1 files changed, 200 insertions, 56 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 3c928413..0e6d7525 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -26,9 +26,12 @@
 *
 *****************************************************************************/
+#include "output.h"
 #define MAX_CN_LENGTH 256
 #include "common.h"
 #include "netutils.h"
+#include "../lib/monitoringplug.h"
+#include "states.h"
 #ifdef HAVE_SSL
 static SSL_CTX *ctx = NULL;
@@ -36,13 +39,16 @@ static SSL *s = NULL;
 int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
-int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); }
+int np_net_ssl_init_with_hostname(int sd, char *host_name) {
+        return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
+}
 int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
        return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
 }
-int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
+int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert,
+                                                                                                   char *privkey) {
        long options = 0;
        if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
@@ -74,7 +80,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 #       endif
        case MP_TLSv1_1: /* TLSv1.1 protocol */
 #       if !defined(SSL_OP_NO_TLSv1_1)
-                printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
+                printf("%s\n",
+                           _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
                return STATE_UNKNOWN;
 #       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
@@ -83,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 #       endif
        case MP_TLSv1_2: /* TLSv1.2 protocol */
 #       if !defined(SSL_OP_NO_TLSv1_2)
-                printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
+                printf("%s\n",
+                           _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
                return STATE_UNKNOWN;
 #       else
                SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
@@ -144,8 +152,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
        if ((s = SSL_new(ctx)) != NULL) {
 #       ifdef SSL_set_tlsext_host_name
-                if (host_name != NULL)
+                if (host_name != NULL) {
                        SSL_set_tlsext_host_name(s, host_name);
+                }
 #       endif
                SSL_set_fd(s, sd);
                if (SSL_connect(s) == 1) {
@@ -181,63 +190,54 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num);
 int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
-int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) {
+mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
+                                                                                   int days_till_exp_crit) {
 #       ifdef USE_OPENSSL
-        X509_NAME *subj = NULL;
-        char timestamp[50] = "";
-        char cn[MAX_CN_LENGTH] = "";
-        char *tz;
-        int cnlen = -1;
-        int status = STATE_UNKNOWN;
-        ASN1_STRING *tm;
-        int offset;
-        struct tm stamp;
-        float time_left;
-        int days_left;
-        int time_remaining;
-        time_t tm_t;
        if (!certificate) {
-                printf("%s\n", _("CRITICAL - Cannot retrieve server certificate."));
+                printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
                return STATE_CRITICAL;
        }
        /* Extract CN from certificate subject */
-        subj = X509_get_subject_name(certificate);
+        X509_NAME *subj = X509_get_subject_name(certificate);
        if (!subj) {
                printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
                return STATE_CRITICAL;
        }
-        cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
-        if (cnlen == -1)
+        char cn[MAX_CN_LENGTH] = "";
+        int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
+        if (cnlen == -1) {
                strcpy(cn, _("Unknown CN"));
+        }
        /* Retrieve timestamp of certificate */
-        tm = X509_get_notAfter(certificate);
+        ASN1_STRING *tm = X509_get_notAfter(certificate);
+        int offset = 0;
+        struct tm stamp = {};
        /* Generate tm structure to process timestamp */
        if (tm->type == V_ASN1_UTCTIME) {
                if (tm->length < 10) {
                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
-                } else {
