1 files changed, 106 insertions, 122 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 6bc0ba8..b8cbc7c 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -1,46 +1,42 @@
 /*****************************************************************************
-*
+ *
-* Monitoring Plugins SSL utilities
+ * Monitoring Plugins SSL utilities
-*
+ *
-* License: GPL
+ * License: GPL
-* Copyright (c) 2005-2010 Monitoring Plugins Development Team
+ * Copyright (c) 2005-2010 Monitoring Plugins Development Team
-*
+ *
-* Description:
+ * Description:
-*
+ *
-* This file contains common functions for plugins that require SSL.
+ * This file contains common functions for plugins that require SSL.
-*
+ *
-*
+ *
-* This program is free software: you can redistribute it and/or modify
+ * This program is free software: you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
+ * it under the terms of the GNU General Public License as published by
-* the Free Software Foundation, either version 3 of the License, or
+ * the Free Software Foundation, either version 3 of the License, or
-* (at your option) any later version.
+ * (at your option) any later version.
-*
+ *
-* This program is distributed in the hope that it will be useful,
+ * This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-* GNU General Public License for more details.
+ * GNU General Public License for more details.
-*
+ *
-* You should have received a copy of the GNU General Public License
+ * You should have received a copy of the GNU General Public License
-* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*
+ *
-*
+ *
-*****************************************************************************/
+ *****************************************************************************/
 #define MAX_CN_LENGTH 256
 #include "common.h"
 #include "netutils.h"
 #ifdef HAVE_SSL
-static SSL_CTX *ctx=NULL;
+static SSL_CTX *ctx = NULL;
-static SSL *s=NULL;
+static SSL *s = NULL;
-int np_net_ssl_init(int sd) {
+int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
-        return np_net_ssl_init_with_hostname(sd, NULL);
-}
-int np_net_ssl_init_with_hostname(int sd, char *host_name) {
+int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); }
-        return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
-}
 int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
        return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
@@ -59,145 +55,141 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
                printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
                return STATE_UNKNOWN;
        case MP_SSLv3: /* SSLv3 protocol */
-#if defined(OPENSSL_NO_SSL3)
+#       if defined(OPENSSL_NO_SSL3)
                printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
                SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1: /* TLSv1 protocol */
-#if defined(OPENSSL_NO_TLS1)
+#       if defined(OPENSSL_NO_TLS1)
                printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
                SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_1: /* TLSv1.1 protocol */
-#if !defined(SSL_OP_NO_TLSv1_1)
+#       if !defined(SSL_OP_NO_TLSv1_1)
                printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
                SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_2: /* TLSv1.2 protocol */
-#if !defined(SSL_OP_NO_TLSv1_2)
+#       if !defined(SSL_OP_NO_TLSv1_2)
                printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
                SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_2_OR_NEWER:
-#if !defined(SSL_OP_NO_TLSv1_1)
+#       if !defined(SSL_OP_NO_TLSv1_1)
                printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_1_OR_NEWER:
-#if !defined(SSL_OP_NO_TLSv1)
+#       if !defined(SSL_OP_NO_TLSv1)
                printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
-#else
+#       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
                break;
-#endif
+#       endif
        case MP_TLSv1_OR_NEWER:
-#if defined(SSL_OP_NO_SSLv3)
+#       if defined(SSL_OP_NO_SSLv3)
                SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
                break;
-#endif
+#       endif
        case MP_SSLv3_OR_NEWER:
-#if defined(SSL_OP_NO_SSLv2)
+#       if defined(SSL_OP_NO_SSLv2)
                SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
                break;
-#endif
+#       endif
        }
        if (cert && privkey) {
-#ifdef USE_OPENSSL
+#       ifdef USE_OPENSSL
                if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
-#elif  USE_GNUTLS
+#       elif USE_GNUTLS
                if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
-#else
+#       else
-#error Unported for unknown SSL library
+#               error Unported for unknown SSL library
-#endif
+#       endif
-                        printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
+                        printf("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
