<?php

$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
if ($pf_version == "2.1" || $pf_version == "2.2") {
	define('STUNNEL_LOCALBASE', '/usr/pbi/stunnel-' . php_uname("m"));
} else {
	define('STUNNEL_LOCALBASE','/usr/local');
}
define('STUNNEL_ETCDIR', STUNNEL_LOCALBASE . "/etc/stunnel");

if(!isset($_GET['id']) and !isset($_POST['id'])) {
	if($GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']) {
		$savemsg=$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'];
		unset($GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']);
		write_config();
	}
	
}

if(isset($_GET['id'])) {
	$config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_chain']=
		base64_decode($config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_chain']);
	$config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_key']=
		base64_decode($config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_key']);
}

$certs=$config['installedpackages']['stunnelcerts']['config'];
is_array($certs) ? $num_certs=count($certs) : $num_certs=0;
if(!isset($_GET['id']) and !isset($_POST['id']) and $num_certs) {
	for ($i=0;$i<$num_certs;$i++) {
		$cert=$certs[$i];
		$_info=openssl_x509_parse(base64_decode($cert['cert_chain']));
		$valid=floor(($_info['validTo_time_t']-time())/86400);
		if($cert['cert_chain']) {
			if(!openssl_x509_check_private_key(base64_decode($cert['cert_chain']), base64_decode($cert['cert_key']))) {
				$_status='<font color="#AA0000"><b>Invalid key/cert!</b></font>';
			} elseif($valid<30) {
				$_status='<font color="#B27D4B">Expires in '.$valid.' days!</font>';
			} else {
				$_status='<font color="#008800">OK ('.$valid.' days)</font>';
			}
			$config['installedpackages']['stunnelcerts']['config'][$i]['status']=$_status;
		} else {
			unset($config['installedpackages']['stunnelcerts']['config'][$i]);
		}
	}
}


$tunnels=$config['installedpackages']['stunnel']['config'];
is_array($tunnels) ? $num_tunnels=count($tunnels) : $num_tunnels=0;
if(!isset($_GET['id']) and $num_tunnels) {
	for ($i=0;$i<$num_tunnels;$i++) {
		$tunnel=$tunnels[$i];
		if($tunnel['certificate']) {
			$certid=0;
			if(is_array($config['installedpackages']['stunnelcerts']['config'])) {
				foreach($config['installedpackages']['stunnelcerts']['config'] as $cert) {
					if($tunnel['certificate']==$cert['filename'])
						$config['installedpackages']['stunnel']['config'][$i]['certificatelink']=
							'<a href="/pkg_edit.php?xml=stunnel_certs.xml&act=edit&id='.$certid.'">'.$cert['description'].'</a>';
					$certid++;
				}
			}
		}
	}
}

function stunnel_printcsr() {
#	$GLOBALS['savemsg']="<pre>" . print_r($GLOBALS['config']['installedpackages']['stunnelcerts']['config'],true) . "</pre>";
}

function stunnel_addcerts($config) {
	$certs=$config['installedpackages']['stunnelcerts']['config'];
	$tunnels=$config['installedpackages']['stunnel']['config'];
	?>
	<script type="text/javascript">
	function addcerts() {
		<?php
	
		foreach($certs as $cert) {
			echo("document.forms['iform'].certificate.appendChild(new Option('".$cert['description']."', '".$cert['filename']."'));");
		}
		
		?>
	}
	addcerts();
	for (var i=0; i < document.forms['iform'].certificate.length; i++) {
		<?php
		$filename=$tunnels[$_GET['id']]['certificate'];
		echo('if (document.forms["iform"].certificate[i].value == "'.$filename.'") {');
		?>
			document.forms['iform'].certificate[i].selected = true;
		} else {
			document.forms['iform'].certificate[i].selected = false;
		}	
	}

	</script>
	<?php
}

function stunnel_disablefields() {
	?>
	<script type="text/javascript">
		document.forms['iform'].subject.readOnly=true;
		document.forms['iform'].filename.readOnly=true;
		document.forms['iform'].expiry.readOnly=true;
	</script>
	<?php
}

function stunnel_delete($config) {
	$cert=$config['installedpackages']['stunnelcerts']['config'][$_GET['id']];
	if(isset($_GET['id'])) {
		unlink_if_exists(STUNNEL_ETCDIR . '/'.$cert['filename'].'pem');
		unlink_if_exists(STUNNEL_ETCDIR . '/'.$cert['filename'].'key');
		unlink_if_exists(STUNNEL_ETCDIR . '/'.$cert['filename'].'chain');
	}
}

