diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index f0bc7363b3434bba628f5903d259d3eb4e02c4c9..a7a07838f9b10f5d08063467045b5f27f0aeaf25 100644 (file)
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
/******************************************************************************
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
- $Id$
-
+*
+* Nagios check_smtp plugin
+*
+* License: GPL
+* Copyright (c) 1999-2006 nagios-plugins team
+*
+* Last Modified: $Date$
+*
+* Description:
+*
+* This file contains the check_smtp plugin
+*
+* This plugin will attempt to open an SMTP connection with the host.
+*
+*
+* License Information:
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*
+*
+* $Id$
+*
******************************************************************************/
const char *progname = "check_smtp";
const char *revision = "$Revision$";
-const char *copyright = "2000-2004";
+const char *copyright = "2000-2006";
const char *email = "nagiosplug-devel@lists.sourceforge.net";
#include "common.h"
#include "netutils.h"
#include "utils.h"
-#ifdef HAVE_SSL_H
-# include <rsa.h>
-# include <crypto.h>
-# include <x509.h>
-# include <pem.h>
-# include <ssl.h>
-# include <err.h>
-#else
-# ifdef HAVE_OPENSSL_SSL_H
-# include <openssl/rsa.h>
-# include <openssl/crypto.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-# include <openssl/ssl.h>
-# include <openssl/err.h>
-# endif
-#endif
-
#ifdef HAVE_SSL
-
int check_cert = FALSE;
int days_till_exp;
-SSL_CTX *ctx;
-SSL *ssl;
-X509 *server_cert;
-int connect_STARTTLS (void);
-int check_certificate (X509 **);
+# define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
+# define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
+#else /* ifndef HAVE_SSL */
+# define my_recv(buf, len) read(sd, buf, len)
+# define my_send(buf, len) send(sd, buf, len, 0)
#endif
enum {
SMTP_PORT = 25
};
-const char *SMTP_EXPECT = "220";
-const char *SMTP_HELO = "HELO ";
-const char *SMTP_QUIT = "QUIT\r\n";
-const char *SMTP_STARTTLS = "STARTTLS\r\n";
+#define SMTP_EXPECT "220"
+#define SMTP_HELO "HELO "
+#define SMTP_EHLO "EHLO "
+#define SMTP_QUIT "QUIT\r\n"
+#define SMTP_STARTTLS "STARTTLS\r\n"
+#define SMTP_AUTH_LOGIN "AUTH LOGIN\r\n"
+
+#ifndef HOST_MAX_BYTES
+#define HOST_MAX_BYTES 255
+#endif
+
+#define EHLO_SUPPORTS_STARTTLS 1
int process_arguments (int, char **);
int validate_arguments (void);
void print_help (void);
void print_usage (void);
-int myrecv(void);
int my_close(void);
-#ifdef HAVE_REGEX_H
-#include <regex.h>
+#include "regex.h"
char regex_expect[MAX_INPUT_BUFFER] = "";
regex_t preg;
regmatch_t pmatch[10];
int cflags = REG_EXTENDED | REG_NOSUB | REG_NEWLINE;
int eflags = 0;
int errcode, excode;
-#endif
int server_port = SMTP_PORT;
char *server_address = NULL;
int response_size=0;
char **commands = NULL;
char **responses = NULL;
+char *authtype = NULL;
+char *authuser = NULL;
+char *authpass = NULL;
int warning_time = 0;
int check_warning_time = FALSE;
int critical_time = 0;
int check_critical_time = FALSE;
int verbose = 0;
int use_ssl = FALSE;
+short use_ehlo = FALSE;
+short ssl_established = 0;
+char *localhostname = NULL;
int sd;
char buffer[MAX_INPUT_BUFFER];
enum {
MAXBUF = 1024
};
+/* written by lauri alanko */
+static char *
+base64 (const char *bin, size_t len)
+{
+
+ char *buf = (char *) malloc ((len + 2) / 3 * 4 + 1);
+ size_t i = 0, j = 0;
+
+ char BASE64_END = '=';
+ char base64_table[64];
+ strncpy (base64_table, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", 64);
+
+ while (j < len - 2) {
