 538f9057..51858215 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -69,7 +69,7 @@ check_procs_LDADD = $(BASEOBJS) popen.o
69check_radius_LDADD = $(NETLIBS) $(RADIUSLIBS) 69check_radius_LDADD = $(NETLIBS) $(RADIUSLIBS)
70check_real_LDADD = $(NETLIBS) 70check_real_LDADD = $(NETLIBS)
71check_snmp_LDADD = $(BASEOBJS) popen.o 71check_snmp_LDADD = $(BASEOBJS) popen.o
72check_smtp_LDADD = $(NETLIBS) 72check_smtp_LDADD = $(NETLIBS) $(SSLLIBS)
73check_ssh_LDADD = $(NETLIBS) 73check_ssh_LDADD = $(NETLIBS)
74check_swap_LDADD = $(BASEOBJS) popen.o 74check_swap_LDADD = $(BASEOBJS) popen.o
75check_tcp_LDADD = $(NETLIBS) $(SSLLIBS) 75check_tcp_LDADD = $(NETLIBS) $(SSLLIBS)
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 55cf5da5..6e5d972a 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -27,17 +27,49 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net";
27#include "netutils.h" 27#include "netutils.h"
28#include "utils.h" 28#include "utils.h"
29 29
30#ifdef HAVE_SSL_H
31# include <rsa.h>
32# include <crypto.h>
33# include <x509.h>
34# include <pem.h>
35# include <ssl.h>
36# include <err.h>
37#else
38# ifdef HAVE_OPENSSL_SSL_H
39# include <openssl/rsa.h>
40# include <openssl/crypto.h>
41# include <openssl/x509.h>
42# include <openssl/pem.h>
43# include <openssl/ssl.h>
44# include <openssl/err.h>
45# endif
46#endif
47
48#ifdef HAVE_SSL
49
50int check_cert = FALSE;
51int days_till_exp;
52SSL_CTX *ctx;
53SSL *ssl;
54X509 *server_cert;
55int connect_STARTTLS (void);
56int check_certificate (X509 **);
57#endif
58
30enum { 59enum {
31 SMTP_PORT = 25 60 SMTP_PORT = 25
32}; 61};
33const char *SMTP_EXPECT = "220"; 62const char *SMTP_EXPECT = "220";
34const char *SMTP_HELO = "HELO "; 63const char *SMTP_HELO = "HELO ";
35const char *SMTP_QUIT = "QUIT\r\n"; 64const char *SMTP_QUIT = "QUIT\r\n";
65const char *SMTP_STARTTLS = "STARTTLS\r\n";
36 66
37int process_arguments (int, char **); 67int process_arguments (int, char **);
38int validate_arguments (void); 68int validate_arguments (void);
39void print_help (void); 69void print_help (void);
40void print_usage (void); 70void print_usage (void);
71int myrecv(void);
72int my_close(void);
41 73
42#ifdef HAVE_REGEX_H 74#ifdef HAVE_REGEX_H
43#include <regex.h> 75#include <regex.h>
@@ -68,18 +100,23 @@ int check_warning_time = FALSE;
68int critical_time = 0; 100int critical_time = 0;
69int check_critical_time = FALSE; 101int check_critical_time = FALSE;
70int verbose = 0; 102int verbose = 0;
71 103int use_ssl = FALSE;
72 104int sd;
105char buffer[MAX_INPUT_BUFFER];
106enum {
107 TCP_PROTOCOL = 1,
108 UDP_PROTOCOL = 2,
109 MAXBUF = 1024
110};
73 111
74int 112int
75main (int argc, char **argv) 113main (int argc, char **argv)
76{ 114{
77 int sd; 115
78 int n = 0; 116 int n = 0;
79 double elapsed_time; 117 double elapsed_time;
80 long microsec; 118 long microsec;
81 int result = STATE_UNKNOWN; 119 int result = STATE_UNKNOWN;
82 char buffer[MAX_INPUT_BUFFER];
83 char *cmd_str = NULL; 120 char *cmd_str = NULL;
84 char *helocmd = NULL; 121 char *helocmd = NULL;
85 struct timeval tv; 122 struct timeval tv;
@@ -140,12 +177,45 @@ main (int argc, char **argv)
140 result = STATE_WARNING; 177 result = STATE_WARNING;
141 } 178 }
142 } 179 }
143 180#ifdef HAVE_SSL
181 if(use_ssl) {
182 /* send the STARTTLS command */
183 send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0);
184
185 recv(sd,buffer, MAX_INPUT_BUFFER-1, 0); // wait for it
186 if (!strstr (buffer, server_expect)) {
187 printf (_("Server does not support STARTTLS\n"));
188 return STATE_UNKNOWN;
189 }
190 if(connect_STARTTLS() != OK) {
191 printf (_("ERROR: Cannot create SSL context.\n"));
192 return STATE_CRITICAL;
193 }
194 if ( check_cert ) {
195 if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
196 result = check_certificate (&server_cert);
197 X509_free(server_cert);
198 }
199 else {
200 printf (_("ERROR: Cannot retrieve server certificate.\n"));
201 result = STATE_CRITICAL;
202
203 }
204 my_close();
205 return result;
206 }
207 }
208#endif
144 /* send the HELO command */ 209 /* send the HELO command */
