From 4c77862ce3dacfad980977490d4dec76fdbdf3d8 Mon Sep 17 00:00:00 2001 From: "M. Sean Finney" Date: Sun, 23 Oct 2005 11:59:43 +0000 Subject: - compartmentalized ssl code into seperate sslutils.c - ssl-related cleanups in configure.in, and now openssl/gnutls options automatically disable each other. git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1258 f882894a-f735-0410-b71e-b25c423dba1c --- plugins/Makefile.am | 23 ++++---- plugins/netutils.c | 127 ---------------------------------------- plugins/sslutils.c | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 175 insertions(+), 137 deletions(-) create mode 100644 plugins/sslutils.c (limited to 'plugins') diff --git a/plugins/Makefile.am b/plugins/Makefile.am index beefb32f..92227712 100644 --- a/plugins/Makefile.am +++ b/plugins/Makefile.am @@ -24,13 +24,15 @@ EXTRA_PROGRAMS = check_mysql check_radius check_pgsql check_snmp check_hpjd \ check_nagios check_by_ssh check_dns check_nt check_ide_smart \ check_procs -EXTRA_DIST = t utils.c netutils.c popen.c utils.h netutils.h popen.h common.h \ - getaddrinfo.c getaddrinfo.h gethostbyname.c gethostbyname.h +EXTRA_DIST = t utils.c netutils.c sslutils.c popen.c utils.h netutils.h \ + popen.h common.h getaddrinfo.c getaddrinfo.h \ + gethostbyname.c gethostbyname.h PLUGINHDRS = common.h BASEOBJS = utils.o ../lib/libnagiosplug.a ../lib/libcoreutils.a NETOBJS = netutils.o $(BASEOBJS) $(EXTRA_NETOBJS) +SSLOBJS = sslutils.o NETLIBS = $(NETOBJS) $(SOCKETLIBS) TESTS_ENVIRONMENT = perl -I $(top_builddir) -I $(top_srcdir) @@ -51,7 +53,7 @@ check_dns_LDADD = $(NETLIBS) popen.o check_dummy_LDADD = $(BASEOBJS) check_fping_LDADD = $(NETLIBS) popen.o check_game_LDADD = $(BASEOBJS) popen.o -check_http_LDADD = $(NETLIBS) +check_http_LDADD = $(SSLOBJS) $(NETLIBS) check_hpjd_LDADD = $(NETLIBS) popen.o check_ldap_LDADD = $(NETLIBS) $(LDAPLIBS) check_load_LDADD = $(BASEOBJS) popen.o @@ -68,12 +70,12 @@ check_procs_LDADD = $(BASEOBJS) popen.o check_radius_LDADD = $(NETLIBS) $(RADIUSLIBS) check_real_LDADD = $(NETLIBS) check_snmp_LDADD = $(BASEOBJS) popen.o -check_smtp_LDADD = $(NETLIBS) +check_smtp_LDADD = $(SSLOBJS) $(NETLIBS) check_ssh_LDADD = $(NETLIBS) check_swap_LDADD = $(MATHLIBS) $(BASEOBJS) popen.o -check_tcp_LDADD = $(NETLIBS) +check_tcp_LDADD = $(SSLOBJS) $(NETLIBS) check_time_LDADD = $(NETLIBS) -check_udp_LDADD = $(NETLIBS) +check_udp_LDADD = $(SSLOBJS) $(NETLIBS) check_ups_LDADD = $(NETLIBS) check_users_LDADD = $(BASEOBJS) popen.o check_by_ssh_LDADD = $(NETLIBS) popen.o @@ -87,7 +89,7 @@ check_dns_DEPENDENCIES = check_dns.c $(NETOBJS) popen.o $(DEPLIBS) check_dummy_DEPENDENCIES = check_dummy.c $(DEPLIBS) check_fping_DEPENDENCIES = check_fping.c $(NETOBJS) popen.o $(DEPLIBS) check_game_DEPENDENCIES = check_game.c $(DEPLIBS) -check_http_DEPENDENCIES = check_http.c $(NETOBJS) $(DEPLIBS) +check_http_DEPENDENCIES = check_http.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS) check_hpjd_DEPENDENCIES = check_hpjd.c $(NETOBJS) popen.o $(DEPLIBS) check_ide_smart_DEPENDENCIES = check_ide_smart.c $(BASEOBJS) $(DEPLIBS) check_ldap_DEPENDENCIES = check_ldap.c $(NETOBJS) $(DEPLIBS) @@ -105,12 +107,12 @@ check_procs_DEPENDENCIES = check_procs.c $(BASEOBJS) popen.o $(DEPLIBS) check_radius_DEPENDENCIES = check_radius.c $(NETOBJS) $(DEPLIBS) check_real_DEPENDENCIES = check_real.c $(NETOBJS) $(DEPLIBS) check_snmp_DEPENDENCIES = check_snmp.c $(BASEOBJS) popen.o $(DEPLIBS) -check_smtp_DEPENDENCIES = check_smtp.c $(NETOBJS) $(DEPLIBS) +check_smtp_DEPENDENCIES = check_smtp.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS) check_ssh_DEPENDENCIES = check_ssh.c $(NETOBJS) $(DEPLIBS) check_swap_DEPENDENCIES = check_swap.c $(BASEOBJS) popen.o $(DEPLIBS) -check_tcp_DEPENDENCIES = check_tcp.c $(NETOBJS) $(DEPLIBS) +check_tcp_DEPENDENCIES = check_tcp.