diff options
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r-- | plugins/sslutils.c | 444 |
1 files changed, 286 insertions, 158 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 6bc0ba81..0e6d7525 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
@@ -1,42 +1,43 @@ | |||
1 | /***************************************************************************** | 1 | /***************************************************************************** |
2 | * | 2 | * |
3 | * Monitoring Plugins SSL utilities | 3 | * Monitoring Plugins SSL utilities |
4 | * | 4 | * |
5 | * License: GPL | 5 | * License: GPL |
6 | * Copyright (c) 2005-2010 Monitoring Plugins Development Team | 6 | * Copyright (c) 2005-2024 Monitoring Plugins Development Team |
7 | * | 7 | * |
8 | * Description: | 8 | * Description: |
9 | * | 9 | * |
10 | * This file contains common functions for plugins that require SSL. | 10 | * This file contains common functions for plugins that require SSL. |
11 | * | 11 | * |
12 | * | 12 | * |
13 | * This program is free software: you can redistribute it and/or modify | 13 | * This program is free software: you can redistribute it and/or modify |
14 | * it under the terms of the GNU General Public License as published by | 14 | * it under the terms of the GNU General Public License as published by |
15 | * the Free Software Foundation, either version 3 of the License, or | 15 | * the Free Software Foundation, either version 3 of the License, or |
16 | * (at your option) any later version. | 16 | * (at your option) any later version. |
17 | * | 17 | * |
18 | * This program is distributed in the hope that it will be useful, | 18 | * This program is distributed in the hope that it will be useful, |
19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | 19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
21 | * GNU General Public License for more details. | 21 | * GNU General Public License for more details. |
22 | * | 22 | * |
23 | * You should have received a copy of the GNU General Public License | 23 | * You should have received a copy of the GNU General Public License |
24 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | 24 | * along with this program. If not, see <http://www.gnu.org/licenses/>. |
25 | * | 25 | * |
26 | * | 26 | * |
27 | *****************************************************************************/ | 27 | *****************************************************************************/ |
28 | 28 | ||
29 | #include "output.h" | ||
29 | #define MAX_CN_LENGTH 256 | 30 | #define MAX_CN_LENGTH 256 |
30 | #include "common.h" | 31 | #include "common.h" |
31 | #include "netutils.h" | 32 | #include "netutils.h" |
33 | #include "../lib/monitoringplug.h" | ||
34 | #include "states.h" | ||
32 | 35 | ||
33 | #ifdef HAVE_SSL | 36 | #ifdef HAVE_SSL |
34 | static SSL_CTX *ctx=NULL; | 37 | static SSL_CTX *ctx = NULL; |
35 | static SSL *s=NULL; | 38 | static SSL *s = NULL; |
36 | 39 | ||
37 | int np_net_ssl_init(int sd) { | 40 | int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); } |
38 | return np_net_ssl_init_with_hostname(sd, NULL); | ||
39 | } | ||
40 | 41 | ||
41 | int np_net_ssl_init_with_hostname(int sd, char *host_name) { | 42 | int np_net_ssl_init_with_hostname(int sd, char *host_name) { |
42 | return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); | 43 | return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); |
@@ -46,7 +47,8 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi | |||
46 | return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL); | 47 | return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL); |
47 | } | 48 | } |
48 | 49 | ||
49 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { | 50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, |
51 | char *privkey) { | ||
50 | long options = 0; | 52 | long options = 0; |
51 | 53 | ||
52 | if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { | 54 | if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { |
@@ -59,272 +61,398 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
59 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); | 61 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); |
60 | return STATE_UNKNOWN; | 62 | return STATE_UNKNOWN; |
61 | case MP_SSLv3: /* SSLv3 protocol */ | 63 | case MP_SSLv3: /* SSLv3 protocol */ |
62 | #if defined(OPENSSL_NO_SSL3) | 64 | # if defined(OPENSSL_NO_SSL3) |
63 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); | 65 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); |
64 | return STATE_UNKNOWN; | 66 | return STATE_UNKNOWN; |
65 | #else | 67 | # else |
66 | SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); | 68 | SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
67 | SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); | 69 | SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); |
68 | break; | 70 | break; |
69 | #endif | 71 | # endif |
70 | case MP_TLSv1: /* TLSv1 protocol */ | 72 | case MP_TLSv1: /* TLSv1 protocol */ |
71 | #if defined(OPENSSL_NO_TLS1) | 73 | # if defined(OPENSSL_NO_TLS1) |
72 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); | 74 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); |
73 | return STATE_UNKNOWN; | 75 | return STATE_UNKNOWN; |
74 | #else | 76 | # else |
75 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); | 77 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
76 | SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); | 78 | SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); |
77 | break; | 79 | break; |
78 | #endif | 80 | # endif |
79 | case MP_TLSv1_1: /* TLSv1.1 protocol */ | 81 | case MP_TLSv1_1: /* TLSv1.1 protocol */ |
80 | #if !defined(SSL_OP_NO_TLSv1_1) | 82 | # if !defined(SSL_OP_NO_TLSv1_1) |
81 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | 83 | printf("%s\n", |
84 | _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | ||
82 | return STATE_UNKNOWN; | 85 | return STATE_UNKNOWN; |
83 | #else | 86 | # else |
84 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); | 87 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
85 | SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); | 88 | SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); |
86 | break; | 89 | break; |
87 | #endif | 90 | # endif |
88 | case MP_TLSv1_2: /* TLSv1.2 protocol */ | 91 | case MP_TLSv1_2: /* TLSv1.2 protocol */ |
89 | #if !defined(SSL_OP_NO_TLSv1_2) | 92 | # if !defined(SSL_OP_NO_TLSv1_2) |
90 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | 93 | printf("%s\n", |
94 | _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | ||
91 | return STATE_UNKNOWN; | 95 | return STATE_UNKNOWN; |
92 | #else | 96 | # else |
93 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); | 97 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
94 | SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); | 98 | SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); |
95 | break; | 99 | break; |
96 | #endif | 100 | # endif |
97 | case MP_TLSv1_2_OR_NEWER: | 101 | case MP_TLSv1_2_OR_NEWER: |
98 | #if !defined(SSL_OP_NO_TLSv1_1) | 102 | # if !defined(SSL_OP_NO_TLSv1_1) |
99 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); | 103 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); |
100 | return STATE_UNKNOWN; | 104 | return STATE_UNKNOWN; |
101 | #else | 105 | # else |
102 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); | 106 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
103 | break; | 107 | break; |
104 | #endif | 108 | # endif |
105 | case MP_TLSv1_1_OR_NEWER: | 109 | case MP_TLSv1_1_OR_NEWER: |
106 | #if !defined(SSL_OP_NO_TLSv1) | 110 | # if !defined(SSL_OP_NO_TLSv1) |
107 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); | 111 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); |
108 | return STATE_UNKNOWN; | 112 | return STATE_UNKNOWN; |
109 | #else | 113 | # else |
110 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); | 114 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
