summaryrefslogtreecommitdiffstats
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c576
1 files changed, 418 insertions, 158 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 6bc0ba81..c58a35ab 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,42 +1,43 @@
1/***************************************************************************** 1/*****************************************************************************
2* 2 *
3* Monitoring Plugins SSL utilities 3 * Monitoring Plugins SSL utilities
4* 4 *
5* License: GPL 5 * License: GPL
6* Copyright (c) 2005-2010 Monitoring Plugins Development Team 6 * Copyright (c) 2005-2024 Monitoring Plugins Development Team
7* 7 *
8* Description: 8 * Description:
9* 9 *
10* This file contains common functions for plugins that require SSL. 10 * This file contains common functions for plugins that require SSL.
11* 11 *
12* 12 *
13* This program is free software: you can redistribute it and/or modify 13 * This program is free software: you can redistribute it and/or modify
14* it under the terms of the GNU General Public License as published by 14 * it under the terms of the GNU General Public License as published by
15* the Free Software Foundation, either version 3 of the License, or 15 * the Free Software Foundation, either version 3 of the License, or
16* (at your option) any later version. 16 * (at your option) any later version.
17* 17 *
18* This program is distributed in the hope that it will be useful, 18 * This program is distributed in the hope that it will be useful,
19* but WITHOUT ANY WARRANTY; without even the implied warranty of 19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21* GNU General Public License for more details. 21 * GNU General Public License for more details.
22* 22 *
23* You should have received a copy of the GNU General Public License 23 * You should have received a copy of the GNU General Public License
24* along with this program. If not, see <http://www.gnu.org/licenses/>. 24 * along with this program. If not, see <http://www.gnu.org/licenses/>.
25* 25 *
26* 26 *
27*****************************************************************************/ 27 *****************************************************************************/
28 28
29#include "output.h"
29#define MAX_CN_LENGTH 256 30#define MAX_CN_LENGTH 256
30#include "common.h" 31#include "common.h"
31#include "netutils.h" 32#include "netutils.h"
33#include "../lib/monitoringplug.h"
34#include "states.h"
32 35
33#ifdef HAVE_SSL 36#ifdef HAVE_SSL
34static SSL_CTX *ctx=NULL; 37static SSL_CTX *ctx = NULL;
35static SSL *s=NULL; 38static SSL *s = NULL;
36 39
37int np_net_ssl_init(int sd) { 40int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
38 return np_net_ssl_init_with_hostname(sd, NULL);
39}
40 41
41int np_net_ssl_init_with_hostname(int sd, char *host_name) { 42int np_net_ssl_init_with_hostname(int sd, char *host_name) {
42 return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); 43 return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
@@ -46,7 +47,8 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
46 return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL); 47 return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
47} 48}
48 49
49int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { 50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert,
51 char *privkey) {
50 long options = 0; 52 long options = 0;
51 53
52 if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { 54 if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
@@ -59,272 +61,530 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
59 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); 61 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
60 return STATE_UNKNOWN; 62 return STATE_UNKNOWN;
61 case MP_SSLv3: /* SSLv3 protocol */ 63 case MP_SSLv3: /* SSLv3 protocol */
62#if defined(OPENSSL_NO_SSL3) 64# if defined(OPENSSL_NO_SSL3)
63 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); 65 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