+ buf[i++] = base64_table[bin[j] >> 2];
+ buf[i++] = base64_table[((bin[j] & 3) << 4) | (bin[j + 1] >> 4)];
+ buf[i++] = base64_table[((bin[j + 1] & 15) << 2) | (bin[j + 2] >> 6)];
+ buf[i++] = base64_table[bin[j + 2] & 63];
+ j += 3;
+ }
+
+ switch (len - j) {
+ case 1:
+ buf[i++] = base64_table[bin[j] >> 2];
+ buf[i++] = base64_table[(bin[j] & 3) << 4];
+ buf[i++] = BASE64_END;
+ buf[i++] = BASE64_END;
+ break;
+ case 2:
+ buf[i++] = base64_table[bin[j] >> 2];
+ buf[i++] = base64_table[((bin[j] & 3) << 4) | (bin[j + 1] >> 4)];
+ buf[i++] = base64_table[(bin[j + 1] & 15) << 2];
+ buf[i++] = BASE64_END;
+ break;
+ case 0:
+ break;
+ }
+
+ buf[i] = '\0';
+ return buf;
+}
+
int
main (int argc, char **argv)
{
-
+ short supports_tls=FALSE;
int n = 0;
double elapsed_time;
long microsec;
int result = STATE_UNKNOWN;
char *cmd_str = NULL;
char *helocmd = NULL;
+ char *error_msg = "";
struct timeval tv;
setlocale (LC_ALL, "");
if (process_arguments (argc, argv) == ERROR)
usage4 (_("Could not parse arguments"));
- /* initialize the HELO command with the localhostname */
-#ifndef HOST_MAX_BYTES
-#define HOST_MAX_BYTES 255
-#endif
- helocmd = malloc (HOST_MAX_BYTES);
- gethostname(helocmd, HOST_MAX_BYTES);
- asprintf (&helocmd, "%s%s%s", SMTP_HELO, helocmd, "\r\n");
+ /* If localhostname not set on command line, use gethostname to set */
+ if(! localhostname){
+ localhostname = malloc (HOST_MAX_BYTES);
+ if(!localhostname){
+ printf(_("malloc() failed!\n"));
+ return STATE_CRITICAL;
+ }
+ if(gethostname(localhostname, HOST_MAX_BYTES)){
+ printf(_("gethostname() failed!\n"));
+ return STATE_CRITICAL;
+ }
+ }
+ if(use_ehlo)
+ asprintf (&helocmd, "%s%s%s", SMTP_EHLO, localhostname, "\r\n");
+ else
+ asprintf (&helocmd, "%s%s%s", SMTP_HELO, localhostname, "\r\n");
+
+ if (verbose)
+ printf("HELOCMD: %s", helocmd);
/* initialize the MAIL command with optional FROM command */
asprintf (&cmd_str, "%sFROM: %s%s", mail_command, from_arg, "\r\n");
}
}
- /* send the HELO command */
+ /* send the HELO/EHLO command */
send(sd, helocmd, strlen(helocmd), 0);
/* allow for response to helo command to reach us */
- read (sd, buffer, MAXBUF - 1);
+ if(read (sd, buffer, MAXBUF - 1) < 0){
+ printf (_("recv() failed\n"));
+ return STATE_WARNING;
+ } else if(use_ehlo){
+ buffer[MAXBUF-1]='\0';
+ if(strstr(buffer, "250 STARTTLS") != NULL ||
+ strstr(buffer, "250-STARTTLS") != NULL){
+ supports_tls=TRUE;
+ }
+ }
+
+ if(use_ssl && ! supports_tls){
+ printf(_("WARNING - TLS not supported by server\n"));
+ send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
+ return STATE_WARNING;
+ }
#ifdef HAVE_SSL
if(use_ssl) {
recv(sd,buffer, MAX_INPUT_BUFFER-1, 0); /* wait for it */
if (!strstr (buffer, server_expect)) {
printf (_("Server does not support STARTTLS\n"));
+ send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
return STATE_UNKNOWN;
}
- if(connect_STARTTLS() != OK) {
+ result = np_net_ssl_init(sd);
+ if(result != STATE_OK) {
printf (_("CRITICAL - Cannot create SSL context.\n"));
+ np_net_ssl_cleanup();
+ close(sd);
return STATE_CRITICAL;
+ } else {
+ ssl_established = 1;
}
+
+ /*
+ * Resend the EHLO command.
+ *
+ * RFC 3207 (4.2) says: ``The client MUST discard any knowledge
+ * obtained from the server, such as the list of SMTP service
+ * extensions, which was not obtained from the TLS negotiation
+ * itself. The client SHOULD send an EHLO command as the first
+ * command after a successful TLS negotiation.'' For this
+ * reason, some MTAs will not allow an AUTH LOGIN command before
+ * we resent EHLO via TLS.
