sslutils: some refactoring to improve readability

author: Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com> 2025-09-10 13:41:46 +0200
committer: Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com> 2025-09-10 13:41:46 +0200
commit: a2ca373e2d6a9903126e152254c83245ad202ff8 (patch)
tree: 946ff7bc84e8f1ff52f724e3f556b9aaffb403e5 /plugins
parent: 572ad994b136c443c5d59509a28b8343c3e40ab3 (diff)
download: monitoring-plugins-a2ca373e2d6a9903126e152254c83245ad202ff8.tar.gz
1 files changed, 28 insertions, 36 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index b20a2b2c..bea1307f 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -189,67 +189,54 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num);
 int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
-int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
+mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
-                                                                 int days_till_exp_crit) {
+                                                                                   int days_till_exp_crit) {
 #       ifdef USE_OPENSSL
-        X509_NAME *subj = NULL;
-        char timestamp[50] = "";
-        char cn[MAX_CN_LENGTH] = "";
-        char *tz;
-        int cnlen = -1;
-        int status = STATE_UNKNOWN;
-        ASN1_STRING *tm;
-        int offset;
-        struct tm stamp;
-        float time_left;
-        int days_left;
-        int time_remaining;
-        time_t tm_t;
        if (!certificate) {
                printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
                return STATE_CRITICAL;
        }
        /* Extract CN from certificate subject */
-        subj = X509_get_subject_name(certificate);
+        X509_NAME *subj = X509_get_subject_name(certificate);
        if (!subj) {
                printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
                return STATE_CRITICAL;
        }
-        cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
+        char cn[MAX_CN_LENGTH] = "";
+        int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
        if (cnlen == -1) {
                strcpy(cn, _("Unknown CN"));
        }
        /* Retrieve timestamp of certificate */
-        tm = X509_get_notAfter(certificate);
+        ASN1_STRING *tm = X509_get_notAfter(certificate);
+        int offset = 0;
+        struct tm stamp = {};
        /* Generate tm structure to process timestamp */
        if (tm->type == V_ASN1_UTCTIME) {
                if (tm->length < 10) {
                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
-                } else {
-                        stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
-                        if (stamp.tm_year < 50) {
-                                stamp.tm_year += 100;
-                        }
-                        offset = 0;
                }
+                stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
+                if (stamp.tm_year < 50) {
+                        stamp.tm_year += 100;
+                }
+                offset = 0;
        } else {
                if (tm->length < 12) {
                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
-                } else {
-                        stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
-                                                        (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
-                        stamp.tm_year -= 1900;
-                        offset = 2;
                }
+                stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
+                                                (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
+                stamp.tm_year -= 1900;
+                offset = 2;
        }
        stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
        stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
@@ -258,20 +245,25 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
        stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
        stamp.tm_isdst = -1;
-        tm_t = timegm(&stamp);
+        time_t tm_t = timegm(&stamp);
-        time_left = difftime(tm_t, time(NULL));
+        float time_left = difftime(tm_t, time(NULL));
-        days_left = time_left / 86400;
+        int days_left = time_left / 86400;
-        tz = getenv("TZ");
+        char *tz = getenv("TZ");
        setenv("TZ", "GMT", 1);
        tzset();
+        char timestamp[50] = "";
        strftime(timestamp, 50, "%c %z", localtime(&tm_t));
        if (tz) {
                setenv("TZ", tz, 1);
        } else {
                unsetenv("TZ");
        }
        tzset();
+        int time_remaining;
+        mp_state_enum status = STATE_UNKNOWN;
        if (days_left > 0 && days_left <= days_till_exp_warn) {
                printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
                           (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);
author	Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com>	2025-09-10 13:41:46 +0200
committer	Lorenz Kästle <12514511+RincewindsHat@users.noreply.github.com>	2025-09-10 13:41:46 +0200
commit	a2ca373e2d6a9903126e152254c83245ad202ff8 (patch)
