diff options
| author | Benoit Mortier <opensides@users.sourceforge.net> | 2004-12-28 23:18:17 +0000 | 
|---|---|---|
| committer | Benoit Mortier <opensides@users.sourceforge.net> | 2004-12-28 23:18:17 +0000 | 
| commit | 6ecaa524bf28b5fb861b161ea075a11119cb3bd2 (patch) | |
| tree | fb5e86f3c4a5d8aa0b790e15f380baa54a8703f1 /plugins | |
| parent | b8fcd0d2587a5415266d7f3eea7ae6764900a7cc (diff) | |
| download | monitoring-plugins-6ecaa524bf28b5fb861b161ea075a11119cb3bd2.tar.gz | |
starttls support for check_smtp #1041576
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1065 f882894a-f735-0410-b71e-b25c423dba1c
Diffstat (limited to 'plugins')
| -rw-r--r-- | plugins/Makefile.am | 2 | ||||
| -rw-r--r-- | plugins/check_smtp.c | 285 | 
2 files changed, 273 insertions, 14 deletions
| diff --git a/plugins/Makefile.am b/plugins/Makefile.am index 538f9057..51858215 100644 --- a/plugins/Makefile.am +++ b/plugins/Makefile.am | |||
| @@ -69,7 +69,7 @@ check_procs_LDADD = $(BASEOBJS) popen.o | |||
| 69 | check_radius_LDADD = $(NETLIBS) $(RADIUSLIBS) | 69 | check_radius_LDADD = $(NETLIBS) $(RADIUSLIBS) | 
| 70 | check_real_LDADD = $(NETLIBS) | 70 | check_real_LDADD = $(NETLIBS) | 
| 71 | check_snmp_LDADD = $(BASEOBJS) popen.o | 71 | check_snmp_LDADD = $(BASEOBJS) popen.o | 
| 72 | check_smtp_LDADD = $(NETLIBS) | 72 | check_smtp_LDADD = $(NETLIBS) $(SSLLIBS) | 
| 73 | check_ssh_LDADD = $(NETLIBS) | 73 | check_ssh_LDADD = $(NETLIBS) | 
| 74 | check_swap_LDADD = $(BASEOBJS) popen.o | 74 | check_swap_LDADD = $(BASEOBJS) popen.o | 
| 75 | check_tcp_LDADD = $(NETLIBS) $(SSLLIBS) | 75 | check_tcp_LDADD = $(NETLIBS) $(SSLLIBS) | 
| diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 55cf5da5..6e5d972a 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c | |||
| @@ -27,17 +27,49 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; | |||
| 27 | #include "netutils.h" | 27 | #include "netutils.h" | 
| 28 | #include "utils.h" | 28 | #include "utils.h" | 
| 29 | 29 | ||
| 30 | #ifdef HAVE_SSL_H | ||
| 31 | # include <rsa.h> | ||
| 32 | # include <crypto.h> | ||
| 33 | # include <x509.h> | ||
| 34 | # include <pem.h> | ||
| 35 | # include <ssl.h> | ||
| 36 | # include <err.h> | ||
| 37 | #else | ||
| 38 | # ifdef HAVE_OPENSSL_SSL_H | ||
| 39 | # include <openssl/rsa.h> | ||
| 40 | # include <openssl/crypto.h> | ||
| 41 | # include <openssl/x509.h> | ||
| 42 | # include <openssl/pem.h> | ||
| 43 | # include <openssl/ssl.h> | ||
| 44 | # include <openssl/err.h> | ||
| 45 | # endif | ||
| 46 | #endif | ||
| 47 | |||
| 48 | #ifdef HAVE_SSL | ||
| 49 | |||
| 50 | int check_cert = FALSE; | ||
| 51 | int days_till_exp; | ||
| 52 | SSL_CTX *ctx; | ||
| 53 | SSL *ssl; | ||
| 54 | X509 *server_cert; | ||
| 55 | int connect_STARTTLS (void); | ||
| 56 | int check_certificate (X509 **); | ||
| 57 | #endif | ||
| 58 | |||
| 30 | enum { | 59 | enum { | 
| 31 | SMTP_PORT = 25 | 60 | SMTP_PORT = 25 | 
| 32 | }; | 61 | }; | 
| 33 | const char *SMTP_EXPECT = "220"; | 62 | const char *SMTP_EXPECT = "220"; | 
| 34 | const char *SMTP_HELO = "HELO "; | 63 | const char *SMTP_HELO = "HELO "; | 
| 35 | const char *SMTP_QUIT = "QUIT\r\n"; | 64 | const char *SMTP_QUIT = "QUIT\r\n"; | 
| 65 | const char *SMTP_STARTTLS = "STARTTLS\r\n"; | ||
| 36 | 66 | ||
| 37 | int process_arguments (int, char **); | 67 | int process_arguments (int, char **); | 
