|
| 1 | +diff --git a/lib/utils_base.c b/lib/utils_base.c |
| 2 | +index fbf66810..f8592f41 100644 |
| 3 | +--- a/lib/utils_base.c |
| 4 | ++++ b/lib/utils_base.c |
| 5 | +@@ -401,26 +401,45 @@ int mp_translate_state (char *state_text) { |
| 6 | + * parse of argv, so that uniqueness in parameters are reflected there. |
| 7 | + */ |
| 8 | + char *_np_state_generate_key() { |
| 9 | +- struct sha256_ctx ctx; |
| 10 | + int i; |
| 11 | + char **argv = this_monitoring_plugin->argv; |
| 12 | +- unsigned char result[20]; |
| 13 | + char keyname[41]; |
| 14 | + char *p=NULL; |
| 15 | + |
| 16 | +- sha256_init_ctx(&ctx); |
| 17 | +- |
| 18 | ++ unsigned char result[256]; |
| 19 | ++ |
| 20 | ++#ifdef USE_OPENSSL |
| 21 | ++ /* |
| 22 | ++ * This code path is chosen if openssl is available (which should be the most common |
| 23 | ++ * scenario). Alternatively, the gnulib implementation/ |
| 24 | ++ * |
| 25 | ++ */ |
| 26 | ++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
| 27 | ++ |
| 28 | ++ EVP_DigestInit(ctx, EVP_sha256()); |
| 29 | ++ |
| 30 | ++ for(i=0; i<this_monitoring_plugin->argc; i++) { |
| 31 | ++ EVP_DigestUpdate(ctx, argv[i], strlen(argv[i])); |
| 32 | ++ } |
| 33 | ++ |
| 34 | ++ EVP_DigestFinal(ctx, result, NULL); |
| 35 | ++#else |
| 36 | ++ |
| 37 | ++ struct sha256_ctx ctx; |
| 38 | ++ |
| 39 | + for(i=0; i<this_monitoring_plugin->argc; i++) { |
| 40 | + sha256_process_bytes(argv[i], strlen(argv[i]), &ctx); |
| 41 | + } |
| 42 | + |
| 43 | +- sha256_finish_ctx(&ctx, &result); |
| 44 | +- |
| 45 | ++ sha256_finish_ctx(&ctx, result); |
| 46 | ++#endif // FOUNDOPENSSL |
| 47 | ++ |
| 48 | + for (i=0; i<20; ++i) { |
| 49 | + sprintf(&keyname[2*i], "%02x", result[i]); |
| 50 | + } |
| 51 | ++ |
| 52 | + keyname[40]='\0'; |
| 53 | +- |
| 54 | ++ |
| 55 | + p = strdup(keyname); |
| 56 | + if(p==NULL) { |
| 57 | + die(STATE_UNKNOWN, _("Cannot execute strdup: %s"), strerror(errno)); |
| 58 | +diff --git a/lib/utils_base.h b/lib/utils_base.h |
| 59 | +index 4335ae3a..9d4dffed 100644 |
| 60 | +--- a/lib/utils_base.h |
| 61 | ++++ b/lib/utils_base.h |
| 62 | +@@ -2,7 +2,9 @@ |
| 63 | + #define _UTILS_BASE_ |
| 64 | + /* Header file for Monitoring Plugins utils_base.c */ |
| 65 | + |
| 66 | +-#include "sha256.h" |
| 67 | ++#ifndef USE_OPENSSL |
| 68 | ++# include "sha256.h" |
| 69 | ++#endif |
| 70 | + |
| 71 | + /* This file holds header information for thresholds - use this in preference to |
| 72 | + individual plugin logic */ |
| 73 | +diff --git a/plugins/sslutils.c b/plugins/sslutils.c |
| 74 | +index 666a0120..6bc0ba81 100644 |
| 75 | +--- a/plugins/sslutils.c |
| 76 | ++++ b/plugins/sslutils.c |
| 77 | +@@ -31,9 +31,8 @@ |
| 78 | + #include "netutils.h" |
| 79 | + |
| 80 | + #ifdef HAVE_SSL |
| 81 | +-static SSL_CTX *c=NULL; |
| 82 | ++static SSL_CTX *ctx=NULL; |
| 83 | + static SSL *s=NULL; |
| 84 | +-static int initialized=0; |
| 85 | + |
| 86 | + int np_net_ssl_init(int sd) { |
| 87 | + return np_net_ssl_init_with_hostname(sd, NULL); |
| 88 | +@@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi |
| 89 | + } |
| 90 | + |
| 91 | + int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { |
