From 7eb6cc05d96aa980ce1ac99a98b67a6d26ba0c87 Mon Sep 17 00:00:00 2001
From: Jan Wagner <waja@cyconet.org>
Date: Sun, 12 Jun 2016 15:52:00 +0200
Subject: [PATCH] check_openvpn: Update to 20151106

---
 check_openvpn/check_openvpn | 167 +++++++++++++++++++++++++++---------
 check_openvpn/control       |   2 +-
 2 files changed, 126 insertions(+), 43 deletions(-)

diff --git a/check_openvpn/check_openvpn b/check_openvpn/check_openvpn
index f91fab7..d851939 100644
--- a/check_openvpn/check_openvpn
+++ b/check_openvpn/check_openvpn
@@ -2,9 +2,9 @@
 
 # Check if an OpenVPN server runs on a given UDP port.
 #
-# Copyright 2013 Roland Wolters, credativ GmbH
+# Copyright 2013 Roland Wolters
 #
-# Version 20130904
+# Version 20151106
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -25,62 +25,145 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-import sys
+import os
+import time
+import hmac
+import hashlib
+import struct
 import socket
 import argparse
 import binascii
 
+HMAC_CLIENT_KEY_START = 192
+BUFFER_SIZE = 1024
+
 def ok(msg):
-    print "OK: %s" % msg
-    sys.exit(0)
+    print 'OK: %s' % msg
+    return 0
 
 def critical(msg):
-    print "CRIT: %s" % msg
-    sys.exit(2)
+    print 'CRIT: %s' % msg
+    return 2
 
-def checkserver(host,port,proto):
-    byte_stream = "\x38\x01\x00\x00\x00\x00\x00\x00\x00"
+def buildpacket(tcp, key, digestmod):
+    packet = 1
+    ts = int(time.time())
+    session = os.urandom(8)
+    
+    if key:
+        # hmac
+        h = hmac.new(key, digestmod=digestmod)
+        h.update(struct.pack('>I', packet)) # packet id
+        h.update(struct.pack('>I', ts)) # net time
+        h.update('\x38') # type
+        h.update(session) # session id
+        h.update(struct.pack('>B', 0)) # message packet id array length
+        h.update(struct.pack('>I', 0)) # message packet id
+    
+    # packet
+    result = ''
+    result += '\x38' # type
+    result += session # session id
+    if key: result += h.digest() # hmac
+    result += struct.pack('>I', packet) # packet id
+    result += struct.pack('>I', ts) # net time
+    result += struct.pack('>B', 0) # message packet id array length
+    result += struct.pack('>I', 0) # message packet id
+    if tcp: result = struct.pack('>H', len(result)) + result
+    return result
 
-    if proto:
-        ovpn_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    else:
-        ovpn_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-
-    ovpn_sock.settimeout(5)
+def checkserver(host, port, tcp, timeout, key, digest):
+    packet = buildpacket(tcp, key, digest)
+    if tcp: checkserver_tcp(host, port, timeout, packet)
+    else: checkserver_udp(host, port, timeout, packet)
 
+def checkserver_udp(host, port, timeout, packet):
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    s.settimeout(timeout)
+    
     try:
-        ovpn_sock.connect((host, port))
-        ovpn_sock.sendto(byte_stream, (host, port))
-        data, addr = ovpn_sock.recvfrom(1024) # buffer size is 1024 bytes
+        s.sendto(packet, (host, port))
+        data, _ = s.recvfrom(BUFFER_SIZE)
         reply = binascii.hexlify(data)
-        if proto:
-            ok("OpenVPN tcp port reachable.")
-        else:
-            ok("OpenVPN server response (hex): %s" % reply)
-    except socket.timeout:
-        critical("Request timed out")
-        ovpn_sock.close()
-    except (socket.error, Exception):
-        critical("OpenVPN server not responding")
-        ovpn_sock.close()
+        return ok('OpenVPN UDP server response (hex): %s' % reply)
+    except:
+        return critical('OpenVPN UDP server not responding')
+    finally:
+        s.close()
 
