| author | Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com> | 2025-09-10 13:41:46 +0200 |
|---|---|---|
| committer | Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com> | 2025-09-10 13:41:46 +0200 |
| commit | a2ca373e2d6a9903126e152254c83245ad202ff8 (patch) | |
| tree | 946ff7bc84e8f1ff52f724e3f556b9aaffb403e5 | |
| parent | 572ad994b136c443c5d59509a28b8343c3e40ab3 (diff) | |
| download | monitoring-plugins-a2ca373e2d6a9903126e152254c83245ad202ff8.tar.gz | |
sslutils: some refactoring to improve readability
| -rw-r--r-- | plugins/sslutils.c | 64 |
1 files changed, 28 insertions, 36 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c index b20a2b2c..bea1307f 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c | |||
| @@ -189,67 +189,54 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num); | |||
| 189 | 189 | ||
| 190 | int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } | 190 | int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } |
| 191 | 191 | ||
| 192 | int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, | 192 | mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, |
| 193 | int days_till_exp_crit) { | 193 | int days_till_exp_crit) { |
| 194 | # ifdef USE_OPENSSL | 194 | # ifdef USE_OPENSSL |
| 195 | X509_NAME *subj = NULL; | ||
| 196 | char timestamp[50] = ""; | ||
| 197 | char cn[MAX_CN_LENGTH] = ""; | ||
| 198 | char *tz; | ||
| 199 | |||
| 200 | int cnlen = -1; | ||
| 201 | int status = STATE_UNKNOWN; | ||
| 202 | |||
| 203 | ASN1_STRING *tm; | ||
| 204 | int offset; | ||
| 205 | struct tm stamp; | ||
| 206 | float time_left; | ||
| 207 | int days_left; | ||
| 208 | int time_remaining; | ||
| 209 | time_t tm_t; | ||
| 210 | |||
| 211 | if (!certificate) { | 195 | if (!certificate) { |
| 212 | printf("%s\n", _("CRITICAL - No server certificate present to inspect.")); | 196 | printf("%s\n", _("CRITICAL - No server certificate present to inspect.")); |
| 213 | return STATE_CRITICAL; | 197 | return STATE_CRITICAL; |
| 214 | } | 198 | } |
| 215 | 199 | ||
| 216 | /* Extract CN from certificate subject */ | 200 | /* Extract CN from certificate subject */ |
| 217 | subj = X509_get_subject_name(certificate); | 201 | X509_NAME *subj = X509_get_subject_name(certificate); |
| 218 | 202 | ||
| 219 | if (!subj) { | 203 | if (!subj) { |
| 220 | printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject.")); | 204 | printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject.")); |
| 221 | return STATE_CRITICAL; | 205 | return STATE_CRITICAL; |
| 222 | } | 206 | } |
| 223 | cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); | 207 | |
| 208 | char cn[MAX_CN_LENGTH] = ""; | ||
| 209 | int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); | ||
| 224 | if (cnlen == -1) { | 210 | if (cnlen == -1) { |
| 225 | strcpy(cn, _("Unknown CN")); | 211 | strcpy(cn, _("Unknown CN")); |
| 226 | } | 212 | } |
| 227 | 213 | ||
| 228 | /* Retrieve timestamp of certificate */ | 214 | /* Retrieve timestamp of certificate */ |
| 229 | tm = X509_get_notAfter(certificate); | 215 | ASN1_STRING *tm = X509_get_notAfter(certificate); |
| 230 | 216 | ||
| 217 | int offset = 0; | ||
| 218 | struct tm stamp = {}; | ||
| 231 | /* Generate tm structure to process timestamp */ | 219 | /* Generate tm structure to process timestamp */ |
| 232 | if (tm->type == V_ASN1_UTCTIME) { | 220 | if (tm->type == V_ASN1_UTCTIME) { |
| 233 | if (tm->length < 10) { | 221 | if (tm->length < 10) { |
| 234 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 222 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
| 235 | return STATE_CRITICAL; | 223 | return STATE_CRITICAL; |
| 236 | } else { | ||
| 237 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
| 238 | if (stamp.tm_year < 50) { | ||
| 239 | stamp.tm_year += 100; | ||
| 240 | } | ||
| 241 | offset = 0; | ||
| 242 | } | 224 | } |
| 225 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
| 226 | if (stamp.tm_year < 50) { | ||
| 227 | stamp.tm_year += 100; | ||
| 228 | } | ||
| 229 | offset = 0; | ||
| 230 | |||
| 243 | } else { | 231 | } else { |
| 244 | if (tm->length < 12) { | 232 | if (tm->length < 12) { |
| 245 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); | 233 | printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); |
| 246 | return STATE_CRITICAL; | 234 | return STATE_CRITICAL; |
| 247 | } else { | ||
| 248 | stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
| 249 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
| 250 | stamp.tm_year -= 1900; | ||
| 251 | offset = 2; | ||
| 252 | } | 235 | } |
| 236 | stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
| 237 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
| 238 | stamp.tm_year -= 1900; | ||
| 239 | offset = 2; | ||
| 253 | } | 240 | } |
| 254 | stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | 241 | stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; |
| 255 | stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | 242 | stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); |
| @@ -258,20 +245,25 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, | |||
| 258 | stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); | 245 | stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); |
| 259 | stamp.tm_isdst = -1; | 246 | stamp.tm_isdst = -1; |
| 260 | 247 | ||
| 261 | tm_t = timegm(&stamp); | 248 | time_t tm_t = timegm(&stamp); |
| 262 | time_left = difftime(tm_t, time(NULL)); | 249 | float time_left = difftime(tm_t, time(NULL)); |
| 263 | days_left = time_left / 86400; | 250 | int days_left = time_left / 86400; |
| 264 | tz = getenv("TZ"); | 251 | char *tz = getenv("TZ"); |
| 265 | setenv("TZ", "GMT", 1); | 252 | setenv("TZ", "GMT", 1); |
| 266 | tzset(); | 253 | tzset(); |
| 254 | |||
| 255 | char timestamp[50] = ""; | ||
| 267 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); | 256 | strftime(timestamp, 50, "%c %z", localtime(&tm_t)); |
| 268 | if (tz) { | 257 | if (tz) { |
| 269 | setenv("TZ", tz, 1); | 258 | setenv("TZ", tz, 1); |
| 270 | } else { | 259 | } else { |
| 271 | unsetenv("TZ"); | 260 | unsetenv("TZ"); |
| 272 | } | 261 | } |
| 262 | |||
| 273 | tzset(); | 263 | tzset(); |
| 274 | 264 | ||
| 265 | int time_remaining; | ||
| 266 | mp_state_enum status = STATE_UNKNOWN; | ||
| 275 | if (days_left > 0 && days_left <= days_till_exp_warn) { | 267 | if (days_left > 0 && days_left <= days_till_exp_warn) { |
| 276 | printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), | 268 | printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), |
| 277 | (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp); | 269 | (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp); |
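Review bot: The length guards kept in the notAfter parsing do not cover the indices read afterwards: the UTCTIME branch accepts `tm->length >= 10` and the other branch `tm->length >= 12`, yet the seconds field at new line 245 reads `tm->data[11 + offset]`, i.e. index 11 with offset 0 and index 13 with offset 2. The certificate is presumably the one presented by the server being checked, so a notAfter value without a seconds field would be read past its stated length, and none of the bytes are checked to be digits before the `- '0'` arithmetic. Since this refactoring already touches the block, the guards could become `if (tm->length < 12)` and `if (tm->length < 14)`, or the hand-rolled parse could be replaced by `ASN1_TIME_to_tm(tm, &stamp)` where the OpenSSL version in use provides it. Separately, the added `struct tm stamp = {};` uses an empty initializer, which is not valid C11; `struct tm stamp = {0};` is portable. The function body continues past the end of this section.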