-                        stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
-                        if (stamp.tm_year < 50)
-                                stamp.tm_year += 100;
-                        offset = 0;
                }
+                stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
+                if (stamp.tm_year < 50) {
+                        stamp.tm_year += 100;
+                }
+                offset = 0;
        } else {
                if (tm->length < 12) {
                        printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
                        return STATE_CRITICAL;
-                } else {
-                        stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
-                        stamp.tm_year -= 1900;
-                        offset = 2;
                }
+                stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
+                                                (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
+                stamp.tm_year -= 1900;
+                offset = 2;
        }
        stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
        stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
@@ -246,48 +246,60 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
        stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
        stamp.tm_isdst = -1;
-        tm_t = timegm(&stamp);
+        time_t tm_t = timegm(&stamp);
-        time_left = difftime(tm_t, time(NULL));
+        float time_left = difftime(tm_t, time(NULL));
-        days_left = time_left / 86400;
+        int days_left = time_left / 86400;
-        tz = getenv("TZ");
+        char *tz = getenv("TZ");
        setenv("TZ", "GMT", 1);
        tzset();
+        char timestamp[50] = "";
        strftime(timestamp, 50, "%c %z", localtime(&tm_t));
-        if (tz)
+        if (tz) {
                setenv("TZ", tz, 1);
-        else
+        } else {
                unsetenv("TZ");
+        }
        tzset();
+        int time_remaining;
+        mp_state_enum status = STATE_UNKNOWN;
        if (days_left > 0 && days_left <= days_till_exp_warn) {
-                printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
+                printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
-                           days_left, timestamp);
+                           (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);
-                if (days_left > days_till_exp_crit)
+                if (days_left > days_till_exp_crit) {
                        status = STATE_WARNING;
-                else
+                } else {
                        status = STATE_CRITICAL;
+                }
        } else if (days_left == 0 && time_left > 0) {
-                if (time_left >= 3600)
+                if (time_left >= 3600) {
                        time_remaining = (int)time_left / 3600;
-                else
+                } else {
                        time_remaining = (int)time_left / 60;
+                }
-                printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,
+                printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"),
-                           time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
+                           (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
+                           time_left >= 3600 ? "hours" : "minutes", timestamp);
-                if (days_left > days_till_exp_crit)
+                if (days_left > days_till_exp_crit) {
                        status = STATE_WARNING;
-                else
+                } else {
                        status = STATE_CRITICAL;
+                }
        } else if (time_left < 0) {
                printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
                status = STATE_CRITICAL;
        } else if (days_left == 0) {
-                printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
+                printf(_("%s - Certificate '%s' just expired (%s).\n"),
-                if (days_left > days_till_exp_crit)
+                           (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
+                if (days_left > days_till_exp_crit) {
                        status = STATE_WARNING;
-                else
+                } else {
                        status = STATE_CRITICAL;
+                }
        } else {
                printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
                status = STATE_OK;
