Inline file capability now works for

--secret and --tls-auth.  For example:

<secret>
[ascii key data]
</secret>


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@844 e7ae566f-a301-0410-adde-c780ea21d3b5

common.h

@@ -64,4 +64,12 @@ typedef unsigned long ptr_type;
  */
 #define TLS_CHANNEL_BUF_SIZE 1024
 
+/*
+ * A sort of pseudo-filename for data provided inline within
+ * the configuration file.
+ */
+#if ENABLE_INLINE_FILES
+#define INLINE_FILE_TAG "[[INLINE]]"
+#endif
+
 #endif

crypto.c

@@ -905,11 +905,12 @@ test_crypto (const struct crypto_options *co, struct frame* frame)
 }
 
 #ifdef USE_SSL
+
 void
 get_tls_handshake_key (const struct key_type *key_type,
 		       struct key_ctx_bi *ctx,
 		       const char *passphrase_file,
-		       bool key_direction)
+		       const unsigned int flags)
 {
   if (passphrase_file && key_type->hmac_length)
     {
@@ -921,8 +922,23 @@ get_tls_handshake_key (const struct key_type *key_type,
       kt.cipher_length = 0;
       kt.cipher = NULL;
 
+#if ENABLE_INLINE_FILES
+      if (flags & GHK_INLINE)
+	{
+	  /* key was specified inline, key text is in passphrase_file */
+	  read_key_file (&key2, passphrase_file, RKF_INLINE|RKF_MUST_SUCCEED);
+
+	  /* succeeded? */
+	  if (key2.n == 2)
+	    msg (M_INFO, "Control Channel Authentication: tls-auth using INLINE static key file");
+	  else
+	    msg (M_FATAL, "INLINE tls-auth file lacks the requisite 2 keys");
+	}
+      else
+#endif
+      {
 	/* first try to parse as an OpenVPN static key file */
-      read_key_file (&key2, passphrase_file, false);
+	read_key_file (&key2, passphrase_file, 0);
 
 	/* succeeded? */
 	if (key2.n == 2)
@@ -951,10 +967,10 @@ get_tls_handshake_key (const struct key_type *key_type,
 		 "Control Channel Authentication: using '%s' as a free-form passphrase file",
 		 passphrase_file);
 	  }
-
+      }
       /* handle key direction */
 
-      key_direction_state_init (&kds, key_direction);
+      key_direction_state_init (&kds, BOOL_CAST (flags & GHK_KEY_DIR));
       must_have_n_keys (passphrase_file, "tls-auth", &key2, kds.need_keys);
 
       /* initialize hmac key in both directions */
@@ -984,13 +1000,15 @@ static const char unprintable_char_fmt[] =
   "Non-Hex, unprintable character (0x%02x) found at line %d in key file '%s' (%d/%d/%d bytes found/min/max)";
 
 /* read key from file */
+
 void
-read_key_file (struct key2 *key2, const char *filename, bool must_succeed)
+read_key_file (struct key2 *key2, const char *file, const unsigned int flags)
 {
   struct gc_arena gc = gc_new ();
-  struct buffer in = alloc_buf_gc (64, &gc);
+  struct buffer in;
   int fd, size;
   uint8_t hex_byte[3] = {0, 0, 0};
+  const char *error_filename = file;
 
   /* parse info */
   int hb_index = 0;
@@ -1019,12 +1037,30 @@ read_key_file (struct key2 *key2, const char *filename, bool must_succeed)
 
   CLEAR (*key2);
 
