diff options
Diffstat (limited to 'plugins/check_smtp.c')
-rw-r--r-- | plugins/check_smtp.c | 285 |
1 files changed, 272 insertions, 13 deletions
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 55cf5da..6e5d972 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c | |||
@@ -27,17 +27,49 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; | |||
27 | #include "netutils.h" | 27 | #include "netutils.h" |
28 | #include "utils.h" | 28 | #include "utils.h" |
29 | 29 | ||
30 | #ifdef HAVE_SSL_H | ||
31 | # include <rsa.h> | ||
32 | # include <crypto.h> | ||
33 | # include <x509.h> | ||
34 | # include <pem.h> | ||
35 | # include <ssl.h> | ||
36 | # include <err.h> | ||
37 | #else | ||
38 | # ifdef HAVE_OPENSSL_SSL_H | ||
39 | # include <openssl/rsa.h> | ||
40 | # include <openssl/crypto.h> | ||
41 | # include <openssl/x509.h> | ||
42 | # include <openssl/pem.h> | ||
43 | # include <openssl/ssl.h> | ||
44 | # include <openssl/err.h> | ||
45 | # endif | ||
46 | #endif | ||
47 | |||
48 | #ifdef HAVE_SSL | ||
49 | |||
50 | int check_cert = FALSE; | ||
51 | int days_till_exp; | ||
52 | SSL_CTX *ctx; | ||
53 | SSL *ssl; | ||
54 | X509 *server_cert; | ||
55 | int connect_STARTTLS (void); | ||
56 | int check_certificate (X509 **); | ||
57 | #endif | ||
58 | |||
30 | enum { | 59 | enum { |
31 | SMTP_PORT = 25 | 60 | SMTP_PORT = 25 |
32 | }; | 61 | }; |
33 | const char *SMTP_EXPECT = "220"; | 62 | const char *SMTP_EXPECT = "220"; |
34 | const char *SMTP_HELO = "HELO "; | 63 | const char *SMTP_HELO = "HELO "; |
35 | const char *SMTP_QUIT = "QUIT\r\n"; | 64 | const char *SMTP_QUIT = "QUIT\r\n"; |
65 | const char *SMTP_STARTTLS = "STARTTLS\r\n"; | ||
36 | 66 | ||
37 | int process_arguments (int, char **); | 67 | int process_arguments (int, char **); |
38 | int validate_arguments (void); | 68 | int validate_arguments (void); |
39 | void print_help (void); | 69 | void print_help (void); |
40 | void print_usage (void); | 70 | void print_usage (void); |
71 | int myrecv(void); | ||
72 | int my_close(void); | ||
41 | 73 | ||
42 | #ifdef HAVE_REGEX_H | 74 | #ifdef HAVE_REGEX_H |
43 | #include <regex.h> | 75 | #include <regex.h> |
@@ -68,18 +100,23 @@ int check_warning_time = FALSE; | |||
68 | int critical_time = 0; | 100 | int critical_time = 0; |
69 | int check_critical_time = FALSE; | 101 | int check_critical_time = FALSE; |
70 | int verbose = 0; | 102 | int verbose = 0; |
71 | 103 | int use_ssl = FALSE; | |
72 | 104 | int sd; | |
105 | char buffer[MAX_INPUT_BUFFER]; | ||
106 | enum { | ||
107 | TCP_PROTOCOL = 1, | ||
108 | UDP_PROTOCOL = 2, | ||
109 | MAXBUF = 1024 | ||
110 | }; | ||
73 | 111 | ||
74 | int | 112 | int |
75 | main (int argc, char **argv) | 113 | main (int argc, char **argv) |
76 | { | 114 | { |
77 | int sd; | 115 | |
78 | int n = 0; | 116 | int n = 0; |
79 | double elapsed_time; | 117 | double elapsed_time; |
80 | long microsec; | 118 | long microsec; |
81 | int result = STATE_UNKNOWN; | 119 | int result = STATE_UNKNOWN; |
82 | char buffer[MAX_INPUT_BUFFER]; | ||
83 | char *cmd_str = NULL; | 120 | char *cmd_str = NULL; |
84 | char *helocmd = NULL; | 121 | char *helocmd = NULL; |
85 | struct timeval tv; | 122 | struct timeval tv; |
@@ -140,12 +177,45 @@ main (int argc, char **argv) | |||
140 | result = STATE_WARNING; | 177 | result = STATE_WARNING; |
141 | } | 178 | } |
142 | } | 179 | } |
143 | 180 | #ifdef HAVE_SSL | |
181 | if(use_ssl) { | ||
182 | /* send the STARTTLS command */ | ||
183 | send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0); | ||
184 | |||
185 | recv(sd,buffer, MAX_INPUT_BUFFER-1, 0); // wait for it | ||