+ */
+ if (my_send(helocmd, strlen(helocmd)) <= 0) {
+ printf("%s\n", _("SMTP UNKNOWN - Cannot send EHLO command via TLS."));
+ my_close();
+ return STATE_UNKNOWN;
+ }
+ if (verbose)
+ printf(_("sent %s"), helocmd);
+ if ((n = my_recv(buffer, MAX_INPUT_BUFFER - 1)) <= 0) {
+ printf("%s\n", _("SMTP UNKNOWN - Cannot read EHLO response via TLS."));
+ my_close();
+ return STATE_UNKNOWN;
+ }
+ if (verbose) {
+ buffer[n] = '\0';
+ printf("%s", buffer);
+ }
+
+# ifdef USE_OPENSSL
if ( check_cert ) {
- if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) {
- result = check_certificate (&server_cert);
- X509_free(server_cert);
- }
- else {
- printf (_("CRITICAL - Cannot retrieve server certificate.\n"));
- result = STATE_CRITICAL;
-
+ result = np_net_ssl_check_cert(days_till_exp);
+ if(result != STATE_OK){
+ printf ("%s\n", _("CRITICAL - Cannot retrieve server certificate."));
}
my_close();
return result;
}
+# endif /* USE_OPENSSL */
}
#endif
* Use the -f option to provide a FROM address
*/
if (smtp_use_dummycmd) {
-#ifdef HAVE_SSL
- if (use_ssl)
- SSL_write(ssl, cmd_str, strlen(cmd_str));
- else
-#endif
- send(sd, cmd_str, strlen(cmd_str), 0);
- myrecv();
+ my_send(cmd_str, strlen(cmd_str));
+ my_recv(buffer, MAX_INPUT_BUFFER-1);
if (verbose)
printf("%s", buffer);
}
while (n < ncommands) {
asprintf (&cmd_str, "%s%s", commands[n], "\r\n");
-#ifdef HAVE_SSL
- if (use_ssl)
- SSL_write(ssl,cmd_str, strlen(cmd_str));
- else
-#endif
- send(sd, cmd_str, strlen(cmd_str), 0);
- myrecv();
+ my_send(cmd_str, strlen(cmd_str));
+ my_recv(buffer, MAX_INPUT_BUFFER-1);
if (verbose)
printf("%s", buffer);
strip (buffer);
if (n < nresponses) {
-#ifdef HAVE_REGEX_H
cflags |= REG_EXTENDED | REG_NOSUB | REG_NEWLINE;
errcode = regcomp (&preg, responses[n], cflags);
if (errcode != 0) {
printf (_("Execute Error: %s\n"), errbuf);
result = STATE_UNKNOWN;
}
-#else
- if (strstr(buffer, responses[n])!=buffer) {
- result = STATE_WARNING;
- printf (_("SMTP %s - Invalid response '%s' to command '%s'\n"), state_text (result), buffer, commands[n]);
- }
-#endif
}
n++;
}
+ if (authtype != NULL) {
+ if (strcmp (authtype, "LOGIN") == 0) {
+ char *abuf;
+ int ret;
+ do {
+ if (authuser == NULL) {
+ result = STATE_CRITICAL;
+ asprintf(&error_msg, _("no authuser specified, "));
+ break;
+ }
+ if (authpass == NULL) {
+ result = STATE_CRITICAL;
+ asprintf(&error_msg, _("no authpass specified, "));
+ break;
+ }
+
+ /* send AUTH LOGIN */
+ my_send(SMTP_AUTH_LOGIN, strlen(SMTP_AUTH_LOGIN));
+ if (verbose)
+ printf (_("sent %s\n"), "AUTH LOGIN");
+
+ if((ret = my_recv(buffer, MAXBUF - 1)) < 0){
+ asprintf(&error_msg, _("recv() failed after AUTH LOGIN, "));
+ result = STATE_WARNING;
+ break;
+ }
+ buffer[ret] = 0;
+ if (verbose)
+ printf (_("received %s\n"), buffer);
+
+ if (strncmp (buffer, "334", 3) != 0) {
+ result = STATE_CRITICAL;
+ asprintf(&error_msg, _("invalid response received after AUTH LOGIN, "));
+ break;
+ }
+
+ /* encode authuser with base64 */
+ abuf = base64 (authuser, strlen(authuser));
+ strcat (abuf, "\r\n");
+ my_send(abuf, strlen(abuf));
+ if (verbose)
+ printf (_("sent %s\n"), abuf);
+
+ if ((ret = my_recv(buffer, MAX_INPUT_BUFFER-1)) == -1) {
+ result = STATE_CRITICAL;
+ asprintf(&error_msg, _("recv() failed after sending authuser, "));
+ break;
+ }
+ buffer[ret] = 0;
+ if (verbose) {
+ printf (_("received %s\n"), buffer);
+ }
+ if (strncmp (buffer, "334", 3) != 0) {
+ result = STATE_CRITICAL;
+ asprintf(&error_msg, _("invalid response received after authuser, "));
