@@ -1103,48 +1103,45 @@ test_crypto (struct crypto_options *co, struct frame* frame)

 }

 void

-get_tls_handshake_key (const struct key_type *key_type,

-		       struct key_ctx_bi *ctx,

-		       const char *key_file,

-		       const int key_direction,

-		       const unsigned int flags)

+crypto_read_openvpn_key (const struct key_type *key_type,

+	struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,

+	const int key_direction, const char *key_name, const char *opt_name)

 {

-  if (key_file)

-    {

-      struct key2 key2;

-      struct key_direction_state kds;

-

-      if (flags & GHK_INLINE)

-	{

-	  read_key_file (&key2, key_file, RKF_INLINE|RKF_MUST_SUCCEED);

-	}

-      else

-	{

-	  read_key_file (&key2, key_file, RKF_MUST_SUCCEED);

-	}

-

-	if (key2.n != 2)

-	  {

-	    msg (M_ERR, "Control Channel Authentication: File '%s' does not "

-		"have OpenVPN Static Key format.  Using free-form passphrase "

-		"file is not supported anymore.", key_file);

-	  }

-      /* handle key direction */

-      key_direction_state_init (&kds, key_direction);

-      must_have_n_keys (key_file, "tls-auth", &key2, kds.need_keys);

+  struct key2 key2;

+  struct key_direction_state kds;

+  char log_prefix[128] = { 0 };

-      /* initialize key in both directions */

-      init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], key_type, OPENVPN_OP_ENCRYPT,

-		    "Outgoing Control Channel Authentication");

-      init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type, OPENVPN_OP_DECRYPT,

-		    "Incoming Control Channel Authentication");

-

-      CLEAR (key2);

+  if (key_inline)

+    {

+      read_key_file (&key2, key_inline, RKF_MUST_SUCCEED|RKF_INLINE);

     }

   else

     {

-      CLEAR (*ctx);

+      read_key_file (&key2, key_file, RKF_MUST_SUCCEED);

+    }

+

+  if (key2.n != 2)

+    {

+      msg (M_ERR, "File '%s' does not have OpenVPN Static Key format.  Using "

+	   "free-form passphrase file is not supported anymore.", key_file);

     }

+

+  /* check for and fix highly unlikely key problems */

+  verify_fix_key2 (&key2, key_type, key_file);

+

+  /* handle key direction */

+  key_direction_state_init (&kds, key_direction);

+  must_have_n_keys (key_file, opt_name, &key2, kds.need_keys);

+

+  /* initialize key in both directions */

+  openvpn_snprintf (log_prefix, sizeof (log_prefix), "Outgoing %s", key_name);

+  init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], key_type,

+		OPENVPN_OP_ENCRYPT, log_prefix);

+  openvpn_snprintf (log_prefix, sizeof (log_prefix), "Incoming %s", key_name);

+  init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type,

+		OPENVPN_OP_DECRYPT, log_prefix);

+

+  CLEAR (key2);

 }

 /* header and footer for static key file */

@@ -465,12 +465,9 @@ void key2_print (const struct key2* k,

 		 const char* prefix0,

 		 const char* prefix1);

-#define GHK_INLINE  (1<<0)

-void get_tls_handshake_key (const struct key_type *key_type,

-			    struct key_ctx_bi *ctx,

-			    const char *passphrase_file,

-			    const int key_direction,

-			    const unsigned int flags);

+void crypto_read_openvpn_key (const struct key_type *key_type,

+	struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,

+	const int key_direction, const char *key_name, const char *opt_name);

 /*

  * Inline functions

@@ -2147,33 +2147,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags)

 		     options->keysize, options->test_crypto, true);

       /* Read cipher and hmac keys from shared secret file */

-      {

-	unsigned int rkf_flags = RKF_MUST_SUCCEED;

-	const char *rkf_file = options->shared_secret_file;

-

-	if (options->shared_secret_file_inline)

-	  {

-	    rkf_file = options->shared_secret_file_inline;

-	    rkf_flags |= RKF_INLINE;

-	  }

-	read_key_file (&key2, rkf_file, rkf_flags);

-      }

-

-      /* Check for and fix highly unlikely key problems */

-      verify_fix_key2 (&key2, &c->c1.ks.key_type,

-		       options->shared_secret_file);

-

-      /* Initialize OpenSSL key objects */

-      key_direction_state_init (&kds, options->key_direction);

-      must_have_n_keys (options->shared_secret_file, "secret", &key2,

-			kds.need_keys);

-      init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],

-		    &c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt");

-      init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],

-		    &c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt");

-

-      /* Erase the temporary copy of key */

-      CLEAR (key2);

+      crypto_read_openvpn_key (&c->c1.ks.key_type, &c->c1.ks.static_key,

+			       options->shared_secret_file,

+			       options->shared_secret_file_inline,

+			       options->key_direction, "Static Key Encryption",

+			       "secret");

     }

   else

     {

@@ -2242,15 +2220,6 @@ do_init_crypto_tls_c1 (struct context *c)

       /* TLS handshake authentication (--tls-auth) */

       if (options->tls_auth_file)

 	{

-	  unsigned int flags = 0;

-	  const char *file = options->tls_auth_file;

-

-	  if (options->tls_auth_file_inline)

-	    {

-	      flags |= GHK_INLINE;

-	      file = options->tls_auth_file_inline;

-	    }

-

 	  /* Initialize key_type for tls-auth with auth only */

 	  CLEAR (c->c1.ks.tls_auth_key_type);

 	  if (!streq (options->authname, "none"))

@@ -2265,8 +2234,10 @@ do_init_crypto_tls_c1 (struct context *c)

 		  "algorithm specified ('%s')", options->authname);

 	    }

-	  get_tls_handshake_key (&c->c1.ks.tls_auth_key_type,

-	      &c->c1.ks.tls_auth_key, file, options->key_direction, flags);

+	  crypto_read_openvpn_key (&c->c1.ks.tls_auth_key_type,

+	      &c->c1.ks.tls_auth_key, options->tls_auth_file,

+	      options->tls_auth_file_inline, options->key_direction,

+	      "Control Channel Authentication", "tls-auth");

 	}

       c->c1.ciphername = options->ciphername;