| 38 | int validate_arguments (void); | 68 | int validate_arguments (void); | 
| 39 | void print_help (void); | 69 | void print_help (void); | 
| 40 | void print_usage (void); | 70 | void print_usage (void); | 
| 71 | int myrecv(void); | ||
| 72 | int my_close(void); | ||
| 41 | 73 | ||
| 42 | #ifdef HAVE_REGEX_H | 74 | #ifdef HAVE_REGEX_H | 
| 43 | #include <regex.h> | 75 | #include <regex.h> | 
| @@ -68,18 +100,23 @@ int check_warning_time = FALSE; | |||
| 68 | int critical_time = 0; | 100 | int critical_time = 0; | 
| 69 | int check_critical_time = FALSE; | 101 | int check_critical_time = FALSE; | 
| 70 | int verbose = 0; | 102 | int verbose = 0; | 
| 71 | 103 | int use_ssl = FALSE; | |
| 72 | 104 | int sd; | |
| 105 | char buffer[MAX_INPUT_BUFFER]; | ||
| 106 | enum { | ||
| 107 | TCP_PROTOCOL = 1, | ||
| 108 | UDP_PROTOCOL = 2, | ||
| 109 | MAXBUF = 1024 | ||
| 110 | }; | ||
| 73 | 111 | ||
| 74 | int | 112 | int | 
| 75 | main (int argc, char **argv) | 113 | main (int argc, char **argv) | 
| 76 | { | 114 | { | 
| 77 | int sd; | 115 | |
| 78 | int n = 0; | 116 | int n = 0; | 
| 79 | double elapsed_time; | 117 | double elapsed_time; | 
| 80 | long microsec; | 118 | long microsec; | 
| 81 | int result = STATE_UNKNOWN; | 119 | int result = STATE_UNKNOWN; | 
| 82 | char buffer[MAX_INPUT_BUFFER]; | ||
| 83 | char *cmd_str = NULL; | 120 | char *cmd_str = NULL; | 
| 84 | char *helocmd = NULL; | 121 | char *helocmd = NULL; | 
| 85 | struct timeval tv; | 122 | struct timeval tv; | 
| @@ -140,12 +177,45 @@ main (int argc, char **argv) | |||
| 140 | result = STATE_WARNING; | 177 | result = STATE_WARNING; | 
| 141 | } | 178 | } | 
| 142 | } | 179 | } | 
| 143 | 180 | #ifdef HAVE_SSL | |
| 181 | if(use_ssl) { | ||
| 182 | /* send the STARTTLS command */ | ||
| 183 | send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0); | ||
| 184 | |||
| 185 | recv(sd,buffer, MAX_INPUT_BUFFER-1, 0); // wait for it | ||
| 186 | if (!strstr (buffer, server_expect)) { | ||
| 187 | printf (_("Server does not support STARTTLS\n")); | ||
| 188 | return STATE_UNKNOWN; | ||
| 189 | } | ||
| 190 | if(connect_STARTTLS() != OK) { | ||
| 191 | printf (_("ERROR: Cannot create SSL context.\n")); | ||
| 192 | return STATE_CRITICAL; | ||
| 193 | } | ||
| 194 | if ( check_cert ) { | ||
| 195 | if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { | ||
| 196 | result = check_certificate (&server_cert); | ||
| 197 | X509_free(server_cert); | ||
| 198 | } | ||
| 199 | else { | ||
| 200 | printf (_("ERROR: Cannot retrieve server certificate.\n")); | ||
| 201 | result = STATE_CRITICAL; | ||
| 202 | |||
| 203 | } | ||
| 204 | my_close(); | ||
| 205 | return result; | ||
| 206 | } | ||
| 207 | } | ||
| 208 | #endif | ||
| 144 | /* send the HELO command */ | 209 | /* send the HELO command */ | 
| 210 | #ifdef HAVE_SSL | ||
| 211 | if (use_ssl) | ||
| 212 | SSL_write(ssl, helocmd, strlen(helocmd)); | ||
| 213 | else | ||
| 214 | #endif | ||
| 145 | send(sd, helocmd, strlen(helocmd), 0); | 215 | send(sd, helocmd, strlen(helocmd), 0); | 
| 146 | 216 | ||
| 147 | /* allow for response to helo command to reach us */ | 217 | /* allow for response to helo command to reach us */ | 
| 148 | recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); | 218 | myrecv(); | 
| 149 | 219 | ||