186 | if (!strstr (buffer, server_expect)) { | ||
187 | printf (_("Server does not support STARTTLS\n")); | ||
188 | return STATE_UNKNOWN; | ||
189 | } | ||
190 | if(connect_STARTTLS() != OK) { | ||
191 | printf (_("ERROR: Cannot create SSL context.\n")); | ||
192 | return STATE_CRITICAL; | ||
193 | } | ||
194 | if ( check_cert ) { | ||
195 | if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { | ||
196 | result = check_certificate (&server_cert); | ||
197 | X509_free(server_cert); | ||
198 | } | ||
199 | else { | ||
200 | printf (_("ERROR: Cannot retrieve server certificate.\n")); | ||
201 | result = STATE_CRITICAL; | ||
202 | |||
203 | } | ||
204 | my_close(); | ||
205 | return result; | ||
206 | } | ||
207 | } | ||
208 | #endif | ||
144 | /* send the HELO command */ | 209 | /* send the HELO command */ |
210 | #ifdef HAVE_SSL | ||
211 | if (use_ssl) | ||
212 | SSL_write(ssl, helocmd, strlen(helocmd)); | ||
213 | else | ||
214 | #endif | ||
145 | send(sd, helocmd, strlen(helocmd), 0); | 215 | send(sd, helocmd, strlen(helocmd), 0); |
146 | 216 | ||
147 | /* allow for response to helo command to reach us */ | 217 | /* allow for response to helo command to reach us */ |
148 | recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); | 218 | myrecv(); |
149 | 219 | ||
150 | /* sendmail will syslog a "NOQUEUE" error if session does not attempt | 220 | /* sendmail will syslog a "NOQUEUE" error if session does not attempt |
151 | * to do something useful. This can be prevented by giving a command | 221 | * to do something useful. This can be prevented by giving a command |
@@ -158,16 +228,26 @@ main (int argc, char **argv) | |||
158 | * Use the -f option to provide a FROM address | 228 | * Use the -f option to provide a FROM address |
159 | */ | 229 | */ |
160 | if (smtp_use_dummycmd) { | 230 | if (smtp_use_dummycmd) { |
161 | send(sd, cmd_str, strlen(cmd_str), 0); | 231 | #ifdef HAVE_SSL |
162 | recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); | 232 | if (use_ssl) |
163 | if (verbose) | 233 | SSL_write(ssl, cmd_str, strlen(cmd_str)); |
164 | printf("%s", buffer); | 234 | else |
235 | #endif | ||
236 | send(sd, cmd_str, strlen(cmd_str), 0); | ||
237 | myrecv(); | ||
238 | if (verbose) | ||
239 | printf("%s", buffer); | ||
165 | } | 240 | } |
166 | 241 | ||
167 | while (n < ncommands) { | 242 | while (n < ncommands) { |
168 | asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); | 243 | asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); |
244 | #ifdef HAVE_SSL | ||
245 | if (use_ssl) | ||
246 | SSL_write(ssl,cmd_str, strlen(cmd_str)); | ||
247 | else | ||
248 | #endif | ||
169 | send(sd, cmd_str, strlen(cmd_str), 0); | 249 | send(sd, cmd_str, strlen(cmd_str), 0); |
170 | recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); | 250 | myrecv(); |
171 | if (verbose) | 251 | if (verbose) |
172 | printf("%s", buffer); | 252 | printf("%s", buffer); |
173 | strip (buffer); | 253 | strip (buffer); |
@@ -206,6 +286,11 @@ main (int argc, char **argv) | |||
206 | } | 286 | } |
207 | 287 | ||
208 | /* tell the server we're done */ | 288 | /* tell the server we're done */ |
289 | #ifdef HAVE_SSL | ||
290 | if (use_ssl) | ||
291 | SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT)); | ||
292 | else | ||
293 | #endif | ||
209 | send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); | 294 | send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); |
210 | 295 | ||
211 | /* finally close the connection */ | 296 | /* finally close the connection */ |
@@ -261,6 +346,8 @@ process_arguments (int argc, char **argv) | |||