@@ -300,7 +312,7 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
 #       endif /* USE_OPENSSL */
 }
-int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
+mp_state_enum np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
 #       ifdef USE_OPENSSL
        X509 *certificate = NULL;
        certificate = SSL_get_peer_certificate(s);
@@ -311,4 +323,136 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
 #       endif /* USE_OPENSSL */
 }
+mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
+                                                                                 int days_till_exp_crit) {
+        mp_subcheck sc_cert = mp_subcheck_init();
+#       ifdef USE_OPENSSL
+        if (!certificate) {
+                xasprintf(&sc_cert.output, _("No server certificate present to inspect"));
+                sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
+                return sc_cert;
+        }
+        /* Extract CN from certificate subject */
+        X509_NAME *subj = X509_get_subject_name(certificate);
+        if (!subj) {
+                xasprintf(&sc_cert.output, _("Cannot retrieve certificate subject"));
+                sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
+                return sc_cert;
+        }
+        char commonName[MAX_CN_LENGTH] = "";
+        int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, commonName, sizeof(commonName));
+        if (cnlen == -1) {
+                strcpy(commonName, _("Unknown CN"));
+        }
+        /* Retrieve timestamp of certificate */
+        ASN1_STRING *expiry_timestamp = X509_get_notAfter(certificate);
+        int offset = 0;
+        struct tm stamp = {};
+        /* Generate tm structure to process timestamp */
+        if (expiry_timestamp->type == V_ASN1_UTCTIME) {
+                if (expiry_timestamp->length < 10) {
+                        xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
+                        sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
+                        return sc_cert;
+                }
+                stamp.tm_year = (expiry_timestamp->data[0] - '0') * 10 + (expiry_timestamp->data[1] - '0');
+                if (stamp.tm_year < 50) {
+                        stamp.tm_year += 100;
+                }
+                offset = 0;
+        } else {
+                if (expiry_timestamp->length < 12) {
+                        xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
+                        sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
+                        return sc_cert;
+                }
+                stamp.tm_year = (expiry_timestamp->data[0] - '0') * 1000 +
+                                                (expiry_timestamp->data[1] - '0') * 100 +
+                                                (expiry_timestamp->data[2] - '0') * 10 + (expiry_timestamp->data[3] - '0');
+                stamp.tm_year -= 1900;
+                offset = 2;
+        }
+        stamp.tm_mon = (expiry_timestamp->data[2 + offset] - '0') * 10 +
+                                   (expiry_timestamp->data[3 + offset] - '0') - 1;
+        stamp.tm_mday = (expiry_timestamp->data[4 + offset] - '0') * 10 +
+                                        (expiry_timestamp->data[5 + offset] - '0');
+        stamp.tm_hour = (expiry_timestamp->data[6 + offset] - '0') * 10 +
+                                        (expiry_timestamp->data[7 + offset] - '0');
+        stamp.tm_min = (expiry_timestamp->data[8 + offset] - '0') * 10 +
+                                   (expiry_timestamp->data[9 + offset] - '0');
+        stamp.tm_sec = (expiry_timestamp->data[10 + offset] - '0') * 10 +
+                                   (expiry_timestamp->data[11 + offset] - '0');
+        stamp.tm_isdst = -1;
+        time_t tm_t = timegm(&stamp);
+        double time_left = difftime(tm_t, time(NULL));
+        int days_left = (int)(time_left / 86400);
+        char *timeZone = getenv("TZ");
+        setenv("TZ", "GMT", 1);
+        tzset();
+        char timestamp[50] = "";
+        strftime(timestamp, 50, "%c %z", localtime(&tm_t));
+        if (timeZone) {
+                setenv("TZ", timeZone, 1);
+        } else {
+                unsetenv("TZ");
+        }
+        tzset();
+        int time_remaining;
+        if (days_left > 0 && days_left <= days_till_exp_warn) {
+                xasprintf(&sc_cert.output, _("Certificate '%s' expires in %d day(s) (%s)"), commonName,
+                                  days_left, timestamp);
+                if (days_left > days_till_exp_crit) {
