Merge branch 'master' of https://github.com/cern-mig/nagios-plugins

* 'master' of https://github.com/cern-mig/nagios-plugins: added support for client authentication via SSL Conflicts: plugins/check_http.c
author: Holger Weiss <holger@zedat.fu-berlin.de> 2013-08-18 21:10:31 (GMT)
committer: Holger Weiss <holger@zedat.fu-berlin.de> 2013-08-18 21:10:31 (GMT)
commit: 8e444095e88428137594d6bd2f04af8daed0a1fb (patch)
tree: ea55fe38cf54324dffb8fe6179d7245878cd954e
parent: 3ccf66613fc01d345d98952b4127b1a8eb3d12f5 (diff)
parent: 2f92d0dab77a3f3b1005dae3401ea1316d6789b2 (diff)
download: monitoring-plugins-8e444095e88428137594d6bd2f04af8daed0a1fb.tar.gz
3 files changed, 54 insertions, 5 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c
index ea7a673..46c0c13 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -127,6 +127,8 @@ char *http_method;
 char *http_post_data;
 char *http_content_type;
 char buffer[MAX_INPUT_BUFFER];
+char *client_cert = NULL;
+char *client_privkey = NULL;
 int process_arguments (int, char **);
 int check_http (void);
@@ -178,7 +180,14 @@ main (int argc, char **argv)
  return result;
 }
+/* check whether a file exists */
+void
+test_file (char *path)
+{
+  if (access(path, R_OK) == 0)
+    return;
+  usage2 (_("file does not exist or is not readable"), path);
+}
 /* process command-line arguments */
 int
@@ -216,6 +225,8 @@ process_arguments (int argc, char **argv)
    {"linespan", no_argument, 0, 'l'},
    {"onredirect", required_argument, 0, 'f'},
    {"certificate", required_argument, 0, 'C'},
+    {"client-cert", required_argument, 0, 'J'},
+    {"private-key", required_argument, 0, 'K'},
    {"useragent", required_argument, 0, 'A'},
    {"header", required_argument, 0, 'k'},
    {"no-body", no_argument, 0, 'N'},
@@ -246,7 +257,7 @@ process_arguments (int argc, char **argv)
  }
  while (1) {
-    c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:nlLS::m:M:N:E", longopts, &option);
+    c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:N:E", longopts, &option);
    if (c == -1 || c == EOF)
      break;
@@ -311,10 +322,23 @@ process_arguments (int argc, char **argv)
        days_till_exp_warn = atoi (optarg);
      }
      check_cert = TRUE;
-      /* Fall through to -S option */
+      goto enable_ssl;
+#endif
+    case 'J': /* use client certificate */
+#ifdef HAVE_SSL
+      test_file(optarg);
+      client_cert = optarg;
+      goto enable_ssl;
+#endif
+    case 'K': /* use client private key */
+#ifdef HAVE_SSL
+      test_file(optarg);
+      client_privkey = optarg;
+      goto enable_ssl;
 #endif
    case 'S': /* use SSL */
 #ifdef HAVE_SSL
+    enable_ssl:
      use_ssl = TRUE;
      if (optarg == NULL || c != 'S')
        ssl_version = 0;
@@ -326,6 +350,7 @@ process_arguments (int argc, char **argv)
      if (specify_port == FALSE)
        server_port = HTTPS_PORT;
 #else
+      /* -C -J and -K fall through to here without SSL */
      usage4 (_("Invalid option - SSL is not available"));
 #endif
      break;
@@ -514,6 +539,9 @@ process_arguments (int argc, char **argv)
  if (http_method == NULL)
    http_method = strdup ("GET");
+  if (client_cert && !client_privkey) 
+    usage4 (_("If you use a client certificate you must also specify a private key file"));
  return TRUE;
 }
@@ -851,7 +879,7 @@ check_http (void)
  elapsed_time_connect = (double)microsec_connect / 1.0e6;
  if (use_ssl == TRUE) {
    gettimeofday (&tv_temp, NULL);
-    result = np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version);
+    result = np_net_ssl_init_with_hostname_version_and_certificate(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey);
    if (result != STATE_OK)
      return result;
    microsec_ssl = deltime (tv_temp);
@@ -1444,7 +1472,13 @@ print_help (void)
  printf ("    %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
  printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
  printf ("    %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
-  printf ("    %s\n", _("(when this option is used the URL is not checked.)\n"));