64 return STATE_UNKNOWN; 66 return STATE_UNKNOWN;
65#else 67# else
66 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); 68 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
67 SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); 69 SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
68 break; 70 break;
69#endif 71# endif
70 case MP_TLSv1: /* TLSv1 protocol */ 72 case MP_TLSv1: /* TLSv1 protocol */
71#if defined(OPENSSL_NO_TLS1) 73# if defined(OPENSSL_NO_TLS1)
72 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); 74 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
73 return STATE_UNKNOWN; 75 return STATE_UNKNOWN;
74#else 76# else
75 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); 77 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
76 SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); 78 SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
77 break; 79 break;
78#endif 80# endif
79 case MP_TLSv1_1: /* TLSv1.1 protocol */ 81 case MP_TLSv1_1: /* TLSv1.1 protocol */
80#if !defined(SSL_OP_NO_TLSv1_1) 82# if !defined(SSL_OP_NO_TLSv1_1)
81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); 83 printf("%s\n",
84 _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82 return STATE_UNKNOWN; 85 return STATE_UNKNOWN;
83#else 86# else
84 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); 87 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
85 SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); 88 SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
86 break; 89 break;
87#endif 90# endif
88 case MP_TLSv1_2: /* TLSv1.2 protocol */ 91 case MP_TLSv1_2: /* TLSv1.2 protocol */
89#if !defined(SSL_OP_NO_TLSv1_2) 92# if !defined(SSL_OP_NO_TLSv1_2)
90 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); 93 printf("%s\n",
94 _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
91 return STATE_UNKNOWN; 95 return STATE_UNKNOWN;
92#else 96# else
93 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); 97 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
94 SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); 98 SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
95 break; 99 break;
96#endif 100# endif
97 case MP_TLSv1_2_OR_NEWER: 101 case MP_TLSv1_2_OR_NEWER:
98#if !defined(SSL_OP_NO_TLSv1_1) 102# if !defined(SSL_OP_NO_TLSv1_1)
99 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); 103 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
100 return STATE_UNKNOWN; 104 return STATE_UNKNOWN;
101#else 105# else
102 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); 106 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
103 break; 107 break;
104#endif 108# endif
105 case MP_TLSv1_1_OR_NEWER: 109 case MP_TLSv1_1_OR_NEWER:
106#if !defined(SSL_OP_NO_TLSv1) 110# if !defined(SSL_OP_NO_TLSv1)
107 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); 111 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
108 return STATE_UNKNOWN; 112 return STATE_UNKNOWN;
109#else 113# else
110 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); 114 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
111 break; 115 break;
112#endif 116# endif
113 case MP_TLSv1_OR_NEWER: 117 case MP_TLSv1_OR_NEWER:
114#if defined(SSL_OP_NO_SSLv3) 118# if defined(SSL_OP_NO_SSLv3)
115 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); 119 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
116 break; 120 break;
117#endif 121# endif
118 case MP_SSLv3_OR_NEWER: 122 case MP_SSLv3_OR_NEWER:
119#if defined(SSL_OP_NO_SSLv2) 123# if defined(SSL_OP_NO_SSLv2)
120 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); 124 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
121 break; 125 break;
122#endif 126# endif
123 } 127 }
124 128
125 if (cert && privkey) { 129 if (cert && privkey) {
126#ifdef USE_OPENSSL 130# ifdef USE_OPENSSL
127 if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { 131 if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
128#elif USE_GNUTLS 132# elif USE_GNUTLS