-  fd = open (filename, O_RDONLY);
-  if (fd == -1)
-    msg (M_ERR, "Cannot open file key file '%s'", filename);
-
-  while ((size = read (fd, in.data, in.capacity)))
+  /*
+   * Key can be provided as a filename in 'file' or if RKF_INLINE
+   * is set, the actual key data itself in ascii form.
+   */
+#if ENABLE_INLINE_FILES
+  if (flags & RKF_INLINE) /* 'file' is a string containing ascii representation of key */
     {
+      size = strlen (file) + 1;
+      buf_set_read (&in, (const uint8_t *)file, size);
+      error_filename = INLINE_FILE_TAG;
+    }
+  else /* 'file' is a filename which refers to a file containing the ascii key */
+#endif
+    {
+      in = alloc_buf_gc (2048, &gc);
+      fd = open (file, O_RDONLY);
+      if (fd == -1)
+	msg (M_ERR, "Cannot open file key file '%s'", file);
+      size = read (fd, in.data, in.capacity);
+      if (size == in.capacity)
+	msg (M_FATAL, "Key file ('%s') can be a maximum of %d bytes", file, (int)in.capacity);
+      close (fd);
+    }
+
   const char *cp = (char *)in.data;
   while (size)
     {
@@ -1097,7 +1133,7 @@ read_key_file (struct key2 *key2, const char *filename, bool must_succeed)
 		{
 		  msg (M_FATAL,
 		       (isprint (c) ? printable_char_fmt : unprintable_char_fmt),
-			   c, line_num, filename, count, onekeylen, keylen);
+		       c, line_num, error_filename, count, onekeylen, keylen);
 		}
 	    }
 	  ++line_index;
@@ -1105,9 +1141,6 @@ read_key_file (struct key2 *key2, const char *filename, bool must_succeed)
       ++cp;
       --size;
     }
-    }
-
-  close (fd);
 
   /*
    * Normally we will read either 1 or 2 keys from file.
@@ -1116,22 +1149,22 @@ read_key_file (struct key2 *key2, const char *filename, bool must_succeed)
 
   ASSERT (key2->n >= 0 && key2->n <= (int) SIZE (key2->keys));
 
-  if (must_succeed)
+  if (flags & RKF_MUST_SUCCEED)
     {
       if (!key2->n)
 	msg (M_FATAL, "Insufficient key material or header text not found found in file '%s' (%d/%d/%d bytes found/min/max)",
-	     filename, count, onekeylen, keylen);
+	     error_filename, count, onekeylen, keylen);
 
       if (state != PARSE_FINISHED)
 	msg (M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)",
-	     filename, count, onekeylen, keylen);
+	     error_filename, count, onekeylen, keylen);
     }
 
   /* zero file read buffer */
   buf_clear (&in);
 
   if (key2->n)
-    warn_if_group_others_accessible (filename);
+    warn_if_group_others_accessible (error_filename);
 
 #if 0
   /* DEBUGGING */

crypto.h

@@ -270,7 +270,9 @@ void init_key_type (struct key_type *kt, const char *ciphername,
 		    bool authname_defined, int keysize,
 		    bool cfb_ofb_allowed, bool warn);
 
-void read_key_file (struct key2 *key2, const char *filename, bool must_succeed);
+#define RKF_MUST_SUCCEED (1<<0)
+#define RKF_INLINE       (1<<1)
+void read_key_file (struct key2 *key2, const char *file, const unsigned int flags);
 
 int write_key_file (const int nkeys, const char *filename);
 
@@ -367,10 +369,12 @@ void openssl_dmalloc_init (void);
 
 #ifdef USE_SSL
 
+#define GHK_KEY_DIR (1<<0)
+#define GHK_INLINE  (1<<1)
 void get_tls_handshake_key (const struct key_type *key_type,
 			    struct key_ctx_bi *ctx,
 			    const char *passphrase_file,
-			    bool key_direction);
+			    const unsigned int flags);
 
 #else
 

init.c

@@ -1276,7 +1276,19 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
 		     options->test_crypto, true);
 
       /* Read cipher and hmac keys from shared secret file */
-      read_key_file (&key2, options->shared_secret_file, true);
+      {
+	unsigned int rkf_flags = RKF_MUST_SUCCEED;
+	const char *rkf_file = options->shared_secret_file;
+
+#if ENABLE_INLINE_FILES
+	if (options->shared_secret_file_inline)
+	  {
+	    rkf_file = options->shared_secret_file_inline;
+	    rkf_flags |= RKF_INLINE;
+	  }
+#endif
+	read_key_file (&key2, rkf_file, rkf_flags);
+      }
 