111 | break; | 115 | break; |
112 | #endif | 116 | # endif |
113 | case MP_TLSv1_OR_NEWER: | 117 | case MP_TLSv1_OR_NEWER: |
114 | #if defined(SSL_OP_NO_SSLv3) | 118 | # if defined(SSL_OP_NO_SSLv3) |
115 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); | 119 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
116 | break; | 120 | break; |
117 | #endif | 121 | # endif |
118 | case MP_SSLv3_OR_NEWER: | 122 | case MP_SSLv3_OR_NEWER: |
119 | #if defined(SSL_OP_NO_SSLv2) | 123 | # if defined(SSL_OP_NO_SSLv2) |
120 | SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); | 124 | SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
121 | break; | 125 | break; |
122 | #endif | 126 | # endif |
123 | } | 127 | } |
124 | 128 | ||
125 | if (cert && privkey) { | 129 | if (cert && privkey) { |
126 | #ifdef USE_OPENSSL | 130 | # ifdef USE_OPENSSL |
127 | if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { | 131 | if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { |
128 | #elif USE_GNUTLS | 132 | # elif USE_GNUTLS |
129 | if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { | 133 | if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { |
130 | #else | 134 | # else |
131 | #error Unported for unknown SSL library | 135 | # error Unported for unknown SSL library |
132 | #endif | 136 | # endif |
133 | printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); | 137 | printf("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); |
134 | return STATE_CRITICAL; | 138 | return STATE_CRITICAL; |
135 | } | 139 | } |
136 | SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); | 140 | SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); |
137 | #ifdef USE_OPENSSL | 141 | # ifdef USE_OPENSSL |
138 | if (!SSL_CTX_check_private_key(ctx)) { | 142 | if (!SSL_CTX_check_private_key(ctx)) { |
139 | printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); | 143 | printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); |
140 | return STATE_CRITICAL; | 144 | return STATE_CRITICAL; |
141 | } | 145 | } |
142 | #endif | 146 | # endif |
143 | } | 147 | } |
144 | #ifdef SSL_OP_NO_TICKET | 148 | # ifdef SSL_OP_NO_TICKET |
145 | options |= SSL_OP_NO_TICKET; | 149 | options |= SSL_OP_NO_TICKET; |
146 | #endif | 150 | # endif |
147 | SSL_CTX_set_options(ctx, options); | 151 | SSL_CTX_set_options(ctx, options); |
148 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); | 152 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); |
149 | if ((s = SSL_new(ctx)) != NULL) { | 153 | if ((s = SSL_new(ctx)) != NULL) { |
150 | #ifdef SSL_set_tlsext_host_name | 154 | # ifdef SSL_set_tlsext_host_name |
151 | if (host_name != NULL) | 155 | if (host_name != NULL) { |
152 | SSL_set_tlsext_host_name(s, host_name); | 156 | SSL_set_tlsext_host_name(s, host_name); |
153 | #endif | 157 | } |
158 | # endif | ||
154 | SSL_set_fd(s, sd); | 159 | SSL_set_fd(s, sd); |
155 | if (SSL_connect(s) == 1) { | 160 | if (SSL_connect(s) == 1) { |
156 | return OK; | 161 | return OK; |
157 | } else { | 162 | } else { |
158 | printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); | 163 | printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); |
159 | # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ | 164 | # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ |
160 | ERR_print_errors_fp(stdout); | 165 | ERR_print_errors_fp(stdout); |
161 | # endif /* USE_OPENSSL */ | 166 | # endif /* USE_OPENSSL */ |
162 | } | 167 | } |
163 | } else { | 168 | } else { |
164 | printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); | 169 | printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); |
165 | } | 170 | } |
166 | return STATE_CRITICAL; | 171 | return STATE_CRITICAL; |
167 | } | 172 | } |
168 | 173 | ||
169 | void np_net_ssl_cleanup() { | 174 | void np_net_ssl_cleanup() { |
170 | if (s) { | 175 | if (s) { |
171 | #ifdef SSL_set_tlsext_host_name | 176 | # ifdef SSL_set_tlsext_host_name |