+  printf ("    %s\n", _("(when this option is used the URL is not checked.)"));
+  printf (" %s\n", "-J, --client-cert=FILE");
+  printf ("   %s\n", _("Name of file that contains the client certificate (PEM format)"));
+  printf ("   %s\n", _("to be used in establishing the SSL session"));
+  printf (" %s\n", "-K, --private-key=FILE");
+  printf ("   %s\n", _("Name of file containing the private key (PEM format)"));
+  printf ("   %s\n", _("matching the client certificate"));
 #endif
  printf (" %s\n", "-e, --expect=STRING");
@@ -1553,6 +1587,7 @@ print_usage (void)
 {
  printf ("%s\n", _("Usage:"));
  printf (" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
+  printf ("       [-J <client certificate file>] [-K <private key>]\n");
  printf ("       [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]\n");
  printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
  printf ("       [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
diff --git a/plugins/netutils.h b/plugins/netutils.h
index 21017f1..765b3d5 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -100,6 +100,8 @@ extern int address_family;
 /* maybe this could be merged with the above np_net_connect, via some flags */
 int np_net_ssl_init(int sd);
 int np_net_ssl_init_with_hostname(int sd, char *host_name);
+int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version);
+int np_net_ssl_init_with_hostname_version_and_certificate(int sd, char *host_name, int version, char *cert, char *privkey);
 void np_net_ssl_cleanup();
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index a1ce560..4927e36 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -45,6 +45,10 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name) {
 }
 int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
+        return np_net_ssl_init_with_hostname_version_and_certificate(sd, host_name, version, NULL, NULL);
+}
+int np_net_ssl_init_with_hostname_version_and_certificate(int sd, char *host_name, int version, char *cert, char *privkey) {
        const SSL_METHOD *method = NULL;
        switch (version) {
@@ -80,6 +84,14 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
                printf("%s\n", _("CRITICAL - Cannot create SSL context."));
                return STATE_CRITICAL;
        }
+        if (cert && privkey) {
+                SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM);
+                SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM);
+                if (!SSL_CTX_check_private_key(c)) {
+                        printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
+                        return STATE_CRITICAL;
+                }
+        }
 #ifdef SSL_OP_NO_TICKET
        SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
 #endif
author	Holger Weiss <holger@zedat.fu-berlin.de>	2013-08-18 21:10:31 (GMT)
committer	Holger Weiss <holger@zedat.fu-berlin.de>	2013-08-18 21:10:31 (GMT)
commit	8e444095e88428137594d6bd2f04af8daed0a1fb (patch)
tree	ea55fe38cf54324dffb8fe6179d7245878cd954e
parent	3ccf66613fc01d345d98952b4127b1a8eb3d12f5 (diff)
parent	2f92d0dab77a3f3b1005dae3401ea1316d6789b2 (diff)
download	monitoring-plugins-8e444095e88428137594d6bd2f04af8daed0a1fb.tar.gz

diff --git a/plugins/check_http.c b/plugins/check_http.c index ea7a673..46c0c13 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c
@@ -127,6 +127,8 @@ char *http_method;
127	char *http_post_data;	127	char *http_post_data;
128	char *http_content_type;	128	char *http_content_type;
129	char buffer[MAX_INPUT_BUFFER];	129	char buffer[MAX_INPUT_BUFFER];
		130	char *client_cert = NULL;
		131	char *client_privkey = NULL;
130		132
131	int process_arguments (int, char **);	133	int process_arguments (int, char **);
132	int check_http (void);	134	int check_http (void);
@@ -178,7 +180,14 @@ main (int argc, char **argv)
178	return result;	180	return result;
179	}	181	}
180		182
181		183	/* check whether a file exists */
		184	void
		185	test_file (char *path)
		186	{
		187	if (access(path, R_OK) == 0)
		188	return;