| 150 | /* sendmail will syslog a "NOQUEUE" error if session does not attempt | 220 | /* sendmail will syslog a "NOQUEUE" error if session does not attempt | 
| 151 | * to do something useful. This can be prevented by giving a command | 221 | * to do something useful. This can be prevented by giving a command | 
| @@ -158,16 +228,26 @@ main (int argc, char **argv) | |||
| 158 | * Use the -f option to provide a FROM address | 228 | * Use the -f option to provide a FROM address | 
| 159 | */ | 229 | */ | 
| 160 | if (smtp_use_dummycmd) { | 230 | if (smtp_use_dummycmd) { | 
| 161 | send(sd, cmd_str, strlen(cmd_str), 0); | 231 | #ifdef HAVE_SSL | 
| 162 | recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); | 232 | if (use_ssl) | 
| 163 | if (verbose) | 233 | SSL_write(ssl, cmd_str, strlen(cmd_str)); | 
| 164 | printf("%s", buffer); | 234 | else | 
| 235 | #endif | ||
| 236 | send(sd, cmd_str, strlen(cmd_str), 0); | ||
| 237 | myrecv(); | ||
| 238 | if (verbose) | ||
| 239 | printf("%s", buffer); | ||
| 165 | } | 240 | } | 
| 166 | 241 | ||
| 167 | while (n < ncommands) { | 242 | while (n < ncommands) { | 
| 168 | asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); | 243 | asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); | 
| 244 | #ifdef HAVE_SSL | ||
| 245 | if (use_ssl) | ||
| 246 | SSL_write(ssl,cmd_str, strlen(cmd_str)); | ||
| 247 | else | ||
| 248 | #endif | ||
| 169 | send(sd, cmd_str, strlen(cmd_str), 0); | 249 | send(sd, cmd_str, strlen(cmd_str), 0); | 
| 170 | recv(sd, buffer, MAX_INPUT_BUFFER-1, 0); | 250 | myrecv(); | 
| 171 | if (verbose) | 251 | if (verbose) | 
| 172 | printf("%s", buffer); | 252 | printf("%s", buffer); | 
| 173 | strip (buffer); | 253 | strip (buffer); | 
| @@ -206,6 +286,11 @@ main (int argc, char **argv) | |||
| 206 | } | 286 | } | 
| 207 | 287 | ||
| 208 | /* tell the server we're done */ | 288 | /* tell the server we're done */ | 
| 289 | #ifdef HAVE_SSL | ||
| 290 | if (use_ssl) | ||
| 291 | SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT)); | ||
| 292 | else | ||
| 293 | #endif | ||
| 209 | send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); | 294 | send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); | 
| 210 | 295 | ||
| 211 | /* finally close the connection */ | 296 | /* finally close the connection */ | 
| @@ -261,6 +346,8 @@ process_arguments (int argc, char **argv) | |||
| 261 | {"use-ipv4", no_argument, 0, '4'}, | 346 | {"use-ipv4", no_argument, 0, '4'}, | 
| 262 | {"use-ipv6", no_argument, 0, '6'}, | 347 | {"use-ipv6", no_argument, 0, '6'}, | 
| 263 | {"help", no_argument, 0, 'h'}, | 348 | {"help", no_argument, 0, 'h'}, | 
| 349 | {"starttls",no_argument,0,'S'}, | ||
| 350 | {"certificate",required_argument,0,'D'}, | ||
| 264 | {0, 0, 0, 0} | 351 | {0, 0, 0, 0} | 
| 265 | }; | 352 | }; | 
| 266 | 353 | ||
| @@ -277,7 +364,7 @@ process_arguments (int argc, char **argv) | |||
| 277 | } | 364 | } | 
| 278 | 365 | ||
| 279 | while (1) { | 366 | while (1) { | 
| 280 | c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:", | 367 | c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:SD:", | 
| 281 | longopts, &option); | 368 | longopts, &option); | 
| 282 | 369 | ||
| 283 | if (c == -1 || c == EOF) | 370 | if (c == -1 || c == EOF) | 
| @@ -354,6 +441,22 @@ process_arguments (int argc, char **argv) | |||
