summaryrefslogtreecommitdiffstats
path: root/plugins/sslutils.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sslutils.c')
-rw-r--r--plugins/sslutils.c255
1 files changed, 199 insertions, 56 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 719de575..0e6d7525 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -26,10 +26,12 @@
26 * 26 *
27 *****************************************************************************/ 27 *****************************************************************************/
28 28
29#include "output.h"
29#define MAX_CN_LENGTH 256 30#define MAX_CN_LENGTH 256
30#include "common.h" 31#include "common.h"
31#include "netutils.h" 32#include "netutils.h"
32#include "../lib/monitoringplug.h" 33#include "../lib/monitoringplug.h"
34#include "states.h"
33 35
34#ifdef HAVE_SSL 36#ifdef HAVE_SSL
35static SSL_CTX *ctx = NULL; 37static SSL_CTX *ctx = NULL;
@@ -37,13 +39,16 @@ static SSL *s = NULL;
37 39
38int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); } 40int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); }
39 41
40int np_net_ssl_init_with_hostname(int sd, char *host_name) { return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0); } 42int np_net_ssl_init_with_hostname(int sd, char *host_name) {
43 return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
44}
41 45
42int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) { 46int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
43 return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL); 47 return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
44} 48}
45 49
46int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { 50int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert,
51 char *privkey) {
47 long options = 0; 52 long options = 0;
48 53
49 if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { 54 if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
@@ -75,7 +80,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
75# endif 80# endif
76 case MP_TLSv1_1: /* TLSv1.1 protocol */ 81 case MP_TLSv1_1: /* TLSv1.1 protocol */
77# if !defined(SSL_OP_NO_TLSv1_1) 82# if !defined(SSL_OP_NO_TLSv1_1)
78 printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); 83 printf("%s\n",
84 _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
79 return STATE_UNKNOWN; 85 return STATE_UNKNOWN;
80# else 86# else
81 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); 87 SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
@@ -84,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
84# endif 90# endif
85 case MP_TLSv1_2: /* TLSv1.2 protocol */ 91 case MP_TLSv1_2: /* TLSv1.2 protocol */
86# if !defined(SSL_OP_NO_TLSv1_2) 92# if !defined(SSL_OP_NO_TLSv1_2)
87 printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); 93 printf("%s\n",
94 _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
88 return STATE_UNKNOWN; 95 return STATE_UNKNOWN;
89# else 96# else
90 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); 97 SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
@@ -145,8 +152,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
145 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); 152 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
146 if ((s = SSL_new(ctx)) != NULL) { 153 if ((s = SSL_new(ctx)) != NULL) {
147# ifdef SSL_set_tlsext_host_name 154# ifdef SSL_set_tlsext_host_name
148 if (host_name != NULL) 155 if (host_name != NULL) {
149 SSL_set_tlsext_host_name(s, host_name); 156 SSL_set_tlsext_host_name(s, host_name);
157 }
150# endif 158# endif
151 SSL_set_fd(s, sd); 159 SSL_set_fd(s, sd);
152 if (SSL_connect(s) == 1) { 160 if (SSL_connect(s) == 1) {
@@ -182,63 +190,54 @@ int np_net_ssl_write(const void *buf, int num) { return SSL_write(s, buf, num);
182 190
183int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } 191int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); }
184 192
185int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int days_till_exp_crit) { 193mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
194 int days_till_exp_crit) {