                        return STATE_CRITICAL;
                }
                SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
-#ifdef USE_OPENSSL
+#       ifdef USE_OPENSSL
                if (!SSL_CTX_check_private_key(ctx)) {
-                        printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
+                        printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
                        return STATE_CRITICAL;
                }
-#endif
+#       endif
        }
-#ifdef SSL_OP_NO_TICKET
+#       ifdef SSL_OP_NO_TICKET
        options |= SSL_OP_NO_TICKET;
-#endif
+#       endif
        SSL_CTX_set_options(ctx, options);
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
        if ((s = SSL_new(ctx)) != NULL) {
-#ifdef SSL_set_tlsext_host_name
+#       ifdef SSL_set_tlsext_host_name
                if (host_name != NULL)
                        SSL_set_tlsext_host_name(s, host_name);
-#endif
+#       endif
                SSL_set_fd(s, sd);
                if (SSL_connect(s) == 1) {
                        return OK;
                } else {
                        printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
-#  ifdef USE_OPENSSL /* XXX look into ERR_error_string */
+#       ifdef USE_OPENSSL /* XXX look into ERR_error_string */
                        ERR_print_errors_fp(stdout);
-#  endif /* USE_OPENSSL */
+#       endif /* USE_OPENSSL */
                }
        } else {
-                        printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
+                printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
        }
        return STATE_CRITICAL;
 }
 void np_net_ssl_cleanup() {
        if (s) {
-#ifdef SSL_set_tlsext_host_name
+#       ifdef SSL_set_tlsext_host_name
                SSL_set_tlsext_host_name(s, NULL);
-#endif
+#       endif
                SSL_shutdown(s);
                SSL_free(s);
                if (ctx) {
                        SSL_CTX_free(ctx);
-                        ctx=NULL;
+                        ctx = NULL;
                }
-                s=NULL;
+                s = NULL;
        }
 }
-int np_net_ssl_write(const void *buf, int num) {
+int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); }
-        return SSL_write(s, buf, num);
-}
-int np_net_ssl_read(void *buf, int num) {
+int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
-        return SSL_read(s, buf, num);
-}
-int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){
+int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) {
-#  ifdef USE_OPENSSL
+#       ifdef USE_OPENSSL
-        X509_NAME *subj=NULL;
+        X509_NAME *subj = NULL;
        char timestamp[50] = "";
-        char cn[MAX_CN_LENGTH]= "";
+        char cn[MAX_CN_LENGTH] = "";
        char *tz;
-        int cnlen =-1;
+        int cnlen = -1;
-        int status=STATE_UNKNOWN;
+        int status = STATE_UNKNOWN;
        ASN1_STRING *tm;
        int offset;
@@ -208,15 +200,15 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
        time_t tm_t;
        if (!certificate) {
-                printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
+                printf("%s\n", _("CRITICAL - Cannot retrieve server certificate."));
                return STATE_CRITICAL;
        }
        /* Extract CN from certificate subject */
-        subj=X509_get_subject_name(certificate);
+        subj = X509_get_subject_name(certificate);
        if (!subj) {
-                printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
+                printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
                return STATE_CRITICAL;
        }
        cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
@@ -242,23 +234,16 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
                } else {
-                        stamp.tm_year =
+                        stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
-                                (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
-                                (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
                        stamp.tm_year -= 1900;
                        offset = 2;
                }
        }
-        stamp.tm_mon =
+        stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
-                (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
+        stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
-        stamp.tm_mday =
+        stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
-                (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
+        stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
-        stamp.tm_hour =
+        stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
-                (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
-        stamp.tm_min =
-                (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
-        stamp.tm_sec =
-                (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
        stamp.tm_isdst = -1;