| 354 | usage4 (_("Timeout interval must be a positive integer")); | 441 | usage4 (_("Timeout interval must be a positive integer")); | 
| 355 | } | 442 | } | 
| 356 | break; | 443 | break; | 
| 444 | case 'S': | ||
| 445 | /* starttls */ | ||
| 446 | use_ssl = TRUE; | ||
| 447 | break; | ||
| 448 | case 'D': | ||
| 449 | /* Check SSL cert validity */ | ||
| 450 | #ifdef HAVE_SSL | ||
| 451 | if (!is_intnonneg (optarg)) | ||
| 452 | usage2 ("Invalid certificate expiration period",optarg); | ||
| 453 | days_till_exp = atoi (optarg); | ||
| 454 | check_cert = TRUE; | ||
| 455 | #else | ||
| 456 | terminate (STATE_UNKNOWN, | ||
| 457 | "SSL support not available. Install OpenSSL and recompile."); | ||
| 458 | #endif | ||
| 459 | break; | ||
| 357 | case '4': | 460 | case '4': | 
| 358 | address_family = AF_INET; | 461 | address_family = AF_INET; | 
| 359 | break; | 462 | break; | 
| @@ -443,6 +546,13 @@ print_help (void) | |||
| 443 | -f, --from=STRING\n\ | 546 | -f, --from=STRING\n\ | 
| 444 | FROM-address to include in MAIL command, required by Exchange 2000\n"), | 547 | FROM-address to include in MAIL command, required by Exchange 2000\n"), | 
| 445 | SMTP_EXPECT); | 548 | SMTP_EXPECT); | 
| 549 | #ifdef HAVE_SSL | ||
| 550 | printf (_("\ | ||
| 551 | -D, --certificate=INTEGER\n\ | ||
| 552 | Minimum number of days a certificate has to be valid.\n\ | ||
| 553 | -S, --starttls\n\ | ||
| 554 | Use STARTTLS for the connection.\n")); | ||
| 555 | #endif | ||
| 446 | 556 | ||
| 447 | printf (_(UT_WARN_CRIT)); | 557 | printf (_(UT_WARN_CRIT)); | 
| 448 | 558 | ||
| @@ -466,5 +576,154 @@ print_usage (void) | |||
| 466 | { | 576 | { | 
| 467 | printf ("\ | 577 | printf ("\ | 
| 468 | Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ | 578 | Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ | 
| 469 | [-w warn] [-c crit] [-t timeout] [-n] [-v] [-4|-6]\n", progname); | 579 | [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname); | 
| 580 | } | ||
| 581 | |||
| 582 | #ifdef HAVE_SSL | ||
| 583 | int | ||
| 584 | connect_STARTTLS (void) | ||
| 585 | { | ||
| 586 | SSL_METHOD *meth; | ||
| 587 | |||
| 588 | /* Initialize SSL context */ | ||
| 589 | SSLeay_add_ssl_algorithms (); | ||
| 590 | meth = SSLv2_client_method (); | ||
| 591 | SSL_load_error_strings (); | ||
| 592 | if ((ctx = SSL_CTX_new (meth)) == NULL) | ||
| 593 | { | ||
| 594 | printf(_("ERROR: Cannot create SSL context.\n")); | ||
| 595 | return STATE_CRITICAL; | ||
| 596 | } | ||
| 597 | /* do the SSL handshake */ | ||
| 598 | if ((ssl = SSL_new (ctx)) != NULL) | ||
| 599 | { | ||
| 600 | SSL_set_fd (ssl, sd); | ||
| 601 | /* original version checked for -1 | ||
| 602 | I look for success instead (1) */ | ||
| 603 | if (SSL_connect (ssl) == 1) | ||
| 604 | return OK; | ||
| 605 | ERR_print_errors_fp (stderr); | ||
| 606 | } | ||
| 607 | else | ||
| 608 | { | ||
| 609 | printf (_("ERROR: Cannot initiate SSL handshake.\n")); | ||
| 610 | } | ||
| 611 | /* this causes a seg faul | ||
| 612 | not sure why, being sloppy | ||
| 613 | and commenting it out */ | ||
| 614 | // SSL_free (ssl); | ||
| 615 | SSL_CTX_free(ctx); | ||
| 616 | my_close(); | ||
| 617 | |||
| 618 | return STATE_CRITICAL; | ||
| 619 | } | ||
| 620 | |||
| 621 | int | ||
| 622 | check_certificate (X509 ** certificate) | ||
| 623 | { | ||
| 624 | ASN1_STRING *tm; | ||
| 625 | int offset; | ||
| 626 | struct tm stamp; | ||