tree	946ff7bc84e8f1ff52f724e3f556b9aaffb403e5 /plugins
parent	572ad994b136c443c5d59509a28b8343c3e40ab3 (diff)
download	monitoring-plugins-a2ca373e2d6a9903126e152254c83245ad202ff8.tar.gz

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index b20a2b2c..bea1307f 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -189,67 +189,54 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num);
189		189
190	int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }	190	int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
191		191
192	int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,	192	mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
193	int days_till_exp_crit) {	193	int days_till_exp_crit) {
194	# ifdef USE_OPENSSL	194	# ifdef USE_OPENSSL
195	X509_NAME *subj = NULL;
196	char timestamp[50] = "";
197	char cn[MAX_CN_LENGTH] = "";
198	char *tz;
199
200	int cnlen = -1;
201	int status = STATE_UNKNOWN;
202
203	ASN1_STRING *tm;
204	int offset;
205	struct tm stamp;
206	float time_left;
207	int days_left;
208	int time_remaining;
209	time_t tm_t;
210
211	if (!certificate) {	195	if (!certificate) {
212	printf("%s\n", _("CRITICAL - No server certificate present to inspect."));	196	printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
213	return STATE_CRITICAL;	197	return STATE_CRITICAL;
214	}	198	}
215		199
216	/* Extract CN from certificate subject */	200	/* Extract CN from certificate subject */
217	subj = X509_get_subject_name(certificate);	201	X509_NAME *subj = X509_get_subject_name(certificate);
218		202
219	if (!subj) {	203	if (!subj) {
220	printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));	204	printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
221	return STATE_CRITICAL;	205	return STATE_CRITICAL;
222	}	206	}
223	cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));	207
		208	char cn[MAX_CN_LENGTH] = "";
		209	int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
224	if (cnlen == -1) {	210	if (cnlen == -1) {
225	strcpy(cn, _("Unknown CN"));	211	strcpy(cn, _("Unknown CN"));
226	}	212	}
227		213
228	/* Retrieve timestamp of certificate */	214	/* Retrieve timestamp of certificate */
229	tm = X509_get_notAfter(certificate);	215	ASN1_STRING *tm = X509_get_notAfter(certificate);
230		216
		217	int offset = 0;
		218	struct tm stamp = {};
231	/* Generate tm structure to process timestamp */	219	/* Generate tm structure to process timestamp */
232	if (tm->type == V_ASN1_UTCTIME) {	220	if (tm->type == V_ASN1_UTCTIME) {
233	if (tm->length < 10) {	221	if (tm->length < 10) {
234	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));	222	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
235	return STATE_CRITICAL;	223	return STATE_CRITICAL;
236	} else {
237	stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
238	if (stamp.tm_year < 50) {
239	stamp.tm_year += 100;
240	}
241	offset = 0;
242	}	224	}
		225	stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
		226	if (stamp.tm_year < 50) {
		227	stamp.tm_year += 100;
		228	}
		229	offset = 0;
		230
243	} else {	231	} else {
244	if (tm->length < 12) {	232	if (tm->length < 12) {
245	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));	233	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
246	return STATE_CRITICAL;	234	return STATE_CRITICAL;
247	} else {
248	stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
249	(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
250	stamp.tm_year -= 1900;
251	offset = 2;
252	}	235	}
		236	stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
		237	(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
		238	stamp.tm_year -= 1900;
		239	offset = 2;
253	}	240	}
254	stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;	241	stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
255	stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');	242	stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
@@ -258,20 +245,25 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
258	stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');	245	stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
259	stamp.tm_isdst = -1;	246	stamp.tm_isdst = -1;
260		247
261	tm_t = timegm(&stamp);	248	time_t tm_t = timegm(&stamp);
262	time_left = difftime(tm_t, time(NULL));	249	float time_left = difftime(tm_t, time(NULL));
263	days_left = time_left / 86400;	250	int days_left = time_left / 86400;
264	tz = getenv("TZ");	251	char *tz = getenv("TZ");
265	setenv("TZ", "GMT", 1);	252	setenv("TZ", "GMT", 1);
266	tzset();	253	tzset();
		254
		255	char timestamp[50] = "";
267	strftime(timestamp, 50, "%c %z", localtime(&tm_t));	256	strftime(timestamp, 50, "%c %z", localtime(&tm_t));
268	if (tz) {	257	if (tz) {
269	setenv("TZ", tz, 1);	258	setenv("TZ", tz, 1);
270	} else {	259	} else {
271	unsetenv("TZ");	260	unsetenv("TZ");
272	}	261	}
		262
273	tzset();	263	tzset();
274		264
		265	int time_remaining;
		266	mp_state_enum status = STATE_UNKNOWN;
275	if (days_left > 0 && days_left <= days_till_exp_warn) {	267	if (days_left > 0 && days_left <= days_till_exp_warn) {
276	printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),	268	printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
277	(days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);	269	(days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);