129 if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { 133 if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
130#else 134# else
131#error Unported for unknown SSL library 135# error Unported for unknown SSL library
132#endif 136# endif
133 printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); 137 printf("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
134 return STATE_CRITICAL; 138 return STATE_CRITICAL;
135 } 139 }
136 SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); 140 SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
137#ifdef USE_OPENSSL 141# ifdef USE_OPENSSL
138 if (!SSL_CTX_check_private_key(ctx)) { 142 if (!SSL_CTX_check_private_key(ctx)) {
139 printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); 143 printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
140 return STATE_CRITICAL; 144 return STATE_CRITICAL;
141 } 145 }
142#endif 146# endif
143 } 147 }
144#ifdef SSL_OP_NO_TICKET 148# ifdef SSL_OP_NO_TICKET
145 options |= SSL_OP_NO_TICKET; 149 options |= SSL_OP_NO_TICKET;
146#endif 150# endif
147 SSL_CTX_set_options(ctx, options); 151 SSL_CTX_set_options(ctx, options);
148 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); 152 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
149 if ((s = SSL_new(ctx)) != NULL) { 153 if ((s = SSL_new(ctx)) != NULL) {
150#ifdef SSL_set_tlsext_host_name 154# ifdef SSL_set_tlsext_host_name
151 if (host_name != NULL) 155 if (host_name != NULL) {
152 SSL_set_tlsext_host_name(s, host_name); 156 SSL_set_tlsext_host_name(s, host_name);
153#endif 157 }
158# endif
154 SSL_set_fd(s, sd); 159 SSL_set_fd(s, sd);
155 if (SSL_connect(s) == 1) { 160 if (SSL_connect(s) == 1) {
156 return OK; 161 return OK;
157 } else { 162 } else {
158 printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); 163 printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
159# ifdef USE_OPENSSL /* XXX look into ERR_error_string */ 164# ifdef USE_OPENSSL /* XXX look into ERR_error_string */
160 ERR_print_errors_fp(stdout); 165 ERR_print_errors_fp(stdout);
161# endif /* USE_OPENSSL */ 166# endif /* USE_OPENSSL */
162 } 167 }
163 } else { 168 } else {
164 printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); 169 printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
165 } 170 }
166 return STATE_CRITICAL; 171 return STATE_CRITICAL;
167} 172}
168 173
169void np_net_ssl_cleanup() { 174void np_net_ssl_cleanup() {
170 if (s) { 175 if (s) {
171#ifdef SSL_set_tlsext_host_name 176# ifdef SSL_set_tlsext_host_name
172 SSL_set_tlsext_host_name(s, NULL); 177 SSL_set_tlsext_host_name(s, NULL);
173#endif 178# endif
174 SSL_shutdown(s); 179 SSL_shutdown(s);
175 SSL_free(s); 180 SSL_free(s);
176 if (ctx) { 181 if (ctx) {
177 SSL_CTX_free(ctx); 182 SSL_CTX_free(ctx);
178 ctx=NULL; 183 ctx = NULL;
179 } 184 }
180 s=NULL; 185 s = NULL;
181 } 186 }
182} 187}
183 188
184int np_net_ssl_write(const void *buf, int num) { 189int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); }
185 return SSL_write(s, buf, num);
186}
187
188int np_net_ssl_read(void *buf, int num) {
189 return SSL_read(s, buf, num);
190}
191 190
192int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){ 191int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
193# ifdef USE_OPENSSL
194 X509_NAME *subj=NULL;
195 char timestamp[50] = "";
196 char cn[MAX_CN_LENGTH]= "";
197 char *tz;
198
199 int cnlen =-1;
200 int status=STATE_UNKNOWN;
201
202 ASN1_STRING *tm;
203 int offset;
204 struct tm stamp;
205 float time_left;
206 int days_left;
207 int time_remaining;
208 time_t tm_t;
209 192
193mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
194 int days_till_exp_crit) {
195# ifdef USE_OPENSSL
210 if (!certificate) { 196 if (!certificate) {
211 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); 197 printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
212 return STATE_CRITICAL; 198 return STATE_CRITICAL;
213 } 199 }
214 200
215 /* Extract CN from certificate subject */ 201 /* Extract CN from certificate subject */
216 subj=X509_get_subject_name(certificate); 202 X509_NAME *subj = X509_get_subject_name(certificate);
