1 files changed, 107 insertions, 122 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 6bc0ba81..719de575 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,46 +1,43 @@
 /*****************************************************************************
-*
+ *
-* Monitoring Plugins SSL utilities
+ * Monitoring Plugins SSL utilities
-*
+ *
-* License: GPL
+ * License: GPL
-* Copyright (c) 2005-2010 Monitoring Plugins Development Team
+ * Copyright (c) 2005-2024 Monitoring Plugins Development Team
-*
+ *
-* Description:
+ * Description:
-*
+ *
-* This file contains common functions for plugins that require SSL.
+ * This file contains common functions for plugins that require SSL.
-*
+ *
-*
+ *
-* This program is free software: you can redistribute it and/or modify
+ * This program is free software: you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU General Public License as published by
-* the Free Software Foundation, either version 3 of the License, or
+ * the Free Software Foundation, either version 3 of the License, or
-* (at your option) any later version.
+ * (at your option) any later version.
-*
+ *
-* This program is distributed in the hope that it will be useful,
+ * This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-* GNU General Public License for more details.
+ * GNU General Public License for more details.
-*
+ *
-* You should have received a copy of the GNU General Public License
+ * You should have received a copy of the GNU General Public License
-* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*
+ *
-*
+ *
-*****************************************************************************/
+ *****************************************************************************/
 #define MAX_CN_LENGTH 256
 #include "common.h"
 #include "netutils.h"
+#include "../lib/monitoringplug.h"
 #ifdef HAVE_SSL
-static SSL_CTX *ctx=NULL;
+static SSL_CTX *ctx = NULL;
-static SSL *s=NULL;
+static SSL *s = NULL;
-int np_net_ssl_init(int sd) {
+int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
-        return np_net_ssl_init_with_hostname(sd, NULL);
-}
-int np_net_ssl_init_with_hostname(int sd, char *host_name) {
+int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); }
-        return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
-}
 int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
        return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
@@ -59,145 +56,141 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
                printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
                return STATE_UNKNOWN;
        case MP_SSLv3: /* SSLv3 protocol */
-#if defined(OPENSSL_NO_SSL3)
+#       if defined(OPENSSL_NO_SSL3)
                printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
                SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1: /* TLSv1 protocol */
-#if defined(OPENSSL_NO_TLS1)
+#       if defined(OPENSSL_NO_TLS1)
                printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
                SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_1: /* TLSv1.1 protocol */
-#if !defined(SSL_OP_NO_TLSv1_1)
+#       if !defined(SSL_OP_NO_TLSv1_1)
                printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
                SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_2: /* TLSv1.2 protocol */
-#if !defined(SSL_OP_NO_TLSv1_2)
+#       if !defined(SSL_OP_NO_TLSv1_2)
                printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
                SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_2_OR_NEWER:
-#if !defined(SSL_OP_NO_TLSv1_1)
+#       if !defined(SSL_OP_NO_TLSv1_1)
                printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_1_OR_NEWER:
-#if !defined(SSL_OP_NO_TLSv1)
+#       if !defined(SSL_OP_NO_TLSv1)
                printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_OR_NEWER:
-#if defined(SSL_OP_NO_SSLv3)
+#       if defined(SSL_OP_NO_SSLv3)
                SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
                break;
-#endif
+#       endif
        case MP_SSLv3_OR_NEWER:
-#if defined(SSL_OP_NO_SSLv2)
+#       if defined(SSL_OP_NO_SSLv2)
                SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
                break;
-#endif
+#       endif
        }
        if (cert && privkey) {
-#ifdef USE_OPENSSL
+#       ifdef USE_OPENSSL
                if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
-#elif  USE_GNUTLS
+#       elif USE_GNUTLS
                if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
-#else
+#       else
-#error Unported for unknown SSL library
+#               error Unported for unknown SSL library
-#endif
+#       endif
-                        printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
+                        printf("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
                        return STATE_CRITICAL;
                }
                SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
