![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7fe1468)
raw | patch | inline | side by side (parent: 7fe1468)
| author | Steven Bell <stv.bell07@gmail.com> | |
| Sun, 19 Feb 2017 05:56:27 +0000 (00:56 -0500) | ||
| committer | Steven Bell <stv.bell07@gmail.com> | |
| Sun, 19 Feb 2017 10:43:26 +0000 (05:43 -0500) |
| configure.ac | patch | blob | history | |
| src/collectd.conf.in | patch | blob | history | |
| src/collectd.conf.pod | patch | blob | history | |
| src/nut.c | patch | blob | history |
diff --git a/configure.ac b/configure.ac
index 1b9b3fbfe2907ea204475fcf6e193d143c23a480..572bedec556a5671133176c85d578d08c0a4c88b 100644 (file)
--- a/configure.ac
+++ b/configure.ac
[with_libupsclient="no (symbol upscli_connect not found)"]
)
+ AC_CHECK_LIB([upsclient], [upscli_init],
+ [AC_DEFINE([WITH_UPSCLIENT_27], [1], [At least version 2-7])],
+ []
+ )
+
LDFLAGS="$SAVE_LDFLAGS"
fi
diff --git a/src/collectd.conf.in b/src/collectd.conf.in
index ff7b01b406f3e85a37c7a842225eda8f0dac5c2a..261d6a1fc6963d919edde7c76a86b6b5e79590e4 100644 (file)
--- a/src/collectd.conf.in
+++ b/src/collectd.conf.in
#<Plugin nut>
# UPS "upsname@hostname:port"
# ForceSSL true
+# VerifyPeer true
+# CAPath "/path/to/folder"
#</Plugin>
#<Plugin olsrd>
diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod
index 4c045a6da52d275fb472764037875c82e42667af..81bc0743b2047c763b9b232cfdb9646f63bad94b 100644 (file)
--- a/src/collectd.conf.pod
+++ b/src/collectd.conf.pod
Stops connections from falling back to unsecured if an SSL connection
cannot be established. Defaults to false if undeclared.
+=item B<VerifyPeer> I<true>|I<false>
+
+If set to true, requires a CAPath be provided. Will use the CAPath to find
+certificates to use as Trusted Certificates to validate a upsd server certificate.
+If validation of the upsd server certificate fails, the connection will not be
+established. If ForceSSL is undeclared or set to false, setting VerifyPeer to true
+will override and set ForceSSL to true.
+
+=item B<CAPath> I/path/to/certs/folder
+
+If VerifyPeer is set to true, this is required. Otherwise this is ignored.
+The folder pointed at must contain certificate(s) named according to their hash.
+Ex: XXXXXXXX.Y where X is the hash value of a cert and Y is 0. If name collisions
+occur because two different certs have the same hash value, Y can be incremented
+in order to avoid conflict. To create a symbolic link to a certificate the following
+command can be used from within the directory where the cert resides:
+
+C<ln -s some.crt ./$(openssl x509 -hash -noout -in some.crt).0>
+
+Alternatively, the package openssl-perl provides a command C<c_rehash> that will
+generate links like the one described above for ALL certs in a given folder.