+ break;
+ }
+ /* encode authpass with base64 */
+ abuf = base64 (authpass, strlen(authpass));
+ strcat (abuf, "\r\n");
+ my_send(abuf, strlen(abuf));
+ if (verbose) {
+ printf (_("sent %s\n"), abuf);
+ }
+ if ((ret = my_recv(buffer, MAX_INPUT_BUFFER-1)) == -1) {
+ result = STATE_CRITICAL;
+ asprintf(&error_msg, _("recv() failed after sending authpass, "));
+ break;
+ }
+ buffer[ret] = 0;
+ if (verbose) {
+ printf (_("received %s\n"), buffer);
+ }
+ if (strncmp (buffer, "235", 3) != 0) {
+ result = STATE_CRITICAL;
+ asprintf(&error_msg, _("invalid response received after authpass, "));
+ break;
+ }
+ break;
+ } while (0);
+ } else {
+ result = STATE_CRITICAL;
+ asprintf(&error_msg, _("only authtype LOGIN is supported, "));
+ }
+ }
+
/* tell the server we're done */
-#ifdef HAVE_SSL
- if (use_ssl)
- SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT));
- else
-#endif
- send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0);
+ my_send (SMTP_QUIT, strlen (SMTP_QUIT));
/* finally close the connection */
close (sd);
result = STATE_WARNING;
}
- printf (_("SMTP %s - %.3f sec. response time%s%s|%s\n"),
- state_text (result), elapsed_time,
- verbose?", ":"", verbose?buffer:"",
- fperfdata ("time", elapsed_time, "s",
- (int)check_warning_time, warning_time,
- (int)check_critical_time, critical_time,
- TRUE, 0, FALSE, 0));
+ printf (_("SMTP %s - %s%.3f sec. response time%s%s|%s\n"),
+ state_text (result),
+ error_msg,
+ elapsed_time,
+ verbose?", ":"", verbose?buffer:"",
+ fperfdata ("time", elapsed_time, "s",
+ (int)check_warning_time, warning_time,
+ (int)check_critical_time, critical_time,
+ TRUE, 0, FALSE, 0));
return result;
}
{"timeout", required_argument, 0, 't'},
{"port", required_argument, 0, 'p'},
{"from", required_argument, 0, 'f'},
+ {"fqdn", required_argument, 0, 'F'},
+ {"authtype", required_argument, 0, 'A'},
+ {"authuser", required_argument, 0, 'U'},
+ {"authpass", required_argument, 0, 'P'},
{"command", required_argument, 0, 'C'},
{"response", required_argument, 0, 'R'},
{"nocommand", required_argument, 0, 'n'},
}
while (1) {
- c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:SD:",
+ c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:SD:F:A:U:P:",
longopts, &option);
if (c == -1 || c == EOF)
else
usage4 (_("Port must be a positive integer"));
break;
+ case 'F':
+ /* localhostname */
+ localhostname = strdup(optarg);
+ break;
case 'f': /* from argument */
from_arg = optarg;
smtp_use_dummycmd = 1;
break;
+ case 'A':
+ authtype = optarg;
+ break;
+ case 'U':
+ authuser = optarg;
+ break;
+ case 'P':
+ authpass = optarg;
+ break;
case 'e': /* server expect string on 220 */
server_expect = optarg;
break;
case 'C': /* commands */
if (ncommands >= command_size) {
- commands = realloc (commands, command_size+8);
+ command_size+=8;
+ commands = realloc (commands, sizeof(char *) * command_size);
if (commands == NULL)
die (STATE_UNKNOWN,
_("Could not realloc() units [%d]\n"), ncommands);
}
- commands[ncommands] = optarg;
+ commands[ncommands] = (char *) malloc (sizeof(char) * 255);
+ strncpy (commands[ncommands], optarg, 255);
ncommands++;
break;
case 'R': /* server responses */
if (nresponses >= response_size) {
- responses = realloc (responses, response_size+8);
+ response_size += 8;
+ responses = realloc (responses, sizeof(char *) * response_size);
if (responses == NULL)
die (STATE_UNKNOWN,
_("Could not realloc() units [%d]\n"), nresponses);
}
- responses[nresponses] = optarg;
