sslutils.c 9.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322
  1. /*****************************************************************************
  2. *
  3. * Monitoring Plugins SSL utilities
  4. *
  5. * License: GPL
  6. * Copyright (c) 2005-2010 Monitoring Plugins Development Team
  7. *
  8. * Description:
  9. *
  10. * This file contains common functions for plugins that require SSL.
  11. *
  12. *
  13. * This program is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU General Public License as published by
  15. * the Free Software Foundation, either version 3 of the License, or
  16. * (at your option) any later version.
  17. *
  18. * This program is distributed in the hope that it will be useful,
  19. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. * GNU General Public License for more details.
  22. *
  23. * You should have received a copy of the GNU General Public License
  24. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  25. *
  26. *
  27. *****************************************************************************/
  28. #define MAX_CN_LENGTH 256
  29. #include "common.h"
  30. #include "netutils.h"
  31. #ifdef HAVE_SSL
  32. static SSL_CTX *c=NULL;
  33. static SSL *s=NULL;
  34. static int initialized=0;
  35. int np_net_ssl_init(int sd) {
  36. return np_net_ssl_init_with_hostname(sd, NULL);
  37. }
  38. int np_net_ssl_init_with_hostname(int sd, char *host_name) {
  39. return np_net_ssl_init_with_hostname_and_version(sd, host_name, 0);
  40. }
  41. int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int version) {
  42. return np_net_ssl_init_with_hostname_version_and_cert(sd, host_name, version, NULL, NULL);
  43. }
  44. int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
  45. const SSL_METHOD *method = NULL;
  46. long options = 0;
  47. switch (version) {
  48. case MP_SSLv2: /* SSLv2 protocol */
  49. #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
  50. printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
  51. return STATE_UNKNOWN;
  52. #else
  53. method = SSLv2_client_method();
  54. break;
  55. #endif
  56. case MP_SSLv3: /* SSLv3 protocol */
  57. #if defined(OPENSSL_NO_SSL3)
  58. printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
  59. return STATE_UNKNOWN;
  60. #else
  61. method = SSLv3_client_method();
  62. break;
  63. #endif
  64. case MP_TLSv1: /* TLSv1 protocol */
  65. #if defined(OPENSSL_NO_TLS1)
  66. printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
  67. return STATE_UNKNOWN;
  68. #else
  69. method = TLSv1_client_method();
  70. break;
  71. #endif
  72. case MP_TLSv1_1: /* TLSv1.1 protocol */
  73. #if !defined(SSL_OP_NO_TLSv1_1)
  74. printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
  75. return STATE_UNKNOWN;
  76. #else
  77. method = TLSv1_1_client_method();
  78. break;
  79. #endif
  80. case MP_TLSv1_2: /* TLSv1.2 protocol */
  81. #if !defined(SSL_OP_NO_TLSv1_2)
  82. printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
  83. return STATE_UNKNOWN;
  84. #else
  85. method = TLSv1_2_client_method();
  86. break;
  87. #endif
  88. case MP_TLSv1_2_OR_NEWER:
  89. #if !defined(SSL_OP_NO_TLSv1_1)
  90. printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
  91. return STATE_UNKNOWN;
  92. #else
  93. options |= SSL_OP_NO_TLSv1_1;
  94. #endif
  95. /* FALLTHROUGH */
  96. case MP_TLSv1_1_OR_NEWER:
  97. #if !defined(SSL_OP_NO_TLSv1)
  98. printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
  99. return STATE_UNKNOWN;
  100. #else
  101. options |= SSL_OP_NO_TLSv1;
  102. #endif
  103. /* FALLTHROUGH */
  104. case MP_TLSv1_OR_NEWER:
  105. #if defined(SSL_OP_NO_SSLv3)
  106. options |= SSL_OP_NO_SSLv3;
  107. #endif
  108. /* FALLTHROUGH */
  109. case MP_SSLv3_OR_NEWER:
  110. #if defined(SSL_OP_NO_SSLv2)
  111. options |= SSL_OP_NO_SSLv2;
  112. #endif
  113. case MP_SSLv2_OR_NEWER:
  114. /* FALLTHROUGH */
  115. default: /* Default to auto negotiation */
  116. method = SSLv23_client_method();
  117. }
  118. if (!initialized) {
  119. /* Initialize SSL context */
  120. SSLeay_add_ssl_algorithms();
  121. SSL_load_error_strings();
  122. OpenSSL_add_all_algorithms();
  123. initialized = 1;
  124. }
  125. if ((c = SSL_CTX_new(method)) == NULL) {
  126. printf("%s\n", _("CRITICAL - Cannot create SSL context."));
  127. return STATE_CRITICAL;
  128. }
  129. if (cert && privkey) {
  130. SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM);
  131. SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM);
  132. #ifdef USE_OPENSSL
  133. if (!SSL_CTX_check_private_key(c)) {
  134. printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n"));
  135. return STATE_CRITICAL;
  136. }
  137. #endif
  138. }
  139. #ifdef SSL_OP_NO_TICKET
  140. options |= SSL_OP_NO_TICKET;
  141. #endif
  142. SSL_CTX_set_options(c, options);
  143. SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
  144. if ((s = SSL_new(c)) != NULL) {
  145. #ifdef SSL_set_tlsext_host_name
  146. if (host_name != NULL)
  147. SSL_set_tlsext_host_name(s, host_name);
  148. #endif
  149. SSL_set_fd(s, sd);