210#ifdef HAVE_SSL
211 if (use_ssl)
212 SSL_write(ssl, helocmd, strlen(helocmd));
213 else
214#endif
145 send(sd, helocmd, strlen(helocmd), 0); 215 send(sd, helocmd, strlen(helocmd), 0);
146 216
147 /* allow for response to helo command to reach us */ 217 /* allow for response to helo command to reach us */
148 recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); 218 myrecv();
149 219
150 /* sendmail will syslog a "NOQUEUE" error if session does not attempt 220 /* sendmail will syslog a "NOQUEUE" error if session does not attempt
151 * to do something useful. This can be prevented by giving a command 221 * to do something useful. This can be prevented by giving a command
@@ -158,16 +228,26 @@ main (int argc, char **argv)
158 * Use the -f option to provide a FROM address 228 * Use the -f option to provide a FROM address
159 */ 229 */
160 if (smtp_use_dummycmd) { 230 if (smtp_use_dummycmd) {
161 send(sd, cmd_str, strlen(cmd_str), 0); 231#ifdef HAVE_SSL
162 recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); 232 if (use_ssl)
163 if (verbose) 233 SSL_write(ssl, cmd_str, strlen(cmd_str));
164 printf("%s", buffer); 234 else
235#endif
236 send(sd, cmd_str, strlen(cmd_str), 0);
237 myrecv();
238 if (verbose)
239 printf("%s", buffer);
165 } 240 }
166 241
167 while (n < ncommands) { 242 while (n < ncommands) {
168 asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); 243 asprintf (&cmd_str, "%s%s", commands[n], "\r\n");
244#ifdef HAVE_SSL
245 if (use_ssl)
246 SSL_write(ssl,cmd_str, strlen(cmd_str));
247 else
248#endif
169 send(sd, cmd_str, strlen(cmd_str), 0); 249 send(sd, cmd_str, strlen(cmd_str), 0);
170 recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); 250 myrecv();
171 if (verbose) 251 if (verbose)
172 printf("%s", buffer); 252 printf("%s", buffer);
173 strip (buffer); 253 strip (buffer);
@@ -206,6 +286,11 @@ main (int argc, char **argv)
206 } 286 }
207 287
208 /* tell the server we're done */ 288 /* tell the server we're done */
289#ifdef HAVE_SSL
290 if (use_ssl)
291 SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT));
292 else
293#endif
209 send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); 294 send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
210 295
211 /* finally close the connection */ 296 /* finally close the connection */
@@ -261,6 +346,8 @@ process_arguments (int argc, char **argv)
261 {"use-ipv4", no_argument, 0, '4'}, 346 {"use-ipv4", no_argument, 0, '4'},
262 {"use-ipv6", no_argument, 0, '6'}, 347 {"use-ipv6", no_argument, 0, '6'},
263 {"help", no_argument, 0, 'h'}, 348 {"help", no_argument, 0, 'h'},
349 {"starttls",no_argument,0,'S'},
350 {"certificate",required_argument,0,'D'},
264 {0, 0, 0, 0} 351 {0, 0, 0, 0}
265 }; 352 };
266 353
@@ -277,7 +364,7 @@ process_arguments (int argc, char **argv)
277 } 364 }
278 365
279 while (1) { 366 while (1) {
280 c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:", 367 c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:SD:",
281 longopts, &option); 368 longopts, &option);
282 369
283 if (c == -1 || c == EOF) 370 if (c == -1 || c == EOF)
@@ -354,6 +441,22 @@ process_arguments (int argc, char **argv)
354 usage4 (_("Timeout interval must be a positive integer")); 441 usage4 (_("Timeout interval must be a positive integer"));
355 } 442 }
356 break; 443 break;
444 case 'S':
445 /* starttls */
446 use_ssl = TRUE;
447 break;
448 case 'D':
449 /* Check SSL cert validity */
450#ifdef HAVE_SSL
451 if (!is_intnonneg (optarg))
452 usage2 ("Invalid certificate expiration period",optarg);
453 days_till_exp = atoi (optarg);
454 check_cert = TRUE;
455#else
456 terminate (STATE_UNKNOWN,
457 "SSL support not available. Install OpenSSL and recompile.");
458#endif
459 break;
357 case '4': 460 case '4':
358 address_family = AF_INET; 461 address_family = AF_INET;
359 break; 462 break;
@@ -443,6 +546,13 @@ print_help (void)
443 -f, --from=STRING\n\ 546 -f, --from=STRING\n\
444 FROM-address to include in MAIL command, required by Exchange 2000\n"), 547 FROM-address to include in MAIL command, required by Exchange 2000\n"),
