summaryrefslogtreecommitdiffstats
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c143
1 files changed, 87 insertions, 56 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 0bc61ed..5425bb2 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -36,66 +36,97 @@ static SSL_CTX *c=NULL;
36static SSL *s=NULL; 36static SSL *s=NULL;
37static int initialized=0; 37static int initialized=0;
38 38
39int np_net_ssl_init (int sd) { 39int np_net_ssl_init(int sd) {
40 return np_net_ssl_init_with_hostname(sd, NULL); 40 return np_net_ssl_init_with_hostname(sd, NULL);
41} 41}
42 42
43int np_net_ssl_init_with_hostname (int sd, char *host_name) { 43int np_net_ssl_init_with_hostname(int sd, char *host_name) {
44 if (!initialized) { 44 return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
45 /* Initialize SSL context */ 45}
46 SSLeay_add_ssl_algorithms (); 46
47 SSL_load_error_strings (); 47int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
48 OpenSSL_add_all_algorithms (); 48 const SSL_METHOD *method = NULL;
49 initialized = 1; 49
50 } 50 switch (version) {
51 if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) { 51 case 0: /* Deafult to auto negotiation */
52 printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); 52 method = SSLv23_client_method();
53 return STATE_CRITICAL; 53 break;
54 } 54 case 1: /* TLSv1 protocol */
55 if ((s = SSL_new (c)) != NULL){ 55 method = TLSv1_client_method();
56 break;
57 case 2: /* SSLv2 protocol */
58#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
59 printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
60 return STATE_CRITICAL;
61#else
62 method = SSLv2_client_method();
63#endif
64 break;
65 case 3: /* SSLv3 protocol */
66 method = SSLv3_client_method();
67 break;
68 default: /* Unsupported */
69 printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
70 return STATE_CRITICAL;
71 }
72 if (!initialized) {
73 /* Initialize SSL context */
74 SSLeay_add_ssl_algorithms();
75 SSL_load_error_strings();
76 OpenSSL_add_all_algorithms();
77 initialized = 1;
78 }
79 if ((c = SSL_CTX_new(method)) == NULL) {
80 printf("%s\n", _("CRITICAL - Cannot create SSL context."));
81 return STATE_CRITICAL;
82 }
83#ifdef SSL_OP_NO_TICKET
84 SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
85#endif
86 if ((s = SSL_new(c)) != NULL) {
56#ifdef SSL_set_tlsext_host_name 87#ifdef SSL_set_tlsext_host_name
57 if (host_name != NULL) 88 if (host_name != NULL)
58 SSL_set_tlsext_host_name(s, host_name); 89 SSL_set_tlsext_host_name(s, host_name);
59#endif 90#endif
60 SSL_set_fd (s, sd); 91 SSL_set_fd(s, sd);
61 if (SSL_connect(s) == 1){ 92 if (SSL_connect(s) == 1) {
62 return OK; 93 return OK;
63 } else { 94 } else {
64 printf ("%s\n", _("CRITICAL - Cannot make SSL connection ")); 95 printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
65# ifdef USE_OPENSSL /* XXX look into ERR_error_string */ 96# ifdef USE_OPENSSL /* XXX look into ERR_error_string */
66 ERR_print_errors_fp (stdout); 97 ERR_print_errors_fp(stdout);
67# endif /* USE_OPENSSL */ 98# endif /* USE_OPENSSL */
68 }
69 } else {
70 printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
71 } 99 }
72 return STATE_CRITICAL; 100 } else {
101 printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
102 }
103 return STATE_CRITICAL;
73} 104}
74 105
75void np_net_ssl_cleanup (){ 106void np_net_ssl_cleanup() {
76 if(s){ 107 if (s) {
77#ifdef SSL_set_tlsext_host_name 108#ifdef SSL_set_tlsext_host_name
78 SSL_set_tlsext_host_name(s, NULL); 109 SSL_set_tlsext_host_name(s, NULL);
79#endif 110#endif
80 SSL_shutdown (s); 111 SSL_shutdown(s);
81 SSL_free (s); 112 SSL_free(s);
82 if(c) { 113 if (c) {
83 SSL_CTX_free (c); 114 SSL_CTX_free(c);
84 c=NULL; 115 c=NULL;
85 }
86 s=NULL;
87 } 116 }
117 s=NULL;
118 }
88} 119}
89 120
90int np_net_ssl_write(const void *buf, int num){ 121int np_net_ssl_write(const void *buf, int num) {
91 return SSL_write(s, buf, num); 122 return SSL_write(s, buf, num);
92} 123}
93 124
94int np_net_ssl_read(void *buf, int num){ 125int np_net_ssl_read(void *buf, int num) {
95 return SSL_read(s, buf, num); 126 return SSL_read(s, buf, num);
96} 127}
