1 /******************************************************************************
6 * Created: Oct 09 2010 19:14:12
7 * Last modified: Oct 09 2010 19:14:12
9 * Author: Ladislav Láska
10 * e-mail: ladislav.laska@gmail.com
12 ******************************************************************************/
14 #define _XOPEN_SOURCE 500
16 #include <gnutls/gnutls.h>
17 #include <gnutls/x509.h>
20 #include <sys/types.h>
21 #include <sys/socket.h>
31 int warning_after = 30;
48 int tcp_open( char *hostname, char *service ) {
49 struct addrinfo hints;
50 struct addrinfo *result, *result_ptr;
54 memset(&hints, 0, sizeof(struct addrinfo));
55 hints.ai_family = AF_UNSPEC;
56 hints.ai_socktype = SOCK_STREAM;
57 err = getaddrinfo(hostname, service, &hints, &result);
59 fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(err));
63 for (result_ptr = result; result_ptr != NULL; result_ptr = result_ptr->ai_next) {
64 sfd = socket(result_ptr->ai_family, result_ptr->ai_socktype,
65 result_ptr->ai_protocol);
66 if (sfd == -1) continue;
68 if (connect(sfd, result_ptr->ai_addr, result_ptr->ai_addrlen) != -1)
71 close(sfd); /* connect(2) failed. */
74 if (result_ptr == NULL) {
75 /* No address succeeded */
84 int check( char * hostname, char *service ) {
88 gnutls_session_t session;
89 gnutls_certificate_credentials_t xcred;
93 err = gnutls_certificate_allocate_credentials( &xcred );
94 if (err < 0) gnutls_die(err);
96 err = gnutls_init( &session, GNUTLS_CLIENT );
97 if (err < 0) gnutls_die(err);
100 err = gnutls_priority_set_direct(session, "EXPORT", NULL);
101 if (err < 0) gnutls_die(err);
103 err = gnutls_credentials_set( session, GNUTLS_CRD_CERTIFICATE, xcred );
104 if (err < 0) gnutls_die(err);
106 /* Connect to server */
108 long fd = tcp_open( hostname, service );
111 state= S_UNREACHABLE;
117 switch (use_starttls) {
119 starttls_ok = smtp_starttls(fd);
122 die("STARTTLS for IMAP not implemented yet.");
125 /* Don't use STARTTLS */
129 die("Unknown STARTTLS protocol requested.");
133 die("STARTTLS failed silently. This shouldn't happen.");
135 /* Socket opened, establish tls connection */
137 /* Associate socket with session */
138 gnutls_transport_set_ptr( session, (gnutls_transport_ptr_t) fd );
141 err = gnutls_handshake( session );
142 if (err < 0) gnutls_die(err);
144 /* Get server certificate. */
145 const gnutls_datum_t *cert_list;
146 unsigned int cert_list_size = 0;
147 time_t expiration_time, today;
148 gnutls_x509_crt_t cert;
150 if ( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 ) {
155 cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
159 for (int i = 0; i < cert_list_size; i++) {
160 gnutls_x509_crt_init( &cert );
161 gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER );
162 expiration_time = gnutls_x509_crt_get_expiration_time( cert );
163 int expires_in = (expiration_time - today) / 86400;
164 struct tm * t = gmtime( &expiration_time );
165 if ((state == S_OK) && (expires_in <= warning_after)) {
167 sprintf(errmsg, "Warning - Will expire in %i days (%i-%02i-%02i).", expires_in,
168 t->tm_year+1900, t->tm_mon+1, t->tm_mday );
170 if ((state <= S_WARNING) && (expires_in <= error_after)) {
172 sprintf(errmsg, "Critical - Will expire in %i days (%i-%02i-%02i).", expires_in,
173 t->tm_year+1900, t->tm_mon+1, t->tm_mday );
176 sprintf(errmsg, "OK - Will expire in %i days (%i-%02i-%02i).", expires_in,
177 t->tm_year+1900, t->tm_mon+1, t->tm_mday );
183 /* This could use some other parameter. */
184 switch (use_starttls) {
189 die("IMAP not implemented yet.");
194 // err = gnutls_bye( session, GNUTLS_SHUT_WR );
195 // if (err < 0) gnutls_die(err);
198 gnutls_deinit( session );
199 gnutls_certificate_free_credentials( xcred );
204 void log_func( int level, char *msg ) {
205 fprintf(stderr, "[%2i] %s", level, msg);
209 * This signal handler is wrong, but it's just a failsafe.
211 void sig_handler(int k) {
212 fputs("Timeout.\n", stderr);
216 int main(int argc, char **argv) {
217 char *hostname = NULL;
218 char *service = NULL;
222 while ((opt = getopt(argc, argv, "hvSIw:c:H:p:s:t:")) != -1) {
225 warning_after = atoi(optarg);
228 error_after = atoi(optarg);
231 hostname = strdup(optarg);
234 timeout = atoi( optarg );
235 if (timeout < 0) die("Timeout must be >= 0");
239 if (service != NULL) die("Only one service can be specified.");
240 service = strdup(optarg);
249 use_starttls = P_SMTP;
252 use_starttls = P_IMAP;
258 if (!hostname) die("No address to try.");
259 if (!service) die("No service given.");
261 gnutls_global_set_log_function((gnutls_log_func) log_func);
262 gnutls_global_set_log_level(LOG_LEVEL);
265 /* Initialize gnutls */
267 if ((err = gnutls_global_init())) {
272 sprintf(errmsg, "OK");
278 /* TODO: doesn't work. */
279 signal(SIGALRM, sig_handler);
283 state = check(hostname, service);
288 sprintf(errmsg, "Connection refused.");
292 sprintf(errmsg, "No X509 certificate to check.");
294 sprintf(errmsg, "Internal error %i.", state);
299 gnutls_global_deinit();
304 printf("%s\n", errmsg);
305 return (state < 0) ? 127 : state;
310 "Usage: cert-checker [options] -H hostname -p|s port|service\n"
311 " Where options could be: \n"
313 " -H hostname target hostname\n"
314 " -s|p service port or service (as in /etc/services)\n"
315 " -w n warning level (in days, default 30)\n"
316 " -c n critical level (in days, default 7)\n"
317 " -v verbosity level\n"
318 " -t n timeout (in seconds, n=0 disables timeout\n"
319 " -S use SMTP/STARTLS\n"
320 " -I use IMAP/STARTLS\n"