+                        sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
+                } else {
+                        sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
+                }
+        } else if (days_left == 0 && time_left > 0) {
+                if (time_left >= 3600) {
+                        time_remaining = (int)time_left / 3600;
+                } else {
+                        time_remaining = (int)time_left / 60;
+                }
+                xasprintf(&sc_cert.output, _("Certificate '%s' expires in %u %s (%s)"), commonName,
+                                  time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
+                if (days_left > days_till_exp_crit) {
+                        sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
+                } else {
+                        sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
+                }
+        } else if (time_left < 0) {
+                xasprintf(&sc_cert.output, _("Certificate '%s' expired on %s"), commonName, timestamp);
+                sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
+        } else if (days_left == 0) {
+                xasprintf(&sc_cert.output, _("Certificate '%s' just expired (%s)"), commonName, timestamp);
+                if (days_left > days_till_exp_crit) {
+                        sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
+                } else {
+                        sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
+                }
+        } else {
+                xasprintf(&sc_cert.output, _("Certificate '%s' will expire on %s"), commonName, timestamp);
+                sc_cert = mp_set_subcheck_state(sc_cert, STATE_OK);
+        }
+        X509_free(certificate);
+        return sc_cert;
+#       else  /* ifndef USE_OPENSSL */
+        xasprintf(&sc_cert.output, _("Plugin does not support checking certificates"));
+        sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
+        return sc_cert;
+#       endif /* USE_OPENSSL */
+}
 #endif /* HAVE_SSL */

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 3c928413..0e6d7525 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -26,9 +26,12 @@
26	*	26	*
27	*****************************************************************************/	27	*****************************************************************************/
28		28
		29	#include "output.h"
29	#define MAX_CN_LENGTH 256	30	#define MAX_CN_LENGTH 256
30	#include "common.h"	31	#include "common.h"
31	#include "netutils.h"	32	#include "netutils.h"
		33	#include "../lib/monitoringplug.h"
		34	#include "states.h"
32		35
33	#ifdef HAVE_SSL	36	#ifdef HAVE_SSL
34	static SSL_CTX *ctx = NULL;	37	static SSL_CTX *ctx = NULL;
@@ -36,13 +39,16 @@ static SSL *s = NULL;
36		39
37	int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }	40	int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
38		41
39	int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); }	42	int np_net_ssl_init_with_hostname(int sd, char *host_name) {
		43	return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
		44	}
40		45
41	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {	46	int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
42	return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);	47	return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
43	}	48	}
44		49
45	int np_net_ssl_init_with_hostname_version_and_cert(int sd, char host_name, int version, char cert, char *privkey) {	50	int np_net_ssl_init_with_hostname_version_and_cert(int sd, char host_name, int version, char cert,
		51	char *privkey) {
46	long options = 0;	52	long options = 0;
47		53
48	if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {	54	if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
@@ -74,7 +80,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
74	# endif	80	# endif
75	case MP_TLSv1_1: /* TLSv1.1 protocol */	81	case MP_TLSv1_1: /* TLSv1.1 protocol */
76	# if !defined(SSL_OP_NO_TLSv1_1)	82	# if !defined(SSL_OP_NO_TLSv1_1)
77	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));	83	printf("%s\n",
		84	_("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
78	return STATE_UNKNOWN;	85	return STATE_UNKNOWN;
79	# else	86	# else
80	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);	87	SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
@@ -83,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
83	# endif	90	# endif
84	case MP_TLSv1_2: /* TLSv1.2 protocol */	91	case MP_TLSv1_2: /* TLSv1.2 protocol */