97 128
98int np_net_ssl_check_cert(int days_till_exp){ 129int np_net_ssl_check_cert(int days_till_exp) {
99# ifdef USE_OPENSSL 130# ifdef USE_OPENSSL
100 X509 *certificate=NULL; 131 X509 *certificate=NULL;
101 X509_NAME *subj=NULL; 132 X509_NAME *subj=NULL;
@@ -111,29 +142,29 @@ int np_net_ssl_check_cert(int days_till_exp){
111 char timestamp[17] = ""; 142 char timestamp[17] = "";
112 143
113 certificate=SSL_get_peer_certificate(s); 144 certificate=SSL_get_peer_certificate(s);
114 if(! certificate){ 145 if (!certificate) {
115 printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); 146 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
116 return STATE_CRITICAL; 147 return STATE_CRITICAL;
117 } 148 }
118 149
119 /* Extract CN from certificate subject */ 150 /* Extract CN from certificate subject */
120 subj=X509_get_subject_name(certificate); 151 subj=X509_get_subject_name(certificate);
121 152
122 if(! subj){ 153 if (!subj) {
123 printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); 154 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
124 return STATE_CRITICAL; 155 return STATE_CRITICAL;
125 } 156 }
126 cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn)); 157 cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
127 if ( cnlen == -1 ) 158 if (cnlen == -1)
128 strcpy(cn , _("Unknown CN")); 159 strcpy(cn, _("Unknown CN"));
129 160
130 /* Retrieve timestamp of certificate */ 161 /* Retrieve timestamp of certificate */
131 tm = X509_get_notAfter (certificate); 162 tm = X509_get_notAfter(certificate);
132 163
133 /* Generate tm structure to process timestamp */ 164 /* Generate tm structure to process timestamp */
134 if (tm->type == V_ASN1_UTCTIME) { 165 if (tm->type == V_ASN1_UTCTIME) {
135 if (tm->length < 10) { 166 if (tm->length < 10) {
136 printf ("%s\n", _("CRITICAL - Wrong time format in certificate.")); 167 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
137 return STATE_CRITICAL; 168 return STATE_CRITICAL;
138 } else { 169 } else {
139 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); 170 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
@@ -143,7 +174,7 @@ int np_net_ssl_check_cert(int days_till_exp){
143 } 174 }
144 } else { 175 } else {
145 if (tm->length < 12) { 176 if (tm->length < 12) {
146 printf ("%s\n", _("CRITICAL - Wrong time format in certificate.")); 177 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
147 return STATE_CRITICAL; 178 return STATE_CRITICAL;
148 } else { 179 } else {
149 stamp.tm_year = 180 stamp.tm_year =
@@ -172,22 +203,22 @@ int np_net_ssl_check_cert(int days_till_exp){
172 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); 203 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
173 204
174 if (days_left > 0 && days_left <= days_till_exp) { 205 if (days_left > 0 && days_left <= days_till_exp) {
175 printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); 206 printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
176 status=STATE_WARNING; 207 status=STATE_WARNING;
177 } else if (time_left < 0) { 208 } else if (time_left < 0) {
178 printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); 209 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
179 status=STATE_CRITICAL; 210 status=STATE_CRITICAL;
180 } else if (days_left == 0) { 211 } else if (days_left == 0) {
181 printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); 212 printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
182 status=STATE_WARNING; 213 status=STATE_WARNING;
183 } else { 214 } else {
184 printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); 215 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
185 status=STATE_OK; 216 status=STATE_OK;
186 } 217 }
187 X509_free (certificate); 218 X509_free(certificate);
188 return status; 219 return status;
189# else /* ifndef USE_OPENSSL */ 220# else /* ifndef USE_OPENSSL */
190 printf ("%s\n", _("WARNING - Plugin does not support checking certificates.")); 221 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
191 return STATE_WARNING; 222 return STATE_WARNING;
192# endif /* USE_OPENSSL */ 223# endif /* USE_OPENSSL */
193} 224}