+Example usage:
+C<c_rehash /path/to/certs/folder>
+
=back
=head2 Plugin C<olsrd>
diff --git a/src/nut.c b/src/nut.c
index 0d506f03d446b560c69c22771434a404a54b61a0..5acbdde63946eecae6e751456a207057d77170b4 100644 (file)
--- a/src/nut.c
+++ b/src/nut.c
static pthread_mutex_t read_lock = PTHREAD_MUTEX_INITIALIZER;
static int read_busy = 0;
-static const char *config_keys[] = {"UPS", "FORCESSL"};
+static const char *config_keys[] = {"UPS", "FORCESSL", "VERIFYPEER", "CAPATH"};
static int config_keys_num = STATIC_ARRAY_SIZE(config_keys);
static int force_ssl = 0; // Initialized to default of 0 (false)
+static int verify_peer = 0; // Initialized to default of 0 (false)
+static char *ca_path = NULL;
static void free_nut_ups_t(nut_ups_t *ups) {
if (ups->conn != NULL) {
return (0);
} /* int nut_parse_force_ssl */
+static int nut_verify_peer(const char *value) {
+ if (strcasecmp(value, "true") == 0)
+ verify_peer = 1;
+ else if (strcasecmp(value, "false") == 0)
+ verify_peer = 0; // Should already be set to 0 from initialization
+ else {
+ verify_peer = 0;
+ WARNING("nut plugin: nut_verify_peer: invalid VERIFYPEER value "
+ "found. Defaulting to false.");
+ }
+ return (0);
+} /* int nut_verify_peer */
+
+static int nut_ca_path(const char *value) {
+ if (value != NULL && strcmp(value, "") != 0) {
+ ca_path = malloc(strlen(value) + 1);
+ strncpy(ca_path, value, (strlen(value) + 1));
+ } else {
+ ca_path = NULL; // Should alread be set to NULL from initialization
+ }
+ return (0);
+} /* int nut_ca_path */
+
static int nut_config(const char *key, const char *value) {
if (strcasecmp(key, "UPS") == 0)
return (nut_add_ups(value));
else if (strcasecmp(key, "FORCESSL") == 0)
return (nut_force_ssl(value));
+ else if (strcasecmp(key, "VERIFYPEER") == 0)
+ return (nut_verify_peer(value));
+ else if (strcasecmp(key, "CAPATH") == 0)
+ return (nut_ca_path(value));
else
return (-1);
} /* int nut_config */
plugin_dispatch_values(&vl);
} /* void nut_submit */
+static int nut_connect(nut_ups_t *ups) {
+#ifdef WITH_UPSCLIENT_27
+ int status;
+ int ssl_status;
+ int ssl_flags;
+
+ if (verify_peer == 1 && force_ssl == 0) {
+ WARNING("nut plugin: nut_connect: VerifyPeer true but ForceSSL "
+ "false. Setting ForceSSL to true.");
+ force_ssl = 1;
+ }
+
+ if (verify_peer == 1 && ca_path == NULL) {
+ ERROR("nut plugin: nut_connect: VerifyPeer true but missing "
+ "CAPath value.");
+ return (-1);
+ }
+
+ if (verify_peer == 1) {
+ status = upscli_init(verify_peer, ca_path, NULL, NULL);
+
+ if (status != 1) {
+ ERROR("nut plugin: nut_connect: upscli_init (%i, %s) failed: %s",
+ verify_peer, ca_path, upscli_strerror(ups->conn));
+ upscli_cleanup();
+ return (-1);
+ }
+ } /* if (verify_peer == 1) */
+
+ if (verify_peer == 1)
+ ssl_flags = (UPSCLI_CONN_REQSSL | UPSCLI_CONN_CERTVERIF);
+ else if (force_ssl == 1)
+ ssl_flags = UPSCLI_CONN_REQSSL;
+ else
+ ssl_flags = UPSCLI_CONN_TRYSSL;
+
+ status = upscli_connect(ups->conn, ups->hostname, ups->port, ssl_flags);
+
+ if (status != 0) {
+ ERROR("nut plugin: nut_connect: upscli_connect (%s, %i) failed: %s",
+ ups->hostname, ups->port, upscli_strerror(ups->conn));
+ sfree(ups->conn);
+ upscli_cleanup();
+ return (-1);
+ } /* if (status != 0) */
+
+ INFO("nut plugin: Connection to (%s, %i) established.", ups->hostname,
+ ups->port);
+
+ // Output INFO or WARNING based on SSL and VERIFICATION
+ ssl_status = upscli_ssl(ups->conn); // 1 for SSL, 0 for not, -1 for error
+ if (ssl_status == 1 && verify_peer == 1) {