| 92 | +- const SSL_METHOD *method = NULL; |
| 93 | + long options = 0; |
| 94 | + |
| 95 | ++ if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { |
| 96 | ++ printf("%s\n", _("CRITICAL - Cannot create SSL context.")); |
| 97 | ++ return STATE_CRITICAL; |
| 98 | ++ } |
| 99 | ++ |
| 100 | + switch (version) { |
| 101 | + case MP_SSLv2: /* SSLv2 protocol */ |
| 102 | +-#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) |
| 103 | + printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); |
| 104 | + return STATE_UNKNOWN; |
| 105 | +-#else |
| 106 | +- method = SSLv2_client_method(); |
| 107 | +- break; |
| 108 | +-#endif |
| 109 | + case MP_SSLv3: /* SSLv3 protocol */ |
| 110 | + #if defined(OPENSSL_NO_SSL3) |
| 111 | + printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); |
| 112 | + return STATE_UNKNOWN; |
| 113 | + #else |
| 114 | +- method = SSLv3_client_method(); |
| 115 | ++ SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
| 116 | ++ SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); |
| 117 | + break; |
| 118 | + #endif |
| 119 | + case MP_TLSv1: /* TLSv1 protocol */ |
| 120 | +@@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int |
| 121 | + printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); |
| 122 | + return STATE_UNKNOWN; |
| 123 | + #else |
| 124 | +- method = TLSv1_client_method(); |
| 125 | ++ SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
| 126 | ++ SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); |
| 127 | + break; |
| 128 | + #endif |
| 129 | + case MP_TLSv1_1: /* TLSv1.1 protocol */ |
| 130 | +@@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int |
| 131 | + printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); |
| 132 | + return STATE_UNKNOWN; |
| 133 | + #else |
| 134 | +- method = TLSv1_1_client_method(); |
| 135 | ++ SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
| 136 | ++ SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); |
| 137 | + break; |
| 138 | + #endif |
| 139 | + case MP_TLSv1_2: /* TLSv1.2 protocol */ |
| 140 | +@@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int |
| 141 | + printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); |
| 142 | + return STATE_UNKNOWN; |
| 143 | + #else |
| 144 | +- method = TLSv1_2_client_method(); |
| 145 | ++ SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
| 146 | ++ SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); |
| 147 | + break; |
| 148 | + #endif |
| 149 | + case MP_TLSv1_2_OR_NEWER: |
| 150 | +@@ -97,56 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int |
| 151 | + printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); |
| 152 | + return STATE_UNKNOWN; |
| 153 | + #else |
| 154 | +- options |= SSL_OP_NO_TLSv1_1; |
| 155 | ++ SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); |
| 156 | ++ break; |
| 157 | + #endif |
| 158 | +- /* FALLTHROUGH */ |
| 159 | + case MP_TLSv1_1_OR_NEWER: |
| 160 | + #if !defined(SSL_OP_NO_TLSv1) |
| 161 | + printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); |
| 162 | + return STATE_UNKNOWN; |
| 163 | + #else |
| 164 | +- options |= SSL_OP_NO_TLSv1; |