        tm_t = timegm(&stamp);
@@ -275,30 +260,30 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
        tzset();
        if (days_left > 0 && days_left <= days_till_exp_warn) {
-                printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
+                printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
+                           days_left, timestamp);
                if (days_left > days_till_exp_crit)
                        status = STATE_WARNING;
                else
                        status = STATE_CRITICAL;
        } else if (days_left == 0 && time_left > 0) {
                if (time_left >= 3600)
-                        time_remaining = (int) time_left / 3600;
+                        time_remaining = (int)time_left / 3600;
                else
-                        time_remaining = (int) time_left / 60;
+                        time_remaining = (int)time_left / 60;
-                printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
+                printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
-                        (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
+                           time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
-                        time_left >= 3600 ? "hours" : "minutes", timestamp);
-                if ( days_left > days_till_exp_crit)
+                if (days_left > days_till_exp_crit)
                        status = STATE_WARNING;
                else
                        status = STATE_CRITICAL;
        } else if (time_left < 0) {
                printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
-                status=STATE_CRITICAL;
+                status = STATE_CRITICAL;
        } else if (days_left == 0) {
-                printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
+                printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
                if (days_left > days_till_exp_crit)
                        status = STATE_WARNING;
                else
@@ -309,22 +294,21 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
        }
        X509_free(certificate);
        return status;
-#  else /* ifndef USE_OPENSSL */
+#       else  /* ifndef USE_OPENSSL */
        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
        return STATE_WARNING;
-#  endif /* USE_OPENSSL */
+#       endif /* USE_OPENSSL */
 }
-int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
-#  ifdef USE_OPENSSL
+#       ifdef USE_OPENSSL
        X509 *certificate = NULL;
-        certificate=SSL_get_peer_certificate(s);
+        certificate = SSL_get_peer_certificate(s);
-        return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
+        return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
-#  else /* ifndef USE_OPENSSL */
+#       else  /* ifndef USE_OPENSSL */
        printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
        return STATE_WARNING;
-#  endif /* USE_OPENSSL */
+#       endif /* USE_OPENSSL */
 }
 #endif /* HAVE_SSL */

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 6bc0ba8..b8cbc7c 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -1,46 +1,42 @@
1	/*****************************************************************************	1	/*****************************************************************************
2	*	2	*
3	* Monitoring Plugins SSL utilities	3	* Monitoring Plugins SSL utilities
4	*	4	*
5	* License: GPL	5	* License: GPL
6	* Copyright (c) 2005-2010 Monitoring Plugins Development Team	6	* Copyright (c) 2005-2010 Monitoring Plugins Development Team
7	*	7	*
8	* Description:	8	* Description:
9	*	9	*
10	* This file contains common functions for plugins that require SSL.	10	* This file contains common functions for plugins that require SSL.
11	*	11	*
12	*	12	*
13	* This program is free software: you can redistribute it and/or modify	13	* This program is free software: you can redistribute it and/or modify
14	* it under the terms of the GNU General Public License as published by	14	* it under the terms of the GNU General Public License as published by
15	* the Free Software Foundation, either version 3 of the License, or	15	* the Free Software Foundation, either version 3 of the License, or
16	* (at your option) any later version.	16	* (at your option) any later version.
17	*	17	*
18	* This program is distributed in the hope that it will be useful,	18	* This program is distributed in the hope that it will be useful,
19	* but WITHOUT ANY WARRANTY; without even the implied warranty of	19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21	* GNU General Public License for more details.	21	* GNU General Public License for more details.
22	*	22	*
23	* You should have received a copy of the GNU General Public License	23	* You should have received a copy of the GNU General Public License
24	* along with this program. If not, see <http://www.gnu.org/licenses/>.	24	* along with this program. If not, see <http://www.gnu.org/licenses/>.
25	*	25	*
26	*	26	*