261 | {"use-ipv4", no_argument, 0, '4'}, | 346 | {"use-ipv4", no_argument, 0, '4'}, |
262 | {"use-ipv6", no_argument, 0, '6'}, | 347 | {"use-ipv6", no_argument, 0, '6'}, |
263 | {"help", no_argument, 0, 'h'}, | 348 | {"help", no_argument, 0, 'h'}, |
349 | {"starttls",no_argument,0,'S'}, | ||
350 | {"certificate",required_argument,0,'D'}, | ||
264 | {0, 0, 0, 0} | 351 | {0, 0, 0, 0} |
265 | }; | 352 | }; |
266 | 353 | ||
@@ -277,7 +364,7 @@ process_arguments (int argc, char **argv) | |||
277 | } | 364 | } |
278 | 365 | ||
279 | while (1) { | 366 | while (1) { |
280 | c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:", | 367 | c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:SD:", |
281 | longopts, &option); | 368 | longopts, &option); |
282 | 369 | ||
283 | if (c == -1 || c == EOF) | 370 | if (c == -1 || c == EOF) |
@@ -354,6 +441,22 @@ process_arguments (int argc, char **argv) | |||
354 | usage4 (_("Timeout interval must be a positive integer")); | 441 | usage4 (_("Timeout interval must be a positive integer")); |
355 | } | 442 | } |
356 | break; | 443 | break; |
444 | case 'S': | ||
445 | /* starttls */ | ||
446 | use_ssl = TRUE; | ||
447 | break; | ||
448 | case 'D': | ||
449 | /* Check SSL cert validity */ | ||
450 | #ifdef HAVE_SSL | ||
451 | if (!is_intnonneg (optarg)) | ||
452 | usage2 ("Invalid certificate expiration period",optarg); | ||
453 | days_till_exp = atoi (optarg); | ||
454 | check_cert = TRUE; | ||
455 | #else | ||
456 | terminate (STATE_UNKNOWN, | ||
457 | "SSL support not available. Install OpenSSL and recompile."); | ||
458 | #endif | ||
459 | break; | ||
357 | case '4': | 460 | case '4': |
358 | address_family = AF_INET; | 461 | address_family = AF_INET; |
359 | break; | 462 | break; |
@@ -443,6 +546,13 @@ print_help (void) | |||
443 | -f, --from=STRING\n\ | 546 | -f, --from=STRING\n\ |
444 | FROM-address to include in MAIL command, required by Exchange 2000\n"), | 547 | FROM-address to include in MAIL command, required by Exchange 2000\n"), |
445 | SMTP_EXPECT); | 548 | SMTP_EXPECT); |
549 | #ifdef HAVE_SSL | ||
550 | printf (_("\ | ||
551 | -D, --certificate=INTEGER\n\ | ||
552 | Minimum number of days a certificate has to be valid.\n\ | ||
553 | -S, --starttls\n\ | ||
554 | Use STARTTLS for the connection.\n")); | ||
555 | #endif | ||
446 | 556 | ||
447 | printf (_(UT_WARN_CRIT)); | 557 | printf (_(UT_WARN_CRIT)); |
448 | 558 | ||
@@ -466,5 +576,154 @@ print_usage (void) | |||
466 | { | 576 | { |
467 | printf ("\ | 577 | printf ("\ |
468 | Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ | 578 | Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ |
469 | [-w warn] [-c crit] [-t timeout] [-n] [-v] [-4|-6]\n", progname); | 579 | [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname); |
580 | } | ||
581 | |||
582 | #ifdef HAVE_SSL | ||
583 | int | ||
584 | connect_STARTTLS (void) | ||
585 | { | ||
586 | SSL_METHOD *meth; | ||
587 | |||
588 | /* Initialize SSL context */ | ||
589 | SSLeay_add_ssl_algorithms (); | ||
590 | meth = SSLv2_client_method (); | ||
591 | SSL_load_error_strings (); | ||
592 | if ((ctx = SSL_CTX_new (meth)) == NULL) | ||
593 | { | ||
594 | printf(_("ERROR: Cannot create SSL context.\n")); | ||
595 | return STATE_CRITICAL; | ||
596 | } | ||
597 | /* do the SSL handshake */ | ||
598 | if ((ssl = SSL_new (ctx)) != NULL) | ||
599 | { | ||
600 | SSL_set_fd (ssl, sd); | ||
601 | /* original version checked for -1 | ||
602 | I look for success instead (1) */ | ||
603 | if (SSL_connect (ssl) == 1) | ||
604 | return OK; | ||
605 | ERR_print_errors_fp (stderr); | ||
606 | } | ||
607 | else | ||