		189	usage2 (_("file does not exist or is not readable"), path);
		190	}
182		191
183	/* process command-line arguments */	192	/* process command-line arguments */
184	int	193	int
@@ -216,6 +225,8 @@ process_arguments (int argc, char **argv)
216	{"linespan", no_argument, 0, 'l'},	225	{"linespan", no_argument, 0, 'l'},
217	{"onredirect", required_argument, 0, 'f'},	226	{"onredirect", required_argument, 0, 'f'},
218	{"certificate", required_argument, 0, 'C'},	227	{"certificate", required_argument, 0, 'C'},
		228	{"client-cert", required_argument, 0, 'J'},
		229	{"private-key", required_argument, 0, 'K'},
219	{"useragent", required_argument, 0, 'A'},	230	{"useragent", required_argument, 0, 'A'},
220	{"header", required_argument, 0, 'k'},	231	{"header", required_argument, 0, 'k'},
221	{"no-body", no_argument, 0, 'N'},	232	{"no-body", no_argument, 0, 'N'},
@@ -246,7 +257,7 @@ process_arguments (int argc, char **argv)
246	}	257	}
247		258
248	while (1) {	259	while (1) {
249	c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:nlLS::m:M:N:E", longopts, &option);	260	c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:nlLS::m:M:N:E", longopts, &option);
250	if (c == -1 \|\| c == EOF)	261	if (c == -1 \|\| c == EOF)
251	break;	262	break;
252		263
@@ -311,10 +322,23 @@ process_arguments (int argc, char **argv)
311	days_till_exp_warn = atoi (optarg);	322	days_till_exp_warn = atoi (optarg);
312	}	323	}
313	check_cert = TRUE;	324	check_cert = TRUE;
314	/* Fall through to -S option */	325	goto enable_ssl;
		326	#endif
		327	case 'J': /* use client certificate */
		328	#ifdef HAVE_SSL
		329	test_file(optarg);
		330	client_cert = optarg;
		331	goto enable_ssl;
		332	#endif
		333	case 'K': /* use client private key */
		334	#ifdef HAVE_SSL
		335	test_file(optarg);
		336	client_privkey = optarg;
		337	goto enable_ssl;
315	#endif	338	#endif
316	case 'S': /* use SSL */	339	case 'S': /* use SSL */
317	#ifdef HAVE_SSL	340	#ifdef HAVE_SSL
		341	enable_ssl:
318	use_ssl = TRUE;	342	use_ssl = TRUE;
319	if (optarg == NULL \|\| c != 'S')	343	if (optarg == NULL \|\| c != 'S')
320	ssl_version = 0;	344	ssl_version = 0;
@@ -326,6 +350,7 @@ process_arguments (int argc, char **argv)
326	if (specify_port == FALSE)	350	if (specify_port == FALSE)
327	server_port = HTTPS_PORT;	351	server_port = HTTPS_PORT;
328	#else	352	#else
		353	/* -C -J and -K fall through to here without SSL */
329	usage4 (_("Invalid option - SSL is not available"));	354	usage4 (_("Invalid option - SSL is not available"));
330	#endif	355	#endif
331	break;	356	break;
@@ -514,6 +539,9 @@ process_arguments (int argc, char **argv)
514	if (http_method == NULL)	539	if (http_method == NULL)
515	http_method = strdup ("GET");	540	http_method = strdup ("GET");
516		541
		542	if (client_cert && !client_privkey)
		543	usage4 (_("If you use a client certificate you must also specify a private key file"));
		544
517	return TRUE;	545	return TRUE;
518	}	546	}
519		547
@@ -851,7 +879,7 @@ check_http (void)
851	elapsed_time_connect = (double)microsec_connect / 1.0e6;	879	elapsed_time_connect = (double)microsec_connect / 1.0e6;
852	if (use_ssl == TRUE) {	880	if (use_ssl == TRUE) {
853	gettimeofday (&tv_temp, NULL);	881	gettimeofday (&tv_temp, NULL);
854	result = np_net_ssl_init_with_hostname_and_version(sd, (use_sni ? host_name : NULL), ssl_version);	882	result = np_net_ssl_init_with_hostname_version_and_certificate(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey);
855	if (result != STATE_OK)	883	if (result != STATE_OK)
856	return result;	884	return result;
857	microsec_ssl = deltime (tv_temp);	885	microsec_ssl = deltime (tv_temp);
@@ -1444,7 +1472,13 @@ print_help (void)
1444	printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));	1472	printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1445	printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");	1473	printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
1446	printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));	1474	printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