85	# if !defined(SSL_OP_NO_TLSv1_2)	92	# if !defined(SSL_OP_NO_TLSv1_2)
86	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));	93	printf("%s\n",
		94	_("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
87	return STATE_UNKNOWN;	95	return STATE_UNKNOWN;
88	# else	96	# else
89	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);	97	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
@@ -144,8 +152,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
144	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);	152	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
145	if ((s = SSL_new(ctx)) != NULL) {	153	if ((s = SSL_new(ctx)) != NULL) {
146	# ifdef SSL_set_tlsext_host_name	154	# ifdef SSL_set_tlsext_host_name
147	if (host_name != NULL)	155	if (host_name != NULL) {
148	SSL_set_tlsext_host_name(s, host_name);	156	SSL_set_tlsext_host_name(s, host_name);
		157	}
149	# endif	158	# endif
150	SSL_set_fd(s, sd);	159	SSL_set_fd(s, sd);
151	if (SSL_connect(s) == 1) {	160	if (SSL_connect(s) == 1) {
@@ -181,63 +190,54 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num);
181		190
182	int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }	191	int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
183		192
184	int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) {	193	mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
		194	int days_till_exp_crit) {
185	# ifdef USE_OPENSSL	195	# ifdef USE_OPENSSL
186	X509_NAME *subj = NULL;
187	char timestamp[50] = "";
188	char cn[MAX_CN_LENGTH] = "";
189	char *tz;
190
191	int cnlen = -1;
192	int status = STATE_UNKNOWN;
193
194	ASN1_STRING *tm;
195	int offset;
196	struct tm stamp;
197	float time_left;
198	int days_left;
199	int time_remaining;
200	time_t tm_t;
201
202	if (!certificate) {	196	if (!certificate) {
203	printf("%s\n", _("CRITICAL - Cannot retrieve server certificate."));	197	printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
204	return STATE_CRITICAL;	198	return STATE_CRITICAL;
205	}	199	}
206		200
207	/* Extract CN from certificate subject */	201	/* Extract CN from certificate subject */
208	subj = X509_get_subject_name(certificate);	202	X509_NAME *subj = X509_get_subject_name(certificate);
209		203
210	if (!subj) {	204	if (!subj) {
211	printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));	205	printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
212	return STATE_CRITICAL;	206	return STATE_CRITICAL;
213	}	207	}
214	cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));	208
215	if (cnlen == -1)	209	char cn[MAX_CN_LENGTH] = "";
		210	int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
		211	if (cnlen == -1) {
216	strcpy(cn, _("Unknown CN"));	212	strcpy(cn, _("Unknown CN"));
		213	}
217		214
218	/* Retrieve timestamp of certificate */	215	/* Retrieve timestamp of certificate */
219	tm = X509_get_notAfter(certificate);	216	ASN1_STRING *tm = X509_get_notAfter(certificate);
220		217
		218	int offset = 0;
		219	struct tm stamp = {};
221	/* Generate tm structure to process timestamp */	220	/* Generate tm structure to process timestamp */
222	if (tm->type == V_ASN1_UTCTIME) {	221	if (tm->type == V_ASN1_UTCTIME) {
223	if (tm->length < 10) {	222	if (tm->length < 10) {
224	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));	223	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
225	return STATE_CRITICAL;	224	return STATE_CRITICAL;
226	} else {
227	stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
228	if (stamp.tm_year < 50)
229	stamp.tm_year += 100;
230	offset = 0;
231	}	225	}
		226	stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
		227	if (stamp.tm_year < 50) {
		228	stamp.tm_year += 100;
		229	}
		230	offset = 0;
		231
232	} else {	232	} else {
233	if (tm->length < 12) {	233	if (tm->length < 12) {
234	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));	234	printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
235	return STATE_CRITICAL;	235	return STATE_CRITICAL;
236	} else {
237	stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
238	stamp.tm_year -= 1900;
239	offset = 2;
240	}	236	}
		237	stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
		238	(tm->data[2] - '0') * 10 + (tm->data[3] - '0');
		239	stamp.tm_year -= 1900;
		240	offset = 2;
241	}	241	}
242	stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;	242	stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
243	stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');	243	stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
@@ -246,48 +246,60 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
