summaryrefslogtreecommitdiffstats
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c228
1 files changed, 106 insertions, 122 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 6bc0ba81..3c928413 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,46 +1,42 @@
1/***************************************************************************** 1/*****************************************************************************
2* 2 *
3* Monitoring Plugins SSL utilities 3 * Monitoring Plugins SSL utilities
4* 4 *
5* License: GPL 5 * License: GPL
6* Copyright (c) 2005-2010 Monitoring Plugins Development Team 6 * Copyright (c) 2005-2024 Monitoring Plugins Development Team
7* 7 *
8* Description: 8 * Description:
9* 9 *
10* This file contains common functions for plugins that require SSL. 10 * This file contains common functions for plugins that require SSL.
11* 11 *
12* 12 *
13* This program is free software: you can redistribute it and/or modify 13 * This program is free software: you can redistribute it and/or modify
14* it under the terms of the GNU General Public License as published by 14 * it under the terms of the GNU General Public License as published by
15* the Free Software Foundation, either version 3 of the License, or 15 * the Free Software Foundation, either version 3 of the License, or
16* (at your option) any later version. 16 * (at your option) any later version.
17* 17 *
18* This program is distributed in the hope that it will be useful, 18 * This program is distributed in the hope that it will be useful,
19* but WITHOUT ANY WARRANTY; without even the implied warranty of 19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21* GNU General Public License for more details. 21 * GNU General Public License for more details.
22* 22 *
23* You should have received a copy of the GNU General Public License 23 * You should have received a copy of the GNU General Public License
24* along with this program. If not, see <http://www.gnu.org/licenses/>. 24 * along with this program. If not, see <http://www.gnu.org/licenses/>.
25* 25 *
26* 26 *
27*****************************************************************************/ 27 *****************************************************************************/
28 28
29#define MAX_CN_LENGTH 256 29#define MAX_CN_LENGTH 256
30#include "common.h" 30#include "common.h"
31#include "netutils.h" 31#include "netutils.h"
32 32
33#ifdef HAVE_SSL 33#ifdef HAVE_SSL
34static SSL_CTX *ctx=NULL; 34static SSL_CTX *ctx = NULL;
35static SSL *s=NULL; 35static SSL *s = NULL;
36 36
37int np_net_ssl_init(int sd) { 37int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
38 return np_net_ssl_init_with_hostname(sd, NULL);
39}
40 38
41int np_net_ssl_init_with_hostname(int sd, char *host_name) { 39int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); }
42 return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
43}
44 40
45int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { 41int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
46 return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL); 42 return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
@@ -59,145 +55,141 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
59 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); 55 printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
60 return STATE_UNKNOWN; 56 return STATE_UNKNOWN;
61 case MP_SSLv3: /* SSLv3 protocol */ 57 case MP_SSLv3: /* SSLv3 protocol */
62#if defined(OPENSSL_NO_SSL3) 58# if defined(OPENSSL_NO_SSL3)
63 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); 59 printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
64 return STATE_UNKNOWN; 60 return STATE_UNKNOWN;
65#else 61# else
66 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); 62 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
67 SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); 63 SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
68 break; 64 break;
69#endif 65# endif
70 case MP_TLSv1: /* TLSv1 protocol */ 66 case MP_TLSv1: /* TLSv1 protocol */
71#if defined(OPENSSL_NO_TLS1) 67# if defined(OPENSSL_NO_TLS1)
72 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); 68 printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
73 return STATE_UNKNOWN; 69 return STATE_UNKNOWN;
74#else 70# else
75 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); 71 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
76 SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); 72 SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
77 break; 73 break;
78#endif 74# endif
79 case MP_TLSv1_1: /* TLSv1.1 protocol */ 75 case MP_TLSv1_1: /* TLSv1.1 protocol */
80#if !defined(SSL_OP_NO_TLSv1_1) 76# if !defined(SSL_OP_NO_TLSv1_1)
81 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); 77 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82 return STATE_UNKNOWN; 78 return STATE_UNKNOWN;
83#else 79# else
84 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); 80 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
85 SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); 81 SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
86 break; 82 break;
87#endif 83# endif
88 case MP_TLSv1_2: /* TLSv1.2 protocol */ 84 case MP_TLSv1_2: /* TLSv1.2 protocol */
89#if !defined(SSL_OP_NO_TLSv1_2) 85# if !defined(SSL_OP_NO_TLSv1_2)
90 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); 86 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
91 return STATE_UNKNOWN; 87 return STATE_UNKNOWN;
92#else 88# else
93 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); 89 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