186# ifdef USE_OPENSSL 195# ifdef USE_OPENSSL
187 X509_NAME *subj = NULL;
188 char timestamp[50] = "";
189 char cn[MAX_CN_LENGTH] = "";
190 char *tz;
191
192 int cnlen = -1;
193 int status = STATE_UNKNOWN;
194
195 ASN1_STRING *tm;
196 int offset;
197 struct tm stamp;
198 float time_left;
199 int days_left;
200 int time_remaining;
201 time_t tm_t;
202
203 if (!certificate) { 196 if (!certificate) {
204 printf("%s\n", _("CRITICAL - Cannot retrieve server certificate.")); 197 printf("%s\n", _("CRITICAL - No server certificate present to inspect."));
205 return STATE_CRITICAL; 198 return STATE_CRITICAL;
206 } 199 }
207 200
208 /* Extract CN from certificate subject */ 201 /* Extract CN from certificate subject */
209 subj = X509_get_subject_name(certificate); 202 X509_NAME *subj = X509_get_subject_name(certificate);
210 203
211 if (!subj) { 204 if (!subj) {
212 printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject.")); 205 printf("%s\n", _("CRITICAL - Cannot retrieve certificate subject."));
213 return STATE_CRITICAL; 206 return STATE_CRITICAL;
214 } 207 }
215 cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn)); 208
216 if (cnlen == -1) 209 char cn[MAX_CN_LENGTH] = "";
210 int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
211 if (cnlen == -1) {
217 strcpy(cn, _("Unknown CN")); 212 strcpy(cn, _("Unknown CN"));
213 }
218 214
219 /* Retrieve timestamp of certificate */ 215 /* Retrieve timestamp of certificate */
220 tm = X509_get_notAfter(certificate); 216 ASN1_STRING *tm = X509_get_notAfter(certificate);
221 217
218 int offset = 0;
219 struct tm stamp = {};
222 /* Generate tm structure to process timestamp */ 220 /* Generate tm structure to process timestamp */
223 if (tm->type == V_ASN1_UTCTIME) { 221 if (tm->type == V_ASN1_UTCTIME) {
224 if (tm->length < 10) { 222 if (tm->length < 10) {
225 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 223 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
226 return STATE_CRITICAL; 224 return STATE_CRITICAL;
227 } else {
228 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
229 if (stamp.tm_year < 50)
230 stamp.tm_year += 100;
231 offset = 0;
232 } 225 }
226 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
227 if (stamp.tm_year < 50) {
228 stamp.tm_year += 100;
229 }
230 offset = 0;
231
233 } else { 232 } else {
234 if (tm->length < 12) { 233 if (tm->length < 12) {
235 printf("%s\n", _("CRITICAL - Wrong time format in certificate.")); 234 printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
236 return STATE_CRITICAL; 235 return STATE_CRITICAL;
237 } else {
238 stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
239 stamp.tm_year -= 1900;
240 offset = 2;
241 } 236 }
237 stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
238 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
239 stamp.tm_year -= 1900;
240 offset = 2;
242 } 241 }
243 stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; 242 stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
244 stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); 243 stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
@@ -247,48 +246,60 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
247 stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0'); 246 stamp.tm_sec = (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
248 stamp.tm_isdst = -1; 247 stamp.tm_isdst = -1;
249 248
250 tm_t = timegm(&stamp); 249 time_t tm_t = timegm(&stamp);
251 time_left = difftime(tm_t, time(NULL)); 250 float time_left = difftime(tm_t, time(NULL));
252 days_left = time_left / 86400; 251 int days_left = time_left / 86400;
253 tz = getenv("TZ"); 252 char *tz = getenv("TZ");
254 setenv("TZ", "GMT", 1); 253 setenv("TZ", "GMT", 1);
255 tzset(); 254 tzset();
255
256 char timestamp[50] = "";
256 strftime(timestamp, 50, "%c %z", localtime(&tm_t)); 257 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
257 if (tz) 258 if (tz) {
258 setenv("TZ", tz, 1); 259 setenv("TZ", tz, 1);
259 else 260 } else {
260 unsetenv("TZ"); 261 unsetenv("TZ");
262 }
263
261 tzset(); 264 tzset();