246	stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');	246	stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
247	stamp.tm_isdst = -1;	247	stamp.tm_isdst = -1;
248		248
249	tm_t = timegm(&stamp);	249	time_t tm_t = timegm(&stamp);
250	time_left = difftime(tm_t, time(NULL));	250	float time_left = difftime(tm_t, time(NULL));
251	days_left = time_left / 86400;	251	int days_left = time_left / 86400;
252	tz = getenv("TZ");	252	char *tz = getenv("TZ");
253	setenv("TZ", "GMT", 1);	253	setenv("TZ", "GMT", 1);
254	tzset();	254	tzset();
		255
		256	char timestamp[50] = "";
255	strftime(timestamp, 50, "%c %z", localtime(&tm_t));	257	strftime(timestamp, 50, "%c %z", localtime(&tm_t));
256	if (tz)	258	if (tz) {
257	setenv("TZ", tz, 1);	259	setenv("TZ", tz, 1);
258	else	260	} else {
259	unsetenv("TZ");	261	unsetenv("TZ");
		262	}
		263
260	tzset();	264	tzset();
261		265
		266	int time_remaining;
		267	mp_state_enum status = STATE_UNKNOWN;
262	if (days_left > 0 && days_left <= days_till_exp_warn) {	268	if (days_left > 0 && days_left <= days_till_exp_warn) {
263	printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,	269	printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
264	days_left, timestamp);	270	(days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);
265	if (days_left > days_till_exp_crit)	271	if (days_left > days_till_exp_crit) {
266	status = STATE_WARNING;	272	status = STATE_WARNING;
267	else	273	} else {
268	status = STATE_CRITICAL;	274	status = STATE_CRITICAL;
		275	}
269	} else if (days_left == 0 && time_left > 0) {	276	} else if (days_left == 0 && time_left > 0) {
270	if (time_left >= 3600)	277	if (time_left >= 3600) {
271	time_remaining = (int)time_left / 3600;	278	time_remaining = (int)time_left / 3600;
272	else	279	} else {
273	time_remaining = (int)time_left / 60;	280	time_remaining = (int)time_left / 60;
		281	}
274		282
275	printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn,	283	printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"),
276	time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);	284	(days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
		285	time_left >= 3600 ? "hours" : "minutes", timestamp);
277		286
278	if (days_left > days_till_exp_crit)	287	if (days_left > days_till_exp_crit) {
279	status = STATE_WARNING;	288	status = STATE_WARNING;
280	else	289	} else {
281	status = STATE_CRITICAL;	290	status = STATE_CRITICAL;
		291	}
282	} else if (time_left < 0) {	292	} else if (time_left < 0) {
283	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);	293	printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
284	status = STATE_CRITICAL;	294	status = STATE_CRITICAL;
285	} else if (days_left == 0) {	295	} else if (days_left == 0) {
286	printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);	296	printf(_("%s - Certificate '%s' just expired (%s).\n"),
287	if (days_left > days_till_exp_crit)	297	(days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
		298	if (days_left > days_till_exp_crit) {
288	status = STATE_WARNING;	299	status = STATE_WARNING;
289	else	300	} else {
290	status = STATE_CRITICAL;	301	status = STATE_CRITICAL;
		302	}
291	} else {	303	} else {
292	printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);	304	printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
293	status = STATE_OK;	305	status = STATE_OK;
@@ -300,7 +312,7 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
300	# endif /* USE_OPENSSL */	312	# endif /* USE_OPENSSL */
301	}	313	}
302		314
303	int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {	315	mp_state_enum np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
304	# ifdef USE_OPENSSL	316	# ifdef USE_OPENSSL
305	X509 *certificate = NULL;	317	X509 *certificate = NULL;
306	certificate = SSL_get_peer_certificate(s);	318	certificate = SSL_get_peer_certificate(s);
@@ -311,4 +323,136 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
311	# endif /* USE_OPENSSL */	323	# endif /* USE_OPENSSL */
312	}	324	}
313		325
		326	mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
		327	int days_till_exp_crit) {
		328	mp_subcheck sc_cert = mp_subcheck_init();
		329	# ifdef USE_OPENSSL
		330	if (!certificate) {
		331	xasprintf(&sc_cert.output, _("No server certificate present to inspect"));
		332	sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
		333	return sc_cert;
		334	}
		335
		336	/* Extract CN from certificate subject */
		337	X509_NAME *subj = X509_get_subject_name(certificate);
		338
		339	if (!subj) {
		340	xasprintf(&sc_cert.output, _("Cannot retrieve certificate subject"));