-    ovpn_sock.close()
-    return data
+def checkserver_tcp(host, port, timeout, packet):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.settimeout(timeout)
+    
+    try:
+        s.connect((host, port))
+        s.send(packet)
+        data = s.recv(BUFFER_SIZE)
+        if len(data) <= 0: raise RuntimeError
+        reply = binascii.hexlify(data)
+        return ok('OpenVPN TCP server response (hex): %s' % reply)
+    except:
+        return critical('OpenVPN TCP server not responding')
+    finally:
+        s.close()
 
-def optionsparser():
+def readkey(path):
+    key = None
+    try:
+        with open(path, 'r') as myfile: key = myfile.read()
+    except:
+        return None
+    index_start = key.find('-\n');
+    index_end = key.find('\n-', index_start);
+    if index_start < 0 or index_end < 0 or index_end <= index_start:
+        return None
+    index_start += 2
+    key = key[index_start:index_end].replace('\n', '').replace('\r', '')
+    return key
+
+def optionsparser(args=None):
     parser = argparse.ArgumentParser()
-    parser.add_argument("-p","--port", help="set port number",
-    type=int, dest="port", default="1194")
-    parser.add_argument("-t","--tcp", help="use tcp instead of udp",
-    action="store_true")
-    parser.add_argument("host", type=str, help="the OpenVPN host name or ip")
-    return parser.parse_args()
+    parser.add_argument('-p', '--port', help='set port number (default is %%default)', type=int, dest='port', default='1194')
+    parser.add_argument('-t', '--tcp', help='use tcp instead of udp', action='store_true')
+    parser.add_argument('--timeout', help='set timeout (default is %%default)', type=int, default='5')
+    parser.add_argument('--digest', help='set HMAC digest (default is %%default)', type=str, default='sha1')
+    parser.add_argument('--digest-size', help='set HMAC digest size', type=int)
+    parser.add_argument('--digest-key', help='set HMAC key', type=str, default=None)
+    parser.add_argument('--tls-auth', help='set tls-auth file', type=str, default=None)
+    parser.add_argument('host', type=str, help='the OpenVPN host name or ip')
+    return parser.parse_args(args)
 
 def main():
-    arguments = optionsparser()
+    args = optionsparser()
+    
+    if args.digest_size and args.digest_size < 0:
+        critical('digest size must be positive')
+    if args.tls_auth and args.digest_key:
+        critical('--tls-auth cannot go with --digest-key')
+    
+    key = args.digest_key
+    digest = args.digest
+    digest_size = args.digest_size
+        
+    digest = digest.lower()
+    if digest not in hashlib.algorithms:
+        return critical('digest not available')
+    try:
+        digest = getattr(hashlib, digest)
+        if not digest_size: digest_size = digest().digest_size
+    except:
+        return critical('digest creation failed')
+    
+    if args.tls_auth:
+        key = readkey(args.tls_auth)
+        if key == None: return critical('cannot read tls auth file')
+        index_start = HMAC_CLIENT_KEY_START * 2
+        index_end = (HMAC_CLIENT_KEY_START + digest_size) * 2
+        key = key[index_start:index_end]
+    
+    if key: key = binascii.unhexlify(key)
+    
+    return checkserver(args.host, args.port, args.tcp, args.timeout, key, digest)
 
-    data = checkserver(arguments.host,arguments.port,arguments.tcp)
-
-if __name__ == "__main__":
+if __name__ == '__main__':
     main()
-
diff --git a/check_openvpn/control b/check_openvpn/control
index 8f14f75..b9c8a42 100644
--- a/check_openvpn/control
+++ b/check_openvpn/control
@@ -1,6 +1,6 @@
 Homepage: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn
 Watch: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn Version\ ([0-9.]+)
 Recommends: libpython-stdlib
-Version: 20130904
+Version: 20151106
 Uploaders: Jan Wagner <waja@cyconet.org>
 Description: plugin to check if an OpenVPN server runs on a given port