-#ifdef USE_OPENSSL
+#       ifdef USE_OPENSSL
                if (!SSL_CTX_check_private_key(ctx)) {
-                        printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
+                        printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
                        return STATE_CRITICAL;
                }
-#endif
+#       endif
        }
-#ifdef SSL_OP_NO_TICKET
+#       ifdef SSL_OP_NO_TICKET
        options |= SSL_OP_NO_TICKET;
-#endif
+#       endif
        SSL_CTX_set_options(ctx, options);
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
        if ((s = SSL_new(ctx)) != NULL) {
-#ifdef SSL_set_tlsext_host_name
+#       ifdef SSL_set_tlsext_host_name
                if (host_name != NULL)
                        SSL_set_tlsext_host_name(s, host_name);
-#endif
+#       endif
                SSL_set_fd(s, sd);
                if (SSL_connect(s) == 1) {
                        return OK;
                } else {
                        printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
-#  ifdef USE_OPENSSL /* XXX look into ERR_error_string */
+#       ifdef USE_OPENSSL /* XXX look into ERR_error_string */
                        ERR_print_errors_fp(stdout);
-#  endif /* USE_OPENSSL */
+#       endif /* USE_OPENSSL */
                }
        } else {
-                        printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
+                printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
        }
        return STATE_CRITICAL;
 }
 void np_net_ssl_cleanup() {
        if (s) {
-#ifdef SSL_set_tlsext_host_name
+#       ifdef SSL_set_tlsext_host_name
                SSL_set_tlsext_host_name(s, NULL);
-#endif
+#       endif
                SSL_shutdown(s);
                SSL_free(s);
                if (ctx) {
                        SSL_CTX_free(ctx);
-                        ctx=NULL;
+                        ctx = NULL;
                }
-                s=NULL;
+                s = NULL;
        }
 }
-int np_net_ssl_write(const void *buf, int num) {
+int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); }
-        return SSL_write(s, buf, num);
-}
-int np_net_ssl_read(void *buf, int num) {
+int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
-        return SSL_read(s, buf, num);
-}
-int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
+int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) {
-#  ifdef USE_OPENSSL
+#       ifdef USE_OPENSSL
-        X509_NAME *subj=NULL;
+        X509_NAME *subj = NULL;
        char timestamp[50] = "";
-        char cn[MAX_CN_LENGTH]= "";
+        char cn[MAX_CN_LENGTH] = "";
        char *tz;
-        int cnlen =-1;
+        int cnlen = -1;
-        int status=STATE_UNKNOWN;
+        int status = STATE_UNKNOWN;
        ASN1_STRING *tm;
        int offset;
@@ -208,15 +201,15 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
        time_t tm_t;
        if (!certificate) {
-                printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
+                printf("%s\n", _("CRITICAL - Cannot retrieve server certificate."));
                return STATE_CRITICAL;
        }
        /* Extract CN from certificate subject */
-        subj=X509_get_subject_name(certificate);
+        subj = X509_get_subject_name(certificate);
        if (!subj) {
-                printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
+                printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
                return STATE_CRITICAL;
        }
        cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
@@ -242,23 +235,16 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
                } else {
-                        stamp.tm_year =
+                        stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
-                                (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
-                                (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
                        stamp.tm_year -= 1900;
                        offset = 2;
                }
        }
-        stamp.tm_mon =
+        stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
-                (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
+        stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
-        stamp.tm_mday =
+        stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
-                (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
+        stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
-        stamp.tm_hour =
+        stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
-                (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
-        stamp.tm_min =
-                (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
-        stamp.tm_sec =
-                (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
        stamp.tm_isdst = -1;
        tm_t = timegm(&stamp);
@@ -275,30 +261,30 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