217 203
218 if (!subj) { 204 if (!subj) {
219 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); 205 printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
220 return STATE_CRITICAL; 206 return STATE_CRITICAL;
221 } 207 }
222 cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); 208
223 if (cnlen == -1) 209 char cn[MAX_CN_LENGTH] = "";
210 int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
211 if (cnlen == -1) {
224 strcpy(cn, _("Unknown CN")); 212 strcpy(cn, _("Unknown CN"));
213 }
225 214
226 /* Retrieve timestamp of certificate */ 215 /* Retrieve timestamp of certificate */
227 tm = X509_get_notAfter(certificate); 216 ASN1_STRING *tm = X509_get_notAfter(certificate);
228 217
218 int offset = 0;
219 struct tm stamp = {};
229 /* Generate tm structure to process timestamp */ 220 /* Generate tm structure to process timestamp */
230 if (tm->type == V_ASN1_UTCTIME) { 221 if (tm->type == V_ASN1_UTCTIME) {
231 if (tm->length < 10) { 222 if (tm->length < 10) {
232 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 223 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
233 return STATE_CRITICAL; 224 return STATE_CRITICAL;
234 } else {
235 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
236 if (stamp.tm_year < 50)
237 stamp.tm_year += 100;
238 offset = 0;
239 } 225 }
226 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
227 if (stamp.tm_year < 50) {
228 stamp.tm_year += 100;
229 }
230 offset = 0;
231
240 } else { 232 } else {
241 if (tm->length < 12) { 233 if (tm->length < 12) {
242 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 234 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
243 return STATE_CRITICAL; 235 return STATE_CRITICAL;
244 } else {
245 stamp.tm_year =
246 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
247 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
248 stamp.tm_year -= 1900;
249 offset = 2;
250 } 236 }
237 stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
238 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
239 stamp.tm_year -= 1900;
240 offset = 2;
251 } 241 }
252 stamp.tm_mon = 242 stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
253 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; 243 stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
254 stamp.tm_mday = 244 stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
255 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); 245 stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
256 stamp.tm_hour = 246 stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
257 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
258 stamp.tm_min =
259 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
260 stamp.tm_sec =
261 (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
262 stamp.tm_isdst = -1; 247 stamp.tm_isdst = -1;
263 248
264 tm_t = timegm(&stamp); 249 time_t tm_t = timegm(&stamp);
265 time_left = difftime(tm_t, time(NULL)); 250 float time_left = difftime(tm_t, time(NULL));
266 days_left = time_left / 86400; 251 int days_left = time_left / 86400;
267 tz = getenv("TZ"); 252 char *tz = getenv("TZ");
268 setenv("TZ", "GMT", 1); 253 setenv("TZ", "GMT", 1);
269 tzset(); 254 tzset();
255
256 char timestamp[50] = "";
270 strftime(timestamp, 50, "%c %z", localtime(&tm_t)); 257 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
271 if (tz) 258 if (tz) {
272 setenv("TZ", tz, 1); 259 setenv("TZ", tz, 1);
273 else 260 } else {
274 unsetenv("TZ"); 261 unsetenv("TZ");
262 }
263
275 tzset(); 264 tzset();
276 265
266 int time_remaining;
267 mp_state_enum status = STATE_UNKNOWN;
277 if (days_left > 0 && days_left <= days_till_exp_warn) { 268 if (days_left > 0 && days_left <= days_till_exp_warn) {
278 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); 269 printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
279 if (days_left > days_till_exp_crit) 270 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);
271 if (days_left > days_till_exp_crit) {
280 status = STATE_WARNING; 272 status = STATE_WARNING;
281 else 273 } else {