94 SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); 90 SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
95 break; 91 break;
96#endif 92# endif
97 case MP_TLSv1_2_OR_NEWER: 93 case MP_TLSv1_2_OR_NEWER:
98#if !defined(SSL_OP_NO_TLSv1_1) 94# if !defined(SSL_OP_NO_TLSv1_1)
99 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); 95 printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
100 return STATE_UNKNOWN; 96 return STATE_UNKNOWN;
101#else 97# else
102 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); 98 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
103 break; 99 break;
104#endif 100# endif
105 case MP_TLSv1_1_OR_NEWER: 101 case MP_TLSv1_1_OR_NEWER:
106#if !defined(SSL_OP_NO_TLSv1) 102# if !defined(SSL_OP_NO_TLSv1)
107 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); 103 printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
108 return STATE_UNKNOWN; 104 return STATE_UNKNOWN;
109#else 105# else
110 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); 106 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
111 break; 107 break;
112#endif 108# endif
113 case MP_TLSv1_OR_NEWER: 109 case MP_TLSv1_OR_NEWER:
114#if defined(SSL_OP_NO_SSLv3) 110# if defined(SSL_OP_NO_SSLv3)
115 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); 111 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
116 break; 112 break;
117#endif 113# endif
118 case MP_SSLv3_OR_NEWER: 114 case MP_SSLv3_OR_NEWER:
119#if defined(SSL_OP_NO_SSLv2) 115# if defined(SSL_OP_NO_SSLv2)
120 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); 116 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
121 break; 117 break;
122#endif 118# endif
123 } 119 }
124 120
125 if (cert && privkey) { 121 if (cert && privkey) {
126#ifdef USE_OPENSSL 122# ifdef USE_OPENSSL
127 if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { 123 if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
128#elif USE_GNUTLS 124# elif USE_GNUTLS
129 if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { 125 if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
130#else 126# else
131#error Unported for unknown SSL library 127# error Unported for unknown SSL library
132#endif 128# endif
133 printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); 129 printf("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
134 return STATE_CRITICAL; 130 return STATE_CRITICAL;
135 } 131 }
136 SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); 132 SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
137#ifdef USE_OPENSSL 133# ifdef USE_OPENSSL
138 if (!SSL_CTX_check_private_key(ctx)) { 134 if (!SSL_CTX_check_private_key(ctx)) {
139 printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); 135 printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
140 return STATE_CRITICAL; 136 return STATE_CRITICAL;
141 } 137 }
142#endif 138# endif
143 } 139 }
144#ifdef SSL_OP_NO_TICKET 140# ifdef SSL_OP_NO_TICKET
145 options |= SSL_OP_NO_TICKET; 141 options |= SSL_OP_NO_TICKET;
146#endif 142# endif
147 SSL_CTX_set_options(ctx, options); 143 SSL_CTX_set_options(ctx, options);
148 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); 144 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
149 if ((s = SSL_new(ctx)) != NULL) { 145 if ((s = SSL_new(ctx)) != NULL) {
150#ifdef SSL_set_tlsext_host_name 146# ifdef SSL_set_tlsext_host_name
151 if (host_name != NULL) 147 if (host_name != NULL)
152 SSL_set_tlsext_host_name(s, host_name); 148 SSL_set_tlsext_host_name(s, host_name);
153#endif 149# endif
154 SSL_set_fd(s, sd); 150 SSL_set_fd(s, sd);
155 if (SSL_connect(s) == 1) { 151 if (SSL_connect(s) == 1) {
156 return OK; 152 return OK;
157 } else { 153 } else {
158 printf("%s\n", _("CRITICAL - Cannot make SSL connection.")); 154 printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
159# ifdef USE_OPENSSL /* XXX look into ERR_error_string */ 155# ifdef USE_OPENSSL /* XXX look into ERR_error_string */
160 ERR_print_errors_fp(stdout); 156 ERR_print_errors_fp(stdout);
161# endif /* USE_OPENSSL */ 157# endif /* USE_OPENSSL */
162 } 158 }
163 } else { 159 } else {
164 printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); 160 printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
165 } 161 }
166 return STATE_CRITICAL; 162 return STATE_CRITICAL;
167} 163}
168 164
169void np_net_ssl_cleanup() { 165void np_net_ssl_cleanup() {
170 if (s) { 166 if (s) {
171#ifdef SSL_set_tlsext_host_name 167# ifdef SSL_set_tlsext_host_name
172 SSL_set_tlsext_host_name(s, NULL); 168 SSL_set_tlsext_host_name(s, NULL);
173#endif 169# endif
174 SSL_shutdown(s); 170 SSL_shutdown(s);
175 SSL_free(s); 171 SSL_free(s);
176 if (ctx) { 172 if (ctx) {
177 SSL_CTX_free(ctx); 173 SSL_CTX_free(ctx);
178 ctx=NULL; 174 ctx = NULL;
179 } 175 }
180 s=NULL; 176 s = NULL;
181 } 177 }
182} 178}
183 179
184int np_net_ssl_write(const void *buf, int num) { 180int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); }
185 return SSL_write(s, buf, num);
186}
187 181
188int np_net_ssl_read(void *buf, int num) { 182int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
189 return SSL_read(s, buf, num);
190}
191 183
192int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){ 184int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) {
193# ifdef USE_OPENSSL 185# ifdef USE_OPENSSL
194 X509_NAME *subj=NULL; 186 X509_NAME *subj = NULL;
195 char timestamp[50] = ""; 187 char timestamp[50] = "";
196 char cn[MAX_CN_LENGTH]= ""; 188 char cn[MAX_CN_LENGTH] = "";
197 char *tz; 189 char *tz;
198 190
199 int cnlen =-1; 191 int cnlen = -1;
200 int status=STATE_UNKNOWN; 192 int status = STATE_UNKNOWN;
201 193
202 ASN1_STRING *tm; 194 ASN1_STRING *tm;
203 int offset; 195 int offset;
