-rw-r--r--plugins/sslutils.c64
1 files changed, 28 insertions, 36 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index b20a2b2c..bea1307f 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -189,67 +189,54 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num);
189 189
190int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } 190int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
191 191
192int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, 192mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
193 int days_till_exp_crit) { 193 int days_till_exp_crit) {
194# ifdef USE_OPENSSL 194# ifdef USE_OPENSSL
195 X509_NAME *subj = NULL;
196 char timestamp[50] = "";
197 char cn[MAX_CN_LENGTH] = "";
198 char *tz;
199
200 int cnlen = -1;
201 int status = STATE_UNKNOWN;
202
203 ASN1_STRING *tm;
204 int offset;
205 struct tm stamp;
206 float time_left;
207 int days_left;
208 int time_remaining;
209 time_t tm_t;
210
211 if (!certificate) { 195 if (!certificate) {
212 printf("%s\n", _("CRITICAL - No server certificate present to inspect.")); 196 printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
213 return STATE_CRITICAL; 197 return STATE_CRITICAL;
214 } 198 }
215 199
216 /* Extract CN from certificate subject */ 200 /* Extract CN from certificate subject */
217 subj = X509_get_subject_name(certificate); 201 X509_NAME *subj = X509_get_subject_name(certificate);
218 202
219 if (!subj) { 203 if (!subj) {
220 printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject.")); 204 printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
221 return STATE_CRITICAL; 205 return STATE_CRITICAL;
222 } 206 }
223 cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); 207
208 char cn[MAX_CN_LENGTH] = "";
209 int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
224 if (cnlen == -1) { 210 if (cnlen == -1) {
225 strcpy(cn, _("Unknown CN")); 211 strcpy(cn, _("Unknown CN"));
226 } 212 }
227 213
228 /* Retrieve timestamp of certificate */ 214 /* Retrieve timestamp of certificate */
229 tm = X509_get_notAfter(certificate); 215 ASN1_STRING *tm = X509_get_notAfter(certificate);
230 216
217 int offset = 0;
218 struct tm stamp = {};
231 /* Generate tm structure to process timestamp */ 219 /* Generate tm structure to process timestamp */
232 if (tm->type == V_ASN1_UTCTIME) { 220 if (tm->type == V_ASN1_UTCTIME) {
233 if (tm->length < 10) { 221 if (tm->length < 10) {
234 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 222 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
235 return STATE_CRITICAL; 223 return STATE_CRITICAL;
236 } else {
237 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
238 if (stamp.tm_year < 50) {
239 stamp.tm_year += 100;
240 }
241 offset = 0;
242 } 224 }
225 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
226 if (stamp.tm_year < 50) {
227 stamp.tm_year += 100;
228 }
229 offset = 0;
230
243 } else { 231 } else {
244 if (tm->length < 12) { 232 if (tm->length < 12) {
245 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 233 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
246 return STATE_CRITICAL; 234 return STATE_CRITICAL;
247 } else {
248 stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
249 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
250 stamp.tm_year -= 1900;
251 offset = 2;
252 } 235 }
236 stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
237 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
238 stamp.tm_year -= 1900;
239 offset = 2;
253 } 240 }
254 stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; 241 stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
255 stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); 242 stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
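Review bot: The length guards the commit keeps at new lines 221 and 232 are two bytes short of what the function later reads: the next hunk takes `tm->data[10 + offset]` and `tm->data[11 + offset]` for tm_sec, which needs at least 12 bytes for V_ASN1_UTCTIME (offset 0) and 14 for the generalized form (offset 2), so an ASN1 string of length 10 or 12 passes the check and is parsed beyond `tm->length`. Since these branches are being reshaped anyway, tighten them to `if (tm->length < 12) {` and `if (tm->length < 14) {`. Separately, `struct tm stamp = {};` at new line 218 is a C23 empty initializer (a GNU extension in C11 builds); `struct tm stamp = {0};` is the portable form. The `tm` returned by X509_get_notAfter() is also dereferenced at new line 220 without a NULL check, which the restructuring could add alongside the `subj` check; the function's body continues past this hunk.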
@@ -258,20 +245,25 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
258 stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); 245 stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
259 stamp.tm_isdst = -1; 246 stamp.tm_isdst = -1;
260 247
261 tm_t = timegm(&stamp); 248 time_t tm_t = timegm(&stamp);
262 time_left = difftime(tm_t, time(NULL)); 249 float time_left = difftime(tm_t, time(NULL));
263 days_left = time_left / 86400; 250 int days_left = time_left / 86400;
264 tz = getenv("TZ"); 251 char *tz = getenv("TZ");
265 setenv("TZ", "GMT", 1); 252 setenv("TZ", "GMT", 1);
266 tzset(); 253 tzset();
254
255 char timestamp[50] = "";
267 strftime(timestamp, 50, "%c %z", localtime(&tm_t)); 256 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
268 if (tz) { 257 if (tz) {
269 setenv("TZ", tz, 1); 258 setenv("TZ", tz, 1);
270 } else { 259 } else {
271 unsetenv("TZ"); 260 unsetenv("TZ");
272 } 261 }
262
273 tzset(); 263 tzset();
274 264
265 int time_remaining;
266 mp_state_enum status = STATE_UNKNOWN;
275 if (days_left > 0 && days_left <= days_till_exp_warn) { 267 if (days_left > 0 && days_left <= days_till_exp_warn) {
276 printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), 268 printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
277 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp); 269 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);