282 status = STATE_CRITICAL; 274 status = STATE_CRITICAL;
275 }
283 } else if (days_left == 0 && time_left > 0) { 276 } else if (days_left == 0 && time_left > 0) {
284 if (time_left >= 3600) 277 if (time_left >= 3600) {
285 time_remaining = (int) time_left / 3600; 278 time_remaining = (int)time_left / 3600;
286 else 279 } else {
287 time_remaining = (int) time_left / 60; 280 time_remaining = (int)time_left / 60;
281 }
288 282
289 printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"), 283 printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"),
290 (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining, 284 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
291 time_left >= 3600 ? "hours" : "minutes", timestamp); 285 time_left >= 3600 ? "hours" : "minutes", timestamp);
292 286
293 if ( days_left > days_till_exp_crit) 287 if (days_left > days_till_exp_crit) {
294 status = STATE_WARNING; 288 status = STATE_WARNING;
295 else 289 } else {
296 status = STATE_CRITICAL; 290 status = STATE_CRITICAL;
291 }
297 } else if (time_left < 0) { 292 } else if (time_left < 0) {
298 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); 293 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
299 status=STATE_CRITICAL; 294 status = STATE_CRITICAL;
300 } else if (days_left == 0) { 295 } else if (days_left == 0) {
301 printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp); 296 printf(_("%s - Certificate '%s' just expired (%s).\n"),
302 if (days_left > days_till_exp_crit) 297 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
298 if (days_left > days_till_exp_crit) {
303 status = STATE_WARNING; 299 status = STATE_WARNING;
304 else 300 } else {
305 status = STATE_CRITICAL; 301 status = STATE_CRITICAL;
302 }
306 } else { 303 } else {
307 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); 304 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
308 status = STATE_OK; 305 status = STATE_OK;
309 } 306 }
310 X509_free(certificate); 307 X509_free(certificate);
311 return status; 308 return status;
312# else /* ifndef USE_OPENSSL */ 309# else /* ifndef USE_OPENSSL */
313 printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); 310 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
314 return STATE_WARNING; 311 return STATE_WARNING;
315# endif /* USE_OPENSSL */ 312# endif /* USE_OPENSSL */
316} 313}
317 314
318int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ 315retrieve_expiration_time_result np_net_ssl_get_cert_expiration(X509 *certificate) {
319# ifdef USE_OPENSSL 316# ifdef USE_OPENSSL
317 retrieve_expiration_time_result result = {
318 .errors = ALL_OK,
319 .remaining_seconds = 0,
320 };
321
322 if (!certificate) {
323 // printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
324 result.errors = NO_SERVER_CERTIFICATE_PRESENT;
325 return result;
326 }
327
328 /* Extract CN from certificate subject */
329 X509_NAME *subj = X509_get_subject_name(certificate);
330
331 if (!subj) {
332 // printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
333 result.errors = UNABLE_TO_RETRIEVE_CERTIFICATE_SUBJECT;
334 return result;
335 }
336
337 char cn[MAX_CN_LENGTH] = "";
338 int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
339 if (cnlen == -1) {
340 strcpy(cn, _("Unknown CN"));
341 }
342
343 /* Retrieve timestamp of certificate */
344 ASN1_STRING *expiration_timestamp = X509_get_notAfter(certificate);
345
346 int offset = 0;
347 struct tm stamp = {};
348 /* Generate tm structure to process timestamp */
349 if (expiration_timestamp->type == V_ASN1_UTCTIME) {
350 if (expiration_timestamp->length < 10) {
351 result.errors = WRONG_TIME_FORMAT_IN_CERTIFICATE;
352 return result;
353 }
354
355 stamp.tm_year =
356 (expiration_timestamp->data[0] - '0') * 10 + (expiration_timestamp->data[1] - '0');
357 if (stamp.tm_year < 50) {
358 stamp.tm_year += 100;
359 }
360 offset = 0;
361 } else {
362 if (expiration_timestamp->length < 12) {
363 result.errors = WRONG_TIME_FORMAT_IN_CERTIFICATE;
364 return result;
365 }
366
367 stamp.tm_year = (expiration_timestamp->data[0] - '0') * 1000 +