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS) check_time_DEPENDENCIES = check_time.c $(NETOBJS) $(DEPLIBS) -check_udp_DEPENDENCIES = check_udp.c $(NETOBJS) $(DEPLIBS) +check_udp_DEPENDENCIES = check_udp.c $(SSLOBJS) $(NETOBJS) $(DEPLIBS) check_ups_DEPENDENCIES = check_ups.c $(NETOBJS) $(DEPLIBS) check_users_DEPENDENCIES = check_users.c $(BASEOBJS) popen.o $(DEPLIBS) check_by_ssh_DEPENDENCIES = check_by_ssh.c $(NETOBJS) popen.o $(DEPLIBS) @@ -125,6 +127,7 @@ popen.o: popen.c popen.h $(PLUGINHDRS) utils.o: utils.c utils.h $(PLUGINHDRS) netutils.o: netutils.c netutils.h $(PLUGINHDRS) +sslutils.o: sslutils.c netutils.h $(PLUGINHDRS) getaddrinfo.o: getaddrinfo.h $(PLUGINHDRS) diff --git a/plugins/netutils.c b/plugins/netutils.c index 2678f911..db64ef09 100644 --- a/plugins/netutils.c +++ b/plugins/netutils.c @@ -234,133 +234,6 @@ np_net_connect (const char *host_name, int port, int *sd, int proto) } } -#ifdef HAVE_SSL -static SSL_CTX *c=NULL; -static SSL *s=NULL; - -int np_net_ssl_init (int sd){ - SSL_METHOD *m=NULL; - /* Initialize SSL context */ - SSLeay_add_ssl_algorithms (); - m = SSLv23_client_method (); - SSL_load_error_strings (); - OpenSSL_add_all_algorithms(); - if ((c = SSL_CTX_new (m)) == NULL) { - printf (_("CRITICAL - Cannot create SSL context.\n")); - return STATE_CRITICAL; - } - if ((s = SSL_new (c)) != NULL){ - SSL_set_fd (s, sd); - if (SSL_connect(s) == 1){ - return OK; - } else { - printf (_("CRITICAL - Cannot make SSL connection ")); -#ifdef USE_OPENSSL /* XXX look into ERR_error_string */ - ERR_print_errors_fp (stdout); -#endif /* USE_OPENSSL */ - } - } else { - printf (_("CRITICAL - Cannot initiate SSL handshake.\n")); - } - return STATE_CRITICAL; -} - -void np_net_ssl_cleanup (){ - if(s){ - SSL_shutdown (s); - SSL_free (s); - if(c) SSL_CTX_free (c); - } -} - -int np_net_ssl_write(const void *buf, int num){ - return SSL_write(s, buf, num); -} - -int np_net_ssl_read(void *buf, int num){ - return SSL_read(s, buf, num); -} - -int np_net_ssl_check_cert(int days_till_exp){ -# ifdef USE_OPENSSL - X509 *certificate=NULL; - ASN1_STRING *tm; - int offset; - struct tm stamp; - int days_left; - char timestamp[17] = ""; - - certificate=SSL_get_peer_certificate(s); - if(! certificate){ - printf (_("CRITICAL - Cannot retrieve server certificate.\n")); - return STATE_CRITICAL; - } - - /* Retrieve timestamp of certificate */ - tm = X509_get_notAfter (certificate); - - /* Generate tm structure to process timestamp */ - if (tm->type == V_ASN1_UTCTIME) { - if (tm->length < 10) { - printf (_("CRITICAL - Wrong time format in certificate.\n")); - return STATE_CRITICAL; - } else { - stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); - if (stamp.tm_year < 50) - stamp.tm_year += 100; - offset = 0; - } - } else { - if (tm->length < 12) { - printf (_("CRITICAL - Wrong time format in certificate.\n")); - return STATE_CRITICAL; - } else { - stamp.tm_year = - (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + - (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); - stamp.tm_year -= 1900; - offset = 2; - } - } - stamp.tm_mon = - (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; - stamp.tm_mday = - (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); - stamp.tm_hour = - (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); - stamp.tm_min = - (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); - stamp.tm_sec = 0; - stamp.tm_isdst = -1; - - days_left = (mktime (&stamp) - time (NULL)) / 86400; - snprintf - (timestamp, 17, "%02d/%02d/%04d %02d:%02d", - stamp.tm_mon + 1, - stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); - - if (days_left > 0 && days_left <= days_till_exp) { - printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); - return STATE_WARNING; - } else if (days_left < 0) { - printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp); - return STATE_CRITICAL; - } else if (days_left == 0) { - printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); - return STATE_WARNING; - } - - printf (_("OK - Certificate will expire on %s.\n"), timestamp); - X509_free (certificate); - return STATE_OK; -# else /* ifndef USE_OPENSSL */ - printf (_("WARNING - Plugin does not support checking certificates.