diff options
Diffstat (limited to 'plugins/sslutils.c')
| -rw-r--r-- | plugins/sslutils.c | 77 |
1 files changed, 33 insertions, 44 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 666a012..6bc0ba8 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
| @@ -31,9 +31,8 @@ | |||
| 31 | #include "netutils.h" | 31 | #include "netutils.h" |
| 32 | 32 | ||
| 33 | #ifdef HAVE_SSL | 33 | #ifdef HAVE_SSL |
| 34 | static SSL_CTX *c=NULL; | 34 | static SSL_CTX *ctx=NULL; |
| 35 | static SSL *s=NULL; | 35 | static SSL *s=NULL; |
| 36 | static int initialized=0; | ||
| 37 | 36 | ||
| 38 | int np_net_ssl_init(int sd) { | 37 | int np_net_ssl_init(int sd) { |
| 39 | return np_net_ssl_init_with_hostname(sd, NULL); | 38 | return np_net_ssl_init_with_hostname(sd, NULL); |
| @@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi | |||
| 48 | } | 47 | } |
| 49 | 48 | ||
| 50 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { | 49 | int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { |
| 51 | const SSL_METHOD *method = NULL; | ||
| 52 | long options = 0; | 50 | long options = 0; |
| 53 | 51 | ||
| 52 | if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { | ||
| 53 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); | ||
| 54 | return STATE_CRITICAL; | ||
| 55 | } | ||
| 56 | |||
| 54 | switch (version) { | 57 | switch (version) { |
| 55 | case MP_SSLv2: /* SSLv2 protocol */ | 58 | case MP_SSLv2: /* SSLv2 protocol */ |
| 56 | #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) | ||
| 57 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); | 59 | printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); |
| 58 | return STATE_UNKNOWN; | 60 | return STATE_UNKNOWN; |
| 59 | #else | ||
| 60 | method = SSLv2_client_method(); | ||
| 61 | break; | ||
| 62 | #endif | ||
| 63 | case MP_SSLv3: /* SSLv3 protocol */ | 61 | case MP_SSLv3: /* SSLv3 protocol */ |
| 64 | #if defined(OPENSSL_NO_SSL3) | 62 | #if defined(OPENSSL_NO_SSL3) |
| 65 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); | 63 | printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); |
| 66 | return STATE_UNKNOWN; | 64 | return STATE_UNKNOWN; |
| 67 | #else | 65 | #else |
| 68 | method = SSLv3_client_method(); | 66 | SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
| 67 | SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); | ||
| 69 | break; | 68 | break; |
| 70 | #endif | 69 | #endif |
| 71 | case MP_TLSv1: /* TLSv1 protocol */ | 70 | case MP_TLSv1: /* TLSv1 protocol */ |
| @@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 73 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); | 72 | printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); |
| 74 | return STATE_UNKNOWN; | 73 | return STATE_UNKNOWN; |
| 75 | #else | 74 | #else |
| 76 | method = TLSv1_client_method(); | 75 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
| 76 | SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); | ||
| 77 | break; | 77 | break; |
| 78 | #endif | 78 | #endif |
| 79 | case MP_TLSv1_1: /* TLSv1.1 protocol */ | 79 | case MP_TLSv1_1: /* TLSv1.1 protocol */ |
| @@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 81 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); | 81 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); |
| 82 | return STATE_UNKNOWN; | 82 | return STATE_UNKNOWN; |
| 83 | #else | 83 | #else |
| 84 | method = TLSv1_1_client_method(); | 84 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
| 85 | SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); | ||
| 85 | break; | 86 | break; |
| 86 | #endif | 87 | #endif |
| 87 | case MP_TLSv1_2: /* TLSv1.2 protocol */ | 88 | case MP_TLSv1_2: /* TLSv1.2 protocol */ |
| @@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 89 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); | 90 | printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); |
| 90 | return STATE_UNKNOWN; | 91 | return STATE_UNKNOWN; |
| 91 | #else | 92 | #else |
| 92 | method = TLSv1_2_client_method(); | 93 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
| 94 | SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); | ||
| 93 | break; | 95 | break; |
| 94 | #endif | 96 | #endif |
| 95 | case MP_TLSv1_2_OR_NEWER: | 97 | case MP_TLSv1_2_OR_NEWER: |
| @@ -97,56 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 97 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); | 99 | printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); |
| 98 | return STATE_UNKNOWN; | 100 | return STATE_UNKNOWN; |