262 265
266 int time_remaining;
267 mp_state_enum status = STATE_UNKNOWN;
263 if (days_left > 0 && days_left <= days_till_exp_warn) { 268 if (days_left > 0 && days_left <= days_till_exp_warn) {
264 printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, 269 printf(_("%s - Certificate '%s' expires in %d day(s) (%s).\n"),
265 days_left, timestamp); 270 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, days_left, timestamp);
266 if (days_left > days_till_exp_crit) 271 if (days_left > days_till_exp_crit) {
267 status = STATE_WARNING; 272 status = STATE_WARNING;
268 else 273 } else {
269 status = STATE_CRITICAL; 274 status = STATE_CRITICAL;
275 }
270 } else if (days_left == 0 && time_left > 0) { 276 } else if (days_left == 0 && time_left > 0) {
271 if (time_left >= 3600) 277 if (time_left >= 3600) {
272 time_remaining = (int)time_left / 3600; 278 time_remaining = (int)time_left / 3600;
273 else 279 } else {
274 time_remaining = (int)time_left / 60; 280 time_remaining = (int)time_left / 60;
281 }
275 282
276 printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, 283 printf(_("%s - Certificate '%s' expires in %u %s (%s)\n"),
277 time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp); 284 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
285 time_left >= 3600 ? "hours" : "minutes", timestamp);
278 286
279 if (days_left > days_till_exp_crit) 287 if (days_left > days_till_exp_crit) {
280 status = STATE_WARNING; 288 status = STATE_WARNING;
281 else 289 } else {
282 status = STATE_CRITICAL; 290 status = STATE_CRITICAL;
291 }
283 } else if (time_left < 0) { 292 } else if (time_left < 0) {
284 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); 293 printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
285 status = STATE_CRITICAL; 294 status = STATE_CRITICAL;
286 } else if (days_left == 0) { 295 } else if (days_left == 0) {
287 printf(_("%s - Certificate '%s' just expired (%s).\n"), (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp); 296 printf(_("%s - Certificate '%s' just expired (%s).\n"),
288 if (days_left > days_till_exp_crit) 297 (days_left > days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, timestamp);
298 if (days_left > days_till_exp_crit) {
289 status = STATE_WARNING; 299 status = STATE_WARNING;
290 else 300 } else {
291 status = STATE_CRITICAL; 301 status = STATE_CRITICAL;
302 }
292 } else { 303 } else {
293 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); 304 printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
294 status = STATE_OK; 305 status = STATE_OK;
@@ -301,7 +312,7 @@ int np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn, int
301# endif /* USE_OPENSSL */ 312# endif /* USE_OPENSSL */
302} 313}
303 314
304int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) { 315mp_state_enum np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
305# ifdef USE_OPENSSL 316# ifdef USE_OPENSSL
306 X509 *certificate = NULL; 317 X509 *certificate = NULL;
307 certificate = SSL_get_peer_certificate(s); 318 certificate = SSL_get_peer_certificate(s);
@@ -312,4 +323,136 @@ int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit) {
312# endif /* USE_OPENSSL */ 323# endif /* USE_OPENSSL */
313} 324}
314 325
326mp_subcheck mp_net_ssl_check_certificate(X509 *certificate, int days_till_exp_warn,
327 int days_till_exp_crit) {
328 mp_subcheck sc_cert = mp_subcheck_init();
329# ifdef USE_OPENSSL
330 if (!certificate) {
331 xasprintf(&sc_cert.output, _("No server certificate present to inspect"));
332 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
333 return sc_cert;
334 }
335
336 /* Extract CN from certificate subject */
337 X509_NAME *subj = X509_get_subject_name(certificate);
338
339 if (!subj) {
340 xasprintf(&sc_cert.output, _("Cannot retrieve certificate subject"));
341 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
342 return sc_cert;
343 }
344
345 char commonName[MAX_CN_LENGTH] = "";
346 int cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, commonName, sizeof(commonName));
347 if (cnlen == -1) {