368 (expiration_timestamp->data[1] - '0') * 100 +
369 (expiration_timestamp->data[2] - '0') * 10 +
370 (expiration_timestamp->data[3] - '0');
371 stamp.tm_year -= 1900;
372 offset = 2;
373 }
374 stamp.tm_mon = (expiration_timestamp->data[2 + offset] - '0') * 10 +
375 (expiration_timestamp->data[3 + offset] - '0') - 1;
376 stamp.tm_mday = (expiration_timestamp->data[4 + offset] - '0') * 10 +
377 (expiration_timestamp->data[5 + offset] - '0');
378 stamp.tm_hour = (expiration_timestamp->data[6 + offset] - '0') * 10 +
379 (expiration_timestamp->data[7 + offset] - '0');
380 stamp.tm_min = (expiration_timestamp->data[8 + offset] - '0') * 10 +
381 (expiration_timestamp->data[9 + offset] - '0');
382 stamp.tm_sec = (expiration_timestamp->data[10 + offset] - '0') * 10 +
383 (expiration_timestamp->data[11 + offset] - '0');
384 stamp.tm_isdst = -1;
385
386 time_t tm_t = timegm(&stamp);
387 double time_left = difftime(tm_t, time(NULL));
388 result.remaining_seconds = time_left;
389
390 char *timezone = getenv("TZ");
391 setenv("TZ", "GMT", 1);
392 tzset();
393
394 char timestamp[50] = "";
395 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
396 if (timezone) {
397 setenv("TZ", timezone, 1);
398 } else {
399 unsetenv("TZ");
400 }
401
402 tzset();
403
404 X509_free(certificate);
405
406 return result;
407# else /* ifndef USE_OPENSSL */
408 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
409 return STATE_WARNING;
410# endif /* USE_OPENSSL */
411}
412
413net_ssl_check_cert_result np_net_ssl_check_cert2(int days_till_exp_warn, int days_till_exp_crit) {
414# ifdef USE_OPENSSL
320 X509 *certificate = NULL; 415 X509 *certificate = NULL;
321 certificate=SSL_get_peer_certificate(s); 416 certificate = SSL_get_peer_certificate(s);
322 return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); 417
323# else /* ifndef USE_OPENSSL */ 418 retrieve_expiration_time_result expiration_date = np_net_ssl_get_cert_expiration(certificate);
419
420 net_ssl_check_cert_result result = {
421 .result_state = STATE_UNKNOWN,
422 .remaining_seconds = expiration_date.remaining_seconds,
423 .errors = expiration_date.errors,
424 };
425
426 if (expiration_date.errors == ALL_OK) {
427 // got a valid expiration date
428 unsigned int remaining_days = result.remaining_seconds / 86400;
429
430 if (remaining_days < days_till_exp_crit) {
431 result.result_state = STATE_CRITICAL;
432 } else if (remaining_days < days_till_exp_warn) {
433 result.result_state = STATE_WARNING;
434 } else {
435 result.result_state = STATE_OK;
436 }
437 }
438
439 return result;
440
441# else /* ifndef USE_OPENSSL */
442 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
443 return STATE_WARNING;
444# endif /* USE_OPENSSL */
445}
446
447mp_state_enum np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
448# ifdef USE_OPENSSL
449 X509 *certificate = NULL;
450 certificate = SSL_get_peer_certificate(s);
451 return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
452# else /* ifndef USE_OPENSSL */
324 printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); 453 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
325 return STATE_WARNING; 454 return STATE_WARNING;
326# endif /* USE_OPENSSL */ 455# endif /* USE_OPENSSL */
327} 456}
328 457
458mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
459 int days_till_exp_crit) {
460 mp_subcheck sc_cert = mp_subcheck_init();
461# ifdef USE_OPENSSL
462 if (!certificate) {
463 xasprintf(&sc_cert.output, _("No server certificate present to inspect"));
464 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
465 return sc_cert;
466 }
467
468 /* Extract CN from certificate subject */
469 X509_NAME *subj = X509_get_subject_name(certificate);
470
471 if (!subj) {
472 xasprintf(&sc_cert.output, _("Cannot retrieve certificate subject"));
473 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
474 return sc_cert;
475 }
476
477 char commonName[MAX_CN_LENGTH] = "";
478 int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, commonName, sizeof(commonName));
479 if (cnlen == -1) {