\n")); - return STATE_WARNING; -# endif /* USE_OPENSSL */ -} - -#endif /* HAVE_SSL */ - int send_request (int sd, int proto, const char *send_buffer, char *recv_buffer, int recv_size) { diff --git a/plugins/sslutils.c b/plugins/sslutils.c new file mode 100644 index 00000000..d785fb75 --- /dev/null +++ b/plugins/sslutils.c @@ -0,0 +1,162 @@ +/**************************************************************************** +* +* Nagios plugins SSL utilities +* +* License: GPL +* Copyright (c) 2005 nagios-plugins team +* +* Last Modified: $Date$ +* +* Description: +* +* This file contains common functions for plugins that require SSL. +* +* License Information: +* +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +* +* $Id$ +* +****************************************************************************/ + +#include "common.h" +#include "netutils.h" + +#ifdef HAVE_SSL +static SSL_CTX *c=NULL; +static SSL *s=NULL; + +int np_net_ssl_init (int sd){ + SSL_METHOD *m=NULL; + /* Initialize SSL context */ + SSLeay_add_ssl_algorithms (); + m = SSLv23_client_method (); + SSL_load_error_strings (); + OpenSSL_add_all_algorithms(); + if ((c = SSL_CTX_new (m)) == NULL) { + printf (_("CRITICAL - Cannot create SSL context.\n")); + return STATE_CRITICAL; + } + if ((s = SSL_new (c)) != NULL){ + SSL_set_fd (s, sd); + if (SSL_connect(s) == 1){ + return OK; + } else { + printf (_("CRITICAL - Cannot make SSL connection ")); +# ifdef USE_OPENSSL /* XXX look into ERR_error_string */ + ERR_print_errors_fp (stdout); +# endif /* USE_OPENSSL */ + } + } else { + printf (_("CRITICAL - Cannot initiate SSL handshake.\n")); + } + return STATE_CRITICAL; +} + +void np_net_ssl_cleanup (){ + if(s){ + SSL_shutdown (s); + SSL_free (s); + if(c) SSL_CTX_free (c); + } +} + +int np_net_ssl_write(const void *buf, int num){ + return SSL_write(s, buf, num); +} + +int np_net_ssl_read(void *buf, int num){ + return SSL_read(s, buf, num); +} + +int np_net_ssl_check_cert(int days_till_exp){ +# ifdef USE_OPENSSL + X509 *certificate=NULL; + ASN1_STRING *tm; + int offset; + struct tm stamp; + int days_left; + char timestamp[17] = ""; + + certificate=SSL_get_peer_certificate(s); + if(! certificate){ + printf (_("CRITICAL - Cannot retrieve server certificate.\n")); + return STATE_CRITICAL; + } + + /* Retrieve timestamp of certificate */ + tm = X509_get_notAfter (certificate); + + /* Generate tm structure to process timestamp */ + if (tm->type == V_ASN1_UTCTIME) { + if (tm->length < 10) { + printf (_("CRITICAL - Wrong time format in certificate.\n")); + return STATE_CRITICAL; + } else { + stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); + if (stamp.tm_year < 50) + stamp.tm_year += 100; + offset = 0; + } + } else { + if (tm->length < 12) { + printf (_("CRITICAL - Wrong time format in certificate.\n")); + return STATE_CRITICAL; + } else { + stamp.tm_year = + (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + + (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); + stamp.tm_year -= 1900; + offset = 2; + } + } + stamp.tm_mon = + (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; + stamp.tm_mday = + (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); + stamp.tm_hour = + (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); + stamp.tm_min = + (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); + stamp.tm_sec = 0; + stamp.tm_isdst = -1; + + days_left = (mktime (&stamp) - time (NULL)) / 86400; + snprintf + (timestamp, 17, "%02d/%02d/%04d %02d:%02d", + stamp.tm_mon + 1, + stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); + + if (days_left > 0 && days_left <= days_till_exp) { + printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp); + return STATE_WARNING; + } else if (days_left < 0) { + printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp); + return STATE_CRITICAL; + } else if (days_left == 0) { + printf (_("WARNING - Certificate expires today (%s).\n"), timestamp); + return STATE_WARNING; + } + + printf (_("OK - Certificate will expire on %s.\n"), timestamp); + X509_free (certificate); + return STATE_OK; +# else /* ifndef USE_OPENSSL */ + printf (_("WARNING - Plugin does not support checking certificates.\n")); + return STATE_WARNING; +# endif /* USE_OPENSSL */ +} + +#endif /* HAVE_SSL */ -- cgit v1.2.3