+ responses[nresponses] = (char *) malloc (sizeof(char) * 255);
+ strncpy (responses[nresponses], optarg, 255);
nresponses++;
break;
case 'c': /* critical time threshold */
case 'S':
/* starttls */
use_ssl = TRUE;
+ use_ehlo = TRUE;
break;
case 'D':
/* Check SSL cert validity */
-#ifdef HAVE_SSL
+#ifdef USE_OPENSSL
if (!is_intnonneg (optarg))
usage2 ("Invalid certificate expiration period",optarg);
days_till_exp = atoi (optarg);
print_help ();
exit (STATE_OK);
case '?': /* help */
- usage2 (_("Unknown argument"), optarg);
+ usage5 ();
}
}
}
+int
+my_close (void)
+{
+#ifdef HAVE_SSL
+ np_net_ssl_cleanup();
+#endif
+ return close(sd);
+}
+
void
print_help (void)
printf ("Copyright (c) 1999-2001 Ethan Galstad <nagios@nagios.org>\n");
printf (COPYRIGHT, copyright, email);
- printf(_("This plugin will attempt to open an SMTP connection with the host.\n\n"));
+ printf("%s\n", _("This plugin will attempt to open an SMTP connection with the host."));
+
+ printf ("\n\n");
print_usage ();
printf (_(UT_IPv46));
- printf (_("\
- -e, --expect=STRING\n\
- String to expect in first line of server response (default: '%s')\n\
- -n, nocommand\n\
- Suppress SMTP command\n\
- -C, --command=STRING\n\
- SMTP command (may be used repeatedly)\n\
- -R, --command=STRING\n\
- Expected response to command (may be used repeatedly)\n\
- -f, --from=STRING\n\
- FROM-address to include in MAIL command, required by Exchange 2000\n"),
- SMTP_EXPECT);
+ printf (" %s\n", "-e, --expect=STRING");
+ printf (_(" String to expect in first line of server response (default: '%s')\n"), SMTP_EXPECT);
+ printf (" %s\n", "-n, nocommand");
+ printf (" %s\n", _("Suppress SMTP command"));
+ printf (" %s\n", "-C, --command=STRING");
+ printf (" %s\n", _("SMTP command (may be used repeatedly)"));
+ printf (" %s\n", "-R, --command=STRING");
+ printf (" %s\n", _("Expected response to command (may be used repeatedly)"));
+ printf (" %s\n", "-f, --from=STRING");
+ printf (" %s\n", _("FROM-address to include in MAIL command, required by Exchange 2000")),
#ifdef HAVE_SSL
- printf (_("\
- -D, --certificate=INTEGER\n\
- Minimum number of days a certificate has to be valid.\n\
- -S, --starttls\n\
- Use STARTTLS for the connection.\n"));
+ printf (" %s\n", "-D, --certificate=INTEGER");
+ printf (" %s\n", _("Minimum number of days a certificate has to be valid."));
+ printf (" %s\n", "-S, --starttls");
+ printf (" %s\n", _("Use STARTTLS for the connection."));
#endif
+ printf (" %s\n", "-A, --authtype=STRING");
+ printf (" %s\n", _("SMTP AUTH type to check (default none, only LOGIN supported)"));
+ printf (" %s\n", "-U, --authuser=STRING");
+ printf (" %s\n", _("SMTP AUTH username"));
+ printf (" %s\n", "-P, --authpass=STRING");
+ printf (" %s\n", _("SMTP AUTH password"));
+
printf (_(UT_WARN_CRIT));
printf (_(UT_TIMEOUT), DEFAULT_SOCKET_TIMEOUT);
printf (_(UT_VERBOSE));
- printf(_("\n\
-Successul connects return STATE_OK, refusals and timeouts return\n\
-STATE_CRITICAL, other errors return STATE_UNKNOWN. Successful\n\
-connects, but incorrect reponse messages from the host result in\n\
-STATE_WARNING return values.\n"));
+ printf("\n");
+ printf ("%s\n", _("Successul connects return STATE_OK, refusals and timeouts return"));
+ printf ("%s\n", _("STATE_CRITICAL, other errors return STATE_UNKNOWN. Successful"));
+ printf ("%s\n", _("connects, but incorrect reponse messages from the host result in"));
+ printf ("%s\n", _("STATE_WARNING return values."));
printf (_(UT_SUPPORT));
}
void
print_usage (void)