        tzset();
        if (days_left > 0 && days_left <= days_till_exp_warn) {
-                printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
+                printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
+                           days_left, timestamp);
                if (days_left > days_till_exp_crit)
                        status = STATE_WARNING;
                else
                        status = STATE_CRITICAL;
        } else if (days_left == 0 && time_left > 0) {
                if (time_left >= 3600)
-                        time_remaining = (int) time_left / 3600;
+                        time_remaining = (int)time_left / 3600;
                else
-                        time_remaining = (int) time_left / 60;
+                        time_remaining = (int)time_left / 60;
-                printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
+                printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
-                        (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
+                           time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
-                        time_left >= 3600 ? "hours" : "minutes", timestamp);
-                if ( days_left > days_till_exp_crit)
+                if (days_left > days_till_exp_crit)
                        status = STATE_WARNING;
                else
                        status = STATE_CRITICAL;
        } else if (time_left < 0) {
                printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
-                status=STATE_CRITICAL;
+                status = STATE_CRITICAL;
        } else if (days_left == 0) {
-                printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
+                printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
                if (days_left > days_till_exp_crit)
                        status = STATE_WARNING;
                else
@@ -309,22 +295,21 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
        }
        X509_free(certificate);
        return status;
-#  else /* ifndef USE_OPENSSL */
+#       else  /* ifndef USE_OPENSSL */
        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
        return STATE_WARNING;
-#  endif /* USE_OPENSSL */
+#       endif /* USE_OPENSSL */
 }
-int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
-#  ifdef USE_OPENSSL
+#       ifdef USE_OPENSSL
        X509 *certificate = NULL;
-        certificate=SSL_get_peer_certificate(s);
+        certificate = SSL_get_peer_certificate(s);
-        return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
+        return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
-#  else /* ifndef USE_OPENSSL */
+#       else  /* ifndef USE_OPENSSL */
        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
        return STATE_WARNING;
-#  endif /* USE_OPENSSL */
+#       endif /* USE_OPENSSL */
 }
 #endif /* HAVE_SSL */

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 6bc0ba81..719de575 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -1,46 +1,43 @@
1	/*****************************************************************************	1	/*****************************************************************************
2	*	2	*
3	* Monitoring Plugins SSL utilities	3	* Monitoring Plugins SSL utilities
4	*	4	*
5	* License: GPL	5	* License: GPL
6	* Copyright (c) 2005-2010 Monitoring Plugins Development Team	6	* Copyright (c) 2005-2024 Monitoring Plugins Development Team
7	*	7	*
8	* Description:	8	* Description:
9	*	9	*
10	* This file contains common functions for plugins that require SSL.	10	* This file contains common functions for plugins that require SSL.
11	*	11	*
12	*	12	*
13	* This program is free software: you can redistribute it and/or modify	13	* This program is free software: you can redistribute it and/or modify
14	* it under the terms of the GNU General Public License as published by	14	* it under the terms of the GNU General Public License as published by
15	* the Free Software Foundation, either version 3 of the License, or	15	* the Free Software Foundation, either version 3 of the License, or
16	* (at your option) any later version.	16	* (at your option) any later version.
17	*	17	*
18	* This program is distributed in the hope that it will be useful,	18	* This program is distributed in the hope that it will be useful,
19	* but WITHOUT ANY WARRANTY; without even the implied warranty of	19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21	* GNU General Public License for more details.	21	* GNU General Public License for more details.
22	*	22	*
23	* You should have received a copy of the GNU General Public License	23	* You should have received a copy of the GNU General Public License
24	* along with this program. If not, see <http://www.gnu.org/licenses/>.	24	* along with this program. If not, see <http://www.gnu.org/licenses/>.
25	*	25	*
26	*	26	*
27	*****************************************************************************/	27	*****************************************************************************/
