diff options
-rw-r--r-- | plugins/sslutils.c | 160 |
1 files changed, 80 insertions, 80 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 12cd7341..5425bb2c 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -36,97 +36,97 @@ static SSL_CTX *c=NULL; | |||
36 | static SSL *s=NULL; | 36 | static SSL *s=NULL; |
37 | static int initialized=0; | 37 | static int initialized=0; |
38 | 38 | ||
39 | int np_net_ssl_init (int sd) { | 39 | int np_net_ssl_init(int sd) { |
40 | return np_net_ssl_init_with_hostname(sd, NULL); | 40 | return np_net_ssl_init_with_hostname(sd, NULL); |
41 | } | 41 | } |
42 | 42 | ||
43 | int np_net_ssl_init_with_hostname (int sd, char *host_name) { | 43 | int np_net_ssl_init_with_hostname(int sd, char *host_name) { |
44 | return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); | 44 | return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); |
45 | } | 45 | } |
46 | 46 | ||
47 | int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) { | 47 | int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { |
48 | const SSL_METHOD *method = NULL; | 48 | const SSL_METHOD *method = NULL; |
49 | 49 | ||
50 | switch (version) { | 50 | switch (version) { |
51 | case 0: /* Deafult to auto negotiation */ | 51 | case 0: /* Deafult to auto negotiation */ |
52 | method = SSLv23_client_method(); | 52 | method = SSLv23_client_method(); |
53 | break; | 53 | break; |
54 | case 1: /* TLSv1 protocol */ | 54 | case 1: /* TLSv1 protocol */ |
55 | method = TLSv1_client_method(); | 55 | method = TLSv1_client_method(); |
56 | break; | 56 | break; |
57 | case 2: /* SSLv2 protocol */ | 57 | case 2: /* SSLv2 protocol */ |
58 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) | 58 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) |
59 | printf (("%s\n", _("CRITICAL - SSL Protocol Version 2 is not supported by your SSL library."))); | 59 | printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."))); |
60 | return STATE_CRITICAL; | 60 | return STATE_CRITICAL; |
61 | #else | 61 | #else |
62 | method = SSLv2_client_method(); | 62 | method = SSLv2_client_method(); |
63 | #endif | 63 | #endif |
64 | break; | 64 | break; |
65 | case 3: /* SSLv3 protocol */ | 65 | case 3: /* SSLv3 protocol */ |
66 | method = SSLv3_client_method(); | 66 | method = SSLv3_client_method(); |
67 | break; | 67 | break; |
68 | default: /* Unsupported */ | 68 | default: /* Unsupported */ |
69 | printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version.")); | 69 | printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); |
70 | return STATE_CRITICAL; | 70 | return STATE_CRITICAL; |
71 | } | 71 | } |
72 | if (!initialized) { | 72 | if (!initialized) { |
73 | /* Initialize SSL context */ | 73 | /* Initialize SSL context */ |
74 | SSLeay_add_ssl_algorithms (); | 74 | SSLeay_add_ssl_algorithms(); |
75 | SSL_load_error_strings (); | 75 | SSL_load_error_strings(); |
76 | OpenSSL_add_all_algorithms (); | 76 | OpenSSL_add_all_algorithms(); |
77 | initialized = 1; | 77 | initialized = 1; |
78 | } | 78 | } |
79 | if ((c = SSL_CTX_new (method)) == NULL) { | 79 | if ((c = SSL_CTX_new(method)) == NULL) { |
80 | printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); | 80 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); |
81 | return STATE_CRITICAL; | 81 | return STATE_CRITICAL; |
82 | } | 82 | } |
83 | #ifdef SSL_OP_NO_TICKET | 83 | #ifdef SSL_OP_NO_TICKET |
84 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); | 84 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); |
85 | #endif | 85 | #endif |
86 | if ((s = SSL_new (c)) != NULL){ | 86 | if ((s = SSL_new(c)) != NULL) { |
87 | #ifdef SSL_set_tlsext_host_name | 87 | #ifdef SSL_set_tlsext_host_name |
88 | if (host_name != NULL) | 88 | if (host_name != NULL) |
89 | SSL_set_tlsext_host_name(s, host_name); | 89 | SSL_set_tlsext_host_name(s, host_name); |
90 | #endif | 90 | #endif |
91 | SSL_set_fd (s, sd); | 91 | SSL_set_fd(s, sd); |
92 | if (SSL_connect(s) == 1){ | 92 | if (SSL_connect(s) == 1) { |
93 | return OK; | 93 | return OK; |
94 | } else { | 94 | } else { |
95 | printf ("%s\n", _("CRITICAL - Cannot make SSL connection ")); | 95 | printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); |
96 | # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ | 96 | # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ |
97 | ERR_print_errors_fp (stdout); | 97 | ERR_print_errors_fp(stdout); |
98 | # endif /* USE_OPENSSL */ | 98 | # endif /* USE_OPENSSL */ |
99 | } | ||
100 | } else { | ||
101 | printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); | ||
102 | } | 99 | } |
103 | return STATE_CRITICAL; | 100 | } else { |
101 | printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); | ||
102 | } | ||
103 | return STATE_CRITICAL; | ||
104 | } | 104 | } |
105 | 105 | ||
106 | void np_net_ssl_cleanup (){ | 106 | void np_net_ssl_cleanup() { |
107 | if(s){ | 107 | if (s) { |
108 | #ifdef SSL_set_tlsext_host_name | 108 | #ifdef SSL_set_tlsext_host_name |
109 | SSL_set_tlsext_host_name(s, NULL); | 109 | SSL_set_tlsext_host_name(s, NULL); |
110 | #endif | 110 | #endif |
111 | SSL_shutdown (s); | 111 | SSL_shutdown(s); |
112 | SSL_free (s); | 112 | SSL_free(s); |
113 | if(c) { | 113 | if (c) { |