1447	printf (" %s\n", _("(when this option is used the URL is not checked.)\n"));	1475	printf (" %s\n", _("(when this option is used the URL is not checked.)"));
		1476	printf (" %s\n", "-J, --client-cert=FILE");
		1477	printf (" %s\n", _("Name of file that contains the client certificate (PEM format)"));
		1478	printf (" %s\n", _("to be used in establishing the SSL session"));
		1479	printf (" %s\n", "-K, --private-key=FILE");
		1480	printf (" %s\n", _("Name of file containing the private key (PEM format)"));
		1481	printf (" %s\n", _("matching the client certificate"));
1448	#endif	1482	#endif
1449		1483
1450	printf (" %s\n", "-e, --expect=STRING");	1484	printf (" %s\n", "-e, --expect=STRING");
@@ -1553,6 +1587,7 @@ print_usage (void)
1553	{	1587	{
1554	printf ("%s\n", _("Usage:"));	1588	printf ("%s\n", _("Usage:"));
1555	printf (" %s -H <vhost> \| -I <IP-address> [-u <uri>] [-p <port>]\n",progname);	1589	printf (" %s -H <vhost> \| -I <IP-address> [-u <uri>] [-p <port>]\n",progname);
		1590	printf (" [-J <client certificate file>] [-K <private key>]\n");
1556	printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]\n");	1591	printf (" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-a auth]\n");
1557	printf (" [-b proxy_auth] [-f <ok\|warning\|critcal\|follow\|sticky\|stickyport>]\n");	1592	printf (" [-b proxy_auth] [-f <ok\|warning\|critcal\|follow\|sticky\|stickyport>]\n");
1558	printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> \| -R <case-insensitive regex>]\n");	1593	printf (" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> \| -R <case-insensitive regex>]\n");


diff --git a/plugins/netutils.h b/plugins/netutils.h index 21017f1..765b3d5 100644 --- a/plugins/netutils.h +++ b/plugins/netutils.h
@@ -100,6 +100,8 @@ extern int address_family;
100	/* maybe this could be merged with the above np_net_connect, via some flags */	100	/* maybe this could be merged with the above np_net_connect, via some flags */
101	int np_net_ssl_init(int sd);	101	int np_net_ssl_init(int sd);
102	int np_net_ssl_init_with_hostname(int sd, char *host_name);	102	int np_net_ssl_init_with_hostname(int sd, char *host_name);
		103	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version);
		104	int np_net_ssl_init_with_hostname_version_and_certificate(int sd, char host_name, int version, char cert, char *privkey);
103	void np_net_ssl_cleanup();	105	void np_net_ssl_cleanup();
104	int np_net_ssl_write(const void *buf, int num);	106	int np_net_ssl_write(const void *buf, int num);
105	int np_net_ssl_read(void *buf, int num);	107	int np_net_ssl_read(void *buf, int num);


diff --git a/plugins/sslutils.c b/plugins/sslutils.c index a1ce560..4927e36 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -45,6 +45,10 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name) {
45	}	45	}
46		46
47	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {	47	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
		48	return np_net_ssl_init_with_hostname_version_and_certificate(sd, host_name, version, NULL, NULL);
		49	}
		50
		51	int np_net_ssl_init_with_hostname_version_and_certificate(int sd, char host_name, int version, char cert, char *privkey) {
48	const SSL_METHOD *method = NULL;	52	const SSL_METHOD *method = NULL;
49		53
50	switch (version) {	54	switch (version) {
@@ -80,6 +84,14 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
80	printf("%s\n", _("CRITICAL - Cannot create SSL context."));	84	printf("%s\n", _("CRITICAL - Cannot create SSL context."));
81	return STATE_CRITICAL;	85	return STATE_CRITICAL;
82	}	86	}
		87	if (cert && privkey) {
		88	SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM);
		89	SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM);
		90	if (!SSL_CTX_check_private_key(c)) {
		91	printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
		92	return STATE_CRITICAL;
		93	}
		94	}
83	#ifdef SSL_OP_NO_TICKET	95	#ifdef SSL_OP_NO_TICKET
84	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);	96	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
85	#endif	97	#endif