       /* Check for and fix highly unlikely key problems */
       verify_fix_key2 (&key2, &c->c1.ks.key_type,
@@ -1361,10 +1373,22 @@ do_init_crypto_tls_c1 (struct context *c)
 
       /* TLS handshake authentication (--tls-auth) */
       if (options->tls_auth_file)
+	{
+	  unsigned int flags = options->key_direction ? GHK_KEY_DIR : 0;
+	  const char *file = options->tls_auth_file;
+
+#if ENABLE_INLINE_FILES
+	  if (options->tls_auth_file_inline)
+	    {
+	      flags |= GHK_INLINE;
+	      file = options->tls_auth_file_inline;
+	    }
+#endif
 	  get_tls_handshake_key (&c->c1.ks.key_type,
 				 &c->c1.ks.tls_auth_key,
-			       options->tls_auth_file,
-			       options->key_direction);
+				 file,
+				 flags);
+	}
 
 #if ENABLE_INLINE_FILES
       if (options->priv_key_file_inline)

misc.c

@@ -433,6 +433,10 @@ void
 warn_if_group_others_accessible (const char* filename)
 {
 #ifdef HAVE_STAT
+#if ENABLE_INLINE_FILES
+  if (strcmp (filename, INLINE_FILE_TAG))
+#endif
+    {
       struct stat st;
       if (stat (filename, &st))
 	{
@@ -443,6 +447,7 @@ warn_if_group_others_accessible (const char* filename)
 	  if (st.st_mode & (S_IRWXG|S_IRWXO))
 	    msg (M_WARN, "WARNING: file '%s' is group or others accessible", filename);
 	}
+    }
 #endif
 }
 

options.c

@@ -4538,9 +4538,26 @@ add_option (struct options *options,
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->show_engines = true;
     }
+  else if (streq (p[0], "key-direction") && p[1])
+    {
+      int key_direction;
+
+      key_direction = ascii2keydirection (msglevel, p[1]);
+      if (key_direction >= 0)
+	options->key_direction = key_direction;
+      else
+	goto err;
+    }
   else if (streq (p[0], "secret") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);
+#if ENABLE_INLINE_FILES
+      if (streq (p[1], INLINE_FILE_TAG) && p[2])
+	{
+	  options->shared_secret_file_inline = p[2];
+	}
+      else
+#endif
       if (p[2])
 	{
 	  int key_direction;
@@ -4889,6 +4906,13 @@ add_option (struct options *options,
   else if (streq (p[0], "tls-auth") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);
+#if ENABLE_INLINE_FILES
+      if (streq (p[1], INLINE_FILE_TAG) && p[2])
+	{
+	  options->tls_auth_file_inline = p[2];
+	}
+      else
+#endif
       if (p[2])
 	{
 	  int key_direction;

options.h

@@ -82,10 +82,6 @@ struct options_pre_pull
 
 #endif
 
-#if ENABLE_INLINE_FILES
-#define INLINE_FILE_TAG "[[INLINE]]"
-#endif
-
 /* Command line options */
 struct options
 {
@@ -356,6 +352,9 @@ struct options
 #ifdef USE_CRYPTO
   /* Cipher parms */
   const char *shared_secret_file;
+#if ENABLE_INLINE_FILES
+  const char *shared_secret_file_inline;
+#endif
   int key_direction;
   bool ciphername_defined;
   const char *ciphername;
@@ -433,6 +432,9 @@ struct options
 
   /* Special authentication MAC for TLS control channel */
   const char *tls_auth_file;		/* shared secret */
+#if ENABLE_INLINE_FILES
+  const char *tls_auth_file_inline;
+#endif
 
   /* Allow only one session */
   bool single_session;