172 | SSL_set_tlsext_host_name(s, NULL); | 177 | SSL_set_tlsext_host_name(s, NULL); |
173 | #endif | 178 | # endif |
174 | SSL_shutdown(s); | 179 | SSL_shutdown(s); |
175 | SSL_free(s); | 180 | SSL_free(s); |
176 | if (ctx) { | 181 | if (ctx) { |
177 | SSL_CTX_free(ctx); | 182 | SSL_CTX_free(ctx); |
178 | ctx=NULL; | 183 | ctx = NULL; |
179 | } | 184 | } |
180 | s=NULL; | 185 | s = NULL; |
181 | } | 186 | } |
182 | } | 187 | } |
183 | 188 | ||
184 | int np_net_ssl_write(const void *buf, int num) { | 189 | int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); } |
185 | return SSL_write(s, buf, num); | ||
186 | } | ||
187 | |||
188 | int np_net_ssl_read(void *buf, int num) { | ||
189 | return SSL_read(s, buf, num); | ||
190 | } | ||
191 | 190 | ||
192 | int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){ | 191 | int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } |
193 | # ifdef USE_OPENSSL | ||
194 | X509_NAME *subj=NULL; | ||
195 | char timestamp[50] = ""; | ||
196 | char cn[MAX_CN_LENGTH]= ""; | ||
197 | char *tz; | ||
198 | |||
199 | int cnlen =-1; | ||
200 | int status=STATE_UNKNOWN; | ||
201 | |||
202 | ASN1_STRING *tm; | ||
203 | int offset; | ||
204 | struct tm stamp; | ||
205 | float time_left; | ||
206 | int days_left; | ||
207 | int time_remaining; | ||
208 | time_t tm_t; | ||
209 | 192 | ||
193 | mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, | ||
194 | int days_till_exp_crit) { | ||
195 | # ifdef USE_OPENSSL | ||
210 | if (!certificate) { | 196 | if (!certificate) { |
211 | printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); | 197 | printf("%s\n", _("CRITICAL - No server certificate present to inspect.")); |
212 | return STATE_CRITICAL; | 198 | return STATE_CRITICAL; |
213 | } | 199 | } |
214 | 200 | ||
215 | /* Extract CN from certificate subject */ | 201 | /* Extract CN from certificate subject */ |
216 | subj=X509_get_subject_name(certificate); | 202 | X509_NAME *subj = X509_get_subject_name(certificate); |
217 | 203 | ||
218 | if (!subj) { | 204 | if (!subj) { |
219 | printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); | 205 | printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject.")); |
220 | return STATE_CRITICAL; | 206 | return STATE_CRITICAL; |
221 | } | 207 | } |
222 | cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); | 208 | |
223 | if (cnlen == -1) | 209 | char cn[MAX_CN_LENGTH] = ""; |
210 | int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); | ||
211 | if (cnlen == -1) { | ||
224 | strcpy(cn, _("Unknown CN")); | 212 | strcpy(cn, _("Unknown CN")); |
213 | } | ||
225 | 214 | ||
226 | /* Retrieve timestamp of certificate */ | 215 | /* Retrieve timestamp of certificate */ |
227 | tm = X509_get_notAfter(certificate); | 216 | ASN1_STRING *tm = X509_get_notAfter(certificate); |
228 | 217 | ||
218 | int offset = 0; | ||
219 | struct tm stamp = {}; | ||
229 | /* Generate tm structure to process timestamp */ | 220 | /* Generate tm structure to process timestamp */ |
230 | if (tm->type == V_ASN1_UTCTIME) { | 221 | if (tm->type == V_ASN1_UTCTIME) { |
231 | if (tm->length < 10) { | 222 | if (tm->length < 10) { |
232 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 223 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
233 | return STATE_CRITICAL; | 224 | return STATE_CRITICAL; |
234 | } else { | ||
235 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
236 | if (stamp.tm_year < 50) | ||
237 | stamp.tm_year += 100; | ||
238 | offset = 0; | ||
239 | } | 225 | } |
226 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
227 | if (stamp.tm_year < 50) { | ||
228 | stamp.tm_year += 100; | ||
229 | } | ||
230 | offset = 0; | ||
231 | |||
240 | } else { | 232 | } else { |
241 | if (tm->length < 12) { | 233 | if (tm->length < 12) { |
242 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 234 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
243 | return STATE_CRITICAL; | 235 | return STATE_CRITICAL; |
244 | } else { | ||
245 | stamp.tm_year = | ||
