From 20ecb48c45abc7fb98e962cbd1c0ce31d80f9f85 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 13 Apr 2013 22:04:50 +0200 Subject: [PATCH] aiccu: Implement optional SSL encrytion. Add a new configure switch to the aiccu network hook, to enable the SSL encrytion on tunnel dialin. The default value is "true" because most TIC server from Sixxs are able to handle those requests. Fixes #10351. --- functions.aiccu | 25 +++++++++++++++++++------ hooks/zones/aiccu | 28 ++++++++++++++++++++-------- 2 files changed, 39 insertions(+), 14 deletions(-) diff --git a/functions.aiccu b/functions.aiccu index 5c4d38bb..54bbdbf7 100644 --- a/functions.aiccu +++ b/functions.aiccu @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2010 Michael Tremer & Christian Schmidt # +# Copyright (C) 2013 IPFire Network Development Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -79,23 +79,33 @@ function aiccu_configure() { local server local protocol="tic" local tunnel_id + local require_tls while [ $# -gt 0 ]; do case "${1}" in --user=*) - user=$(cli_get_val ${1}) + user="$(cli_get_val ${1})" ;; --secret=*) - secret=$(cli_get_val ${1}) + secret="$(cli_get_val ${1})" ;; --server=*) - server=$(cli_get_val ${1}) + server="$(cli_get_val ${1})" ;; --protocol=*) - protocol=$(cli_get_val ${1}) + protocol="$(cli_get_val ${1})" ;; --tunnel-id=*) - tunnel_id=$(cli_get_val ${1}) + tunnel_id="$(cli_get_val ${1})" + ;; + --require-tls=*) + require_tls="$(cli_get_val ${1})" + + if enabled val; then + require_tls="true" + else + require_tls="false" + fi ;; esac shift @@ -105,6 +115,7 @@ function aiccu_configure() { assert isset secret assert isset server assert isset protocol + assert isset require_tls assert isoneof protocol tic tsp l2tp cat <&2 
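Review bot: In the `--require-tls=*)` arm of `aiccu_configure`, `enabled val` tests a name that is never assigned in the visible code; the parsed value was stored in `require_tls` on the line before. If `enabled` takes a variable name, as the `assert isset secret` calls suggest for this code base's helpers, the check always fails and `require_tls` is forced to "false", so the tunnel login never requires TLS regardless of the zone setting; the line should read `if enabled require_tls; then`. `local require_tls` also has no default, while the following hunk adds `assert isset require_tls`, so a caller that omits the flag trips the assert; `local require_tls="true"` would match the default stated in the commit message. The body of `aiccu_configure` starts and ends outside this hunk.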
@@ -78,7 +89,8 @@ function _up() { --protocol="${PROTOCOL}" \ --user="${USER}" \ --secret="${SECRET}" \ - --tunnel-id="${TUNNEL_ID}" + --tunnel-id="${TUNNEL_ID}" \ + --require-tls="${REQUIRE_TLS}" exit $? } -- 2.47.2