1 /*****************************************************************************
2 *
3 * Nagios plugins SSL utilities
4 *
5 * License: GPL
6 * Copyright (c) 2005-2010 Nagios Plugins Development Team
7 *
8 * Description:
9 *
10 * This file contains common functions for plugins that require SSL.
11 *
12 *
13 * This program is free software: you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation, either version 3 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program. If not, see <http://www.gnu.org/licenses/>.
25 *
26 *
27 *****************************************************************************/
29 #define MAX_CN_LENGTH 256
30 #define LOCAL_TIMEOUT_ALARM_HANDLER
31 #include "common.h"
32 #include "netutils.h"
34 #ifdef HAVE_SSL
35 static SSL_CTX *c=NULL;
36 static SSL *s=NULL;
37 static int initialized=0;
39 int np_net_ssl_init (int sd) {
40 return np_net_ssl_init_with_hostname(sd, NULL);
41 }
43 int np_net_ssl_init_with_hostname (int sd, char *host_name) {
44 if (!initialized) {
45 /* Initialize SSL context */
46 SSLeay_add_ssl_algorithms ();
47 SSL_load_error_strings ();
48 OpenSSL_add_all_algorithms ();
49 initialized = 1;
50 }
51 if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) {
52 printf ("%s\n", _("CRITICAL - Cannot create SSL context."));
53 return STATE_CRITICAL;
54 }
55 if ((s = SSL_new (c)) != NULL){
56 #ifdef SSL_set_tlsext_host_name
57 if (host_name != NULL)
58 SSL_set_tlsext_host_name(s, host_name);
59 #endif
60 SSL_set_fd (s, sd);
61 if (SSL_connect(s) == 1){
62 return OK;
63 } else {
64 printf ("%s\n", _("CRITICAL - Cannot make SSL connection "));
65 # ifdef USE_OPENSSL /* XXX look into ERR_error_string */
66 ERR_print_errors_fp (stdout);
67 # endif /* USE_OPENSSL */
68 }
69 } else {
70 printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake."));
71 }
72 return STATE_CRITICAL;
73 }
75 void np_net_ssl_cleanup (){
76 if(s){
77 #ifdef SSL_set_tlsext_host_name
78 SSL_set_tlsext_host_name(s, NULL);
79 #endif
80 SSL_shutdown (s);
81 SSL_free (s);
82 if(c) {
83 SSL_CTX_free (c);
84 c=NULL;
85 }
86 s=NULL;
87 }
88 }
90 int np_net_ssl_write(const void *buf, int num){
91 return SSL_write(s, buf, num);
92 }
94 int np_net_ssl_read(void *buf, int num){
95 return SSL_read(s, buf, num);
96 }
98 int np_net_ssl_check_cert(int days_till_exp){
99 # ifdef USE_OPENSSL
100 X509 *certificate=NULL;
101 X509_NAME *subj=NULL;
102 char cn[MAX_CN_LENGTH]= "";
103 int cnlen =-1;
104 int status=STATE_UNKNOWN;
106 ASN1_STRING *tm;
107 int offset;
108 struct tm stamp;
109 float time_left;
110 int days_left;
111 char timestamp[17] = "";
113 certificate=SSL_get_peer_certificate(s);
114 if(! certificate){
115 printf ("%s\n",_("CRITICAL - Cannot retrieve server certificate."));
116 return STATE_CRITICAL;
117 }
119 /* Extract CN from certificate subject */
120 subj=X509_get_subject_name(certificate);
122 if(! subj){
123 printf ("%s\n",_("CRITICAL - Cannot retrieve certificate subject."));
124 return STATE_CRITICAL;
125 }
126 cnlen = X509_NAME_get_text_by_NID (subj, NID_commonName, cn, sizeof(cn));
127 if ( cnlen == -1 )
128 strcpy(cn , _("Unknown CN"));
130 /* Retrieve timestamp of certificate */
131 tm = X509_get_notAfter (certificate);
133 /* Generate tm structure to process timestamp */
134 if (tm->type == V_ASN1_UTCTIME) {
135 if (tm->length < 10) {
136 printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));
137 return STATE_CRITICAL;
138 } else {
139 stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0');
140 if (stamp.tm_year < 50)
141 stamp.tm_year += 100;
142 offset = 0;
143 }
144 } else {
145 if (tm->length < 12) {
146 printf ("%s\n", _("CRITICAL - Wrong time format in certificate."));
147 return STATE_CRITICAL;
148 } else {
149 stamp.tm_year =
150 (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 +
151 (tm->data[2] - '0') * 10 + (tm->data[3] - '0');
152 stamp.tm_year -= 1900;
153 offset = 2;
154 }
155 }
156 stamp.tm_mon =
157 (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1;
158 stamp.tm_mday =
159 (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0');
160 stamp.tm_hour =
161 (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0');
162 stamp.tm_min =
163 (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0');
164 stamp.tm_sec = 0;
165 stamp.tm_isdst = -1;
167 time_left = difftime(timegm(&stamp), time(NULL));
168 days_left = time_left / 86400;
169 snprintf
170 (timestamp, 17, "%02d/%02d/%04d %02d:%02d",
171 stamp.tm_mon + 1,
172 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
174 if (days_left > 0 && days_left <= days_till_exp) {
175 printf (_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
176 status=STATE_WARNING;
177 } else if (time_left < 0) {
178 printf (_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
179 status=STATE_CRITICAL;
180 } else if (days_left == 0) {
181 printf (_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
182 status=STATE_WARNING;
183 } else {
184 printf (_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
185 status=STATE_OK;
186 }
187 X509_free (certificate);
188 return status;
189 # else /* ifndef USE_OPENSSL */
190 printf ("%s\n", _("WARNING - Plugin does not support checking certificates."));
191 return STATE_WARNING;
192 # endif /* USE_OPENSSL */
193 }
195 #endif /* HAVE_SSL */