1 /*****************************************************************************
2 *
3 * Nagios plugins SSL utilities
4 *
5 * License: GPL
6 * Copyright (c) 2005-2007 Nagios Plugins Development Team
7 *
8 * Description:
9 *
10 * This file contains common functions for plugins that require SSL.
11 *
12 *
13 * This program is free software: you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation, either version 3 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program. If not, see <http://www.gnu.org/licenses/>.
25 *
26 *
27 *****************************************************************************/
29 #define LOCAL_TIMEOUT_ALARM_HANDLER
30 #include "common.h"
31 #include "netutils.h"
33 /* Max length of timestamps, ex: "03/05/2009 00:13 GMT". Calculate up to 6
34 * chars for the timezone (ex: "GMT-10") and one terminating \0 */
35 #define TS_LENGTH 24
37 #ifdef HAVE_SSL
38 static SSL_CTX *c=NULL;
39 static SSL *s=NULL;
40 static int initialized=0;
42 int np_net_ssl_init (int sd){
43 if (!initialized) {
44 /* Initialize SSL context */
45 SSLeay_add_ssl_algorithms ();
46 SSL_load_error_strings ();
47 OpenSSL_add_all_algorithms ();
48 initialized = 1;
49 }
50 if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {
51 printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
52 return STATE_CRITICAL;
53 }
54 if ((s = SSL_new (c)) != NULL){
55 SSL_set_fd (s, sd);
56 if (SSL_connect(s) == 1){
57 return OK;
58 } else {
59 printf ("%s\n", _("CRITICAL - Cannot make SSL connection "));
60 # ifdef USE_OPENSSL /* XXX look into ERR_error_string */
61 ERR_print_errors_fp (stdout);
62 # endif /* USE_OPENSSL */
63 }
64 } else {
65 printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
66 }
67 return STATE_CRITICAL;
68 }
70 void np_net_ssl_cleanup (){
71 if(s){
72 SSL_shutdown (s);
73 SSL_free (s);
74 if(c) {
75 SSL_CTX_free (c);
76 c=NULL;
77 }
78 s=NULL;
79 }
80 }
82 int np_net_ssl_write(const void *buf, int num){
83 return SSL_write(s, buf, num);
84 }
86 int np_net_ssl_read(void *buf, int num){
87 return SSL_read(s, buf, num);
88 }
90 int np_net_ssl_check_cert(int days_till_exp){
91 # ifdef USE_OPENSSL
92 X509 *certificate=NULL;
93 ASN1_STRING *tm;
94 int offset;
95 struct tm stamp;
96 int days_left;
97 char timestamp[TS_LENGTH] = "";
99 certificate=SSL_get_peer_certificate(s);
100 if(! certificate){
101 printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
102 return STATE_CRITICAL;
103 }
105 /* Retrieve timestamp of certificate */
106 tm = X509_get_notAfter (certificate);
108 /* Generate tm structure to process timestamp */
109 if (tm->type == V_ASN1_UTCTIME) {
110 if (tm->length < 10) {
111 printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));
112 return STATE_CRITICAL;
113 } else {
114 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
115 if (stamp.tm_year < 50)
116 stamp.tm_year += 100;
117 offset = 0;
118 }
119 } else {
120 if (tm->length < 12) {
121 printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));
122 return STATE_CRITICAL;
123 } else {
124 stamp.tm_year =
125 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
126 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
127 stamp.tm_year -= 1900;
128 offset = 2;
129 }
130 }
131 stamp.tm_mon =
132 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
133 stamp.tm_mday =
134 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
135 stamp.tm_hour =
136 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
137 stamp.tm_min =
138 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
139 stamp.tm_sec = 0;
140 stamp.tm_isdst = -1;
142 float time_left = difftime(timegm(&stamp), time(NULL));
143 days_left = time_left / 86400;
144 snprintf
145 (timestamp, TS_LENGTH, "%02d/%02d/%04d %02d:%02d %s",
146 stamp.tm_mon + 1,
147 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min, stamp.tm_zone);
149 if (days_left > 0 && days_left <= days_till_exp) {
150 printf (_("WARNING - Certificate expires in %d day(s) (%s).\n"), days_left, timestamp);
151 return STATE_WARNING;
152 } else if (time_left < 0) {
153 printf (_("CRITICAL - Certificate expired on %s.\n"), timestamp);
154 return STATE_CRITICAL;
155 } else if (days_left == 0) {
156 printf (_("WARNING - Certificate expires today (%s).\n"), timestamp);
157 return STATE_WARNING;
158 }
160 printf (_("OK - Certificate will expire on %s.\n"), timestamp);
161 X509_free (certificate);
162 return STATE_OK;
163 # else /* ifndef USE_OPENSSL */
164 printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
165 return STATE_WARNING;
166 # endif /* USE_OPENSSL */
167 }
169 #endif /* HAVE_SSL */