		341	sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
		342	return sc_cert;
		343	}
		344
		345	char commonName[MAX_CN_LENGTH] = "";
		346	int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, commonName, sizeof(commonName));
		347	if (cnlen == -1) {
		348	strcpy(commonName, _("Unknown CN"));
		349	}
		350
		351	/* Retrieve timestamp of certificate */
		352	ASN1_STRING *expiry_timestamp = X509_get_notAfter(certificate);
		353
		354	int offset = 0;
		355	struct tm stamp = {};
		356	/* Generate tm structure to process timestamp */
		357	if (expiry_timestamp->type == V_ASN1_UTCTIME) {
		358	if (expiry_timestamp->length < 10) {
		359	xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
		360	sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
		361	return sc_cert;
		362	}
		363
		364	stamp.tm_year = (expiry_timestamp->data[0] - '0') * 10 + (expiry_timestamp->data[1] - '0');
		365	if (stamp.tm_year < 50) {
		366	stamp.tm_year += 100;
		367	}
		368
		369	offset = 0;
		370	} else {
		371	if (expiry_timestamp->length < 12) {
		372	xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
		373	sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
		374	return sc_cert;
		375	}
		376	stamp.tm_year = (expiry_timestamp->data[0] - '0') * 1000 +
		377	(expiry_timestamp->data[1] - '0') * 100 +
		378	(expiry_timestamp->data[2] - '0') * 10 + (expiry_timestamp->data[3] - '0');
		379	stamp.tm_year -= 1900;
		380	offset = 2;
		381	}
		382
		383	stamp.tm_mon = (expiry_timestamp->data[2 + offset] - '0') * 10 +
		384	(expiry_timestamp->data[3 + offset] - '0') - 1;
		385	stamp.tm_mday = (expiry_timestamp->data[4 + offset] - '0') * 10 +
		386	(expiry_timestamp->data[5 + offset] - '0');
		387	stamp.tm_hour = (expiry_timestamp->data[6 + offset] - '0') * 10 +
		388	(expiry_timestamp->data[7 + offset] - '0');
		389	stamp.tm_min = (expiry_timestamp->data[8 + offset] - '0') * 10 +
		390	(expiry_timestamp->data[9 + offset] - '0');
		391	stamp.tm_sec = (expiry_timestamp->data[10 + offset] - '0') * 10 +
		392	(expiry_timestamp->data[11 + offset] - '0');
		393	stamp.tm_isdst = -1;
		394
		395	time_t tm_t = timegm(&stamp);
		396	double time_left = difftime(tm_t, time(NULL));
		397	int days_left = (int)(time_left / 86400);
		398	char *timeZone = getenv("TZ");
		399	setenv("TZ", "GMT", 1);
		400	tzset();
		401
		402	char timestamp[50] = "";
		403	strftime(timestamp, 50, "%c %z", localtime(&tm_t));
		404	if (timeZone) {
		405	setenv("TZ", timeZone, 1);
		406	} else {
		407	unsetenv("TZ");
		408	}
		409
		410	tzset();
		411
		412	int time_remaining;
		413	if (days_left > 0 && days_left <= days_till_exp_warn) {
		414	xasprintf(&sc_cert.output, _("Certificate '%s' expires in %d day(s) (%s)"), commonName,
		415	days_left, timestamp);
		416	if (days_left > days_till_exp_crit) {
		417	sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
		418	} else {
		419	sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
		420	}
		421	} else if (days_left == 0 && time_left > 0) {
		422	if (time_left >= 3600) {
		423	time_remaining = (int)time_left / 3600;
		424	} else {
		425	time_remaining = (int)time_left / 60;
		426	}
		427
		428	xasprintf(&sc_cert.output, _("Certificate '%s' expires in %u %s (%s)"), commonName,
		429	time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
		430
		431	if (days_left > days_till_exp_crit) {
		432	sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
		433	} else {
		434	sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
		435	}
		436	} else if (time_left < 0) {
		437	xasprintf(&sc_cert.output, _("Certificate '%s' expired on %s"), commonName, timestamp);
		438	sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
		439	} else if (days_left == 0) {
		440	xasprintf(&sc_cert.output, _("Certificate '%s' just expired (%s)"), commonName, timestamp);
		441	if (days_left > days_till_exp_crit) {
		442	sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
		443	} else {
		444	sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
		445	}
		446	} else {
		447	xasprintf(&sc_cert.output, _("Certificate '%s' will expire on %s"), commonName, timestamp);
		448	sc_cert = mp_set_subcheck_state(sc_cert, STATE_OK);
		449	}
		450	X509_free(certificate);
		451	return sc_cert;
		452	# else /* ifndef USE_OPENSSL */
		453	xasprintf(&sc_cert.output, _("Plugin does not support checking certificates"));
		454	sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
		455	return sc_cert;
		456	# endif /* USE_OPENSSL */
		457	}
314	#endif /* HAVE_SSL */	458	#endif /* HAVE_SSL */