{
- printf ("\
-Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\
- [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname);
+ printf (_("Usage:"));
+ printf ("%s -H host [-p port] [-e expect] [-C command] [-f from addr]", progname);
+ printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout]\n");
+ printf ("[-S] [-D days] [-n] [-v] [-4|-6]\n");
}
-#ifdef HAVE_SSL
-int
-connect_STARTTLS (void)
-{
- SSL_METHOD *meth;
-
- /* Initialize SSL context */
- SSLeay_add_ssl_algorithms ();
- meth = SSLv2_client_method ();
- SSL_load_error_strings ();
- if ((ctx = SSL_CTX_new (meth)) == NULL)
- {
- printf(_("CRITICAL - Cannot create SSL context.\n"));
- return STATE_CRITICAL;
- }
- /* do the SSL handshake */
- if ((ssl = SSL_new (ctx)) != NULL)
- {
- SSL_set_fd (ssl, sd);
- /* original version checked for -1
- I look for success instead (1) */
- if (SSL_connect (ssl) == 1)
- return OK;
- ERR_print_errors_fp (stderr);
- }
- else
- {
- printf (_("CRITICAL - Cannot initiate SSL handshake.\n"));
- }
- /* this causes a seg faul
- not sure why, being sloppy
- and commenting it out */
- /* SSL_free (ssl); */
- SSL_CTX_free(ctx);
- my_close();
-
- return STATE_CRITICAL;
-}
-
-int
-check_certificate (X509 ** certificate)
-{
- ASN1_STRING *tm;
- int offset;
- struct tm stamp;
- int days_left;
-
- /* Retrieve timestamp of certificate */
- tm = X509_get_notAfter (*certificate);
-
- /* Generate tm structure to process timestamp */
- if (tm->type == V_ASN1_UTCTIME) {
- if (tm->length < 10) {
- printf (_("CRITICAL - Wrong time format in certificate.\n"));
- return STATE_CRITICAL;
- }
- else {
- stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
- if (stamp.tm_year < 50)
- stamp.tm_year += 100;
- offset = 0;
- }
- }
- else {
- if (tm->length < 12) {
- printf (_("CRITICAL - Wrong time format in certificate.\n"));
- return STATE_CRITICAL;
- }
- else {
- stamp.tm_year =
- (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
- (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
- stamp.tm_year -= 1900;
- offset = 2;
- }
- }
- stamp.tm_mon =
- (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
- stamp.tm_mday =
- (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
- stamp.tm_hour =
- (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
- stamp.tm_min =
- (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
- stamp.tm_sec = 0;
- stamp.tm_isdst = -1;
-
- days_left = (mktime (&stamp) - time (NULL)) / 86400;
- snprintf
- (timestamp, sizeof(timestamp), "%02d/%02d/%04d %02d:%02d",
- stamp.tm_mon + 1,
- stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
-
- if (days_left > 0 && days_left <= days_till_exp) {
- printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp);
- return STATE_WARNING;
- }
- if (days_left < 0) {
- printf ("Certificate expired on %s.\n", timestamp);
- return STATE_CRITICAL;
- }
-
- if (days_left == 0) {
- printf ("Certificate expires today (%s).\n", timestamp);
- return STATE_WARNING;
- }
-
- printf ("Certificate will expire on %s.\n", timestamp);
-
- return STATE_OK;
-}
-#endif
-
-int
-myrecv (void)
-{
- int i;
-
-#ifdef HAVE_SSL
- if (use_ssl) {
- i = SSL_read (ssl, buffer, MAXBUF - 1);
- }
- else {
-#endif
- i = read (sd, buffer, MAXBUF - 1);
-#ifdef HAVE_SSL
- }
-#endif
- return i;
-}
-
-int
-my_close (void)
-{
-#ifdef HAVE_SSL
- if (use_ssl == TRUE) {
- SSL_shutdown (ssl);
- SSL_free (ssl);
- SSL_CTX_free (ctx);
- return 0;
- }
- else {
-#endif
- return close(sd);
-#ifdef HAVE_SSL
- }
-#endif
-}