28		28
29	#define MAX_CN_LENGTH 256	29	#define MAX_CN_LENGTH 256
30	#include "common.h"	30	#include "common.h"
31	#include "netutils.h"	31	#include "netutils.h"
		32	#include "../lib/monitoringplug.h"
32		33
33	#ifdef HAVE_SSL	34	#ifdef HAVE_SSL
34	static SSL_CTX *ctx=NULL;	35	static SSL_CTX *ctx = NULL;
35	static SSL *s=NULL;	36	static SSL *s = NULL;
36		37
37	int np_net_ssl_init(int sd) {	38	int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
38	return np_net_ssl_init_with_hostname(sd, NULL);
39	}
40		39
41	int np_net_ssl_init_with_hostname(int sd, char *host_name) {	40	int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); }
42	return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
43	}
44		41
45	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {	42	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
46	return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);	43	return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
@@ -59,145 +56,141 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
59	printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));	56	printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
60	return STATE_UNKNOWN;	57	return STATE_UNKNOWN;
61	case MP_SSLv3: /* SSLv3 protocol */	58	case MP_SSLv3: /* SSLv3 protocol */
62	#if defined(OPENSSL_NO_SSL3)	59	# if defined(OPENSSL_NO_SSL3)
63	printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));	60	printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
64	return STATE_UNKNOWN;	61	return STATE_UNKNOWN;
65	#else	62	# else
66	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);	63	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
67	SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);	64	SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
68	break;	65	break;
69	#endif	66	# endif
70	case MP_TLSv1: /* TLSv1 protocol */	67	case MP_TLSv1: /* TLSv1 protocol */
71	#if defined(OPENSSL_NO_TLS1)	68	# if defined(OPENSSL_NO_TLS1)
72	printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));	69	printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
73	return STATE_UNKNOWN;	70	return STATE_UNKNOWN;
74	#else	71	# else
75	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);	72	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
76	SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);	73	SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
77	break;	74	break;
78	#endif	75	# endif
79	case MP_TLSv1_1: /* TLSv1.1 protocol */	76	case MP_TLSv1_1: /* TLSv1.1 protocol */
80	#if !defined(SSL_OP_NO_TLSv1_1)	77	# if !defined(SSL_OP_NO_TLSv1_1)
81	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));	78	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82	return STATE_UNKNOWN;	79	return STATE_UNKNOWN;
83	#else	80	# else
84	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);	81	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
85	SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);	82	SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
86	break;	83	break;
87	#endif	84	# endif
88	case MP_TLSv1_2: /* TLSv1.2 protocol */	85	case MP_TLSv1_2: /* TLSv1.2 protocol */
89	#if !defined(SSL_OP_NO_TLSv1_2)	86	# if !defined(SSL_OP_NO_TLSv1_2)
90	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));	87	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
91	return STATE_UNKNOWN;	88	return STATE_UNKNOWN;
92	#else	89	# else
93	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);	90	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
94	SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);	91	SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
95	break;	92	break;
96	#endif	93	# endif
97	case MP_TLSv1_2_OR_NEWER:	94	case MP_TLSv1_2_OR_NEWER:
98	#if !defined(SSL_OP_NO_TLSv1_1)	95	# if !defined(SSL_OP_NO_TLSv1_1)
99	printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));	96	printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
100	return STATE_UNKNOWN;	97	return STATE_UNKNOWN;
101	#else	98	# else
102	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);	99	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
103	break;	100	break;
104	#endif	101	# endif
105	case MP_TLSv1_1_OR_NEWER:	102	case MP_TLSv1_1_OR_NEWER:
106	#if !defined(SSL_OP_NO_TLSv1)	103	# if !defined(SSL_OP_NO_TLSv1)
107	printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));	104	printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
108	return STATE_UNKNOWN;	105	return STATE_UNKNOWN;
109	#else	106	# else
110	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);	107	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
111	break;	108	break;
112	#endif	109	# endif
113	case MP_TLSv1_OR_NEWER:	110	case MP_TLSv1_OR_NEWER:
114	#if defined(SSL_OP_NO_SSLv3)	111	# if defined(SSL_OP_NO_SSLv3)
115	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);	112	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
116	break;	113	break;
117	#endif	114	# endif