  150. if (SSL_connect(s) == 1) {
  151. return OK;
  152. } else {
  153. printf("%s\n", _("CRITICAL - Cannot make SSL connection."));
  154. # ifdef USE_OPENSSL /* XXX look into ERR_error_string */
  155. ERR_print_errors_fp(stdout);
  156. # endif /* USE_OPENSSL */
  157. }
  158. } else {
  159. printf("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
  160. }
  161. return STATE_CRITICAL;
  162. }
  163. void np_net_ssl_cleanup() {
  164. if (s) {
  165. #ifdef SSL_set_tlsext_host_name
  166. SSL_set_tlsext_host_name(s, NULL);
  167. #endif
  168. SSL_shutdown(s);
  169. SSL_free(s);
  170. if (c) {
  171. SSL_CTX_free(c);
  172. c=NULL;
  173. }
  174. s=NULL;
  175. }
  176. }
  177. int np_net_ssl_write(const void *buf, int num) {
  178. return SSL_write(s, buf, num);
  179. }
  180. int np_net_ssl_read(void *buf, int num) {
  181. return SSL_read(s, buf, num);
  182. }
  183. int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
  184. # ifdef USE_OPENSSL
  185. X509 *certificate=NULL;
  186. X509_NAME *subj=NULL;
  187. char timestamp[50] = "";
  188. char cn[MAX_CN_LENGTH]= "";
  189. char *tz;
  190. int cnlen =-1;
  191. int status=STATE_UNKNOWN;
  192. ASN1_STRING *tm;
  193. int offset;
  194. struct tm stamp;
  195. float time_left;
  196. int days_left;
  197. int time_remaining;
  198. time_t tm_t;
  199. certificate=SSL_get_peer_certificate(s);
  200. if (!certificate) {
  201. printf("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
  202. return STATE_CRITICAL;
  203. }
  204. /* Extract CN from certificate subject */
  205. subj=X509_get_subject_name(certificate);
  206. if (!subj) {
  207. printf("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
  208. return STATE_CRITICAL;
  209. }
  210. cnlen = X509_NAME_get_text_by_NID(subj, NID_commonName, cn, sizeof(cn));
  211. if (cnlen == -1)
  212. strcpy(cn, _("Unknown CN"));
  213. /* Retrieve timestamp of certificate */
  214. tm = X509_get_notAfter(certificate);
  215. /* Generate tm structure to process timestamp */
  216. if (tm->type == V_ASN1_UTCTIME) {
  217. if (tm->length < 10) {
  218. printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
  219. return STATE_CRITICAL;
  220. } else {
  221. stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
  222. if (stamp.tm_year < 50)
  223. stamp.tm_year += 100;
  224. offset = 0;
  225. }
  226. } else {
  227. if (tm->length < 12) {
  228. printf("%s\n", _("CRITICAL - Wrong time format in certificate."));
  229. return STATE_CRITICAL;
  230. } else {
  231. stamp.tm_year =
  232. (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
  233. (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
  234. stamp.tm_year -= 1900;
  235. offset = 2;
  236. }
  237. }
  238. stamp.tm_mon =
  239. (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
  240. stamp.tm_mday =
  241. (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
  242. stamp.tm_hour =
  243. (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
  244. stamp.tm_min =
  245. (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
  246. stamp.tm_sec =
  247. (tm->data[10 + offset] - '0') * 10 + (tm->data[11 + offset] - '0');
  248. stamp.tm_isdst = -1;
  249. tm_t = timegm(&stamp);
  250. time_left = difftime(tm_t, time(NULL));
  251. days_left = time_left / 86400;
  252. tz = getenv("TZ");
  253. setenv("TZ", "GMT", 1);
  254. tzset();
  255. strftime(timestamp, 50, "%c %z", localtime(&tm_t));
  256. if (tz)
  257. setenv("TZ", tz, 1);
  258. else
  259. unsetenv("TZ");
  260. tzset();
  261. if (days_left > 0 && days_left <= days_till_exp_warn) {
  262. printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, days_left, timestamp);
  263. if (days_left > days_till_exp_crit)
  264. status = STATE_WARNING;
  265. else
  266. status = STATE_CRITICAL;
  267. } else if (days_left == 0 && time_left > 0) {
  268. if (time_left >= 3600)
  269. time_remaining = (int) time_left / 3600;
  270. else
  271. time_remaining = (int) time_left / 60;
  272. printf (_("%s - Certificate '%s' expires in %u %s (%s)\n"),
  273. (days_left>days_till_exp_crit) ? "WARNING" : "CRITICAL", cn, time_remaining,
  274. time_left >= 3600 ? "hours" : "minutes", timestamp);
  275. if ( days_left > days_till_exp_crit)
  276. status = STATE_WARNING;
  277. else
  278. status = STATE_CRITICAL;
  279. } else if (time_left < 0) {
  280. printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
  281. status=STATE_CRITICAL;
  282. } else if (days_left == 0) {
  283. printf (_("%s - Certificate '%s' just expired (%s).\n"), (days_left>days_till_exp_crit)?"WARNING":"CRITICAL", cn, timestamp);
  284. if (days_left > days_till_exp_crit)
  285. status = STATE_WARNING;
  286. else
  287. status = STATE_CRITICAL;
  288. } else {
  289. printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
  290. status = STATE_OK;
  291. }
  292. X509_free(certificate);
  293. return status;
  294. # else /* ifndef USE_OPENSSL */
  295. printf("%s\n", _("WARNING - Plugin does not support checking certificates."));
  296. return STATE_WARNING;
  297. # endif /* USE_OPENSSL */
  298. }
  299. #endif /* HAVE_SSL */