| 99 | #else | 101 | #else |
| 100 | options |= SSL_OP_NO_TLSv1_1; | 102 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
| 103 | break; | ||
| 101 | #endif | 104 | #endif |
| 102 | /* FALLTHROUGH */ | ||
| 103 | case MP_TLSv1_1_OR_NEWER: | 105 | case MP_TLSv1_1_OR_NEWER: |
| 104 | #if !defined(SSL_OP_NO_TLSv1) | 106 | #if !defined(SSL_OP_NO_TLSv1) |
| 105 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); | 107 | printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); |
| 106 | return STATE_UNKNOWN; | 108 | return STATE_UNKNOWN; |
| 107 | #else | 109 | #else |
| 108 | options |= SSL_OP_NO_TLSv1; | 110 | SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
| 111 | break; | ||
| 109 | #endif | 112 | #endif |
| 110 | /* FALLTHROUGH */ | ||
| 111 | case MP_TLSv1_OR_NEWER: | 113 | case MP_TLSv1_OR_NEWER: |
| 112 | #if defined(SSL_OP_NO_SSLv3) | 114 | #if defined(SSL_OP_NO_SSLv3) |
| 113 | options |= SSL_OP_NO_SSLv3; | 115 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
| 116 | break; | ||
| 114 | #endif | 117 | #endif |
| 115 | /* FALLTHROUGH */ | ||
| 116 | case MP_SSLv3_OR_NEWER: | 118 | case MP_SSLv3_OR_NEWER: |
| 117 | #if defined(SSL_OP_NO_SSLv2) | 119 | #if defined(SSL_OP_NO_SSLv2) |
| 118 | options |= SSL_OP_NO_SSLv2; | 120 | SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
| 121 | break; | ||
| 119 | #endif | 122 | #endif |
| 120 | case MP_SSLv2_OR_NEWER: | ||
| 121 | /* FALLTHROUGH */ | ||
| 122 | default: /* Default to auto negotiation */ | ||
| 123 | method = SSLv23_client_method(); | ||
| 124 | } | ||
| 125 | if (!initialized) { | ||
| 126 | /* Initialize SSL context */ | ||
| 127 | SSLeay_add_ssl_algorithms(); | ||
| 128 | SSL_load_error_strings(); | ||
| 129 | OpenSSL_add_all_algorithms(); | ||
| 130 | initialized = 1; | ||
| 131 | } | ||
| 132 | if ((c = SSL_CTX_new(method)) == NULL) { | ||
| 133 | printf("%s\n", _("CRITICAL - Cannot create SSL context.")); | ||
| 134 | return STATE_CRITICAL; | ||
| 135 | } | 123 | } |
| 124 | |||
| 136 | if (cert && privkey) { | 125 | if (cert && privkey) { |
| 137 | #ifdef USE_OPENSSL | 126 | #ifdef USE_OPENSSL |
| 138 | if (!SSL_CTX_use_certificate_chain_file(c, cert)) { | 127 | if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { |
| 139 | #elif USE_GNUTLS | 128 | #elif USE_GNUTLS |
| 140 | if (!SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM)) { | 129 | if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { |
| 141 | #else | 130 | #else |
| 142 | #error Unported for unknown SSL library | 131 | #error Unported for unknown SSL library |
| 143 | #endif | 132 | #endif |
| 144 | printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); | 133 | printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); |
| 145 | return STATE_CRITICAL; | 134 | return STATE_CRITICAL; |
| 146 | } | 135 | } |
| 147 | SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM); | 136 | SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); |
| 148 | #ifdef USE_OPENSSL | 137 | #ifdef USE_OPENSSL |
| 149 | if (!SSL_CTX_check_private_key(c)) { | 138 | if (!SSL_CTX_check_private_key(ctx)) { |
| 150 | printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); | 139 | printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); |
| 151 | return STATE_CRITICAL; | 140 | return STATE_CRITICAL; |
| 152 | } | 141 | } |
| @@ -155,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int | |||
| 155 | #ifdef SSL_OP_NO_TICKET | 144 | #ifdef SSL_OP_NO_TICKET |
| 156 | options |= SSL_OP_NO_TICKET; | 145 | options |= SSL_OP_NO_TICKET; |
| 157 | #endif | 146 | #endif |
| 158 | SSL_CTX_set_options(c, options); | 147 | SSL_CTX_set_options(ctx, options); |
| 159 | SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); | 148 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); |
| 160 | if ((s = SSL_new(c)) != NULL) { | 149 | if ((s = SSL_new(ctx)) != NULL) { |
| 161 | #ifdef SSL_set_tlsext_host_name | 150 | #ifdef SSL_set_tlsext_host_name |
| 162 | if (host_name != NULL) | 151 | if (host_name != NULL) |
| 163 | SSL_set_tlsext_host_name(s, host_name); | 152 | SSL_set_tlsext_host_name(s, host_name); |
| @@ -184,9 +173,9 @@ void np_net_ssl_cleanup() { | |||
| 184 | #endif | 173 | #endif |
| 185 | SSL_shutdown(s); | 174 | SSL_shutdown(s); |
| 186 | SSL_free(s); | 175 | SSL_free(s); |
| 187 | if (c) { | 176 | if (ctx) { |
| 188 | SSL_CTX_free(c); | 177 | SSL_CTX_free(ctx); |
| 189 | c=NULL; | 178 | ctx=NULL; |
| 190 | } | 179 | } |
| 191 | s=NULL; | 180 | s=NULL; |
| 192 | } | 181 | } |