+ INFO("nut plugin: Connection is secured with SSL and certificate "
+ "has been verified.");
+ } else if (ssl_status == 1) {
+ INFO("nut plugin: Connection is secured with SSL with no verification "
+ "of server SSL certificate.");
+ } else if (ssl_status == 0) {
+ WARNING("nut plugin: Connection is unsecured (no SSL).");
+ } else {
+ ERROR("nut plugin: nut_connect: upscli_ssl failed: %s",
+ upscli_strerror(ups->conn));
+ sfree(ups->conn);
+ upscli_cleanup();
+ return (-1);
+ } /* if (ssl_status == 1 && verify_peer == 1) */
+ return (0);
+
+#else /* #ifdef WITH_UPSCLIENT_27 */
+ int status;
+ int ssl_status;
+ int ssl_flags;
+
+ if (verify_peer == 1 || ca_path != NULL) {
+ WARNING("nut plugin: nut_connect: Dependency libupsclient version "
+ "insufficient (<2.7) for VerifyPeer support. Ignoring VerifyPeer "
+ "and CAPath.");
+ }
+
+ if (force_ssl == 1)
+ ssl_flags = UPSCLI_CONN_REQSSL;
+ else
+ ssl_flags = UPSCLI_CONN_TRYSSL;
+
+ status = upscli_connect(ups->conn, ups->hostname, ups->port, ssl_flags);
+
+ if (status != 0) {
+ ERROR("nut plugin: nut_connect: upscli_connect (%s, %i) failed: %s",
+ ups->hostname, ups->port, upscli_strerror(ups->conn));
+ sfree(ups->conn);
+ return (-1);
+ } /* if (status != 0) */
+
+ INFO("nut plugin: Connection to (%s, %i) established.", ups->hostname,
+ ups->port);
+
+ // Output INFO or WARNING based on SSL
+ ssl_status = upscli_ssl(ups->conn); // 1 for SSL, 0 for not, -1 for error
+ if (ssl_status == 1) {
+ INFO("nut plugin: Connection is secured with SSL with no verification "
+ "of server SSL certificate.");
+ } else if (ssl_status == 0) {
+ WARNING("nut plugin: Connection is unsecured (no SSL).");
+ } else {
+ ERROR("nut plugin: nut_connect: upscli_ssl failed: %s",
+ upscli_strerror(ups->conn));
+ sfree(ups->conn);
+ return (-1);
+ } /* if (ssl_status == 1 && verify_peer == 1) */
+ return (0);
+#endif
+}
+
static int nut_read_one(nut_ups_t *ups) {
const char *query[3] = {"VAR", ups->upsname, NULL};
unsigned int query_num = 2;
char **answer;
unsigned int answer_num;
int status;
- int ssl_status;
- int ssl_flags;
/* (Re-)Connect if we have no connection */
if (ups->conn == NULL) {
return (-1);
}
- if (force_ssl == 1)
- ssl_flags = UPSCLI_CONN_REQSSL;
- else
- ssl_flags = UPSCLI_CONN_TRYSSL;
-
- status = upscli_connect(ups->conn, ups->hostname, ups->port, ssl_flags);
-
- if (status != 0) {
- ERROR("nut plugin: nut_read_one: upscli_connect (%s, %i) failed: %s",
- ups->hostname, ups->port, upscli_strerror(ups->conn));
- sfree(ups->conn);
- return (-1);
- } /* if (status != 0) */
-
- INFO("nut plugin: Connection to (%s, %i) established.", ups->hostname,
- ups->port);
-
- // Output INFO or WARNING based on SSL and VERIFICATION
- ssl_status = upscli_ssl(ups->conn); // 1 for SSL, 0 for not, -1 for error
- if (ssl_status == 1){
- INFO("nut plugin: Connection is secured with SSL.");
- }
- else if (ssl_status == 0){
- WARNING("nut plugin: Connection is unsecured (no SSL).");
- }else{
- ERROR("nut plugin: nut_read_one: upscli_ssl failed: %s",
- upscli_strerror(ups->conn));
- sfree(ups->conn);
- return (-1);
- } /* if (ssl_status == 1 && verify_peer == 1) */
+ status = nut_connect(ups);
+ if (status == -1)
+ return -1;
} /* if (ups->conn == NULL) */
ups->upsname, upscli_strerror(ups->conn));
upscli_disconnect(ups->conn);
sfree(ups->conn);
+#ifdef WITH_UPSCLIENT_27
+ upscli_cleanup();
+#endif
return (-1);
}
free_nut_ups_t(this);
this = next;
}
+#ifdef WITH_UPSCLIENT_27
+ upscli_cleanup();
+#endif
return (0);
} /* int nut_shutdown */