114 | SSL_CTX_free (c); | 114 | SSL_CTX_free(c); |
115 | c=NULL; | 115 | c=NULL; |
116 | } | ||
117 | s=NULL; | ||
118 | } | 116 | } |
117 | s=NULL; | ||
118 | } | ||
119 | } | 119 | } |
120 | 120 | ||
121 | int np_net_ssl_write(const void *buf, int num){ | 121 | int np_net_ssl_write(const void *buf, int num) { |
122 | return SSL_write(s, buf, num); | 122 | return SSL_write(s, buf, num); |
123 | } | 123 | } |
124 | 124 | ||
125 | int np_net_ssl_read(void *buf, int num){ | 125 | int np_net_ssl_read(void *buf, int num) { |
126 | return SSL_read(s, buf, num); | 126 | return SSL_read(s, buf, num); |
127 | } | 127 | } |
128 | 128 | ||
129 | int np_net_ssl_check_cert(int days_till_exp){ | 129 | int np_net_ssl_check_cert(int days_till_exp) { |
130 | # ifdef USE_OPENSSL | 130 | # ifdef USE_OPENSSL |
131 | X509 *certificate=NULL; | 131 | X509 *certificate=NULL; |
132 | X509_NAME *subj=NULL; | 132 | X509_NAME *subj=NULL; |
@@ -142,29 +142,29 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
142 | char timestamp[17] = ""; | 142 | char timestamp[17] = ""; |
143 | 143 | ||
144 | certificate=SSL_get_peer_certificate(s); | 144 | certificate=SSL_get_peer_certificate(s); |
145 | if(! certificate){ | 145 | if (!certificate) { |
146 | printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); | 146 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); |
147 | return STATE_CRITICAL; | 147 | return STATE_CRITICAL; |
148 | } | 148 | } |
149 | 149 | ||
150 | /* Extract CN from certificate subject */ | 150 | /* Extract CN from certificate subject */ |
151 | subj=X509_get_subject_name(certificate); | 151 | subj=X509_get_subject_name(certificate); |
152 | 152 | ||
153 | if(! subj){ | 153 | if (!subj) { |
154 | printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); | 154 | printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); |
155 | return STATE_CRITICAL; | 155 | return STATE_CRITICAL; |
156 | } | 156 | } |
157 | cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn)); | 157 | cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); |
158 | if ( cnlen == -1 ) | 158 | if (cnlen == -1) |
159 | strcpy(cn , _("Unknown CN")); | 159 | strcpy(cn, _("Unknown CN")); |
160 | 160 | ||
161 | /* Retrieve timestamp of certificate */ | 161 | /* Retrieve timestamp of certificate */ |
162 | tm = X509_get_notAfter (certificate); | 162 | tm = X509_get_notAfter(certificate); |
163 | 163 | ||
164 | /* Generate tm structure to process timestamp */ | 164 | /* Generate tm structure to process timestamp */ |
165 | if (tm->type == V_ASN1_UTCTIME) { | 165 | if (tm->type == V_ASN1_UTCTIME) { |
166 | if (tm->length < 10) { | 166 | if (tm->length < 10) { |
167 | printf ("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 167 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
168 | return STATE_CRITICAL; | 168 | return STATE_CRITICAL; |
169 | } else { | 169 | } else { |
170 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | 170 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); |
@@ -174,7 +174,7 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
174 | } | 174 | } |
175 | } else { | 175 | } else { |
176 | if (tm->length < 12) { | 176 | if (tm->length < 12) { |
177 | printf ("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 177 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
178 | return STATE_CRITICAL; | 178 | return STATE_CRITICAL; |
179 | } else { | 179 | } else { |
180 | stamp.tm_year = | 180 | stamp.tm_year = |
@@ -203,22 +203,22 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
203 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | 203 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); |
204 | 204 | ||
205 | if (days_left > 0 && days_left <= days_till_exp) { | 205 | if (days_left > 0 && days_left <= days_till_exp) { |
206 | printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); | 206 | printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); |
207 | status=STATE_WARNING; | 207 | status=STATE_WARNING; |
208 | } else if (time_left < 0) { | 208 | } else if (time_left < 0) { |
209 | printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); | 209 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); |
210 | status=STATE_CRITICAL; | 210 | status=STATE_CRITICAL; |
211 | } else if (days_left == 0) { | 211 | } else if (days_left == 0) { |
212 | printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); | 212 | printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); |
213 | status=STATE_WARNING; | 213 | status=STATE_WARNING; |
214 | } else { | 214 | } else { |
215 | printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); | 215 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); |
216 | status=STATE_OK; | 216 | status=STATE_OK; |
217 | } | 217 | } |
218 | X509_free (certificate); | 218 | X509_free(certificate); |
219 | return status; | 219 | return status; |
220 | # else /* ifndef USE_OPENSSL */ | 220 | # else /* ifndef USE_OPENSSL */ |
221 | printf ("%s\n", _("WARNING - Plugin does not support checking certificates.")); | 221 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); |
222 | return STATE_WARNING; | 222 | return STATE_WARNING; |
223 | # endif /* USE_OPENSSL */ | 223 | # endif /* USE_OPENSSL */ |
224 | } | 224 | } |