118	case MP_SSLv3_OR_NEWER:	115	case MP_SSLv3_OR_NEWER:
119	#if defined(SSL_OP_NO_SSLv2)	116	# if defined(SSL_OP_NO_SSLv2)
120	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);	117	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
121	break;	118	break;
122	#endif	119	# endif
123	}	120	}
124		121
125	if (cert && privkey) {	122	if (cert && privkey) {
126	#ifdef USE_OPENSSL	123	# ifdef USE_OPENSSL
127	if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {	124	if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
128	#elif USE_GNUTLS	125	# elif USE_GNUTLS
129	if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {	126	if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
130	#else	127	# else
131	#error Unported for unknown SSL library	128	# error Unported for unknown SSL library
132	#endif	129	# endif
133	printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));	130	printf("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
134	return STATE_CRITICAL;	131	return STATE_CRITICAL;
135	}	132	}
136	SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);	133	SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
137	#ifdef USE_OPENSSL	134	# ifdef USE_OPENSSL
138	if (!SSL_CTX_check_private_key(ctx)) {	135	if (!SSL_CTX_check_private_key(ctx)) {
139	printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));	136	printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
140	return STATE_CRITICAL;	137	return STATE_CRITICAL;
141	}	138	}
142	#endif	139	# endif
143	}	140	}
144	#ifdef SSL_OP_NO_TICKET	141	# ifdef SSL_OP_NO_TICKET
145	options \|= SSL_OP_NO_TICKET;	142	options \|= SSL_OP_NO_TICKET;
146	#endif	143	# endif
147	SSL_CTX_set_options(ctx, options);	144	SSL_CTX_set_options(ctx, options);
148	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);	145	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
149	if ((s = SSL_new(ctx)) != NULL) {	146	if ((s = SSL_new(ctx)) != NULL) {
150	#ifdef SSL_set_tlsext_host_name	147	# ifdef SSL_set_tlsext_host_name
151	if (host_name != NULL)	148	if (host_name != NULL)
152	SSL_set_tlsext_host_name(s, host_name);	149	SSL_set_tlsext_host_name(s, host_name);
153	#endif	150	# endif
154	SSL_set_fd(s, sd);	151	SSL_set_fd(s, sd);
155	if (SSL_connect(s) == 1) {	152	if (SSL_connect(s) == 1) {
156	return OK;	153	return OK;
157	} else {	154	} else {
158	printf("%s\n", _("CRITICAL - Cannot make SSL connection."));	155	printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
159	# ifdef USE_OPENSSL /* XXX look into ERR_error_string */	156	# ifdef USE_OPENSSL /* XXX look into ERR_error_string */
160	ERR_print_errors_fp(stdout);	157	ERR_print_errors_fp(stdout);
161	# endif /* USE_OPENSSL */	158	# endif /* USE_OPENSSL */
162	}	159	}
163	} else {	160	} else {
164	printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));	161	printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
165	}	162	}
166	return STATE_CRITICAL;	163	return STATE_CRITICAL;
167	}	164	}
168		165
169	void np_net_ssl_cleanup() {	166	void np_net_ssl_cleanup() {
170	if (s) {	167	if (s) {
171	#ifdef SSL_set_tlsext_host_name	168	# ifdef SSL_set_tlsext_host_name
172	SSL_set_tlsext_host_name(s, NULL);	169	SSL_set_tlsext_host_name(s, NULL);
173	#endif	170	# endif
174	SSL_shutdown(s);	171	SSL_shutdown(s);
175	SSL_free(s);	172	SSL_free(s);
176	if (ctx) {	173	if (ctx) {
177	SSL_CTX_free(ctx);	174	SSL_CTX_free(ctx);
178	ctx=NULL;	175	ctx = NULL;
179	}	176	}
180	s=NULL;	177	s = NULL;
181	}	178	}
182	}	179	}
183		180
184	int np_net_ssl_write(const void *buf, int num) {	181	int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); }
185	return SSL_write(s, buf, num);
186	}
187		182
188	int np_net_ssl_read(void *buf, int num) {	183	int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
189	return SSL_read(s, buf, num);
190	}
191		184
192	int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){	185	int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) {
193	# ifdef USE_OPENSSL	186	# ifdef USE_OPENSSL
194	X509_NAME *subj=NULL;	187	X509_NAME *subj = NULL;
195	char timestamp[50] = "";	188	char timestamp[50] = "";
196	char cn[MAX_CN_LENGTH]= "";	189	char cn[MAX_CN_LENGTH] = "";
197	char *tz;	190	char *tz;
198		191
199	int cnlen =-1;	192	int cnlen = -1;
200	int status=STATE_UNKNOWN;	193	int status = STATE_UNKNOWN;
201		194
202	ASN1_STRING *tm;	195	ASN1_STRING *tm;
203	int offset;	196	int offset;
@@ -208,15 +201,15 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
208	time_t tm_t;	201	time_t tm_t;
209		202
210	if (!certificate) {	203	if (!certificate) {
211	printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));	204	printf("%s\n", _("CRITICAL - Cannot retrieve server certificate."));
212	return STATE_CRITICAL;	205	return STATE_CRITICAL;
213	}	206	}
214		207
215	/* Extract CN from certificate subject */	208	/* Extract CN from certificate subject */
216	subj=X509_get_subject_name(certificate);	209	subj = X509_get_subject_name(certificate);
217		210
218	if (!subj) {	211	if (!subj) {
219	printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));	212	printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
