Diffstat (limited to 'web/attachments/448048-nagios-plugins-1.4.16-check_ldap_certificate.patch')
-rw-r--r-- | web/attachments/448048-nagios-plugins-1.4.16-check_ldap_certificate.patch | 188 |
1 files changed, 188 insertions, 0 deletions
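--- /dev/null
+++ b/web/attachments/448048-nagios-plugins-1.4.16-check_ldap_certificate.patch
@@ -0,0 +1,188 @@
+diff -Naur -x '*~' -x '*.orig' -x '*.rej' nagios-plugins-1.4.16/plugins/check_ldap.c nagios-plugins-1.4.16-check_ldap_certificate/plugins/check_ldap.c
+--- nagios-plugins-1.4.16/plugins/check_ldap.c 2012-06-27 19:32:47.000000000 +0200
++++ nagios-plugins-1.4.16-check_ldap_certificate/plugins/check_ldap.c 2012-07-06 12:57:15.562316155 +0200
+@@ -72,6 +72,9 @@
+int ssl_on_connect = FALSE;
+int verbose = 0;
+
++int check_cert = FALSE;
++int days_till_exp_warn, days_till_exp_crit;
++
+/* for ldap tls */
+
+char *SERVICE = "LDAP";
+@@ -157,6 +160,9 @@
+printf (_("Could not init TLS at port %i!\n"), ld_port);
+return STATE_CRITICAL;
+}
++
++ if (check_cert == TRUE)
++ return ldap_check_cert(ld);
+#else
+printf (_("TLS not supported by the libraries!\n"));
+return STATE_CRITICAL;
+@@ -181,6 +187,9 @@
+printf (_("Could not init startTLS at port %i!\n"), ld_port);
+return STATE_CRITICAL;
+}
++
++ if (check_cert == TRUE)
++ return ldap_check_cert(ld);
+#else
+printf (_("startTLS not supported by the library, needs LDAPv3!\n"));
+return STATE_CRITICAL;
+@@ -240,6 +249,7 @@
+process_arguments (int argc, char **argv)
+{
+int c;
++ char *temp;
+
+int option = 0;
+/* initialize the long option struct */
+@@ -258,6 +268,7 @@
+#endif
+{"starttls", no_argument, 0, 'T'},
+{"ssl", no_argument, 0, 'S'},
++ {"certificate", required_argument, 0, 'C'},
+{"use-ipv4", no_argument, 0, '4'},
+{"use-ipv6", no_argument, 0, '6'},
+{"port", required_argument, 0, 'p'},
+@@ -276,7 +287,7 @@
+}
+
+while (1) {
+- c = getopt_long (argc, argv, "hvV234TS6t:c:w:H:b:p:a:D:P:", longopts, &option);
++ c = getopt_long (argc, argv, "hvV234TS6t:c:w:H:b:p:a:D:P:C:", longopts, &option);
+
+if (c == -1 || c == EOF)
+break;
+@@ -338,6 +349,33 @@
+else
+usage_va(_("%s cannot be combined with %s"), "-T/--starttls", "-S/--ssl");
+break;
++ case 'C': /* Check SSL cert validity */
++#ifndef HAVE_SSL
++ usage4 (_("Invalid option - SSL is not available"));
++#else
++ if (starttls || ssl_on_connect || strstr(argv[0],"check_ldaps")) {
++ if ((temp=strchr(optarg,','))!=NULL) {
++ *temp = '\0';
++ if (!is_intnonneg (temp))
++ usage2 (_("Invalid certificate expiration period"), optarg);
++ days_till_exp_warn = atoi(optarg);
++ *temp = ',';
++ temp++;
++ if (!is_intnonneg (temp))
++ usage2 (_("Invalid certificate expiration period"), temp);
++ days_till_exp_crit = atoi (temp);
++ } else {
++ days_till_exp_crit = 0;
++ if (!is_intnonneg (optarg))
++ usage2 (_("Invalid certificate expiration period"), optarg);
++ days_till_exp_warn = atoi (optarg);
++ }
++ check_cert = TRUE;
++ } else {
++ usage_va(_("%s requires either %s or %s"), "-C/--certificate", "-S/--ssl", "-T/--starttls");
++ }
++ break;
++#endif
+case 'S':
+if (! starttls) {
+ssl_on_connect = TRUE;
+@@ -420,6 +458,9 @@
+printf (" %s\n", "-S [--ssl]");
+printf (" %s %i\n", _("use ldaps (ldap v2 ssl method). this also sets the default port to"), LDAPS_PORT);
+
++ printf (" %s\n", "-C [--certificate]");
++ printf (" %s\n", _("Minimum number of days a certificate has to be valid"));
++
+#ifdef HAVE_LDAP_SET_OPTION
+printf (" %s\n", "-2 [--ver2]");
+printf (" %s\n", _("use ldap protocol version 2"));
+@@ -455,7 +496,7 @@
+{
+printf ("%s\n", _("Usage:"));
+printf (" %s -H <host> -b <base_dn> [-p <port>] [-a <attr>] [-D <binddn>]",progname);
+- printf ("\n [-P <password>] [-w <warn_time>] [-c <crit_time>] [-t timeout]%s\n",
++ printf ("\n [-P <password>] [-w <warn_time>] [-c <crit_time>] [-t timeout] [-C <age>]%s\n",
+#ifdef HAVE_LDAP_SET_OPTION
+"\n [-2|-3] [-4|-6]"
+#else
+@@ -463,3 +504,16 @@
+#endif
+);
+}
++
++int ldap_check_cert (LDAP *ld)
++{
++ SSL *ssl;
++ int rc;
++
++ rc = ldap_get_option(ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl);
++ if (rc == LDAP_OPT_ERROR || ssl == NULL) {
++ printf ("%s\n",_("CRITICAL - Cannot retrieve ssl session from connection."));
++ return STATE_CRITICAL;
++ }
++ return np_net_ssl_check_cert_real(ssl, days_till_exp_warn, days_till_exp_crit);
++}
+diff -Naur -x '*~' -x '*.orig' -x '*.rej' nagios-plugins-1.4.16/plugins/Makefile.am nagios-plugins-1.4.16-check_ldap_certificate/plugins/Makefile.am
+--- nagios-plugins-1.4.16/plugins/Makefile.am 2012-06-27 19:32:47.000000000 +0200
++++ nagios-plugins-1.4.16-check_ldap_certificate/plugins/Makefile.am 2012-07-04 11:03:00.888343446 +0200
+@@ -72,7 +72,7 @@
+check_game_LDADD = $(BASEOBJS) runcmd.o
+check_http_LDADD = $(SSLOBJS) $(NETLIBS) $(SSLLIBS)
+check_hpjd_LDADD = $(NETLIBS) popen.o
+-check_ldap_LDADD = $(NETLIBS) $(LDAPLIBS)
++check_ldap_LDADD = $(SSLOBJS) $(NETLIBS) $(LDAPLIBS) $(SSLLIBS)
+check_load_LDADD = $(BASEOBJS) popen.o
+check_mrtg_LDADD = $(BASEOBJS)
+check_mrtgtraf_LDADD = $(BASEOBJS)
+@@ -118,7 +118,7 @@
+check_http_DEPENDENCIES = check_http.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS)
+check_hpjd_DEPENDENCIES = check_hpjd.c $(NETOBJS) popen.o $(DEPLIBS)
+check_ide_smart_DEPENDENCIES = check_ide_smart.c $(BASEOBJS) $(DEPLIBS)
+-check_ldap_DEPENDENCIES = check_ldap.c $(NETOBJS) $(DEPLIBS)
++check_ldap_DEPENDENCIES = check_ldap.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS)
+check_load_DEPENDENCIES = check_load.c $(BASEOBJS) popen.o $(DEPLIBS)
+check_mrtg_DEPENDENCIES = check_mrtg.c $(DEPLIBS)
+check_mrtgtraf_DEPENDENCIES = check_mrtgtraf.c $(DEPLIBS)
+diff -Naur -x '*~' -x '*.orig' -x '*.rej' nagios-plugins-1.4.16/plugins/netutils.h nagios-plugins-1.4.16-check_ldap_certificate/plugins/netutils.h
+--- nagios-plugins-1.4.16/plugins/netutils.h 2012-06-27 19:32:47.000000000 +0200
++++ nagios-plugins-1.4.16-check_ldap_certificate/plugins/netutils.h 2012-07-04 11:03:56.291891100 +0200
+@@ -104,6 +104,7 @@
+int np_net_ssl_write(const void *buf, int num);
+int np_net_ssl_read(void *buf, int num);
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit);
++int np_net_ssl_check_cert_real(SSL *ssl, int days_till_exp_warn, int days_till_exp_crit);
+#endif /* HAVE_SSL */
+
+#endif /* _NETUTILS_H_ */
+diff -Naur -x '*~' -x '*.orig' -x '*.rej' nagios-plugins-1.4.16/plugins/sslutils.c nagios-plugins-1.4.16-check_ldap_certificate/plugins/sslutils.c
+--- nagios-plugins-1.4.16/plugins/sslutils.c 2012-06-27 19:32:47.000000000 +0200
++++ nagios-plugins-1.4.16-check_ldap_certificate/plugins/sslutils.c 2012-07-06 13:11:37.469453627 +0200
+@@ -128,6 +128,15 @@
+
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
+# ifdef USE_OPENSSL
++ return np_net_ssl_check_cert_real(s, days_till_exp_warn, days_till_exp_crit);
++# else /* ifndef USE_OPENSSL */
++ printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
++ return STATE_WARNING;
++# endif /* USE_OPENSSL */
++}
++
++int np_net_ssl_check_cert_real(SSL *ssl, int days_till_exp_warn, int days_till_exp_crit){
++# ifdef USE_OPENSSL
+X509 *certificate=NULL;
+X509_NAME *subj=NULL;
+char cn[MAX_CN_LENGTH]= "";
+@@ -141,7 +150,7 @@
+int days_left;
+char timestamp[17] = "";
+
+- certificate=SSL_get_peer_certificate(s);
++ certificate=SSL_get_peer_certificate(ssl);
+if (!certificate) {
+printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
+return STATE_CRITICAL;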
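Review bot: In the `case 'C'` branch of process_arguments (patch lines 67-82), `*temp = '\0'` is executed before `if (!is_intnonneg (temp))`, so the check validates the now-empty string at `temp` instead of the warning threshold in `optarg`, and an empty string appears to pass `is_intnonneg`; an argument such as `-C abc,5` then silently turns the warning threshold into `atoi("abc")`, i.e. 0, and the expiry warning is effectively disabled rather than rejected. The line should read `if (!is_intnonneg (optarg))`, matching the single-value branch just below it. Separately, in `ldap_check_cert` the out-parameter is never initialised, so `SSL *ssl = NULL;` would make the `ssl == NULL` test reliable on any failure path where `ldap_get_option` does not write it. The `check_cert` call placed after the SSL-on-connect block also runs before any bind, so if that library path only sets the TLS mode and defers the handshake to the bind, there is no session to inspect at that point — worth confirming against the OpenLDAP version targeted. Note too that `ldap_check_cert` is called at patch lines 20 and 30 but defined only at the end of the file, and no prototype for it is visible in the patch.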