From cf66a717e9e8f55315d50b3b33a70b8a6f140981 Mon Sep 17 00:00:00 2001 From: "M. Sean Finney" Date: Wed, 19 Oct 2005 20:22:00 +0000 Subject: all plugins now using centralized ssl functions in netutils.c git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1257 f882894a-f735-0410-b71e-b25c423dba1c diff --git a/plugins/check_http.c b/plugins/check_http.c index 294866b..413d501 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c @@ -37,38 +37,17 @@ enum { HTTPS_PORT = 443 }; -#ifdef HAVE_SSL_H -#include -#include -#include -#include -#include -#include -#include -#else -# ifdef HAVE_OPENSSL_SSL_H -# include -# include -# include -# include -# include -# include -# include -# endif -#endif - #ifdef HAVE_SSL int check_cert = FALSE; int days_till_exp; char *randbuff; -SSL_CTX *ctx; -SSL *ssl; X509 *server_cert; -int connect_SSL (void); -# ifdef USE_OPENSSL -int check_certificate (X509 **); -# endif -#endif +# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) +# define my_send(buf, len) ((use_ssl) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) +#else /* ifndef HAVE_SSL */ +# define my_recv(buf, len) read(sd, buf, len) +# define my_send(buf, len) send(sd, buf, len, 0) +#endif /* HAVE_SSL */ int no_body = FALSE; int maximum_age = -1; @@ -132,8 +111,6 @@ int server_type_check(const char *type); int server_port_check(int ssl_flag); char *perfd_time (double microsec); char *perfd_size (int page_len); -int my_recv (void); -int my_close (void); void print_help (void); void print_usage (void); 
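Review bot: `X509 *server_cert;` and `char *randbuff;` are kept inside the `#ifdef HAVE_SSL` block although their only users, connect_SSL() and check_certificate(), are deleted further down in this patch, and with the OpenSSL includes removed the `X509` type now has to reach this file through netutils.h. Both globals should go with the functions they served. The new `my_recv`/`my_send` macros also read the file-scope `sd` and `use_ssl`, which is invisible at their call sites; a one-line comment above them such as `/* my_recv/my_send use the file-scope sd and use_ssl; buf and len are evaluated once */` would make that explicit.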
@@ -168,29 +145,7 @@ main (int argc, char **argv) (void) alarm (socket_timeout); gettimeofday (&tv, NULL); -#ifdef USE_OPENSSL - if (use_ssl && check_cert == TRUE) { - if (connect_SSL () != OK) - die (STATE_CRITICAL, _("HTTP CRITICAL - Could not make SSL connection\n")); - if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { - result = check_certificate (&server_cert); - X509_free (server_cert); - } - else { - printf (_("CRITICAL - Cannot retrieve server certificate.\n")); - result = STATE_CRITICAL; - } - SSL_shutdown (ssl); - SSL_free (ssl); - SSL_CTX_free (ctx); - close (sd); - } - else { - result = check_http (); - } -#else result = check_http (); -#endif return result; } @@ -790,34 +745,27 @@ check_http (void) long microsec; double elapsed_time; int page_len = 0; + int result = STATE_UNKNOWN; #ifdef HAVE_SSL int sslerr; #endif /* try to connect to the host at the given port number */ + if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK) + die (STATE_CRITICAL, _("Unable to open TCP socket\n")); #ifdef HAVE_SSL if (use_ssl == TRUE) { - - if (connect_SSL () != OK) { - die (STATE_CRITICAL, _("Unable to open TCP socket\n")); - } -# ifdef USE_OPENSSL - if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { - X509_free (server_cert); - } - else { - printf (_("CRITICAL - Cannot retrieve server certificate.\n")); - return STATE_CRITICAL; + np_net_ssl_init(sd); + if (check_cert == TRUE) { + result = np_net_ssl_check_cert(days_till_exp); + if(result != STATE_OK){ + np_net_ssl_cleanup(); + if(sd) close(sd); + return result; + } } -# endif /* USE_OPENSSL */ - } - else { -#endif - if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK) - die (STATE_CRITICAL, _("Unable to open TCP socket\n")); -#ifdef HAVE_SSL } -#endif +#endif /* HAVE_SSL */ asprintf (&buf, "%s %s HTTP/1.0\r\n%s\r\n", http_method, server_url, user_agent); 
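Review bot: The return value of `np_net_ssl_init(sd);` is discarded in check_http(), so a failed handshake goes unnoticed and the code proceeds to my_send()/my_recv() on a connection that was never established; check_tcp.c and check_smtp.c in this same patch do check it. Suggest `if (np_net_ssl_init(sd) != STATE_OK) die (STATE_CRITICAL, _("HTTP CRITICAL - Could not make SSL connection\n"));`, reusing the message the deleted main() branch printed. A successful certificate check also no longer returns the way the old main() branch did but falls through to the full HTTP request, so the certificate status line is followed by the normal page-check output; if that is intended it deserves a comment saying so. `int sslerr;` is still declared under HAVE_SSL although its only use is commented out later in this patch. check_http() continues outside the hunk.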
@@ -853,28 +801,12 @@ check_http (void) asprintf (&buf, "%s%s", buf, CRLF); } - if (verbose) - printf ("%s\n", buf); - -#ifdef HAVE_SSL - if (use_ssl == TRUE) { - if (SSL_write (ssl, buf, (int)strlen(buf)) == -1) { -# ifdef USE_OPENSSL - ERR_print_errors_fp (stderr); -# endif - return STATE_CRITICAL; - } - } - else { -#endif - send (sd, buf, strlen (buf), 0); -#ifdef HAVE_SSL - } -#endif + if (verbose) printf ("%s\n", buf); + my_send (buf, strlen (buf)); /* fetch the page */ full_page = strdup(""); - while ((i = my_recv ()) > 0) { + while ((i = my_recv (buffer, MAX_INPUT_BUFFER-1)) > 0) { buffer[i] = '\0'; asprintf (&full_page, "%s%s", full_page, buffer); pagesize += i; @@ -887,6 +819,7 @@ check_http (void) if (i < 0 && errno != ECONNRESET) { #ifdef HAVE_SSL + /* if (use_ssl) { sslerr=SSL_get_error(ssl, i); if ( sslerr == SSL_ERROR_SSL ) { @@ -896,10 +829,13 @@ check_http (void) } } else { + */ #endif die (STATE_CRITICAL, _("Error on receive\n")); #ifdef HAVE_SSL + /* XXX } + */ #endif } @@ -908,7 +844,10 @@ check_http (void) die (STATE_CRITICAL, _("No data received %s\n"), timestamp); /* close the connection */ - my_close (); +#ifdef HAVE_SSL + np_net_ssl_cleanup(); +#endif + if(sd) close(sd); /* reset the alarm */ alarm (0); 
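Review bot: `my_send (buf, strlen (buf));` drops the return value; the removed code returned STATE_CRITICAL when SSL_write() failed, whereas now a failed write on either path is silently ignored and surfaces, at best, as a receive error further down. Suggest `if (my_send (buf, strlen (buf)) < 0) die (STATE_CRITICAL, _("Error on send\n"));`. check_http() starts and ends outside this hunk.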
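Review bot: The SSL error-reporting branch is commented out with `/* … */` and a bare `XXX` rather than ported or removed, here and in the following hunk at `@@ -896,10 +829,13 @@`; as a result every `i < 0` from np_net_ssl_read() is reported as the generic "Error on receive" with the library's reason lost, and the dead block will rot. Either delete it, or report the reason through the netutils layer where the SSL object now lives. If it has to stay for now, replace the bare `XXX` with a comment that says why it is disabled, e.g. `/* XXX: SSL_get_error() needs the SSL object, which now lives in netutils.c; add an np_net_ssl_* accessor before re-enabling */`.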
@@ -1248,143 +1187,6 @@ server_port_check (int ssl_flag) return HTTP_PORT; } - - -#ifdef HAVE_SSL -int connect_SSL (void) -{ - SSL_METHOD *meth; - - asprintf (&randbuff, "%s", "qwertyuiopasdfghjklqwertyuiopasdfghjkl"); - RAND_seed (randbuff, (int)strlen(randbuff)); - if (verbose) - printf(_("SSL seeding: %s\n"), (RAND_status()==1 ? _("OK") : _("Failed")) ); - - /* Initialize SSL context */ - SSLeay_add_ssl_algorithms (); - meth = SSLv23_client_method (); - SSL_load_error_strings (); - if ((ctx = SSL_CTX_new (meth)) == NULL) { - printf (_("CRITICAL - Cannot create SSL context.\n")); - return STATE_CRITICAL; - } - - /* Initialize alarm signal handling */ - signal (SIGALRM, socket_timeout_alarm_handler); - - /* Set socket timeout */ - alarm (socket_timeout); - - /* Save start time */ - gettimeofday (&tv, NULL); - - /* Make TCP connection */ - if (my_tcp_connect (server_address, server_port, &sd) == STATE_OK) { - /* Do the SSL handshake */ - if ((ssl = SSL_new (ctx)) != NULL) { -#ifdef USE_OPENSSL - SSL_set_cipher_list(ssl, "ALL"); -#endif - SSL_set_fd (ssl, sd); - if (SSL_connect (ssl) != -1) - return OK; -#ifdef USE_OPENSSL - ERR_print_errors_fp (stderr); -#endif - } - else { - printf (_("CRITICAL - Cannot initiate SSL handshake.\n")); - } - SSL_free (ssl); - } - - SSL_CTX_free (ctx); - close (sd); - - return STATE_CRITICAL; -} -#endif - - - -#ifdef USE_OPENSSL -int -check_certificate (X509 ** certificate) -{ - ASN1_STRING *tm; - int offset; - struct tm stamp; - int days_left; - - - /* Retrieve timestamp of certificate */ - tm = X509_get_notAfter (*certificate); - - /* Generate tm structure to process timestamp */ - if (tm->type == V_ASN1_UTCTIME) { - if (tm->length < 10) { - printf (_("CRITICAL - Wrong time format in certificate.\n")); - return STATE_CRITICAL; - } - else { - stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); - if (stamp.tm_year < 50) - stamp.tm_year += 100; - offset = 0; - } - } - else { - if (tm->length < 12) { - printf (_("CRITICAL - 
Wrong time format in certificate.\n")); - return STATE_CRITICAL; - } - else { - stamp.tm_year = - (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + - (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); - stamp.tm_year -= 1900; - offset = 2; - } - } - stamp.tm_mon = - (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; - stamp.tm_mday = - (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); - stamp.tm_hour = - (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); - stamp.tm_min = - (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); - stamp.tm_sec = 0; - stamp.tm_isdst = -1; - - days_left = (mktime (&stamp) - time (NULL)) / 86400; - snprintf - (timestamp, 17, "%02d/%02d/%04d %02d:%02d", - stamp.tm_mon + 1, - stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); - - if (days_left > 0 && days_left <= days_till_exp) { - printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); - return STATE_WARNING; - } - if (days_left < 0) { - printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp); - return STATE_CRITICAL; - } - - if (days_left == 0) { - printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); - return STATE_WARNING; - } - - printf (_("OK - Certificate will expire on %s.\n"), timestamp); - - return STATE_OK; -} -#endif - - - char *perfd_time (double elapsed_time) { return fperfdata ("time", elapsed_time, "s", 
@@ -1403,47 +1205,6 @@ char *perfd_size (int page_len) TRUE, 0, FALSE, 0); } - - -int -my_recv (void) -{ - int i; -#ifdef HAVE_SSL - if (use_ssl) { - i = SSL_read (ssl, buffer, MAX_INPUT_BUFFER - 1); - } - else { - i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0); - } -#else - i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0); -#endif - return i; -} - - - -int -my_close (void) -{ -#ifdef HAVE_SSL - if (use_ssl == TRUE) { - SSL_shutdown (ssl); - SSL_free (ssl); - SSL_CTX_free (ctx); - return 0; - } - else { -#endif - return close (sd); -#ifdef HAVE_SSL - } -#endif -} - - - void print_help (void) { diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 19e9aea..ad85c7f 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -27,35 +27,14 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; #include "netutils.h" #include "utils.h" -#ifdef HAVE_SSL_H -# include -# include -# include -# include -# include -# include -#else -# ifdef HAVE_OPENSSL_SSL_H -# include -# include -# include -# include -# include -# include -# endif -#endif - #ifdef HAVE_SSL - int check_cert = FALSE; int days_till_exp; -SSL_CTX *ctx; -SSL *ssl; -X509 *server_cert; -int connect_STARTTLS (void); -# ifdef USE_OPENSSL -int check_certificate (X509 **); -# endif +# define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) +# define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) +#else /* ifndef HAVE_SSL */ +# define my_recv(buf, len) read(sd, buf, len) +# define my_send(buf, len) send(sd, buf, len, 0) #endif enum { @@ -77,7 +56,6 @@ int process_arguments (int, char **); int validate_arguments (void); void print_help (void); void print_usage (void); -int myrecv(void); int my_close(void); #ifdef HAVE_REGEX_H 
@@ -111,7 +89,7 @@ int check_critical_time = FALSE; int verbose = 0; int use_ssl = FALSE; short use_ehlo = FALSE; -short ssl_established = TRUE; +short ssl_established = 0; char *localhostname = NULL; int sd; char buffer[MAX_INPUT_BUFFER]; @@ -237,22 +215,20 @@ main (int argc, char **argv) send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); return STATE_UNKNOWN; } - if(connect_STARTTLS() != OK) { + result = np_net_ssl_init(sd); + if(result != STATE_OK) { printf (_("CRITICAL - Cannot create SSL context.\n")); + np_net_ssl_cleanup(); + close(sd); return STATE_CRITICAL; } else { - ssl_established = TRUE; + ssl_established = 1; } # ifdef USE_OPENSSL if ( check_cert ) { - if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { - result = check_certificate (&server_cert); - X509_free(server_cert); - } - else { + result = np_net_ssl_check_cert(days_till_exp); + if(result != STATE_OK){ printf (_("CRITICAL - Cannot retrieve server certificate.\n")); - result = STATE_CRITICAL; - } my_close(); return result; @@ -272,26 +248,16 @@ main (int argc, char **argv) * Use the -f option to provide a FROM address */ if (smtp_use_dummycmd) { -#ifdef HAVE_SSL - if (use_ssl) - SSL_write(ssl, cmd_str, strlen(cmd_str)); - else -#endif - send(sd, cmd_str, strlen(cmd_str), 0); - myrecv(); + my_send(cmd_str, strlen(cmd_str)); + my_recv(buffer, MAX_INPUT_BUFFER-1); if (verbose) printf("%s", buffer); } while (n < ncommands) { asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); -#ifdef HAVE_SSL - if (use_ssl) - SSL_write(ssl,cmd_str, strlen(cmd_str)); - else -#endif - send(sd, cmd_str, strlen(cmd_str), 0); - myrecv(); + my_send(cmd_str, strlen(cmd_str)); + my_recv(buffer, MAX_INPUT_BUFFER-1); if (verbose) printf("%s", buffer); strip (buffer); 
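Review bot: In the `if ( check_cert )` block the new `if(result != STATE_OK){` has no closing brace inside the hunk: the two `- }` lines that closed the old if/else were removed and only one `{` was added, so as rendered the brace that used to close `if ( check_cert )` now closes the inner `if`, and `my_close(); return result;` run only on failure instead of for every certificate-check outcome as before. Put the `}` directly after the `printf` line so both statements run unconditionally again. That printf is itself misleading: np_net_ssl_check_cert() has already printed the specific WARNING/CRITICAL reason, so a STATE_WARNING expiry gets a second line reading `CRITICAL - Cannot retrieve server certificate`; the same pattern appears in check_tcp.c at `@@ -217,34 +212,19 @@`. Dropping that printf in both places leaves one status line per run, which is what the scheduler parses. main() continues outside the hunk.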
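Review bot: Both new `my_recv(buffer, MAX_INPUT_BUFFER-1);` calls discard the byte count, so nothing NUL-terminates what was just read, and a short or failed read leaves the tail of the previous reply in `buffer` for the following `printf("%s", buffer)` and `strip (buffer)`. The old myrecv() had the same gap, but check_http.c in this patch shows the pattern to use at each call site: `int n = my_recv(buffer, MAX_INPUT_BUFFER-1); if (n < 0) die (STATE_CRITICAL, _("Error on receive\n")); buffer[n] = '\0';`. Both call sites are inside main(), which continues outside the hunk.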
@@ -328,12 +294,7 @@ main (int argc, char **argv) } /* tell the server we're done */ -#ifdef HAVE_SSL - if (use_ssl) - SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT)); - else -#endif - send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); + my_send (SMTP_QUIT, strlen (SMTP_QUIT)); /* finally close the connection */ close (sd); 
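Review bot: After `my_send (SMTP_QUIT, strlen (SMTP_QUIT));` the connection is torn down with a plain `close (sd);`, so on the STARTTLS path the SSL session is never shut down or freed, even though this patch's my_close() exists to do exactly that and is what the certificate-check path calls. Use `my_close ();` here instead of `close (sd);`. main() continues outside the hunk.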
@@ -626,150 +587,11 @@ Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname); } -#ifdef HAVE_SSL -int -connect_STARTTLS (void) -{ - SSL_METHOD *meth; - - /* Initialize SSL context */ - SSLeay_add_ssl_algorithms (); - meth = SSLv23_client_method (); - SSL_load_error_strings (); - if ((ctx = SSL_CTX_new (meth)) == NULL) - { - printf(_("CRITICAL - Cannot create SSL context.\n")); - return STATE_CRITICAL; - } - /* do the SSL handshake */ - if ((ssl = SSL_new (ctx)) != NULL) - { - SSL_set_fd (ssl, sd); - /* original version checked for -1 - I look for success instead (1) */ - if (SSL_connect (ssl) == 1) - return OK; -# ifdef USE_OPENSSL - ERR_print_errors_fp (stderr); -# endif - } - else - { - printf (_("CRITICAL - Cannot initiate SSL handshake.\n")); - } - my_close(); - - return STATE_CRITICAL; -} - -# ifdef USE_OPENSSL -int -check_certificate (X509 ** certificate) -{ - ASN1_STRING *tm; - int offset; - struct tm stamp; - int days_left; - - /* Retrieve timestamp of certificate */ - tm = X509_get_notAfter (*certificate); - - /* Generate tm structure to process timestamp */ - if (tm->type == V_ASN1_UTCTIME) { - if (tm->length < 10) { - printf (_("CRITICAL - Wrong time format in certificate.\n")); - return STATE_CRITICAL; - } - else { - stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); - if (stamp.tm_year < 50) - stamp.tm_year += 100; - offset = 0; - } - } - else { - if (tm->length < 12) { - printf (_("CRITICAL - Wrong time format in certificate.\n")); - return STATE_CRITICAL; - } - else { - stamp.tm_year = - (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + - (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); - stamp.tm_year -= 1900; - offset = 2; - } - } - stamp.tm_mon = - (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; - stamp.tm_mday = - (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); - stamp.tm_hour = - (tm->data[6 
+ offset] - '0') * 10 + (tm->data[7 + offset] - '0'); - stamp.tm_min = - (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); - stamp.tm_sec = 0; - stamp.tm_isdst = -1; - - days_left = (mktime (&stamp) - time (NULL)) / 86400; - snprintf - (timestamp, sizeof(timestamp), "%02d/%02d/%04d %02d:%02d", - stamp.tm_mon + 1, - stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); - - if (days_left > 0 && days_left <= days_till_exp) { - printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp); - return STATE_WARNING; - } - if (days_left < 0) { - printf ("Certificate expired on %s.\n", timestamp); - return STATE_CRITICAL; - } - - if (days_left == 0) { - printf ("Certificate expires today (%s).\n", timestamp); - return STATE_WARNING; - } - - printf ("Certificate will expire on %s.\n", timestamp); - - return STATE_OK; -} -# endif /* USE_OPENSSL */ -#endif - -int -myrecv (void) -{ - int i; - -#ifdef HAVE_SSL - if (use_ssl) { - i = SSL_read (ssl, buffer, MAXBUF - 1); - } - else { -#endif - i = read (sd, buffer, MAXBUF - 1); -#ifdef HAVE_SSL - } -#endif - return i; -} - int my_close (void) { #ifdef HAVE_SSL - if (use_ssl == TRUE && ssl_established == TRUE) { - SSL_shutdown (ssl); - SSL_free (ssl); - SSL_CTX_free (ctx); - return 0; - } - else { -#endif - return close(sd); -#ifdef HAVE_SSL - } + np_net_ssl_cleanup(); #endif + return close(sd); } diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index 3ffa4cd..1b6513b 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c 
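Review bot: my_close() now calls `np_net_ssl_cleanup();` unconditionally, where the old code only tore SSL down when `use_ssl == TRUE && ssl_established == TRUE`; that is safe only if np_net_ssl_cleanup() tolerates a context that was never initialised, which its body (not in this patch) would have to guarantee. Keeping the guard, `if (use_ssl && ssl_established) np_net_ssl_cleanup();`, preserves the original contract without depending on that, and the function would then read cleanly with a header comment such as `/* Close the SMTP socket; if STARTTLS was negotiated, release the SSL session first. */`. `ssl_established` is set to 1 only after a successful np_net_ssl_init() in main(), so the guard is cheap to keep.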
@@ -32,10 +32,6 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; static int check_cert = FALSE; static int days_till_exp; static char *randbuff = ""; -static X509 *server_cert; -# ifdef USE_OPENSSL -static int check_certificate (X509 **); -# endif /* USE_OPENSSL */ # define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) # define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) #else @@ -43,7 +39,6 @@ static int check_certificate (X509 **); # define my_send(buf, len) send(sd, buf, len, 0) #endif - /* int my_recv(char *, size_t); */ static int process_arguments (int, char **); void print_help (void); @@ -217,34 +212,19 @@ main (int argc, char **argv) #ifdef HAVE_SSL if (flags & FLAG_SSL){ result = np_net_ssl_init(sd); - if(result != STATE_OK) return result; - /* XXX does np_net_ssl take care of printing an error? - die (STATE_CRITICAL,_("CRITICAL - Could not make SSL connection\n")); - */ - } -# ifdef USE_OPENSSL /* XXX gnutls does cert checking differently */ - /* - if (flags & FLAG_SSL && check_cert == TRUE) { - if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { - result = check_certificate (&server_cert); - X509_free(server_cert); - } - else { - printf(_("CRITICAL - Cannot retrieve server certificate.\n")); - result = STATE_CRITICAL; + if (result == STATE_OK && check_cert == TRUE) { + result = np_net_ssl_check_cert(days_till_exp); + if(result != STATE_OK) { + printf(_("CRITICAL - Cannot retrieve server certificate.\n")); + } } } - */ -# endif /* USE_OPENSSL */ -#endif - if(result != STATE_OK){ -#ifdef HAVE_SSL np_net_ssl_cleanup(); -#endif if(sd) close(sd); return result; } +#endif /* HAVE_SSL */ if (server_send != NULL) { /* Something to send? */ my_send(server_send, strlen(server_send)); 
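Review bot: When `np_net_ssl_init(sd)` fails this path falls into the `if(result != STATE_OK)` block and returns `result` without printing anything unless np_net_ssl_init() itself does, and the `XXX does np_net_ssl take care of printing an error?` comment that asked exactly that is deleted without the answer being visible here; a plugin that exits with no status line gives the scheduler nothing to show. Either confirm and document that netutils prints on failure, or add `if (result != STATE_OK) printf (_("CRITICAL - Could not make SSL connection\n"));` before the cleanup block. `static char *randbuff = "";` at `@@ -32,10 +32,6 @@` is also dead in this file now that the local SSL setup is gone. main() continues outside the hunk.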
@@ -567,86 +547,6 @@ process_arguments (int argc, char **argv) } -/* SSL-specific functions */ -#ifdef HAVE_SSL -# ifdef USE_OPENSSL /* XXX */ -static int -check_certificate (X509 ** certificate) -{ - ASN1_STRING *tm; - int offset; - struct tm stamp; - int days_left; - - - /* Retrieve timestamp of certificate */ - tm = X509_get_notAfter (*certificate); - - /* Generate tm structure to process timestamp */ - if (tm->type == V_ASN1_UTCTIME) { - if (tm->length < 10) { - printf (_("CRITICAL - Wrong time format in certificate.\n")); - return STATE_CRITICAL; - } - else { - stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); - if (stamp.tm_year < 50) - stamp.tm_year += 100; - offset = 0; - } - } - else { - if (tm->length < 12) { - printf (_("CRITICAL - Wrong time format in certificate.\n")); - return STATE_CRITICAL; - } - else { - stamp.tm_year = - (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + - (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); - stamp.tm_year -= 1900; - offset = 2; - } - } - stamp.tm_mon = - (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; - stamp.tm_mday = - (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); - stamp.tm_hour = - (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); - stamp.tm_min = - (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); - stamp.tm_sec = 0; - stamp.tm_isdst = -1; - - days_left = (mktime (&stamp) - time (NULL)) / 86400; - snprintf - (timestamp, 16, "%02d/%02d/%04d %02d:%02d", - stamp.tm_mon + 1, - stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); - - if (days_left > 0 && days_left <= days_till_exp) { - printf (_("Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); - return STATE_WARNING; - } - if (days_left < 0) { - printf (_("Certificate expired on %s.\n"), timestamp); - return STATE_CRITICAL; - } - - if (days_left == 0) { - printf (_("Certificate expires today (%s).\n"), timestamp); - return STATE_WARNING; - } 
- - printf (_("Certificate will expire on %s.\n"), timestamp); - - return STATE_OK; -} -# endif /* USE_OPENSSL */ -#endif /* HAVE_SSL */ - - void print_help (void) { diff --git a/plugins/netutils.c b/plugins/netutils.c index e3fbb3a..2678f91 100644 --- a/plugins/netutils.c +++ b/plugins/netutils.c 
@@ -281,6 +281,84 @@ int np_net_ssl_read(void *buf, int num){ return SSL_read(s, buf, num); } +int np_net_ssl_check_cert(int days_till_exp){ +# ifdef USE_OPENSSL + X509 *certificate=NULL; + ASN1_STRING *tm; + int offset; + struct tm stamp; + int days_left; + char timestamp[17] = ""; + + certificate=SSL_get_peer_certificate(s); + if(! certificate){ + printf (_("CRITICAL - Cannot retrieve server certificate.\n")); + return STATE_CRITICAL; + } + + /* Retrieve timestamp of certificate */ + tm = X509_get_notAfter (certificate); + + /* Generate tm structure to process timestamp */ + if (tm->type == V_ASN1_UTCTIME) { + if (tm->length < 10) { + printf (_("CRITICAL - Wrong time format in certificate.\n")); + return STATE_CRITICAL; + } else { + stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); + if (stamp.tm_year < 50) + stamp.tm_year += 100; + offset = 0; + } + } else { + if (tm->length < 12) { + printf (_("CRITICAL - Wrong time format in certificate.\n")); + return STATE_CRITICAL; + } else { + stamp.tm_year = + (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + + (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); + stamp.tm_year -= 1900; + offset = 2; + } + } + stamp.tm_mon = + (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; + stamp.tm_mday = + (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); + stamp.tm_hour = + (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); + stamp.tm_min = + (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); + stamp.tm_sec = 0; + stamp.tm_isdst = -1; + + days_left = (mktime (&stamp) - time (NULL)) / 86400; + snprintf + (timestamp, 17, "%02d/%02d/%04d %02d:%02d", + stamp.tm_mon + 1, + stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); + + if (days_left > 0 && days_left <= days_till_exp) { + printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); + return STATE_WARNING; + } else if (days_left < 0) { + printf (_("CRITICAL 
- Certificate expired on %s.\n"), timestamp); + return STATE_CRITICAL; + } else if (days_left == 0) { + printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); + return STATE_WARNING; + } + + printf (_("OK - Certificate will expire on %s.\n"), timestamp); + X509_free (certificate); + return STATE_OK; +# else /* ifndef USE_OPENSSL */ + printf (_("WARNING - Plugin does not support checking certificates.\n")); + return STATE_WARNING; +# endif /* USE_OPENSSL */ +} + #endif /* HAVE_SSL */ int diff --git a/plugins/netutils.h b/plugins/netutils.h index 85b5aa9..9b0557d 100644 --- a/plugins/netutils.h +++ b/plugins/netutils.h @@ -89,6 +89,7 @@ int np_net_ssl_init(int sd); void np_net_ssl_cleanup(); int np_net_ssl_write(const void *buf, int num); int np_net_ssl_read(void *buf, int num); +int np_net_ssl_check_cert(int days_till_exp); #endif /* HAVE_SSL */ #endif /* _NETUTILS_H_ */ -- cgit v0.10-9-g596f
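Review bot: The new `int np_net_ssl_check_cert(int days_till_exp);` is a public netutils entry point that three plugins now depend on, but it carries no comment describing its contract. Add one above the prototype stating that it must be called after np_net_ssl_init(), prints exactly one status line, returns STATE_WARNING when the peer certificate expires within `days_till_exp` days or today, STATE_CRITICAL when it has expired, cannot be retrieved or cannot be parsed, STATE_WARNING when built without USE_OPENSSL, and that it checks the notAfter date only.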