27	*****************************************************************************/	27	*****************************************************************************/
28		28
29	#define MAX_CN_LENGTH 256	29	#define MAX_CN_LENGTH 256
30	#include "common.h"	30	#include "common.h"
31	#include "netutils.h"	31	#include "netutils.h"
32		32
33	#ifdef HAVE_SSL	33	#ifdef HAVE_SSL
34	static SSL_CTX *ctx=NULL;	34	static SSL_CTX *ctx = NULL;
35	static SSL *s=NULL;	35	static SSL *s = NULL;
36		36
37	int np_net_ssl_init(int sd) {	37	int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
38	return np_net_ssl_init_with_hostname(sd, NULL);
39	}
40		38
41	int np_net_ssl_init_with_hostname(int sd, char *host_name) {	39	int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); }
42	return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
43	}
44		40
45	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {	41	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
46	return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);	42	return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
@@ -59,145 +55,141 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
59	printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));	55	printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
60	return STATE_UNKNOWN;	56	return STATE_UNKNOWN;
61	case MP_SSLv3: /* SSLv3 protocol */	57	case MP_SSLv3: /* SSLv3 protocol */
62	#if defined(OPENSSL_NO_SSL3)	58	# if defined(OPENSSL_NO_SSL3)
63	printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));	59	printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
64	return STATE_UNKNOWN;	60	return STATE_UNKNOWN;
65	#else	61	# else
66	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);	62	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
67	SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);	63	SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
68	break;	64	break;
69	#endif	65	# endif
70	case MP_TLSv1: /* TLSv1 protocol */	66	case MP_TLSv1: /* TLSv1 protocol */
71	#if defined(OPENSSL_NO_TLS1)	67	# if defined(OPENSSL_NO_TLS1)
72	printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));	68	printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
73	return STATE_UNKNOWN;	69	return STATE_UNKNOWN;
74	#else	70	# else
75	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);	71	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
76	SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);	72	SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
77	break;	73	break;
78	#endif	74	# endif
79	case MP_TLSv1_1: /* TLSv1.1 protocol */	75	case MP_TLSv1_1: /* TLSv1.1 protocol */
80	#if !defined(SSL_OP_NO_TLSv1_1)	76	# if !defined(SSL_OP_NO_TLSv1_1)
81	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));	77	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
82	return STATE_UNKNOWN;	78	return STATE_UNKNOWN;
83	#else	79	# else
84	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);	80	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
85	SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);	81	SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
86	break;	82	break;
87	#endif	83	# endif
88	case MP_TLSv1_2: /* TLSv1.2 protocol */	84	case MP_TLSv1_2: /* TLSv1.2 protocol */
89	#if !defined(SSL_OP_NO_TLSv1_2)	85	# if !defined(SSL_OP_NO_TLSv1_2)
90	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));	86	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
91	return STATE_UNKNOWN;	87	return STATE_UNKNOWN;
92	#else	88	# else
93	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);	89	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
94	SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);	90	SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
95	break;	91	break;
96	#endif	92	# endif
97	case MP_TLSv1_2_OR_NEWER:	93	case MP_TLSv1_2_OR_NEWER:
98	#if !defined(SSL_OP_NO_TLSv1_1)	94	# if !defined(SSL_OP_NO_TLSv1_1)
99	printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));	95	printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
100	return STATE_UNKNOWN;	96	return STATE_UNKNOWN;
101	#else	97	# else
102	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);	98	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
103	break;	99	break;
104	#endif	100	# endif
105	case MP_TLSv1_1_OR_NEWER:	101	case MP_TLSv1_1_OR_NEWER:
106	#if !defined(SSL_OP_NO_TLSv1)	102	# if !defined(SSL_OP_NO_TLSv1)
107	printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));	103	printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
108	return STATE_UNKNOWN;	104	return STATE_UNKNOWN;
109	#else	105	# else
110	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);	106	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
111	break;	107	break;
112	#endif	108	# endif
113	case MP_TLSv1_OR_NEWER:	109	case MP_TLSv1_OR_NEWER:
114	#if defined(SSL_OP_NO_SSLv3)	110	# if defined(SSL_OP_NO_SSLv3)
115	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);	111	SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
116	break;	112	break;
117	#endif	113	# endif
