authorEirik Oeverby <ltning@anduin.net>2009-03-10 20:05:30 +0100
committerEirik Oeverby <ltning@anduin.net>2009-03-10 20:05:30 +0100
commit4ac09def4160c485483bf5f62e8c48c7489fc5eb (patch)
tree0f9bba5b2df59fb5a89d587c100039a98fa78751 /config/stunnel/stunnel.inc
parent50ce5f7126734ef81239948f109ea70bdf124dec (diff)
Added certificate management
Major change which allows assigning certificates to tunnels. Certificates are managed on a separate tab, but they must be generated manually on another system and pasted in along with their RSA keys. The certificate status display lists each certificate's status, including the number of days until expiry.
Diffstat (limited to 'config/stunnel/stunnel.inc')
-rw-r--r--config/stunnel/stunnel.inc232
1 files changed, 232 insertions, 0 deletions
diff --git a/config/stunnel/stunnel.inc b/config/stunnel/stunnel.inc
new file mode 100644
index 00000000..62558e34
--- /dev/null
+++ b/config/stunnel/stunnel.inc
@@ -0,0 +1,232 @@
+<?php
+
+if(!isset($_GET['id']) and !isset($_POST['id'])) {
+ if($GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']) {
+ $savemsg=$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'];
+ unset($GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']);
+ write_config();
+ }
+
+}
+
+if(isset($_GET['id'])) {
+ $config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_chain']=
+ base64_decode($config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_chain']);
+ $config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_key']=
+ base64_decode($config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_key']);
+}
+
+$certs=$config['installedpackages']['stunnelcerts']['config'];
+is_array($certs) ? $num_certs=count($certs) : $num_certs=0;
+if(!isset($_GET['id']) and !isset($_POST['id']) and $num_certs) {
+ for ($i=0;$i<$num_certs;$i++) {
+ $cert=$certs[$i];
+ $_info=openssl_x509_parse(base64_decode($cert['cert_chain']));
+ $valid=floor(($_info['validTo_time_t']-time())/86400);
+ if(!openssl_x509_check_private_key(base64_decode($cert['cert_chain']), base64_decode($cert['cert_key']))) {
+ $_status='<font color="#AA0000"><b>Invalid key/cert!</b></font>';
+ } elseif($valid<30) {
+ $_status='<font color="#B27D4B">Expires in '.$valid.' days!</font>';
+ } else {
+ $_status='<font color="#008800">OK ('.$valid.' days)</font>';
+ }
+ $config['installedpackages']['stunnelcerts']['config'][$i]['status']=$_status;
+ }
+}
+
+
+$tunnels=$config['installedpackages']['stunnel']['config'];
+is_array($tunnels) ? $num_tunnels=count($tunnels) : $num_tunnels=0;
+if(!isset($_GET['id']) and $num_tunnels) {
+ for ($i=0;$i<$num_tunnels;$i++) {
+ $tunnel=$tunnels[$i];
+ if($tunnel['certificate']) {
+ $certid=0;
+ if(is_array($config['installedpackages']['stunnelcerts']['config'])) {
+ foreach($config['installedpackages']['stunnelcerts']['config'] as $cert) {
+ if($tunnel['certificate']==$cert['filename'])
+ $config['installedpackages']['stunnel']['config'][$i]['certificatelink']=
+ '<a href="/pkg_edit.php?xml=stunnel_certs.xml&act=edit&id='.$certid.'">'.$cert['description'].'</a>';
+ $certid++;
+ }
+ }
+ }
+ }
+}
+
+function stunnel_printcsr() {
+# $GLOBALS['savemsg']="<pre>" . print_r($GLOBALS['config']['installedpackages']['stunnelcerts']['config'],true) . "</pre>";
+}
+
+function stunnel_addcerts($config) {
+ $certs=$config['installedpackages']['stunnelcerts']['config'];
+ $tunnels=$config['installedpackages']['stunnel']['config'];
+ ?>
+ <script type="text/javascript">
+ function addcerts() {
+ <?php
+
+ foreach($certs as $cert) {
+ echo("document.forms['iform'].certificate.appendChild(new Option('".$cert['description']."', '".$cert['filename']."'));");
+ }
+
+ ?>
+ }
+ addcerts();
+ for (var i=0; i < document.forms['iform'].certificate.length; i++) {
+ <?php
+ $filename=$tunnels[$_GET['id']]['certificate'];
+ echo('if (document.forms["iform"].certificate[i].value == "'.$filename.'") {');
+ ?>
+ document.forms['iform'].certificate[i].selected = true;
+ } else {
+ document.forms['iform'].certificate[i].selected = false;
+ }
+ }
+
+ </script>
+ <?php
+}
+
+function stunnel_disablefields() {
+ ?>
+ <script type="text/javascript">
+ document.forms['iform'].subject.readOnly=true;
+ document.forms['iform'].filename.readOnly=true;
+ document.forms['iform'].expiry.readOnly=true;
+ </script>
+ <?php
+}
+
+function stunnel_delete($config) {
+ $cert=$config['installedpackages']['stunnelcerts']['config'][$_GET['id']];
+ if(isset($_GET['id'])) {
+ unlink_if_exists('/usr/local/etc/stunnel/'.$cert['filename'].'pem');
+ unlink_if_exists('/usr/local/etc/stunnel/'.$cert['filename'].'key');
+ unlink_if_exists('/usr/local/etc/stunnel/'.$cert['filename'].'chain');
+ }
+}
+
+function stunnel_save($config) {
+ $GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']='';
+ conf_mount_rw();
+ config_lock();
+ $fout = fopen("/usr/local/etc/stunnel/stunnel.conf","w");
+ fwrite($fout, "cert = /usr/local/etc/stunnel/stunnel.pem \n");
+ fwrite($fout, "chroot = /var/tmp/stunnel \n");
+ fwrite($fout, "setuid = stunnel \n");
+ fwrite($fout, "setgid = stunnel \n");
+ foreach($config['installedpackages']['stunnel']['config'] as $pkgconfig) {
+ fwrite($fout, "\n[" . $pkgconfig['description'] . "]\n");
+ if($pkgconfig['certificate']) {
+ if(file_exists('/usr/local/etc/stunnel/'.$pkgconfig['certificate'].'.key') and
+ file_exists('/usr/local/etc/stunnel/'.$pkgconfig['certificate'].'.chain')) {
+ fwrite($fout, "key = /usr/local/etc/stunnel/" . $pkgconfig['certificate'] . ".key\n");
+ fwrite($fout, "cert = /usr/local/etc/stunnel/" . $pkgconfig['certificate'] . ".chain\n");
+ }
+ }
+ if($pkgconfig['sourceip']) fwrite($fout, "local = " . $pkgconfig['sourceip'] . "\n");
+ fwrite($fout, "accept = " . $pkgconfig['localip'] . ":" . $pkgconfig['localport'] . "\n");
+ fwrite($fout, "connect = " . $pkgconfig['redirectip'] . ":" . $pkgconfig['redirectport'] . "\n");
+ fwrite($fout, "TIMEOUTclose = 0\n\n");
+ }
+ fclose($fout);
+ conf_mount_ro();
+ config_unlock();
+ system("/usr/local/etc/rc.d/stunnel.sh stop 2>/dev/null");
+ system("/usr/local/etc/rc.d/stunnel.sh start 2>/dev/null");
+}
+function stunnel_save_cert($config) {
+ $GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']='';
+ if(isset($_POST['id'])) {
+# echo "<pre>";
+# print_r($_POST);
+# echo "</pre>";
+
+ if(!$_POST['cert_chain']) {
+ $GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'].="Certificate chain must be specified!<br>";
+ } if(!$_POST['cert_key']) {
+ $GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'].="RSA Key must be specified!<br>";
+ }
+ if($_POST['cert_chain'] and $_POST['cert_key']) {
+ $_cert=openssl_x509_parse($_POST['cert_chain']);
+# echo("<pre>");
+# print_r($_cert);
+# echo("</pre>");
+ if($_cert['hash']) {
+ if(openssl_x509_check_private_key($_POST['cert_chain'], $_POST['cert_key'])) {
+ file_put_contents('/usr/local/etc/stunnel/'.$_cert['hash'].'.key',
+ $_POST['cert_key']);
+ file_put_contents('/usr/local/etc/stunnel/'.$_cert['hash'].'.chain',
+ $_POST['cert_chain']);
+ file_put_contents('/usr/local/etc/stunnel/'.$_cert['hash'].'.pem',
+ $_POST['cert_key']."\n".$_POST['cert_chain']);
+ system('chown stunnel:stunnel /usr/local/etc/stunnel/*');
+ chmod('/usr/local/etc/stunnel/'.$_cert['hash'].'.key', 0600);
+ chmod('/usr/local/etc/stunnel/'.$_cert['hash'].'.pem', 0600);
+
+ $_POST['filename']=$_cert['hash'];
+ $_POST['expiry_raw']=$_cert['validTo_time_t'];
+ $_POST['expiry']=date('Y-m-d', $_cert['validTo_time_t']);
+ $_POST['subject']=$_cert['name'];
+ } else {
+ $GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'].="Certificate and key do not match!<br>";
+ $_POST['filename']='';
+ }
+ } else {
+ $GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'].="Couldn't parse certificate!<br>";
+ $_POST['expiry_raw']='';
+ $_POST['expiry']='';
+ $_POST['subject']='';
+ $_POST['filename']='';
+ }
+ }
+ $_POST['cert_key']=base64_encode($_POST['cert_key']);
+ $_POST['cert_chain']=base64_encode($_POST['cert_chain']);
+ $_fname=$GLOBALS['config']['installedpackages']['stunnelcerts']['config'][$_POST['id']]['filename'];
+ if($_fname and $_fname!=$_POST['filename']) {
+ unlink_if_exists('/usr/local/etc/stunnel/'.$_fname.'.chain');
+ unlink_if_exists('/usr/local/etc/stunnel/'.$_fname.'.key');
+ unlink_if_exists('/usr/local/etc/stunnel/'.$_fname.'.pem');
+ }
+ }
+}
+
+function stunnel_install() {
+ safe_mkdir("/usr/local/etc/stunnel");
+ system("/usr/bin/openssl req -new -x509 -days 365 -nodes -out /usr/local/etc/stunnel/stunnel.pem -keyout /usr/local/etc/stunnel/stunnel.pem 2>/dev/null");
+ chmod("/usr/local/etc/stunnel/stunnel.pem", 0600);
+ make_dirs("/var/tmp/stunnel/var/tmp/run/stunnel");
+ system("/usr/sbin/chown -R stunnel:stunnel /var/tmp/stunnel");
+ $_rcfile['file']='stunnel.sh';
+ $_rcfile['start'].="/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf \n\t";
+ $_rcfile['stop'].="killall stunnel \n\t";
+ write_rcfile($_rcfile);
+ unlink_if_exists("/usr/local/etc/rc.d/stunnel");
+
+ conf_mount_rw();
+ config_lock();
+ $fout = fopen("/usr/local/etc/stunnel/stunnel.conf","w");
+ fwrite($fout, "cert = /usr/local/etc/stunnel/stunnel.pem \n");
+ fwrite($fout, "chroot = /var/tmp/stunnel \n");
+ fwrite($fout, "setuid = stunnel \n");
+ fwrite($fout, "setgid = stunnel \n");
+ foreach($config['installedpackages']['stunnel']['config'] as $pkgconfig) {
+ fwrite($fout, "\n[" . $pkgconfig['description'] . "]\n");
+ if($pkgconfig['sourceip']) fwrite($fout, "local = " . $pkgconfig['sourceip'] . "\n");
+ fwrite($fout, "accept = " . $pkgconfig['localip'] . ":" . $pkgconfig['localport'] . "\n");
+ fwrite($fout, "connect = " . $pkgconfig['redirectip'] . ":" . $pkgconfig['redirectport'] . "\n");
+ fwrite($fout, "TIMEOUTclose = 0\n\n");
+ }
+ fclose($fout);
+ conf_mount_ro();
+ config_unlock();
+}
+
+function stunnel_deinstall() {
+ rmdir_recursive("/var/tmp/stunnel");
+ rmdir_recursive("/usr/local/etc/stunnel*");
+ unlink_if_exists("/usr/local/etc/rc.d/stunnel.sh");
+}
+
+?> \ No newline at end of file
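Review bot: stunnel_delete() never removes the files it targets, because the three unlink_if_exists() calls build `'/usr/local/etc/stunnel/'.$cert['filename'].'pem'` (and `'key'`, `'chain'`) without the dot that stunnel_save_cert() writes with (`.key`, `.chain`, `.pem`), so deleting a certificate leaves its private key on disk; the paths should read `unlink_if_exists('/usr/local/etc/stunnel/'.$cert['filename'].'.pem');`, `... .'.key');`, `... .'.chain');`, and the `$cert = ...[$_GET['id']]` lookup should move inside the `isset($_GET['id'])` check it currently precedes. The user-supplied `$cert['description']` and `$cert['filename']` are also emitted unescaped into HTML in the certificatelink anchor and into inline JavaScript in stunnel_addcerts() (`new Option('...', '...')`), which lets a crafted description break the markup or script; wrap them with `htmlspecialchars()` for the anchor and `json_encode()` (or `addslashes()`, given the PHP of the era) for the JS string literals. In stunnel_save(), a tunnel whose `.key`/`.chain` files are missing silently inherits the install-time self-signed `stunnel.pem`; appending a note to `savemsg` there would make that fallback visible to the operator instead of surprising them at connect time.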