246 | (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
247 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
248 | stamp.tm_year -= 1900; | ||
249 | offset = 2; | ||
250 | } | 236 | } |
237 | stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
238 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
239 | stamp.tm_year -= 1900; | ||
240 | offset = 2; | ||
251 | } | 241 | } |
252 | stamp.tm_mon = | 242 | stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; |
253 | (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | 243 | stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); |
254 | stamp.tm_mday = | 244 | stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); |
255 | (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | 245 | stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); |
256 | stamp.tm_hour = | 246 | stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); |
257 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); | ||
258 | stamp.tm_min = | ||
259 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); | ||
260 | stamp.tm_sec = | ||
261 | (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); | ||
262 | stamp.tm_isdst = -1; | 247 | stamp.tm_isdst = -1; |
263 | 248 | ||
264 | tm_t = timegm(&stamp); | 249 | time_t tm_t = timegm(&stamp); |
265 | time_left = difftime(tm_t, time(NULL)); | 250 | float time_left = difftime(tm_t, time(NULL)); |
266 | days_left = time_left / 86400; | 251 | int days_left = time_left / 86400; |
267 | tz = getenv("TZ"); | 252 | char *tz = getenv("TZ"); |
268 | setenv("TZ", "GMT", 1); | 253 | setenv("TZ", "GMT", 1); |
269 | tzset(); | 254 | tzset(); |
255 | |||
256 | char timestamp[50] = ""; | ||
270 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); | 257 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); |
271 | if (tz) | 258 | if (tz) { |
272 | setenv("TZ", tz, 1); | 259 | setenv("TZ", tz, 1); |
273 | else | 260 | } else { |
274 | unsetenv("TZ"); | 261 | unsetenv("TZ"); |
262 | } | ||
263 | |||
275 | tzset(); | 264 | tzset(); |
276 | 265 | ||
266 | int time_remaining; | ||
267 | mp_state_enum status = STATE_UNKNOWN; | ||
277 | if (days_left > 0 && days_left <= days_till_exp_warn) { | 268 | if (days_left > 0 && days_left <= days_till_exp_warn) { |
278 | printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); | 269 | printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), |
279 | if (days_left > days_till_exp_crit) | 270 | (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp); |
271 | if (days_left > days_till_exp_crit) { | ||
280 | status = STATE_WARNING; | 272 | status = STATE_WARNING; |
281 | else | 273 | } else { |
282 | status = STATE_CRITICAL; | 274 | status = STATE_CRITICAL; |
275 | } | ||
283 | } else if (days_left == 0 && time_left > 0) { | 276 | } else if (days_left == 0 && time_left > 0) { |
284 | if (time_left >= 3600) | 277 | if (time_left >= 3600) { |
285 | time_remaining = (int) time_left / 3600; | 278 | time_remaining = (int)time_left / 3600; |
286 | else | 279 | } else { |
287 | time_remaining = (int) time_left / 60; | 280 | time_remaining = (int)time_left / 60; |
281 | } | ||
288 | 282 | ||
289 | printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"), | 283 | printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), |
290 | (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining, | 284 | (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining, |
291 | time_left >= 3600 ? "hours" : "minutes", timestamp); | 285 | time_left >= 3600 ? "hours" : "minutes", timestamp); |
292 | 286 | ||
293 | if ( days_left > days_till_exp_crit) | 287 | if (days_left > days_till_exp_crit) { |
294 | status = STATE_WARNING; | 288 | status = STATE_WARNING; |
295 | else | 289 | } else { |
296 | status = STATE_CRITICAL; | 290 | status = STATE_CRITICAL; |
291 | } | ||
297 | } else if (time_left < 0) { | 292 | } else if (time_left < 0) { |
298 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); | 293 | printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); |