118	case MP_SSLv3_OR_NEWER:	114	case MP_SSLv3_OR_NEWER:
119	#if defined(SSL_OP_NO_SSLv2)	115	# if defined(SSL_OP_NO_SSLv2)
120	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);	116	SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
121	break;	117	break;
122	#endif	118	# endif
123	}	119	}
124		120
125	if (cert && privkey) {	121	if (cert && privkey) {
126	#ifdef USE_OPENSSL	122	# ifdef USE_OPENSSL
127	if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {	123	if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
128	#elif USE_GNUTLS	124	# elif USE_GNUTLS
129	if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {	125	if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) {
130	#else	126	# else
131	#error Unported for unknown SSL library	127	# error Unported for unknown SSL library
132	#endif	128	# endif
133	printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));	129	printf("%s\n", _("CRITICAL - Unable to open certificate chain file!\n"));
134	return STATE_CRITICAL;	130	return STATE_CRITICAL;
135	}	131	}
136	SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);	132	SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM);
137	#ifdef USE_OPENSSL	133	# ifdef USE_OPENSSL
138	if (!SSL_CTX_check_private_key(ctx)) {	134	if (!SSL_CTX_check_private_key(ctx)) {
139	printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));	135	printf("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
140	return STATE_CRITICAL;	136	return STATE_CRITICAL;
141	}	137	}
142	#endif	138	# endif
143	}	139	}
144	#ifdef SSL_OP_NO_TICKET	140	# ifdef SSL_OP_NO_TICKET
145	options \|= SSL_OP_NO_TICKET;	141	options \|= SSL_OP_NO_TICKET;
146	#endif	142	# endif
147	SSL_CTX_set_options(ctx, options);	143	SSL_CTX_set_options(ctx, options);
148	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);	144	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
149	if ((s = SSL_new(ctx)) != NULL) {	145	if ((s = SSL_new(ctx)) != NULL) {
150	#ifdef SSL_set_tlsext_host_name	146	# ifdef SSL_set_tlsext_host_name
151	if (host_name != NULL)	147	if (host_name != NULL)
152	SSL_set_tlsext_host_name(s, host_name);	148	SSL_set_tlsext_host_name(s, host_name);
153	#endif	149	# endif
154	SSL_set_fd(s, sd);	150	SSL_set_fd(s, sd);
155	if (SSL_connect(s) == 1) {	151	if (SSL_connect(s) == 1) {
156	return OK;	152	return OK;
157	} else {	153	} else {
158	printf("%s\n", _("CRITICAL - Cannot make SSL connection."));	154	printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
159	# ifdef USE_OPENSSL /* XXX look into ERR_error_string */	155	# ifdef USE_OPENSSL /* XXX look into ERR_error_string */
160	ERR_print_errors_fp(stdout);	156	ERR_print_errors_fp(stdout);
161	# endif /* USE_OPENSSL */	157	# endif /* USE_OPENSSL */
162	}	158	}
163	} else {	159	} else {
164	printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));	160	printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
165	}	161	}
166	return STATE_CRITICAL;	162	return STATE_CRITICAL;
167	}	163	}
168		164
169	void np_net_ssl_cleanup() {	165	void np_net_ssl_cleanup() {
170	if (s) {	166	if (s) {
171	#ifdef SSL_set_tlsext_host_name	167	# ifdef SSL_set_tlsext_host_name
172	SSL_set_tlsext_host_name(s, NULL);	168	SSL_set_tlsext_host_name(s, NULL);
173	#endif	169	# endif
174	SSL_shutdown(s);	170	SSL_shutdown(s);
175	SSL_free(s);	171	SSL_free(s);
176	if (ctx) {	172	if (ctx) {
177	SSL_CTX_free(ctx);	173	SSL_CTX_free(ctx);
178	ctx=NULL;	174	ctx = NULL;
179	}	175	}
180	s=NULL;	176	s = NULL;
181	}	177	}
182	}	178	}
183		179
184	int np_net_ssl_write(const void *buf, int num) {	180	int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); }
185	return SSL_write(s, buf, num);
186	}
187		181
188	int np_net_ssl_read(void *buf, int num) {	182	int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
189	return SSL_read(s, buf, num);
190	}
191		183
192	int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit){	184	int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) {
193	# ifdef USE_OPENSSL	185	# ifdef USE_OPENSSL
194	X509_NAME *subj=NULL;	186	X509_NAME *subj = NULL;
195	char timestamp[50] = "";	187	char timestamp[50] = "";
196	char cn[MAX_CN_LENGTH]= "";	188	char cn[MAX_CN_LENGTH] = "";
197	char *tz;	189	char *tz;
198		190
199	int cnlen =-1;	191	int cnlen = -1;
200	int status=STATE_UNKNOWN;	192	int status = STATE_UNKNOWN;
201		193
202	ASN1_STRING *tm;	194	ASN1_STRING *tm;
203	int offset;	195	int offset;
@@ -208,15 +200,15 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
208	time_t tm_t;	200	time_t tm_t;
209		201
210	if (!certificate) {	202	if (!certificate) {
211	printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));	203	printf("%s\n", _("CRITICAL - Cannot retrieve server certificate."));
212	return STATE_CRITICAL;	204	return STATE_CRITICAL;
213	}	205	}
214		206
215	/* Extract CN from certificate subject */	207	/* Extract CN from certificate subject */
216	subj=X509_get_subject_name(certificate);	208	subj = X509_get_subject_name(certificate);
217		209
218	if (!subj) {	210	if (!subj) {
219	printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));	211	printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
