authorEirik Oeverby <ltning@anduin.net>2009-03-10 20:05:30 +0100
committerEirik Oeverby <ltning@anduin.net>2009-03-10 20:05:30 +0100
commit4ac09def4160c485483bf5f62e8c48c7489fc5eb (patch)
tree0f9bba5b2df59fb5a89d587c100039a98fa78751 /config/stunnel.xml
parent50ce5f7126734ef81239948f109ea70bdf124dec (diff)
Added certificate management
Major change that allows assigning certificates to tunnels. Certificates are managed on a separate tab, but they must be generated manually on another system and pasted in together with their RSA keys. The certificate status display lists each certificate's status, including the number of days until expiry.
Diffstat (limited to 'config/stunnel.xml')
-rw-r--r--config/stunnel.xml107
1 files changed, 50 insertions, 57 deletions
diff --git a/config/stunnel.xml b/config/stunnel.xml
index 64c9becd..6ea9f99f 100644
--- a/config/stunnel.xml
+++ b/config/stunnel.xml
@@ -51,11 +51,35 @@
<section>Services</section>
<configfile>stunnel.xml</configfile>
</menu>
+
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0644</chmod>
+ <item>http://www.pfsense.com/packages/config/stunnel/stunnel.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0644</chmod>
+ <item>http://www.pfsense.com/packages/config/stunnel/stunnel_certs.xml</item>
+ </additional_files_needed>
<!-- configpath gets expanded out automatically and config items will be
stored in that location -->
<configpath>['installedpackages']['package']['$packagename']['configuration']</configpath>
+
+ <tabs>
+ <tab>
+ <text>Tunnels</text>
+ <url>/pkg.php?xml=stunnel.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Certificates</text>
+ <url>/pkg.php?xml=stunnel_certs.xml</url>
+ </tab>
+ </tabs>
+
<!-- adddeleteeditpagefields items will appear on the first page where you can add / delete or edit
- items. An example of this would be the nat page where you add new nat redirects -->
+ items. An example of this would be the nat page where you add new nat redirects -->
<adddeleteeditpagefields>
<columnitem>
<fielddescr>Description</fielddescr>
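Review bot: Both `<additional_files_needed>` items are fetched over plain `http://` and carry no checksum, and the first of them, `stunnel.inc`, is PHP that the `<include_file>` element added later in this diff executes inside the GUI, so the code that runs at install and save time is only as trustworthy as that unauthenticated download. If the package framework of this era offers neither an https source nor a hash element, record the limitation next to the items, e.g. `<!-- fetched over plain http with no integrity check; verify/pin once the framework supports it -->`, so it is revisited rather than silently inherited. The `<tabs>` block in the same hunk raises nothing on its own.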
@@ -70,6 +94,10 @@
<fieldname>localport</fieldname>
</columnitem>
<columnitem>
+ <fielddescr>Certificate</fielddescr>
+ <fieldname>certificatelink</fieldname>
+ </columnitem>
+ <columnitem>
<fielddescr>Redirects to IP</fielddescr>
<fieldname>redirectip</fieldname>
</columnitem>
@@ -100,6 +128,16 @@
<type>input</type>
</field>
<field>
+ <fielddescr>Certificate</fielddescr>
+ <fieldname>certificate</fieldname>
+ <description>Select server certificate to use for this tunnel. Certificates are defined on the 'Certificates' page.</description>
+ <type>select</type>
+ <options>
+ <option><name> --- default --- </name><value></value></option>
+ </options>
+ <default_value></default_value>
+ </field>
+ <field>
<fielddescr>Redirects to IP</fielddescr>
<fieldname>redirectip</fieldname>
<description>Enter the IP address to redirect this to.</description>
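Review bot: The only `<option>` the new certificate select ships with is ` --- default --- ` with an empty `<value>`, and nothing in the field says what a tunnel with an empty `certificate` ends up using, now that the self-signed stunnel.pem generation has moved out of this file. I would extend the `<description>` with one sentence stating what an empty selection falls back to, whatever `stunnel_save()` in stunnel.inc does with it; that behaviour is not visible here. The real certificate entries are presumably appended at runtime by `stunnel_addcerts($config)` from `custom_php_after_form_command` further down, which is worth saying in a comment inside `<options>` so the single placeholder entry does not look like a mistake. Note also that the option name carries leading and trailing spaces, which become part of the displayed text.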
@@ -117,72 +155,27 @@
<description>Enter the source IP address for outgoing connections.</description>
<type>input</type>
</field>
-
</fields>
+
<service>
<name>stunnel</name>
<rcfile>/usr/local/etc/rc.d/stunnel.sh</rcfile>
<executable>stunnel</executable>
</service>
+
+ <include_file>/usr/local/pkg/stunnel.inc</include_file>
+
<custom_add_php_command_late>
- <![CDATA[
- conf_mount_rw();
- config_lock();
- $fout = fopen("/usr/local/etc/stunnel/stunnel.conf","w");
- fwrite($fout, "cert = /usr/local/etc/stunnel/stunnel.pem \n");
- fwrite($fout, "chroot = /var/tmp/stunnel \n");
- fwrite($fout, "setuid = stunnel \n");
- fwrite($fout, "setgid = stunnel \n");
- foreach($config['installedpackages']['stunnel']['config'] as $pkgconfig) {
- fwrite($fout, "\n[" . $pkgconfig['description'] . "]\n");
- if($pkgconfig['sourceip']) fwrite($fout, "local = " . $pkgconfig['sourceip'] . "\n");
- fwrite($fout, "accept = " . $pkgconfig['localip'] . ":" . $pkgconfig['localport'] . "\n");
- fwrite($fout, "connect = " . $pkgconfig['redirectip'] . ":" . $pkgconfig['redirectport'] . "\n");
- fwrite($fout, "TIMEOUTclose = 0\n\n");
- }
- fclose($fout);
- conf_mount_ro();
- config_unlock();
- system("/usr/local/etc/rc.d/stunnel.sh stop 2>/dev/null");
- system("/usr/local/etc/rc.d/stunnel.sh start 2>/dev/null");
- ]]>
+ stunnel_save($config);
</custom_add_php_command_late>
<custom_php_install_command>
- <![CDATA[
- safe_mkdir("/usr/local/etc/stunnel");
- system("/usr/bin/openssl req -new -x509 -days 365 -nodes -out /usr/local/etc/stunnel/stunnel.pem -keyout /usr/local/etc/stunnel/stunnel.pem 2>/dev/null");
- chmod("/usr/local/etc/stunnel/stunnel.pem", 600);
- make_dirs("/var/tmp/stunnel/var/tmp/run/stunnel");
- system("/usr/sbin/chown -R stunnel:stunnel /var/tmp/stunnel");
- $_rcfile['file']='stunnel.sh';
- $_rcfile['start'].="/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf \n\t";
- $_rcfile['stop'].="killall stunnel \n\t";
- write_rcfile($_rcfile);
- unlink_if_exists("/usr/local/etc/rc.d/stunnel");
- conf_mount_rw();
- config_lock();
- $fout = fopen("/usr/local/etc/stunnel/stunnel.conf","w");
- fwrite($fout, "cert = /usr/local/etc/stunnel/stunnel.pem \n");
- fwrite($fout, "chroot = /var/tmp/stunnel \n");
- fwrite($fout, "setuid = stunnel \n");
- fwrite($fout, "setgid = stunnel \n");
- foreach($config['installedpackages']['stunnel']['config'] as $pkgconfig) {
- fwrite($fout, "\n[" . $pkgconfig['description'] . "]\n");
- if($pkgconfig['sourceip']) fwrite($fout, "local = " . $pkgconfig['sourceip'] . "\n");
- fwrite($fout, "accept = " . $pkgconfig['localip'] . ":" . $pkgconfig['localport'] . "\n");
- fwrite($fout, "connect = " . $pkgconfig['redirectip'] . ":" . $pkgconfig['redirectport'] . "\n");
- fwrite($fout, "TIMEOUTclose = 0\n\n");
- }
- fclose($fout);
- conf_mount_ro();
- config_unlock();
- ]]>
+ stunnel_install();
</custom_php_install_command>
<custom_php_deinstall_command>
- <![CDATA[
- rmdir_recursive("/var/tmp/stunnel");
- rmdir_recursive("/usr/local/etc/stunnel*");
- unlink_if_exists("/usr/local/etc/rc.d/stunnel.sh");
- ]]>
+ stunnel_deinstall();
</custom_php_deinstall_command>
+ <custom_php_after_form_command>
+ stunnel_addcerts($config);
+ </custom_php_after_form_command>
+
</packagegui>
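Review bot: After this hunk the install, save, deinstall and after-form hooks each reduce to a single call into `/usr/local/pkg/stunnel.inc`, which is outside this file's diff, so none of the protections the removed inline code applied — the `chroot`/`setuid`/`setgid` lines written into stunnel.conf, the restrictive mode on the key file, the ownership of the chroot directory, and the `config_lock()`/`conf_mount_rw()` bracket around the config write — can be confirmed from stunnel.xml any more. I would add a pointer next to `<include_file>` such as `<!-- install/save/deinstall logic lives in stunnel.inc: stunnel_install(), stunnel_save(), stunnel_deinstall(); stunnel_addcerts() runs after the form is rendered -->` so a reader knows where the behaviour now sits. Whether `stunnel_addcerts($config)` fills the certificate select and whether `stunnel_save()` still serialises the config write is presumably the case but cannot be verified here.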