299 | status=STATE_CRITICAL; | 294 | status = STATE_CRITICAL; |
300 | } else if (days_left == 0) { | 295 | } else if (days_left == 0) { |
301 | printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp); | 296 | printf(_("%s - Certificate '%s' just expired (%s).\n"), |
302 | if (days_left > days_till_exp_crit) | 297 | (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp); |
298 | if (days_left > days_till_exp_crit) { | ||
303 | status = STATE_WARNING; | 299 | status = STATE_WARNING; |
304 | else | 300 | } else { |
305 | status = STATE_CRITICAL; | 301 | status = STATE_CRITICAL; |
302 | } | ||
306 | } else { | 303 | } else { |
307 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); | 304 | printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); |
308 | status = STATE_OK; | 305 | status = STATE_OK; |
309 | } | 306 | } |
310 | X509_free(certificate); | 307 | X509_free(certificate); |
311 | return status; | 308 | return status; |
312 | # else /* ifndef USE_OPENSSL */ | 309 | # else /* ifndef USE_OPENSSL */ |
313 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); | 310 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); |
314 | return STATE_WARNING; | 311 | return STATE_WARNING; |
315 | # endif /* USE_OPENSSL */ | 312 | # endif /* USE_OPENSSL */ |
316 | } | 313 | } |
317 | 314 | ||
318 | int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ | 315 | mp_state_enum np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) { |
319 | # ifdef USE_OPENSSL | 316 | # ifdef USE_OPENSSL |
320 | X509 *certificate = NULL; | 317 | X509 *certificate = NULL; |
321 | certificate=SSL_get_peer_certificate(s); | 318 | certificate = SSL_get_peer_certificate(s); |
322 | return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); | 319 | return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); |
323 | # else /* ifndef USE_OPENSSL */ | 320 | # else /* ifndef USE_OPENSSL */ |
324 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); | 321 | printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); |
325 | return STATE_WARNING; | 322 | return STATE_WARNING; |
326 | # endif /* USE_OPENSSL */ | 323 | # endif /* USE_OPENSSL */ |
327 | } | 324 | } |
328 | 325 | ||
326 | mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, | ||
327 | int days_till_exp_crit) { | ||
328 | mp_subcheck sc_cert = mp_subcheck_init(); | ||
329 | # ifdef USE_OPENSSL | ||
330 | if (!certificate) { | ||
331 | xasprintf(&sc_cert.output, _("No server certificate present to inspect")); | ||
332 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
333 | return sc_cert; | ||
334 | } | ||
335 | |||
336 | /* Extract CN from certificate subject */ | ||
337 | X509_NAME *subj = X509_get_subject_name(certificate); | ||
338 | |||
339 | if (!subj) { | ||
340 | xasprintf(&sc_cert.output, _("Cannot retrieve certificate subject")); | ||
341 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
342 | return sc_cert; | ||
343 | } | ||
344 | |||
345 | char commonName[MAX_CN_LENGTH] = ""; | ||
346 | int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, commonName, sizeof(commonName)); | ||
347 | if (cnlen == -1) { | ||
348 | strcpy(commonName, _("Unknown CN")); | ||
349 | } | ||
329 | 350 | ||
351 | /* Retrieve timestamp of certificate */ | ||
352 | ASN1_STRING *expiry_timestamp = X509_get_notAfter(certificate); | ||
353 | |||
354 | int offset = 0; | ||
355 | struct tm stamp = {}; | ||
356 | /* Generate tm structure to process timestamp */ | ||
357 | if (expiry_timestamp->type == V_ASN1_UTCTIME) { | ||
358 | if (expiry_timestamp->length < 10) { | ||
359 | xasprintf(&sc_cert.output, _("Wrong time format in certificate")); | ||
360 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
361 | return sc_cert; | ||
362 | } | ||
363 | |||
364 | stamp.tm_year = (expiry_timestamp->data[0] - '0') * 10 + (expiry_timestamp->data[1] - '0'); | ||
365 | if (stamp.tm_year < 50) { | ||
366 | stamp.tm_year += 100; | ||
367 | } | ||
368 | |||