220	return STATE_CRITICAL;	212	return STATE_CRITICAL;
221	}	213	}
222	cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));	214	cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
@@ -242,23 +234,16 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
242	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));	234	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
243	return STATE_CRITICAL;	235	return STATE_CRITICAL;
244	} else {	236	} else {
245	stamp.tm_year =	237	stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
246	(tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
247	(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
248	stamp.tm_year -= 1900;	238	stamp.tm_year -= 1900;
249	offset = 2;	239	offset = 2;
250	}	240	}
251	}	241	}
252	stamp.tm_mon =	242	stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
253	(tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;	243	stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
254	stamp.tm_mday =	244	stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
255	(tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');	245	stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
256	stamp.tm_hour =	246	stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
257	(tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
258	stamp.tm_min =
259	(tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
260	stamp.tm_sec =
261	(tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
262	stamp.tm_isdst = -1;	247	stamp.tm_isdst = -1;
263		248
264	tm_t = timegm(&stamp);	249	tm_t = timegm(&stamp);
@@ -275,30 +260,30 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
275	tzset();	260	tzset();
276		261
277	if (days_left > 0 && days_left <= days_till_exp_warn) {	262	if (days_left > 0 && days_left <= days_till_exp_warn) {
278	printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);	263	printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
		264	days_left, timestamp);
279	if (days_left > days_till_exp_crit)	265	if (days_left > days_till_exp_crit)
280	status = STATE_WARNING;	266	status = STATE_WARNING;
281	else	267	else
282	status = STATE_CRITICAL;	268	status = STATE_CRITICAL;
283	} else if (days_left == 0 && time_left > 0) {	269	} else if (days_left == 0 && time_left > 0) {
284	if (time_left >= 3600)	270	if (time_left >= 3600)
285	time_remaining = (int) time_left / 3600;	271	time_remaining = (int)time_left / 3600;
286	else	272	else
287	time_remaining = (int) time_left / 60;	273	time_remaining = (int)time_left / 60;
288		274
289	printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),	275	printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
290	(days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,	276	time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
291	time_left >= 3600 ? "hours" : "minutes", timestamp);
292		277
293	if ( days_left > days_till_exp_crit)	278	if (days_left > days_till_exp_crit)
294	status = STATE_WARNING;	279	status = STATE_WARNING;
295	else	280	else
296	status = STATE_CRITICAL;	281	status = STATE_CRITICAL;
297	} else if (time_left < 0) {	282	} else if (time_left < 0) {
298	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);	283	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
299	status=STATE_CRITICAL;	284	status = STATE_CRITICAL;
300	} else if (days_left == 0) {	285	} else if (days_left == 0) {
301	printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);	286	printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
302	if (days_left > days_till_exp_crit)	287	if (days_left > days_till_exp_crit)
303	status = STATE_WARNING;	288	status = STATE_WARNING;
304	else	289	else
@@ -309,22 +294,21 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
309	}	294	}
310	X509_free(certificate);	295	X509_free(certificate);
311	return status;	296	return status;
312	# else /* ifndef USE_OPENSSL */	297	# else /* ifndef USE_OPENSSL */
313	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));	298	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
314	return STATE_WARNING;	299	return STATE_WARNING;
315	# endif /* USE_OPENSSL */	300	# endif /* USE_OPENSSL */
316	}	301	}
317		302
318	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){	303	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
319	# ifdef USE_OPENSSL	304	# ifdef USE_OPENSSL
320	X509 *certificate = NULL;	305	X509 *certificate = NULL;
321	certificate=SSL_get_peer_certificate(s);	306	certificate = SSL_get_peer_certificate(s);
322	return(np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));	307	return (np_net_ssl_check_certificate(certificate, days_till_exp_warn, days_till_exp_crit));
323	# else /* ifndef USE_OPENSSL */	308	# else /* ifndef USE_OPENSSL */
324	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));	309	printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
325	return STATE_WARNING;	310	return STATE_WARNING;
326	# endif /* USE_OPENSSL */	311	# endif /* USE_OPENSSL */
327	}	312	}
328		313
329
330	#endif /* HAVE_SSL */	314	#endif /* HAVE_SSL */