480 strcpy(commonName, _("Unknown CN"));
481 }
482
483 /* Retrieve timestamp of certificate */
484 ASN1_STRING *expiry_timestamp = X509_get_notAfter(certificate);
485
486 int offset = 0;
487 struct tm stamp = {};
488 /* Generate tm structure to process timestamp */
489 if (expiry_timestamp->type == V_ASN1_UTCTIME) {
490 if (expiry_timestamp->length < 10) {
491 xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
492 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
493 return sc_cert;
494 }
495
496 stamp.tm_year = (expiry_timestamp->data[0] - '0') * 10 + (expiry_timestamp->data[1] - '0');
497 if (stamp.tm_year < 50) {
498 stamp.tm_year += 100;
499 }
500
501 offset = 0;
502 } else {
503 if (expiry_timestamp->length < 12) {
504 xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
505 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
506 return sc_cert;
507 }
508 stamp.tm_year = (expiry_timestamp->data[0] - '0') * 1000 +
509 (expiry_timestamp->data[1] - '0') * 100 +
510 (expiry_timestamp->data[2] - '0') * 10 + (expiry_timestamp->data[3] - '0');
511 stamp.tm_year -= 1900;
512 offset = 2;
513 }
514
515 stamp.tm_mon = (expiry_timestamp->data[2 + offset] - '0') * 10 +
516 (expiry_timestamp->data[3 + offset] - '0') - 1;
517 stamp.tm_mday = (expiry_timestamp->data[4 + offset] - '0') * 10 +
518 (expiry_timestamp->data[5 + offset] - '0');
519 stamp.tm_hour = (expiry_timestamp->data[6 + offset] - '0') * 10 +
520 (expiry_timestamp->data[7 + offset] - '0');
521 stamp.tm_min = (expiry_timestamp->data[8 + offset] - '0') * 10 +
522 (expiry_timestamp->data[9 + offset] - '0');
523 stamp.tm_sec = (expiry_timestamp->data[10 + offset] - '0') * 10 +
524 (expiry_timestamp->data[11 + offset] - '0');
525 stamp.tm_isdst = -1;
526
527 time_t tm_t = timegm(&stamp);
528 double time_left = difftime(tm_t, time(NULL));
529 int days_left = (int)(time_left / 86400);
530 char *timeZone = getenv("TZ");
531 setenv("TZ", "GMT", 1);
532 tzset();
533
534 char timestamp[50] = "";
535 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
536 if (timeZone) {
537 setenv("TZ", timeZone, 1);
538 } else {
539 unsetenv("TZ");
540 }
541
542 tzset();
543
544 int time_remaining;
545 if (days_left > 0 && days_left <= days_till_exp_warn) {
546 xasprintf(&sc_cert.output, _("Certificate '%s' expires in %d day(s) (%s)"), commonName,
547 days_left, timestamp);
548 if (days_left > days_till_exp_crit) {
549 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
550 } else {
551 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
552 }
553 } else if (days_left == 0 && time_left > 0) {
554 if (time_left >= 3600) {
555 time_remaining = (int)time_left / 3600;
556 } else {
557 time_remaining = (int)time_left / 60;
558 }
559
560 xasprintf(&sc_cert.output, _("Certificate '%s' expires in %u %s (%s)"), commonName,
561 time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
329 562
563 if (days_left > days_till_exp_crit) {
564 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
565 } else {
566 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
567 }
568 } else if (time_left < 0) {
569 xasprintf(&sc_cert.output, _("Certificate '%s' expired on %s"), commonName, timestamp);
570 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
571 } else if (days_left == 0) {
572 xasprintf(&sc_cert.output, _("Certificate '%s' just expired (%s)"), commonName, timestamp);
573 if (days_left > days_till_exp_crit) {
574 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
575 } else {
576 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
577 }
578 } else {
579 xasprintf(&sc_cert.output, _("Certificate '%s' will expire on %s"), commonName, timestamp);
580 sc_cert = mp_set_subcheck_state(sc_cert, STATE_OK);
581 }
582 X509_free(certificate);
583 return sc_cert;
584# else /* ifndef USE_OPENSSL */
585 xasprintf(&sc_cert.output, _("Plugin does not support checking certificates"));
586 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
587 return sc_cert;
588# endif /* USE_OPENSSL */
589}
330#endif /* HAVE_SSL */ 590#endif /* HAVE_SSL */