608 | { | ||
609 | printf (_("ERROR: Cannot initiate SSL handshake.\n")); | ||
610 | } | ||
611 | /* this causes a seg faul | ||
612 | not sure why, being sloppy | ||
613 | and commenting it out */ | ||
614 | // SSL_free (ssl); | ||
615 | SSL_CTX_free(ctx); | ||
616 | my_close(); | ||
617 | |||
618 | return STATE_CRITICAL; | ||
619 | } | ||
620 | |||
621 | int | ||
622 | check_certificate (X509 ** certificate) | ||
623 | { | ||
624 | ASN1_STRING *tm; | ||
625 | int offset; | ||
626 | struct tm stamp; | ||
627 | int days_left; | ||
628 | |||
629 | /* Retrieve timestamp of certificate */ | ||
630 | tm = X509_get_notAfter (*certificate); | ||
631 | |||
632 | /* Generate tm structure to process timestamp */ | ||
633 | if (tm->type == V_ASN1_UTCTIME) { | ||
634 | if (tm->length < 10) { | ||
635 | printf (_("ERROR: Wrong time format in certificate.\n")); | ||
636 | return STATE_CRITICAL; | ||
637 | } | ||
638 | else { | ||
639 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
640 | if (stamp.tm_year < 50) | ||
641 | stamp.tm_year += 100; | ||
642 | offset = 0; | ||
643 | } | ||
644 | } | ||
645 | else { | ||
646 | if (tm->length < 12) { | ||
647 | printf (_("ERROR: Wrong time format in certificate.\n")); | ||
648 | return STATE_CRITICAL; | ||
649 | } | ||
650 | else { | ||
651 | stamp.tm_year = | ||
652 | (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
653 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
654 | stamp.tm_year -= 1900; | ||
655 | offset = 2; | ||
656 | } | ||
657 | } | ||
658 | stamp.tm_mon = | ||
659 | (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | ||
660 | stamp.tm_mday = | ||
661 | (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | ||
662 | stamp.tm_hour = | ||
663 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); | ||
664 | stamp.tm_min = | ||
665 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); | ||
666 | stamp.tm_sec = 0; | ||
667 | stamp.tm_isdst = -1; | ||
668 | |||
669 | days_left = (mktime (&stamp) - time (NULL)) / 86400; | ||
670 | snprintf | ||
671 | (timestamp, 16, "%02d/%02d/%04d %02d:%02d", | ||
672 | stamp.tm_mon + 1, | ||
673 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | ||
674 | |||
675 | if (days_left > 0 && days_left <= days_till_exp) { | ||
676 | printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp); | ||
677 | return STATE_WARNING; | ||
678 | } | ||
679 | if (days_left < 0) { | ||
680 | printf ("Certificate expired on %s.\n", timestamp); | ||
681 | return STATE_CRITICAL; | ||
682 | } | ||
683 | |||
684 | if (days_left == 0) { | ||
685 | printf ("Certificate expires today (%s).\n", timestamp); | ||
686 | return STATE_WARNING; | ||
687 | } | ||
688 | |||
689 | printf ("Certificate will expire on %s.\n", timestamp); | ||
690 | |||
691 | return STATE_OK; | ||
692 | } | ||
693 | #endif | ||
694 | |||
695 | int | ||
696 | myrecv (void) | ||
697 | { | ||
698 | int i; | ||
699 | |||
700 | #ifdef HAVE_SSL | ||
701 | if (use_ssl) { | ||
702 | i = SSL_read (ssl, buffer, MAXBUF - 1); | ||
703 | } | ||
704 | else { | ||
705 | #endif | ||
706 | i = read (sd, buffer, MAXBUF - 1); | ||
707 | #ifdef HAVE_SSL | ||
708 | } | ||
709 | #endif | ||
710 | return i; | ||
711 | } | ||
712 | |||
713 | int | ||
714 | my_close (void) | ||
715 | { | ||
716 | #ifdef HAVE_SSL | ||
717 | if (use_ssl == TRUE) { | ||
718 | SSL_shutdown (ssl); | ||
719 | SSL_free (ssl); | ||
720 | SSL_CTX_free (ctx); | ||
721 | return 0; | ||
722 | } | ||
723 | else { | ||
724 | #endif | ||
725 | return close(sd); | ||
726 | #ifdef HAVE_SSL | ||
727 | } | ||
728 | #endif | ||
470 | } | 729 | } |