Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r-- | plugins/sslutils.c | 173 |
1 files changed, 92 insertions, 81 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 2157764f..a1ce560d 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -36,92 +36,97 @@ static SSL_CTX *c=NULL; | |||
36 | static SSL *s=NULL; | 36 | static SSL *s=NULL; |
37 | static int initialized=0; | 37 | static int initialized=0; |
38 | 38 | ||
39 | int np_net_ssl_init (int sd) { | 39 | int np_net_ssl_init(int sd) { |
40 | return np_net_ssl_init_with_hostname(sd, NULL); | 40 | return np_net_ssl_init_with_hostname(sd, NULL); |
41 | } | 41 | } |
42 | 42 | ||
43 | int np_net_ssl_init_with_hostname (int sd, char *host_name) { | 43 | int np_net_ssl_init_with_hostname(int sd, char *host_name) { |
44 | return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); | 44 | return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); |
45 | } | 45 | } |
46 | 46 | ||
47 | int np_net_ssl_init_with_hostname_and_version (int sd, char *host_name, int version) { | 47 | int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { |
48 | const SSL_METHOD *method = NULL; | 48 | const SSL_METHOD *method = NULL; |
49 | 49 | ||
50 | switch (version) { | 50 | switch (version) { |
51 | case 0: /* Deafult to auto negotiation */ | 51 | case 0: /* Deafult to auto negotiation */ |
52 | method = SSLv23_client_method(); | 52 | method = SSLv23_client_method(); |
53 | break; | 53 | break; |
54 | case 1: /* TLSv1 protocol */ | 54 | case 1: /* TLSv1 protocol */ |
55 | method = TLSv1_client_method(); | 55 | method = TLSv1_client_method(); |
56 | break; | 56 | break; |
57 | case 2: /* SSLv2 protocol */ | 57 | case 2: /* SSLv2 protocol */ |
58 | method = SSLv2_client_method(); | 58 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) |
59 | break; | 59 | printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."))); |
60 | case 3: /* SSLv3 protocol */ | 60 | return STATE_CRITICAL; |
61 | method = SSLv3_client_method(); | 61 | #else |
62 | break; | 62 | method = SSLv2_client_method(); |
63 | default: /* Unsupported */ | 63 | #endif |
64 | printf ("%s\n", _("CRITICAL - Unsupported SSL Protocol Version.")); | 64 | break; |
65 | return STATE_CRITICAL; | 65 | case 3: /* SSLv3 protocol */ |
66 | } | 66 | method = SSLv3_client_method(); |
67 | if (!initialized) { | 67 | break; |
68 | /* Initialize SSL context */ | 68 | default: /* Unsupported */ |
69 | SSLeay_add_ssl_algorithms (); | 69 | printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); |
70 | SSL_load_error_strings (); | 70 | return STATE_CRITICAL; |
71 | OpenSSL_add_all_algorithms (); | 71 | } |
72 | initialized = 1; | 72 | if (!initialized) { |
73 | } | 73 | /* Initialize SSL context */ |
74 | if ((c = SSL_CTX_new (method)) == NULL) { | 74 | SSLeay_add_ssl_algorithms(); |
75 | printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); | 75 | SSL_load_error_strings(); |
76 | return STATE_CRITICAL; | 76 | OpenSSL_add_all_algorithms(); |
77 | } | 77 | initialized = 1; |
78 | } | ||
79 | if ((c = SSL_CTX_new(method)) == NULL) { | ||
80 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); | ||
81 | return STATE_CRITICAL; | ||
82 | } | ||
78 | #ifdef SSL_OP_NO_TICKET | 83 | #ifdef SSL_OP_NO_TICKET |
79 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); | 84 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); |
80 | #endif | 85 | #endif |
81 | if ((s = SSL_new (c)) != NULL){ | 86 | if ((s = SSL_new(c)) != NULL) { |
82 | #ifdef SSL_set_tlsext_host_name | 87 | #ifdef SSL_set_tlsext_host_name |
83 | if (host_name != NULL) | 88 | if (host_name != NULL) |
84 | SSL_set_tlsext_host_name(s, host_name); | 89 | SSL_set_tlsext_host_name(s, host_name); |
85 | #endif | 90 | #endif |
86 | SSL_set_fd (s, sd); | 91 | SSL_set_fd(s, sd); |
87 | if (SSL_connect(s) == 1){ | 92 | if (SSL_connect(s) == 1) { |
88 | return OK; | 93 | return OK; |
89 | } else { | 94 | } else { |
90 | printf ("%s\n", _("CRITICAL - Cannot make SSL connection ")); | 95 | printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); |
91 | # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ | 96 | # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ |
92 | ERR_print_errors_fp (stdout); | 97 | ERR_print_errors_fp(stdout); |
93 | # endif /* USE_OPENSSL */ | 98 | # endif /* USE_OPENSSL */ |
94 | } | ||
95 | } else { | ||
96 | printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); | ||
97 | } | 99 | } |
98 | return STATE_CRITICAL; | 100 | } else { |
101 | printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); | ||
102 | } | ||
103 | return STATE_CRITICAL; | ||
99 | } | 104 | } |
100 | 105 | ||
101 | void np_net_ssl_cleanup (){ | 106 | void np_net_ssl_cleanup() { |
102 | if(s){ | 107 | if (s) { |
103 | #ifdef SSL_set_tlsext_host_name | 108 | #ifdef SSL_set_tlsext_host_name |
104 | SSL_set_tlsext_host_name(s, NULL); | 109 | SSL_set_tlsext_host_name(s, NULL); |
105 | #endif | 110 | #endif |
106 | SSL_shutdown (s); | 111 | SSL_shutdown(s); |
107 | SSL_free (s); | 112 | SSL_free(s); |
108 | if(c) { | 113 | if (c) { |
109 | SSL_CTX_free (c); | 114 | SSL_CTX_free(c); |
110 | c=NULL; | 115 | c=NULL; |
111 | } | ||
112 | s=NULL; | ||
113 | } | 116 | } |
117 | s=NULL; | ||
118 | } | ||
114 | } | 119 | } |
115 | 120 | ||
116 | int np_net_ssl_write(const void *buf, int num){ | 121 | int np_net_ssl_write(const void *buf, int num) { |
117 | return SSL_write(s, buf, num); | 122 | return SSL_write(s, buf, num); |
118 | } | 123 | } |
119 | 124 | ||
120 | int np_net_ssl_read(void *buf, int num){ | 125 | int np_net_ssl_read(void *buf, int num) { |
121 | return SSL_read(s, buf, num); | 126 | return SSL_read(s, buf, num); |
122 | } | 127 | } |
123 | 128 | ||
124 | int np_net_ssl_check_cert(int days_till_exp){ | 129 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ |
125 | # ifdef USE_OPENSSL | 130 | # ifdef USE_OPENSSL |
126 | X509 *certificate=NULL; | 131 | X509 *certificate=NULL; |
127 | X509_NAME *subj=NULL; | 132 | X509_NAME *subj=NULL; |
@@ -137,29 +142,29 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
137 | char timestamp[17] = ""; | 142 | char timestamp[17] = ""; |
138 | 143 | ||
139 | certificate=SSL_get_peer_certificate(s); | 144 | certificate=SSL_get_peer_certificate(s); |
140 | if(! certificate){ | 145 | if (!certificate) { |
141 | printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); | 146 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); |
142 | return STATE_CRITICAL; | 147 | return STATE_CRITICAL; |
143 | } | 148 | } |
144 | 149 | ||
145 | /* Extract CN from certificate subject */ | 150 | /* Extract CN from certificate subject */ |
146 | subj=X509_get_subject_name(certificate); | 151 | subj=X509_get_subject_name(certificate); |
147 | 152 | ||
148 | if(! subj){ | 153 | if (!subj) { |
149 | printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); | 154 | printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); |
150 | return STATE_CRITICAL; | 155 | return STATE_CRITICAL; |
151 | } | 156 | } |
152 | cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn)); | 157 | cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); |
153 | if ( cnlen == -1 ) | 158 | if (cnlen == -1) |
154 | strcpy(cn , _("Unknown CN")); | 159 | strcpy(cn, _("Unknown CN")); |
155 | 160 | ||
156 | /* Retrieve timestamp of certificate */ | 161 | /* Retrieve timestamp of certificate */ |
157 | tm = X509_get_notAfter (certificate); | 162 | tm = X509_get_notAfter(certificate); |
158 | 163 | ||
159 | /* Generate tm structure to process timestamp */ | 164 | /* Generate tm structure to process timestamp */ |
160 | if (tm->type == V_ASN1_UTCTIME) { | 165 | if (tm->type == V_ASN1_UTCTIME) { |
161 | if (tm->length < 10) { | 166 | if (tm->length < 10) { |
162 | printf ("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 167 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
163 | return STATE_CRITICAL; | 168 | return STATE_CRITICAL; |
164 | } else { | 169 | } else { |
165 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | 170 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); |
@@ -169,7 +174,7 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
169 | } | 174 | } |
170 | } else { | 175 | } else { |
171 | if (tm->length < 12) { | 176 | if (tm->length < 12) { |
172 | printf ("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 177 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
173 | return STATE_CRITICAL; | 178 | return STATE_CRITICAL; |
174 | } else { | 179 | } else { |
175 | stamp.tm_year = | 180 | stamp.tm_year = |
@@ -197,23 +202,29 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
197 | stamp.tm_mon + 1, | 202 | stamp.tm_mon + 1, |
198 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | 203 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); |
199 | 204 | ||
200 | if (days_left > 0 && days_left <= days_till_exp) { | 205 | if (days_left > 0 && days_left <= days_till_exp_warn) { |
201 | printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); | 206 | printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); |
202 | status=STATE_WARNING; | 207 | if (days_left > days_till_exp_crit) |
208 | return STATE_WARNING; | ||
209 | else | ||
210 | return STATE_CRITICAL; | ||
203 | } else if (time_left < 0) { | 211 | } else if (time_left < 0) { |
204 | printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); | 212 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); |
205 | status=STATE_CRITICAL; | 213 | status=STATE_CRITICAL; |
206 | } else if (days_left == 0) { | 214 | } else if (days_left == 0) { |
207 | printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); | 215 | printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp); |
208 | status=STATE_WARNING; | 216 | if (days_left > days_till_exp_crit) |
217 | return STATE_WARNING; | ||
218 | else | ||
219 | return STATE_CRITICAL; | ||
209 | } else { | 220 | } else { |
210 | printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); | 221 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); |
211 | status=STATE_OK; | 222 | status=STATE_OK; |
212 | } | 223 | } |
213 | X509_free (certificate); | 224 | X509_free(certificate); |
214 | return status; | 225 | return status; |
215 | # else /* ifndef USE_OPENSSL */ | 226 | # else /* ifndef USE_OPENSSL */ |
216 | printf ("%s\n", _("WARNING - Plugin does not support checking certificates.")); | 227 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); |
217 | return STATE_WARNING; | 228 | return STATE_WARNING; |
218 | # endif /* USE_OPENSSL */ | 229 | # endif /* USE_OPENSSL */ |
219 | } | 230 | } |
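Review bot: In the first hunk, the new SSLv2 branch (new line 59) is written as `printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));` — the doubled parentheses make the argument list a single comma expression, so printf receives only the translated message and uses it as the format string while the `"%s\n"` is discarded. The line therefore prints without a trailing newline, and any translation of that message that contains a `%` would be parsed as a conversion specification with no matching argument (`-Wformat-security` flags exactly this pattern). It should read `printf("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."));`, matching the other error paths in the same switch. A smaller point in the last hunk: the new early `return STATE_WARNING;` / `return STATE_CRITICAL;` statements in np_net_ssl_check_cert (new lines 207-210 and 216-219) skip the `X509_free(certificate)` that the old fall-through-via-`status` code always reached, leaking the reference returned by SSL_get_peer_certificate.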