Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r-- | plugins/sslutils.c | 143 |
1 files changed, 87 insertions, 56 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 0bc61ed3..5425bb2c 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -36,66 +36,97 @@ static SSL_CTX *c=NULL; | |||
36 | static SSL *s=NULL; | 36 | static SSL *s=NULL; |
37 | static int initialized=0; | 37 | static int initialized=0; |
38 | 38 | ||
39 | int np_net_ssl_init (int sd) { | 39 | int np_net_ssl_init(int sd) { |
40 | return np_net_ssl_init_with_hostname(sd, NULL); | 40 | return np_net_ssl_init_with_hostname(sd, NULL); |
41 | } | 41 | } |
42 | 42 | ||
43 | int np_net_ssl_init_with_hostname (int sd, char *host_name) { | 43 | int np_net_ssl_init_with_hostname(int sd, char *host_name) { |
44 | if (!initialized) { | 44 | return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); |
45 | /* Initialize SSL context */ | 45 | } |
46 | SSLeay_add_ssl_algorithms (); | 46 | |
47 | SSL_load_error_strings (); | 47 | int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { |
48 | OpenSSL_add_all_algorithms (); | 48 | const SSL_METHOD *method = NULL; |
49 | initialized = 1; | 49 | |
50 | } | 50 | switch (version) { |
51 | if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) { | 51 | case 0: /* Deafult to auto negotiation */ |
52 | printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); | 52 | method = SSLv23_client_method(); |
53 | return STATE_CRITICAL; | 53 | break; |
54 | } | 54 | case 1: /* TLSv1 protocol */ |
55 | if ((s = SSL_new (c)) != NULL){ | 55 | method = TLSv1_client_method(); |
56 | break; | ||
57 | case 2: /* SSLv2 protocol */ | ||
58 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) | ||
59 | printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."))); | ||
60 | return STATE_CRITICAL; | ||
61 | #else | ||
62 | method = SSLv2_client_method(); | ||
63 | #endif | ||
64 | break; | ||
65 | case 3: /* SSLv3 protocol */ | ||
66 | method = SSLv3_client_method(); | ||
67 | break; | ||
68 | default: /* Unsupported */ | ||
69 | printf("%s\n", _("CRITICAL - Unsupported SSL protocol version.")); | ||
70 | return STATE_CRITICAL; | ||
71 | } | ||
72 | if (!initialized) { | ||
73 | /* Initialize SSL context */ | ||
74 | SSLeay_add_ssl_algorithms(); | ||
75 | SSL_load_error_strings(); | ||
76 | OpenSSL_add_all_algorithms(); | ||
77 | initialized = 1; | ||
78 | } | ||
79 | if ((c = SSL_CTX_new(method)) == NULL) { | ||
80 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); | ||
81 | return STATE_CRITICAL; | ||
82 | } | ||
83 | #ifdef SSL_OP_NO_TICKET | ||
84 | SSL_CTX_set_options(c, SSL_OP_NO_TICKET); | ||
85 | #endif | ||
86 | if ((s = SSL_new(c)) != NULL) { | ||
56 | #ifdef SSL_set_tlsext_host_name | 87 | #ifdef SSL_set_tlsext_host_name |
57 | if (host_name != NULL) | 88 | if (host_name != NULL) |
58 | SSL_set_tlsext_host_name(s, host_name); | 89 | SSL_set_tlsext_host_name(s, host_name); |
59 | #endif | 90 | #endif |
60 | SSL_set_fd (s, sd); | 91 | SSL_set_fd(s, sd); |
61 | if (SSL_connect(s) == 1){ | 92 | if (SSL_connect(s) == 1) { |
62 | return OK; | 93 | return OK; |
63 | } else { | 94 | } else { |
64 | printf ("%s\n", _("CRITICAL - Cannot make SSL connection ")); | 95 | printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); |
65 | # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ | 96 | # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ |
66 | ERR_print_errors_fp (stdout); | 97 | ERR_print_errors_fp(stdout); |
67 | # endif /* USE_OPENSSL */ | 98 | # endif /* USE_OPENSSL */ |
68 | } | ||
69 | } else { | ||
70 | printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); | ||
71 | } | 99 | } |
72 | return STATE_CRITICAL; | 100 | } else { |
101 | printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); | ||
102 | } | ||
103 | return STATE_CRITICAL; | ||
73 | } | 104 | } |
74 | 105 | ||
75 | void np_net_ssl_cleanup (){ | 106 | void np_net_ssl_cleanup() { |
76 | if(s){ | 107 | if (s) { |
77 | #ifdef SSL_set_tlsext_host_name | 108 | #ifdef SSL_set_tlsext_host_name |
78 | SSL_set_tlsext_host_name(s, NULL); | 109 | SSL_set_tlsext_host_name(s, NULL); |
79 | #endif | 110 | #endif |
80 | SSL_shutdown (s); | 111 | SSL_shutdown(s); |
81 | SSL_free (s); | 112 | SSL_free(s); |
82 | if(c) { | 113 | if (c) { |
83 | SSL_CTX_free (c); | 114 | SSL_CTX_free(c); |
84 | c=NULL; | 115 | c=NULL; |
85 | } | ||
86 | s=NULL; | ||
87 | } | 116 | } |
117 | s=NULL; | ||
118 | } | ||
88 | } | 119 | } |
89 | 120 | ||
90 | int np_net_ssl_write(const void *buf, int num){ | 121 | int np_net_ssl_write(const void *buf, int num) { |
91 | return SSL_write(s, buf, num); | 122 | return SSL_write(s, buf, num); |
92 | } | 123 | } |
93 | 124 | ||
94 | int np_net_ssl_read(void *buf, int num){ | 125 | int np_net_ssl_read(void *buf, int num) { |
95 | return SSL_read(s, buf, num); | 126 | return SSL_read(s, buf, num); |
96 | } | 127 | } |
97 | 128 | ||
98 | int np_net_ssl_check_cert(int days_till_exp){ | 129 | int np_net_ssl_check_cert(int days_till_exp) { |
99 | # ifdef USE_OPENSSL | 130 | # ifdef USE_OPENSSL |
100 | X509 *certificate=NULL; | 131 | X509 *certificate=NULL; |
101 | X509_NAME *subj=NULL; | 132 | X509_NAME *subj=NULL; |
@@ -111,29 +142,29 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
111 | char timestamp[17] = ""; | 142 | char timestamp[17] = ""; |
112 | 143 | ||
113 | certificate=SSL_get_peer_certificate(s); | 144 | certificate=SSL_get_peer_certificate(s); |
114 | if(! certificate){ | 145 | if (!certificate) { |
115 | printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); | 146 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); |
116 | return STATE_CRITICAL; | 147 | return STATE_CRITICAL; |
117 | } | 148 | } |
118 | 149 | ||
119 | /* Extract CN from certificate subject */ | 150 | /* Extract CN from certificate subject */ |
120 | subj=X509_get_subject_name(certificate); | 151 | subj=X509_get_subject_name(certificate); |
121 | 152 | ||
122 | if(! subj){ | 153 | if (!subj) { |
123 | printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); | 154 | printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); |
124 | return STATE_CRITICAL; | 155 | return STATE_CRITICAL; |
125 | } | 156 | } |
126 | cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn)); | 157 | cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); |
127 | if ( cnlen == -1 ) | 158 | if (cnlen == -1) |
128 | strcpy(cn , _("Unknown CN")); | 159 | strcpy(cn, _("Unknown CN")); |
129 | 160 | ||
130 | /* Retrieve timestamp of certificate */ | 161 | /* Retrieve timestamp of certificate */ |
131 | tm = X509_get_notAfter (certificate); | 162 | tm = X509_get_notAfter(certificate); |
132 | 163 | ||
133 | /* Generate tm structure to process timestamp */ | 164 | /* Generate tm structure to process timestamp */ |
134 | if (tm->type == V_ASN1_UTCTIME) { | 165 | if (tm->type == V_ASN1_UTCTIME) { |
135 | if (tm->length < 10) { | 166 | if (tm->length < 10) { |
136 | printf ("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 167 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
137 | return STATE_CRITICAL; | 168 | return STATE_CRITICAL; |
138 | } else { | 169 | } else { |
139 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | 170 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); |
@@ -143,7 +174,7 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
143 | } | 174 | } |
144 | } else { | 175 | } else { |
145 | if (tm->length < 12) { | 176 | if (tm->length < 12) { |
146 | printf ("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 177 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
147 | return STATE_CRITICAL; | 178 | return STATE_CRITICAL; |
148 | } else { | 179 | } else { |
149 | stamp.tm_year = | 180 | stamp.tm_year = |
@@ -172,22 +203,22 @@ int np_net_ssl_check_cert(int days_till_exp){ | |||
172 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | 203 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); |
173 | 204 | ||
174 | if (days_left > 0 && days_left <= days_till_exp) { | 205 | if (days_left > 0 && days_left <= days_till_exp) { |
175 | printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); | 206 | printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); |
176 | status=STATE_WARNING; | 207 | status=STATE_WARNING; |
177 | } else if (time_left < 0) { | 208 | } else if (time_left < 0) { |
178 | printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); | 209 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); |
179 | status=STATE_CRITICAL; | 210 | status=STATE_CRITICAL; |
180 | } else if (days_left == 0) { | 211 | } else if (days_left == 0) { |
181 | printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); | 212 | printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); |
182 | status=STATE_WARNING; | 213 | status=STATE_WARNING; |
183 | } else { | 214 | } else { |
184 | printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); | 215 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); |
185 | status=STATE_OK; | 216 | status=STATE_OK; |
186 | } | 217 | } |
187 | X509_free (certificate); | 218 | X509_free(certificate); |
188 | return status; | 219 | return status; |
189 | # else /* ifndef USE_OPENSSL */ | 220 | # else /* ifndef USE_OPENSSL */ |
190 | printf ("%s\n", _("WARNING - Plugin does not support checking certificates.")); | 221 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); |
191 | return STATE_WARNING; | 222 | return STATE_WARNING; |
192 | # endif /* USE_OPENSSL */ | 223 | # endif /* USE_OPENSSL */ |
193 | } | 224 | } |
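Review bot: The SSLv2 branch of the new version switch in np_net_ssl_init_with_hostname_and_version (new line 59) wraps the printf arguments in an extra pair of parentheses, so `("%s\n", _("..."))` is a comma expression and printf receives the translated message itself as its only argument — the format string is used as the format, the intended "%s\n" is dropped, and the line is printed without a newline. It should read `printf("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library."));`, matching the other error paths in the same switch. The SSLv3 case has no guard equivalent to the `OPENSSL_NO_SSL2` one, so a library built without SSLv3 support will presumably fail to compile or link there; the same `#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL3)` pattern with a matching message seems warranted. The meaning of the new `version` parameter is only discernible from the case comments; a header comment such as `/* version: 0 = auto-negotiate, 1 = TLSv1, 2 = SSLv2, 3 = SSLv3; anything else is rejected with STATE_CRITICAL */` above the function would help callers, and the comment on case 0 has a typo (`Deafult` → `Default`).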