445 SMTP_EXPECT); 548 SMTP_EXPECT);
549#ifdef HAVE_SSL
550 printf (_("\
551 -D, --certificate=INTEGER\n\
552 Minimum number of days a certificate has to be valid.\n\
553 -S, --starttls\n\
554 Use STARTTLS for the connection.\n"));
555#endif
446 556
447 printf (_(UT_WARN_CRIT)); 557 printf (_(UT_WARN_CRIT));
448 558
@@ -466,5 +576,154 @@ print_usage (void)
466{ 576{
467 printf ("\ 577 printf ("\
468Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ 578Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\
469 [-w warn] [-c crit] [-t timeout] [-n] [-v] [-4|-6]\n", progname); 579 [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname);
580}
581
582#ifdef HAVE_SSL
583int
584connect_STARTTLS (void)
585{
586 SSL_METHOD *meth;
587
588 /* Initialize SSL context */
589 SSLeay_add_ssl_algorithms ();
590 meth = SSLv2_client_method ();
591 SSL_load_error_strings ();
592 if ((ctx = SSL_CTX_new (meth)) == NULL)
593 {
594 printf(_("ERROR: Cannot create SSL context.\n"));
595 return STATE_CRITICAL;
596 }
597 /* do the SSL handshake */
598 if ((ssl = SSL_new (ctx)) != NULL)
599 {
600 SSL_set_fd (ssl, sd);
601 /* original version checked for -1
602 I look for success instead (1) */
603 if (SSL_connect (ssl) == 1)
604 return OK;
605 ERR_print_errors_fp (stderr);
606 }
607 else
608 {
609 printf (_("ERROR: Cannot initiate SSL handshake.\n"));
610 }
611 /* this causes a seg faul
612 not sure why, being sloppy
613 and commenting it out */
614 // SSL_free (ssl);
615 SSL_CTX_free(ctx);
616 my_close();
617
618 return STATE_CRITICAL;
619}
620
621int
622check_certificate (X509 ** certificate)
623{
624 ASN1_STRING *tm;
625 int offset;
626 struct tm stamp;
627 int days_left;
628
629 /* Retrieve timestamp of certificate */
630 tm = X509_get_notAfter (*certificate);
631
632 /* Generate tm structure to process timestamp */
633 if (tm->type == V_ASN1_UTCTIME) {
634 if (tm->length < 10) {
635 printf (_("ERROR: Wrong time format in certificate.\n"));
636 return STATE_CRITICAL;
637 }
638 else {
639 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
640 if (stamp.tm_year < 50)
641 stamp.tm_year += 100;
642 offset = 0;
643 }
644 }
645 else {
646 if (tm->length < 12) {
647 printf (_("ERROR: Wrong time format in certificate.\n"));
648 return STATE_CRITICAL;
649 }
650 else {
651 stamp.tm_year =
652 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
653 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
654 stamp.tm_year -= 1900;
655 offset = 2;
656 }
657 }
658 stamp.tm_mon =
659 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
660 stamp.tm_mday =
661 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
662 stamp.tm_hour =
663 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
664 stamp.tm_min =
665 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
666 stamp.tm_sec = 0;
667 stamp.tm_isdst = -1;
668
669 days_left = (mktime (&stamp) - time (NULL)) / 86400;
670 snprintf
671 (timestamp, 16, "%02d/%02d/%04d %02d:%02d",
672 stamp.tm_mon + 1,
673 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
674
675 if (days_left > 0 && days_left <= days_till_exp) {
676 printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp);
677 return STATE_WARNING;
678 }
679 if (days_left < 0) {
680 printf ("Certificate expired on %s.\n", timestamp);
681 return STATE_CRITICAL;
682 }
683
684 if (days_left == 0) {
685 printf ("Certificate expires today (%s).\n", timestamp);
686 return STATE_WARNING;
687 }
688
689 printf ("Certificate will expire on %s.\n", timestamp);
690
691 return STATE_OK;
692}
693#endif
694
695int
696myrecv (void)
697{
698 int i;
699
700#ifdef HAVE_SSL
701 if (use_ssl) {
702 i = SSL_read (ssl, buffer, MAXBUF - 1);
703 }
704 else {
705#endif
706 i = read (sd, buffer, MAXBUF - 1);
707#ifdef HAVE_SSL
708 }
709#endif
710 return i;
711}
712
713int
714my_close (void)
715{
716#ifdef HAVE_SSL
717 if (use_ssl == TRUE) {
718 SSL_shutdown (ssl);
719 SSL_free (ssl);
720 SSL_CTX_free (ctx);
721 return 0;
722 }
723 else {
724#endif
725 return close(sd);
726#ifdef HAVE_SSL
727 }
728#endif
470} 729}