| 165 | ++ SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); |
| 166 | ++ break; |
| 167 | + #endif |
| 168 | +- /* FALLTHROUGH */ |
| 169 | + case MP_TLSv1_OR_NEWER: |
| 170 | + #if defined(SSL_OP_NO_SSLv3) |
| 171 | +- options |= SSL_OP_NO_SSLv3; |
| 172 | ++ SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); |
| 173 | ++ break; |
| 174 | + #endif |
| 175 | +- /* FALLTHROUGH */ |
| 176 | + case MP_SSLv3_OR_NEWER: |
| 177 | + #if defined(SSL_OP_NO_SSLv2) |
| 178 | +- options |= SSL_OP_NO_SSLv2; |
| 179 | ++ SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); |
| 180 | ++ break; |
| 181 | + #endif |
| 182 | +- case MP_SSLv2_OR_NEWER: |
| 183 | +- /* FALLTHROUGH */ |
| 184 | +- default: /* Default to auto negotiation */ |
| 185 | +- method = SSLv23_client_method(); |
| 186 | +- } |
| 187 | +- if (!initialized) { |
| 188 | +- /* Initialize SSL context */ |
| 189 | +- SSLeay_add_ssl_algorithms(); |
| 190 | +- SSL_load_error_strings(); |
| 191 | +- OpenSSL_add_all_algorithms(); |
| 192 | +- initialized = 1; |
| 193 | +- } |
| 194 | +- if ((c = SSL_CTX_new(method)) == NULL) { |
| 195 | +- printf("%s\n", _("CRITICAL - Cannot create SSL context.")); |
| 196 | +- return STATE_CRITICAL; |
| 197 | + } |
| 198 | ++ |
| 199 | + if (cert && privkey) { |
| 200 | + #ifdef USE_OPENSSL |
| 201 | +- if (!SSL_CTX_use_certificate_chain_file(c, cert)) { |
| 202 | ++ if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { |
| 203 | + #elif USE_GNUTLS |
| 204 | +- if (!SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM)) { |
| 205 | ++ if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { |
| 206 | + #else |
| 207 | + #error Unported for unknown SSL library |
| 208 | + #endif |
| 209 | + printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); |
| 210 | + return STATE_CRITICAL; |
| 211 | + } |
| 212 | +- SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM); |
| 213 | ++ SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); |
| 214 | + #ifdef USE_OPENSSL |
| 215 | +- if (!SSL_CTX_check_private_key(c)) { |
| 216 | ++ if (!SSL_CTX_check_private_key(ctx)) { |
| 217 | + printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); |
| 218 | + return STATE_CRITICAL; |
| 219 | + } |
| 220 | +@@ -155,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int |
| 221 | + #ifdef SSL_OP_NO_TICKET |
| 222 | + options |= SSL_OP_NO_TICKET; |
| 223 | + #endif |
| 224 | +- SSL_CTX_set_options(c, options); |
| 225 | +- SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); |
| 226 | +- if ((s = SSL_new(c)) != NULL) { |
| 227 | ++ SSL_CTX_set_options(ctx, options); |
| 228 | ++ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); |
| 229 | ++ if ((s = SSL_new(ctx)) != NULL) { |
| 230 | + #ifdef SSL_set_tlsext_host_name |
| 231 | + if (host_name != NULL) |
| 232 | + SSL_set_tlsext_host_name(s, host_name); |
| 233 | +@@ -184,9 +173,9 @@ void np_net_ssl_cleanup() { |
| 234 | + #endif |
| 235 | + SSL_shutdown(s); |
| 236 | + SSL_free(s); |
| 237 | +- if (c) { |
| 238 | +- SSL_CTX_free(c); |
| 239 | +- c=NULL; |
| 240 | ++ if (ctx) { |
| 241 | ++ SSL_CTX_free(ctx); |
| 242 | ++ ctx=NULL; |
| 243 | + } |
| 244 | + s=NULL; |
| 245 | + } |
0 commit comments