@@ -208,15 +200,15 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
208 time_t tm_t; 200 time_t tm_t;
209 201
210 if (!certificate) { 202 if (!certificate) {
211 printf("%s\n",_("CRITICAL - Cannot retrieve server certificate.")); 203 printf("%s\n", _("CRITICAL - Cannot retrieve server certificate."));
212 return STATE_CRITICAL; 204 return STATE_CRITICAL;
213 } 205 }
214 206
215 /* Extract CN from certificate subject */ 207 /* Extract CN from certificate subject */
216 subj=X509_get_subject_name(certificate); 208 subj = X509_get_subject_name(certificate);
217 209
218 if (!subj) { 210 if (!subj) {
219 printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject.")); 211 printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
220 return STATE_CRITICAL; 212 return STATE_CRITICAL;
221 } 213 }
222 cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); 214 cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
@@ -242,23 +234,16 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
242 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 234 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
243 return STATE_CRITICAL; 235 return STATE_CRITICAL;
244 } else { 236 } else {
245 stamp.tm_year = 237 stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
246 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
247 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
248 stamp.tm_year -= 1900; 238 stamp.tm_year -= 1900;
249 offset = 2; 239 offset = 2;
250 } 240 }
251 } 241 }
252 stamp.tm_mon = 242 stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
253 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; 243 stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
254 stamp.tm_mday = 244 stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
255 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); 245 stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
256 stamp.tm_hour = 246 stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
257 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
258 stamp.tm_min =
259 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
260 stamp.tm_sec =
261 (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
262 stamp.tm_isdst = -1; 247 stamp.tm_isdst = -1;
263 248
264 tm_t = timegm(&stamp); 249 tm_t = timegm(&stamp);
@@ -275,30 +260,30 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
275 tzset(); 260 tzset();
276 261
277 if (days_left > 0 && days_left <= days_till_exp_warn) { 262 if (days_left > 0 && days_left <= days_till_exp_warn) {
278 printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp); 263 printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
264 days_left, timestamp);
279 if (days_left > days_till_exp_crit) 265 if (days_left > days_till_exp_crit)
280 status = STATE_WARNING; 266 status = STATE_WARNING;
281 else 267 else
282 status = STATE_CRITICAL; 268 status = STATE_CRITICAL;
283 } else if (days_left == 0 && time_left > 0) { 269 } else if (days_left == 0 && time_left > 0) {
284 if (time_left >= 3600) 270 if (time_left >= 3600)
285 time_remaining = (int) time_left / 3600; 271 time_remaining = (int)time_left / 3600;
286 else 272 else
287 time_remaining = (int) time_left / 60; 273 time_remaining = (int)time_left / 60;
288 274
289 printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"), 275 printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
290 (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining, 276 time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
291 time_left >= 3600 ? "hours" : "minutes", timestamp);
292 277
293 if ( days_left > days_till_exp_crit) 278 if (days_left > days_till_exp_crit)
294 status = STATE_WARNING; 279 status = STATE_WARNING;
295 else 280 else
296 status = STATE_CRITICAL; 281 status = STATE_CRITICAL;
297 } else if (time_left < 0) { 282 } else if (time_left < 0) {
298 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); 283 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
299 status=STATE_CRITICAL; 284 status = STATE_CRITICAL;
300 } else if (days_left == 0) { 285 } else if (days_left == 0) {
301 printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp); 286 printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
302 if (days_left > days_till_exp_crit) 287 if (days_left > days_till_exp_crit)
303 status = STATE_WARNING; 288 status = STATE_WARNING;
304 else 289 else
@@ -309,22 +294,21 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
309 } 294 }
310 X509_free(certificate); 295 X509_free(certificate);
311 return status; 296 return status;
312# else /* ifndef USE_OPENSSL */ 297# else /* ifndef USE_OPENSSL */
313 printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); 298 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
314 return STATE_WARNING; 299 return STATE_WARNING;
315# endif /* USE_OPENSSL */ 300# endif /* USE_OPENSSL */
316} 301}
317 302
318int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ 303int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
319# ifdef USE_OPENSSL 304# ifdef USE_OPENSSL
320 X509 *certificate = NULL; 305 X509 *certificate = NULL;
321 certificate=SSL_get_peer_certificate(s); 306 certificate = SSL_get_peer_certificate(s);
322 return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit)); 307 return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
323# else /* ifndef USE_OPENSSL */ 308# else /* ifndef USE_OPENSSL */
324 printf("%s\n", _("WARNING - Plugin does not support checking certificates.")); 309 printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
325 return STATE_WARNING; 310 return STATE_WARNING;
326# endif /* USE_OPENSSL */ 311# endif /* USE_OPENSSL */
327} 312}
328 313
329
330#endif /* HAVE_SSL */ 314#endif /* HAVE_SSL */