220	return STATE_CRITICAL;	213	return STATE_CRITICAL;
221	}	214	}
222	cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));	215	cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
@@ -242,23 +235,16 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
242	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));	235	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
243	return STATE_CRITICAL;	236	return STATE_CRITICAL;
244	} else {	237	} else {
245	stamp.tm_year =	238	stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
246	(tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
247	(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
248	stamp.tm_year -= 1900;	239	stamp.tm_year -= 1900;
249	offset = 2;	240	offset = 2;
250	}	241	}
251	}	242	}
252	stamp.tm_mon =	243	stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
253	(tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;	244	stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
254	stamp.tm_mday =	245	stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
255	(tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');	246	stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
256	stamp.tm_hour =	247	stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
257	(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
258	stamp.tm_min =
259	(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
260	stamp.tm_sec =
261	(tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
262	stamp.tm_isdst = -1;	248	stamp.tm_isdst = -1;
263		249
264	tm_t = timegm(&stamp);	250	tm_t = timegm(&stamp);
@@ -275,30 +261,30 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
275	tzset();	261	tzset();
276		262
277	if (days_left > 0 && days_left <= days_till_exp_warn) {	263	if (days_left > 0 && days_left <= days_till_exp_warn) {
278	printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);	264	printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
		265	days_left, timestamp);
279	if (days_left > days_till_exp_crit)	266	if (days_left > days_till_exp_crit)
280	status = STATE_WARNING;	267	status = STATE_WARNING;
281	else	268	else
282	status = STATE_CRITICAL;	269	status = STATE_CRITICAL;
283	} else if (days_left == 0 && time_left > 0) {	270	} else if (days_left == 0 && time_left > 0) {
284	if (time_left >= 3600)	271	if (time_left >= 3600)
285	time_remaining = (int) time_left / 3600;	272	time_remaining = (int)time_left / 3600;
286	else	273	else
287	time_remaining = (int) time_left / 60;	274	time_remaining = (int)time_left / 60;
288		275
289	printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),	276	printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
290	(days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,	277	time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
291	time_left >= 3600 ? "hours" : "minutes", timestamp);
292		278
293	if ( days_left > days_till_exp_crit)	279	if (days_left > days_till_exp_crit)
294	status = STATE_WARNING;	280	status = STATE_WARNING;
295	else	281	else
296	status = STATE_CRITICAL;	282	status = STATE_CRITICAL;
297	} else if (time_left < 0) {	283	} else if (time_left < 0) {
298	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);	284	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
299	status=STATE_CRITICAL;	285	status = STATE_CRITICAL;
300	} else if (days_left == 0) {	286	} else if (days_left == 0) {
301	printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);	287	printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
302	if (days_left > days_till_exp_crit)	288	if (days_left > days_till_exp_crit)
303	status = STATE_WARNING;	289	status = STATE_WARNING;
304	else	290	else
@@ -309,22 +295,21 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
309	}	295	}
310	X509_free(certificate);	296	X509_free(certificate);
311	return status;	297	return status;
312	# else /* ifndef USE_OPENSSL */	298	# else /* ifndef USE_OPENSSL */
313	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));	299	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
314	return STATE_WARNING;	300	return STATE_WARNING;
315	# endif /* USE_OPENSSL */	301	# endif /* USE_OPENSSL */
316	}	302	}
317		303
318	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){	304	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
319	# ifdef USE_OPENSSL	305	# ifdef USE_OPENSSL
320	X509 *certificate = NULL;	306	X509 *certificate = NULL;
321	certificate=SSL_get_peer_certificate(s);	307	certificate = SSL_get_peer_certificate(s);
322	return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));	308	return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
323	# else /* ifndef USE_OPENSSL */	309	# else /* ifndef USE_OPENSSL */
324	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));	310	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
325	return STATE_WARNING;	311	return STATE_WARNING;
326	# endif /* USE_OPENSSL */	312	# endif /* USE_OPENSSL */
327	}	313	}
328		314
329
330	#endif /* HAVE_SSL */	315	#endif /* HAVE_SSL */