369 | offset = 0; | ||
370 | } else { | ||
371 | if (expiry_timestamp->length < 12) { | ||
372 | xasprintf(&sc_cert.output, _("Wrong time format in certificate")); | ||
373 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
374 | return sc_cert; | ||
375 | } | ||
376 | stamp.tm_year = (expiry_timestamp->data[0] - '0') * 1000 + | ||
377 | (expiry_timestamp->data[1] - '0') * 100 + | ||
378 | (expiry_timestamp->data[2] - '0') * 10 + (expiry_timestamp->data[3] - '0'); | ||
379 | stamp.tm_year -= 1900; | ||
380 | offset = 2; | ||
381 | } | ||
382 | |||
383 | stamp.tm_mon = (expiry_timestamp->data[2 + offset] - '0') * 10 + | ||
384 | (expiry_timestamp->data[3 + offset] - '0') - 1; | ||
385 | stamp.tm_mday = (expiry_timestamp->data[4 + offset] - '0') * 10 + | ||
386 | (expiry_timestamp->data[5 + offset] - '0'); | ||
387 | stamp.tm_hour = (expiry_timestamp->data[6 + offset] - '0') * 10 + | ||
388 | (expiry_timestamp->data[7 + offset] - '0'); | ||
389 | stamp.tm_min = (expiry_timestamp->data[8 + offset] - '0') * 10 + | ||
390 | (expiry_timestamp->data[9 + offset] - '0'); | ||
391 | stamp.tm_sec = (expiry_timestamp->data[10 + offset] - '0') * 10 + | ||
392 | (expiry_timestamp->data[11 + offset] - '0'); | ||
393 | stamp.tm_isdst = -1; | ||
394 | |||
395 | time_t tm_t = timegm(&stamp); | ||
396 | double time_left = difftime(tm_t, time(NULL)); | ||
397 | int days_left = (int)(time_left / 86400); | ||
398 | char *timeZone = getenv("TZ"); | ||
399 | setenv("TZ", "GMT", 1); | ||
400 | tzset(); | ||
401 | |||
402 | char timestamp[50] = ""; | ||
403 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); | ||
404 | if (timeZone) { | ||
405 | setenv("TZ", timeZone, 1); | ||
406 | } else { | ||
407 | unsetenv("TZ"); | ||
408 | } | ||
409 | |||
410 | tzset(); | ||
411 | |||
412 | int time_remaining; | ||
413 | if (days_left > 0 && days_left <= days_till_exp_warn) { | ||
414 | xasprintf(&sc_cert.output, _("Certificate '%s' expires in %d day(s) (%s)"), commonName, | ||
415 | days_left, timestamp); | ||
416 | if (days_left > days_till_exp_crit) { | ||
417 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); | ||
418 | } else { | ||
419 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
420 | } | ||
421 | } else if (days_left == 0 && time_left > 0) { | ||
422 | if (time_left >= 3600) { | ||
423 | time_remaining = (int)time_left / 3600; | ||
424 | } else { | ||
425 | time_remaining = (int)time_left / 60; | ||
426 | } | ||
427 | |||
428 | xasprintf(&sc_cert.output, _("Certificate '%s' expires in %u %s (%s)"), commonName, | ||
429 | time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp); | ||
430 | |||
431 | if (days_left > days_till_exp_crit) { | ||
432 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); | ||
433 | } else { | ||
434 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
435 | } | ||
436 | } else if (time_left < 0) { | ||
437 | xasprintf(&sc_cert.output, _("Certificate '%s' expired on %s"), commonName, timestamp); | ||
438 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
439 | } else if (days_left == 0) { | ||
440 | xasprintf(&sc_cert.output, _("Certificate '%s' just expired (%s)"), commonName, timestamp); | ||
441 | if (days_left > days_till_exp_crit) { | ||
442 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); | ||
443 | } else { | ||
444 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL); | ||
445 | } | ||
446 | } else { | ||
447 | xasprintf(&sc_cert.output, _("Certificate '%s' will expire on %s"), commonName, timestamp); | ||
448 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_OK); | ||
449 | } | ||
450 | X509_free(certificate); | ||
451 | return sc_cert; | ||
452 | # else /* ifndef USE_OPENSSL */ | ||
453 | xasprintf(&sc_cert.output, _("Plugin does not support checking certificates")); | ||
454 | sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING); | ||
455 | return sc_cert; | ||
456 | # endif /* USE_OPENSSL */ | ||
457 | } | ||
330 | #endif /* HAVE_SSL */ | 458 | #endif /* HAVE_SSL */ |