From cf66a717e9e8f55315d50b3b33a70b8a6f140981 Mon Sep 17 00:00:00 2001
From: "M. Sean Finney"
Date: Wed, 19 Oct 2005 20:22:00 +0000
Subject: all plugins now using centralized ssl functions in netutils.c
git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1257 f882894a-f735-0410-b71e-b25c423dba1c
---
 plugins/check_http.c | 297 +++++----------------------------------------------
 1 file changed, 29 insertions(+), 268 deletions(-)
(limited to 'plugins/check_http.c')
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 294866b0..413d501d 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -37,38 +37,17 @@ enum { HTTPS_PORT = 443 };
-#ifdef HAVE_SSL_H
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#else
-# ifdef HAVE_OPENSSL_SSL_H
-# include
-# include
-# include
-# include
-# include
-# include
-# include
-# endif
-#endif
 #ifdef HAVE_SSL
 int check_cert = FALSE;
 int days_till_exp;
 char *randbuff;
-SSL_CTX *ctx;
-SSL *ssl;
 X509 *server_cert;
-int connect_SSL (void);
-# ifdef USE_OPENSSL
-int check_certificate (X509 **);
-# endif
-#endif
+# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
+# define my_send(buf, len) ((use_ssl) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
+#else /* ifndef HAVE_SSL */
+# define my_recv(buf, len) read(sd, buf, len)
+# define my_send(buf, len) send(sd, buf, len, 0)
+#endif /* HAVE_SSL */
 int no_body = FALSE;
 int maximum_age = -1;
@@ -132,8 +111,6 @@ int server_type_check(const char *type);
 int server_port_check(int ssl_flag);
 char *perfd_time (double microsec);
 char *perfd_size (int page_len);
-int my_recv (void);
-int my_close (void);
 void print_help (void);
 void print_usage (void);
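Review bot: `char *randbuff;` and `X509 *server_cert;` are kept in the `#ifdef HAVE_SSL` block although their only users, connect_SSL and check_certificate, are deleted later in this patch, so they are now dead globals and should go together with `ctx` and `ssl`. With the OpenSSL includes removed from this file, the `X509` type has to come from whatever header declares the np_net_ssl_* helpers (presumably netutils.h, which is not visible in this diff), which is one more reason not to keep that declaration here. The new `my_recv`/`my_send` macros also expand `buf` and `len` unparenthesized; `# define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read((buf), (len)) : read(sd, (buf), (len)))` and the matching `my_send` form cost nothing and avoid surprises if a caller ever passes an expression.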
@@ -168,29 +145,7 @@ main (int argc, char **argv)
 (void) alarm (socket_timeout);
 gettimeofday (&tv, NULL);
-#ifdef USE_OPENSSL
- if (use_ssl && check_cert == TRUE) {
- if (connect_SSL () != OK)
- die (STATE_CRITICAL, _("HTTP CRITICAL - Could not make SSL connection\n"));
- if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
- result = check_certificate (&server_cert);
- X509_free (server_cert);
- }
- else {
- printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
- result = STATE_CRITICAL;
- }
- SSL_shutdown (ssl);
- SSL_free (ssl);
- SSL_CTX_free (ctx);
- close (sd);
- }
- else {
- result = check_http ();
- }
-#else
 result = check_http ();
-#endif
 return result;
 }
@@ -790,34 +745,27 @@ check_http (void)
 long microsec;
 double elapsed_time;
 int page_len = 0;
+ int result = STATE_UNKNOWN;
 #ifdef HAVE_SSL
 int sslerr;
 #endif
 /* try to connect to the host at the given port number */
+ if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
+ die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
 #ifdef HAVE_SSL
 if (use_ssl == TRUE) {
-
- if (connect_SSL () != OK) {
- die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
- }
-# ifdef USE_OPENSSL
- if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
- X509_free (server_cert);
- }
- else {
- printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
- return STATE_CRITICAL;
+ np_net_ssl_init(sd);
+ if (check_cert == TRUE) {
+ result = np_net_ssl_check_cert(days_till_exp);
+ if(result != STATE_OK){
+ np_net_ssl_cleanup();
+ if(sd) close(sd);
+ return result;
+ }
 }
-# endif /* USE_OPENSSL */
- }
- else {
-#endif
- if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
- die (STATE_CRITICAL, _("Unable to open TCP socket\n"));
-#ifdef HAVE_SSL
 }
-#endif
+#endif /* HAVE_SSL */
 asprintf (&buf, "%s %s HTTP/1.0\r\n%s\r\n", http_method, server_url, user_agent);
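Review bot: The return value of `np_net_ssl_init(sd)` is discarded in the `use_ssl == TRUE` branch; if the helper reports a failed handshake through its return code (its definition is not part of this diff), check_http goes on to send the request through my_send over a socket that has no usable TLS session. Handle it the same way the certificate check just below does: `if (np_net_ssl_init(sd) != STATE_OK) { if(sd) close(sd); die (STATE_CRITICAL, _("Unable to open SSL connection\n")); }`. The `if(sd) close(sd);` guard on the certificate-failure path (repeated in the close-the-connection hunk at -908) treats descriptor 0 as "not open", but my_tcp_connect has already succeeded by the time this runs, so a plain `close(sd)` states the intent better. check_http begins and ends outside this hunk.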
@@ -853,28 +801,12 @@ check_http (void)
 asprintf (&buf, "%s%s", buf, CRLF);
 }
- if (verbose)
- printf ("%s\n", buf);
-
-#ifdef HAVE_SSL
- if (use_ssl == TRUE) {
- if (SSL_write (ssl, buf, (int)strlen(buf)) == -1) {
-# ifdef USE_OPENSSL
- ERR_print_errors_fp (stderr);
-# endif
- return STATE_CRITICAL;
- }
- }
- else {
-#endif
- send (sd, buf, strlen (buf), 0);
-#ifdef HAVE_SSL
- }
-#endif
+ if (verbose) printf ("%s\n", buf);
+ my_send (buf, strlen (buf));
 /* fetch the page */
 full_page = strdup("");
- while ((i = my_recv ()) > 0) {
+ while ((i = my_recv (buffer, MAX_INPUT_BUFFER-1)) > 0) {
 buffer[i] = '\0';
 asprintf (&full_page, "%s%s", full_page, buffer);
 pagesize += i;
@@ -887,6 +819,7 @@ check_http (void)
 if (i < 0 && errno != ECONNRESET) {
 #ifdef HAVE_SSL
+ /*
 if (use_ssl) {
 sslerr=SSL_get_error(ssl, i);
 if ( sslerr == SSL_ERROR_SSL ) {
@@ -896,10 +829,13 @@ check_http (void)
 }
 }
 else {
+ */
 #endif
 die (STATE_CRITICAL, _("Error on receive\n"));
 #ifdef HAVE_SSL
+ /* XXX
 }
+ */
 #endif
 }
@@ -908,7 +844,10 @@ check_http (void)
 die (STATE_CRITICAL, _("No data received %s\n"), timestamp);
 /* close the connection */
- my_close ();
+#ifdef HAVE_SSL
+ np_net_ssl_cleanup();
+#endif
+ if(sd) close(sd);
 /* reset the alarm */
 alarm (0);
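Review bot: `my_send (buf, strlen (buf));` drops the send result, whereas the code it replaces returned STATE_CRITICAL when SSL_write failed, so a failed or short write of the request now goes unnoticed until the receive loop reports `Error on receive` or `No data received`, which misattributes the fault. Keeping the old behaviour is one line: `if (my_send (buf, strlen (buf)) < 0) die (STATE_CRITICAL, _("Error on send\n"));` (plain `send` already returns -1 on error, and the comparison works for either branch of the macro). The surrounding check_http body continues on both sides of this hunk.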
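Review bot: The SSL_get_error diagnostics in this hunk and the following one (-896) are parked inside `/* ... */` with an `XXX` marker instead of being removed, leaving commented-out code that references the just-deleted `ssl` handle and can never be re-enabled as written. Delete the block together with the now-unused `int sslerr;` at the top of check_http, and if SSL-specific error text is still wanted on a receive failure, have the np_net_ssl_* layer report it, since it owns the handle now. The enclosing `if (i < 0 && errno != ECONNRESET)` block opens in this hunk and closes in the next.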
@@ -1248,143 +1187,6 @@ server_port_check (int ssl_flag)
 return HTTP_PORT;
 }
-
-
-#ifdef HAVE_SSL
-int connect_SSL (void)
-{
- SSL_METHOD *meth;
-
- asprintf (&randbuff, "%s", "qwertyuiopasdfghjklqwertyuiopasdfghjkl");
- RAND_seed (randbuff, (int)strlen(randbuff));
- if (verbose)
- printf(_("SSL seeding: %s\n"), (RAND_status()==1 ? _("OK") : _("Failed")) );
-
- /* Initialize SSL context */
- SSLeay_add_ssl_algorithms ();
- meth = SSLv23_client_method ();
- SSL_load_error_strings ();
- if ((ctx = SSL_CTX_new (meth)) == NULL) {
- printf (_("CRITICAL - Cannot create SSL context.\n"));
- return STATE_CRITICAL;
- }
-
- /* Initialize alarm signal handling */
- signal (SIGALRM, socket_timeout_alarm_handler);
-
- /* Set socket timeout */
- alarm (socket_timeout);
-
- /* Save start time */
- gettimeofday (&tv, NULL);
-
- /* Make TCP connection */
- if (my_tcp_connect (server_address, server_port, &sd) == STATE_OK) {
- /* Do the SSL handshake */
- if ((ssl = SSL_new (ctx)) != NULL) {
-#ifdef USE_OPENSSL
- SSL_set_cipher_list(ssl, "ALL");
-#endif
- SSL_set_fd (ssl, sd);
- if (SSL_connect (ssl) != -1)
- return OK;
-#ifdef USE_OPENSSL
- ERR_print_errors_fp (stderr);
-#endif
- }
- else {
- printf (_("CRITICAL - Cannot initiate SSL handshake.\n"));
- }
- SSL_free (ssl);
- }
-
- SSL_CTX_free (ctx);
- close (sd);
-
- return STATE_CRITICAL;
-}
-#endif
-
-
-
-#ifdef USE_OPENSSL
-int
-check_certificate (X509 ** certificate)
-{
- ASN1_STRING *tm;
- int offset;
- struct tm stamp;
- int days_left;
-
-
- /* Retrieve timestamp of certificate */
- tm = X509_get_notAfter (*certificate);
-
- /* Generate tm structure to process timestamp */
- if (tm->type == V_ASN1_UTCTIME) {
- if (tm->length < 10) {
- printf (_("CRITICAL - Wrong time format in certificate.\n"));
- return STATE_CRITICAL;
- }
- else {
- stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
- if (stamp.tm_year < 50)
- stamp.tm_year += 100;
- offset = 0;
- }
- }
- else {
- if (tm->length < 12) {
- printf (_("CRITICAL - 
Wrong time format in certificate.\n"));
- return STATE_CRITICAL;
- }
- else {
- stamp.tm_year =
- (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
- (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
- stamp.tm_year -= 1900;
- offset = 2;
- }
- }
- stamp.tm_mon =
- (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
- stamp.tm_mday =
- (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
- stamp.tm_hour =
- (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
- stamp.tm_min =
- (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
- stamp.tm_sec = 0;
- stamp.tm_isdst = -1;
-
- days_left = (mktime (&stamp) - time (NULL)) / 86400;
- snprintf
- (timestamp, 17, "%02d/%02d/%04d %02d:%02d",
- stamp.tm_mon + 1,
- stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
-
- if (days_left > 0 && days_left <= days_till_exp) {
- printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
- return STATE_WARNING;
- }
- if (days_left < 0) {
- printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
- return STATE_CRITICAL;
- }
-
- if (days_left == 0) {
- printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
- return STATE_WARNING;
- }
-
- printf (_("OK - Certificate will expire on %s.\n"), timestamp);
-
- return STATE_OK;
-}
-#endif
-
-
-
 char *perfd_time (double elapsed_time)
 {
 return fperfdata ("time", elapsed_time, "s",
@@ -1403,47 +1205,6 @@ char *perfd_size (int page_len)
 TRUE, 0, FALSE, 0);
 }
-
-
-int
-my_recv (void)
-{
- int i;
-#ifdef HAVE_SSL
- if (use_ssl) {
- i = SSL_read (ssl, buffer, MAX_INPUT_BUFFER - 1);
- }
- else {
- i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0);
- }
-#else
- i = recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0);
-#endif
- return i;
-}
-
-
-
-int
-my_close (void)
-{
-#ifdef HAVE_SSL
- if (use_ssl == TRUE) {
- SSL_shutdown (ssl);
- SSL_free (ssl);
- SSL_CTX_free (ctx);
- return 0;
- }
- else {
-#endif
- return close (sd);
-#ifdef HAVE_SSL
- }
-#endif
-}
-
-
-
 void print_help (void)
 {
-- 
cgit v1.2.3