function stunnel_save($config) {
	$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']='';
	conf_mount_rw();
	if (!file_exists(STUNNEL_ETCDIR))
		@mkdir(STUNNEL_ETCDIR, 0755, true);
	$fout = fopen(STUNNEL_ETCDIR . "/stunnel.conf","w");
	fwrite($fout, "cert = " . STUNNEL_ETCDIR . "/stunnel.pem \n");
	fwrite($fout, "chroot = /var/tmp/stunnel \n");
	fwrite($fout, "setuid = stunnel \n");
	fwrite($fout, "setgid = stunnel \n");
	if(!is_array($config['installedpackages']['stunnel']['config'])) { $config['installedpackages']['stunnel']['config']=Array(); }
	foreach($config['installedpackages']['stunnel']['config'] as $pkgconfig) {
		fwrite($fout, "\n[" . $pkgconfig['description'] . "]\n");
		if($pkgconfig['client']) fwrite($fout, "client = yes" . "\n");
		if($pkgconfig['certificate']) {
			if(file_exists(STUNNEL_ETCDIR . '/'.$pkgconfig['certificate'].'.key') and
			   file_exists(STUNNEL_ETCDIR . '/'.$pkgconfig['certificate'].'.chain')) {
				fwrite($fout, "key = " . STUNNEL_ETCDIR . "/" . $pkgconfig['certificate'] . ".key\n");
				fwrite($fout, "cert = " . STUNNEL_ETCDIR . "/" . $pkgconfig['certificate'] . ".chain\n");
			}
		}
		if($pkgconfig['sourceip']) fwrite($fout, "local = " . $pkgconfig['sourceip'] . "\n");
		fwrite($fout, "accept = " . $pkgconfig['localip'] . ":" . $pkgconfig['localport'] . "\n");
		fwrite($fout, "connect = " . $pkgconfig['redirectip'] . ":" . $pkgconfig['redirectport'] . "\n");
		fwrite($fout, "TIMEOUTclose = 0\n\n");
	}
	fclose($fout);
	conf_mount_ro();
	system("/usr/local/etc/rc.d/stunnel.sh stop 2>/dev/null");
	system("/usr/local/etc/rc.d/stunnel.sh start 2>/dev/null");
}
function stunnel_save_cert($config) {
	$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']='';
	if(isset($_POST['id'])) {
#		echo "<pre>";
#		print_r($_POST);
#		echo "</pre>";

		if(!$_POST['cert_chain']) {
			$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'].="Certificate chain must be specified!<br>";
		} if(!$_POST['cert_key']) {
			$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'].="RSA Key must be specified!<br>";
		}
		if($_POST['cert_chain'] and $_POST['cert_key']) {
			$_cert=openssl_x509_parse($_POST['cert_chain']);
#			echo("<pre>");
#			print_r($_cert);
#			echo("</pre>");
			if($_cert['hash']) {
				if(openssl_x509_check_private_key($_POST['cert_chain'], $_POST['cert_key'])) {
					file_put_contents(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.key',
						$_POST['cert_key']);
					file_put_contents(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.chain',
						$_POST['cert_chain']);
					file_put_contents(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.pem',
						$_POST['cert_key']."\n".$_POST['cert_chain']);
					system('chown stunnel:stunnel ' . STUNNEL_ETCDIR . '/*');
					chmod(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.key', 0600);
					chmod(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.pem', 0600);

					$_POST['filename']=$_cert['hash'];
					$_POST['expiry_raw']=$_cert['validTo_time_t'];
					$_POST['expiry']=date('Y-m-d', $_cert['validTo_time_t']);
					$_POST['subject']=$_cert['name'];
				} else {
					$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'].="Certificate and key do not match!<br>";
					$_POST['filename']='';
				}
			} else {
				$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'].="Couldn't parse certificate!<br>";
				$_POST['expiry_raw']='';
				$_POST['expiry']='';
				$_POST['subject']='';
				$_POST['filename']='';
			}
		}
		$_POST['cert_key']=base64_encode($_POST['cert_key']);
		$_POST['cert_chain']=base64_encode($_POST['cert_chain']);
		$_fname=$GLOBALS['config']['installedpackages']['stunnelcerts']['config'][$_POST['id']]['filename'];
		if($_fname and $_fname!=$_POST['filename']) {
			unlink_if_exists(STUNNEL_ETCDIR . '/'.$_fname.'.chain');
			unlink_if_exists(STUNNEL_ETCDIR . '/'.$_fname.'.key');
			unlink_if_exists(STUNNEL_ETCDIR . '/'.$_fname.'.pem');
		}
	}
}

function stunnel_install() {
	safe_mkdir(STUNNEL_ETCDIR);
	system("/usr/bin/openssl req -new -x509 -days 365 -nodes -out " . STUNNEL_ETCDIR . "/stunnel.pem -keyout " . STUNNEL_ETCDIR . "/stunnel.pem 2>/dev/null");
	chmod(STUNNEL_ETCDIR . "/stunnel.pem", 0600);
	@mkdir("/var/tmp/stunnel/var/tmp/run/stunnel", 0755, true);
	system("/usr/sbin/chown -R stunnel:stunnel /var/tmp/stunnel");
	$_rcfile['file']='stunnel.sh';
	$_rcfile['start'].= STUNNEL_LOCALBASE . "/bin/stunnel " . STUNNEL_ETCDIR . "/stunnel.conf \n\t";
	$_rcfile['stop'].="killall stunnel \n\t";
	write_rcfile($_rcfile);
	unlink_if_exists("/usr/local/etc/rc.d/stunnel");
	
	$fout = fopen(STUNNEL_ETCDIR . "/stunnel.conf","w");
	fwrite($fout, "cert = " . STUNNEL_ETCDIR . "/stunnel.pem \n");
	fwrite($fout, "chroot = /var/tmp/stunnel \n");
	fwrite($fout, "setuid = stunnel \n");
	fwrite($fout, "setgid = stunnel \n");
	if($config['installedpackages']['stunnel']['config']) {
		foreach($config['installedpackages']['stunnel']['config'] as $pkgconfig) {
			fwrite($fout, "\n[" . $pkgconfig['description'] . "]\n");
			if($pkgconfig['sourceip']) fwrite($fout, "local = " . $pkgconfig['sourceip'] . "\n");
			fwrite($fout, "accept = " . $pkgconfig['localip'] . ":" . $pkgconfig['localport'] . "\n");
			fwrite($fout, "connect = " . $pkgconfig['redirectip'] . ":" . $pkgconfig['redirectport'] . "\n");
			fwrite($fout, "TIMEOUTclose = 0\n\n");
		}
	}
	fclose($fout);
}

function stunnel_deinstall() {
	rmdir_recursive("/var/tmp/stunnel");
	rmdir_recursive(STUNNEL_ETCDIR);
	unlink_if_exists("/usr/local/etc/rc.d/stunnel.sh");
}

?>