| 627 | int days_left; | ||
| 628 | |||
| 629 | /* Retrieve timestamp of certificate */ | ||
| 630 | tm = X509_get_notAfter (*certificate); | ||
| 631 | |||
| 632 | /* Generate tm structure to process timestamp */ | ||
| 633 | if (tm->type == V_ASN1_UTCTIME) { | ||
| 634 | if (tm->length < 10) { | ||
| 635 | printf (_("ERROR: Wrong time format in certificate.\n")); | ||
| 636 | return STATE_CRITICAL; | ||
| 637 | } | ||
| 638 | else { | ||
| 639 | stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); | ||
| 640 | if (stamp.tm_year < 50) | ||
| 641 | stamp.tm_year += 100; | ||
| 642 | offset = 0; | ||
| 643 | } | ||
| 644 | } | ||
| 645 | else { | ||
| 646 | if (tm->length < 12) { | ||
| 647 | printf (_("ERROR: Wrong time format in certificate.\n")); | ||
| 648 | return STATE_CRITICAL; | ||
| 649 | } | ||
| 650 | else { | ||
| 651 | stamp.tm_year = | ||
| 652 | (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + | ||
| 653 | (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); | ||
| 654 | stamp.tm_year -= 1900; | ||
| 655 | offset = 2; | ||
| 656 | } | ||
| 657 | } | ||
| 658 | stamp.tm_mon = | ||
| 659 | (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; | ||
| 660 | stamp.tm_mday = | ||
| 661 | (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); | ||
| 662 | stamp.tm_hour = | ||
| 663 | (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); | ||
| 664 | stamp.tm_min = | ||
| 665 | (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); | ||
| 666 | stamp.tm_sec = 0; | ||
| 667 | stamp.tm_isdst = -1; | ||
| 668 | |||
| 669 | days_left = (mktime (&stamp) - time (NULL)) / 86400; | ||
| 670 | snprintf | ||
| 671 | (timestamp, 16, "%02d/%02d/%04d %02d:%02d", | ||
| 672 | stamp.tm_mon + 1, | ||
| 673 | stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); | ||
| 674 | |||
| 675 | if (days_left > 0 && days_left <= days_till_exp) { | ||
| 676 | printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp); | ||
| 677 | return STATE_WARNING; | ||
| 678 | } | ||
| 679 | if (days_left < 0) { | ||
| 680 | printf ("Certificate expired on %s.\n", timestamp); | ||
| 681 | return STATE_CRITICAL; | ||
| 682 | } | ||
| 683 | |||
| 684 | if (days_left == 0) { | ||
| 685 | printf ("Certificate expires today (%s).\n", timestamp); | ||
| 686 | return STATE_WARNING; | ||
| 687 | } | ||
| 688 | |||
| 689 | printf ("Certificate will expire on %s.\n", timestamp); | ||
| 690 | |||
| 691 | return STATE_OK; | ||
| 692 | } | ||
| 693 | #endif | ||
| 694 | |||
| 695 | int | ||
| 696 | myrecv (void) | ||
| 697 | { | ||
| 698 | int i; | ||
| 699 | |||
| 700 | #ifdef HAVE_SSL | ||
| 701 | if (use_ssl) { | ||
| 702 | i = SSL_read (ssl, buffer, MAXBUF - 1); | ||
| 703 | } | ||
| 704 | else { | ||
| 705 | #endif | ||
| 706 | i = read (sd, buffer, MAXBUF - 1); | ||
| 707 | #ifdef HAVE_SSL | ||
| 708 | } | ||
| 709 | #endif | ||
| 710 | return i; | ||
| 711 | } | ||
| 712 | |||
| 713 | int | ||
| 714 | my_close (void) | ||
| 715 | { | ||
| 716 | #ifdef HAVE_SSL | ||
| 717 | if (use_ssl == TRUE) { | ||
| 718 | SSL_shutdown (ssl); | ||
| 719 | SSL_free (ssl); | ||
| 720 | SSL_CTX_free (ctx); | ||
| 721 | return 0; | ||
| 722 | } | ||
| 723 | else { | ||
| 724 | #endif | ||
| 725 | return close(sd); | ||
| 726 | #ifdef HAVE_SSL | ||
| 727 | } | ||
| 728 | #endif | ||
| 470 | } | 729 | } | 