348 strcpy(commonName, _("Unknown CN"));
349 }
350
351 /* Retrieve timestamp of certificate */
352 ASN1_STRING *expiry_timestamp = X509_get_notAfter(certificate);
353
354 int offset = 0;
355 struct tm stamp = {};
356 /* Generate tm structure to process timestamp */
357 if (expiry_timestamp->type == V_ASN1_UTCTIME) {
358 if (expiry_timestamp->length < 10) {
359 xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
360 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
361 return sc_cert;
362 }
363
364 stamp.tm_year = (expiry_timestamp->data[0] - '0') * 10 + (expiry_timestamp->data[1] - '0');
365 if (stamp.tm_year < 50) {
366 stamp.tm_year += 100;
367 }
368
369 offset = 0;
370 } else {
371 if (expiry_timestamp->length < 12) {
372 xasprintf(&sc_cert.output, _("Wrong time format in certificate"));
373 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
374 return sc_cert;
375 }
376 stamp.tm_year = (expiry_timestamp->data[0] - '0') * 1000 +
377 (expiry_timestamp->data[1] - '0') * 100 +
378 (expiry_timestamp->data[2] - '0') * 10 + (expiry_timestamp->data[3] - '0');
379 stamp.tm_year -= 1900;
380 offset = 2;
381 }
382
383 stamp.tm_mon = (expiry_timestamp->data[2 + offset] - '0') * 10 +
384 (expiry_timestamp->data[3 + offset] - '0') - 1;
385 stamp.tm_mday = (expiry_timestamp->data[4 + offset] - '0') * 10 +
386 (expiry_timestamp->data[5 + offset] - '0');
387 stamp.tm_hour = (expiry_timestamp->data[6 + offset] - '0') * 10 +
388 (expiry_timestamp->data[7 + offset] - '0');
389 stamp.tm_min = (expiry_timestamp->data[8 + offset] - '0') * 10 +
390 (expiry_timestamp->data[9 + offset] - '0');
391 stamp.tm_sec = (expiry_timestamp->data[10 + offset] - '0') * 10 +
392 (expiry_timestamp->data[11 + offset] - '0');
393 stamp.tm_isdst = -1;
394
395 time_t tm_t = timegm(&stamp);
396 double time_left = difftime(tm_t, time(NULL));
397 int days_left = (int)(time_left / 86400);
398 char *timeZone = getenv("TZ");
399 setenv("TZ", "GMT", 1);
400 tzset();
401
402 char timestamp[50] = "";
403 strftime(timestamp, 50, "%c %z", localtime(&tm_t));
404 if (timeZone) {
405 setenv("TZ", timeZone, 1);
406 } else {
407 unsetenv("TZ");
408 }
409
410 tzset();
411
412 int time_remaining;
413 if (days_left > 0 && days_left <= days_till_exp_warn) {
414 xasprintf(&sc_cert.output, _("Certificate '%s' expires in %d day(s) (%s)"), commonName,
415 days_left, timestamp);
416 if (days_left > days_till_exp_crit) {
417 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
418 } else {
419 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
420 }
421 } else if (days_left == 0 && time_left > 0) {
422 if (time_left >= 3600) {
423 time_remaining = (int)time_left / 3600;
424 } else {
425 time_remaining = (int)time_left / 60;
426 }
427
428 xasprintf(&sc_cert.output, _("Certificate '%s' expires in %u %s (%s)"), commonName,
429 time_remaining, time_left >= 3600 ? "hours" : "minutes", timestamp);
430
431 if (days_left > days_till_exp_crit) {
432 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
433 } else {
434 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
435 }
436 } else if (time_left < 0) {
437 xasprintf(&sc_cert.output, _("Certificate '%s' expired on %s"), commonName, timestamp);
438 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
439 } else if (days_left == 0) {
440 xasprintf(&sc_cert.output, _("Certificate '%s' just expired (%s)"), commonName, timestamp);
441 if (days_left > days_till_exp_crit) {
442 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
443 } else {
444 sc_cert = mp_set_subcheck_state(sc_cert, STATE_CRITICAL);
445 }
446 } else {
447 xasprintf(&sc_cert.output, _("Certificate '%s' will expire on %s"), commonName, timestamp);
448 sc_cert = mp_set_subcheck_state(sc_cert, STATE_OK);
449 }
450 X509_free(certificate);
451 return sc_cert;
452# else /* ifndef USE_OPENSSL */
453 xasprintf(&sc_cert.output, _("Plugin does not support checking certificates"));
454 sc_cert = mp_set_subcheck_state(sc_cert, STATE_WARNING);
455 return sc_cert;
456# endif /* USE_OPENSSL */
457}
315#endif /* HAVE_SSL */ 458#endif /* HAVE_SSL */