@@ -64,4 +64,12 @@ typedef unsigned long ptr_type;

  */

 #define TLS_CHANNEL_BUF_SIZE 1024

+/*

+ * A sort of pseudo-filename for data provided inline within

+ * the configuration file.

+ */

+#if ENABLE_INLINE_FILES

+#define INLINE_FILE_TAG "[[INLINE]]"

+#endif

+

 #endif

@@ -905,11 +905,12 @@ test_crypto (const struct crypto_options *co, struct frame* frame)

 }

 #ifdef USE_SSL

+

 void

 get_tls_handshake_key (const struct key_type *key_type,

 		       struct key_ctx_bi *ctx,

 		       const char *passphrase_file,

-		       bool key_direction)

+		       const unsigned int flags)

 {

   if (passphrase_file && key_type->hmac_length)

     {

@@ -921,40 +922,55 @@ get_tls_handshake_key (const struct key_type *key_type,

       kt.cipher_length = 0;

       kt.cipher = NULL;

-      /* first try to parse as an OpenVPN static key file */

-      read_key_file (&key2, passphrase_file, false);

-

-      /* succeeded? */

-      if (key2.n == 2)

+#if ENABLE_INLINE_FILES

+      if (flags & GHK_INLINE)

 	{

-	  msg (M_INFO,

-	       "Control Channel Authentication: using '%s' as a " PACKAGE_NAME " static key file",

-	       passphrase_file);

+	  /* key was specified inline, key text is in passphrase_file */

+	  read_key_file (&key2, passphrase_file, RKF_INLINE|RKF_MUST_SUCCEED);

+

+	  /* succeeded? */

+	  if (key2.n == 2)

+	    msg (M_INFO, "Control Channel Authentication: tls-auth using INLINE static key file");

+	  else

+	    msg (M_FATAL, "INLINE tls-auth file lacks the requisite 2 keys");

 	}

       else

-	{

-	  int hash_size;

+#endif

+      {

+	/* first try to parse as an OpenVPN static key file */

+	read_key_file (&key2, passphrase_file, 0);

-	  CLEAR (key2);

+	/* succeeded? */

+	if (key2.n == 2)

+	  {

+	    msg (M_INFO,

+		 "Control Channel Authentication: using '%s' as a " PACKAGE_NAME " static key file",

+		 passphrase_file);

+	  }

+	else

+	  {

+	    int hash_size;

-	  /* failed, now try to get hash from a freeform file */

-	  hash_size = read_passphrase_hash (passphrase_file,

-					    kt.digest,

-					    key2.keys[0].hmac,

-					    MAX_HMAC_KEY_LENGTH);

-	  ASSERT (hash_size == kt.hmac_length);

+	    CLEAR (key2);

-	  /* suceeded */

-	  key2.n = 1;

+	    /* failed, now try to get hash from a freeform file */

+	    hash_size = read_passphrase_hash (passphrase_file,

+					      kt.digest,

+					      key2.keys[0].hmac,

+					      MAX_HMAC_KEY_LENGTH);

+	    ASSERT (hash_size == kt.hmac_length);

-	  msg (M_INFO,

-	       "Control Channel Authentication: using '%s' as a free-form passphrase file",

-	       passphrase_file);

-	}

+	    /* suceeded */

+	    key2.n = 1;

+	    msg (M_INFO,

+		 "Control Channel Authentication: using '%s' as a free-form passphrase file",

+		 passphrase_file);

+	  }

+      }

       /* handle key direction */

-      key_direction_state_init (&kds, key_direction);

+      key_direction_state_init (&kds, BOOL_CAST (flags & GHK_KEY_DIR));

       must_have_n_keys (passphrase_file, "tls-auth", &key2, kds.need_keys);

       /* initialize hmac key in both directions */

@@ -984,13 +1000,15 @@ static const char unprintable_char_fmt[] =

   "Non-Hex, unprintable character (0x%02x) found at line %d in key file '%s' (%d/%d/%d bytes found/min/max)";

 /* read key from file */

+

 void

-read_key_file (struct key2 *key2, const char *filename, bool must_succeed)

+read_key_file (struct key2 *key2, const char *file, const unsigned int flags)

 {

   struct gc_arena gc = gc_new ();

-  struct buffer in = alloc_buf_gc (64, &gc);

+  struct buffer in;

   int fd, size;

   uint8_t hex_byte[3] = {0, 0, 0};

+  const char *error_filename = file;

   /* parse info */

   int hb_index = 0;

@@ -1019,96 +1037,111 @@ read_key_file (struct key2 *key2, const char *filename, bool must_succeed)

   CLEAR (*key2);

-  fd = open (filename, O_RDONLY);

-  if (fd == -1)

-    msg (M_ERR, "Cannot open file key file '%s'", filename);

+  /*

+   * Key can be provided as a filename in 'file' or if RKF_INLINE

+   * is set, the actual key data itself in ascii form.

+   */

+#if ENABLE_INLINE_FILES

+  if (flags & RKF_INLINE) /* 'file' is a string containing ascii representation of key */

+    {

+      size = strlen (file) + 1;

+      buf_set_read (&in, (const uint8_t *)file, size);

+      error_filename = INLINE_FILE_TAG;

+    }

+  else /* 'file' is a filename which refers to a file containing the ascii key */

+#endif

+    {

+      in = alloc_buf_gc (2048, &gc);

+      fd = open (file, O_RDONLY);

+      if (fd == -1)

+	msg (M_ERR, "Cannot open file key file '%s'", file);

+      size = read (fd, in.data, in.capacity);

+      if (size == in.capacity)

+	msg (M_FATAL, "Key file ('%s') can be a maximum of %d bytes", file, (int)in.capacity);

+      close (fd);

+    }

-  while ((size = read (fd, in.data, in.capacity)))

+  const char *cp = (char *)in.data;

+  while (size)

     {

-      const char *cp = (char *)in.data;

-      while (size)

-	{

-	  const char c = *cp;

+      const char c = *cp;

 #if 0

-	  msg (M_INFO, "char='%c' s=%d ln=%d li=%d m=%d c=%d",

-	       c, state, line_num, line_index, match, count);

+      msg (M_INFO, "char='%c' s=%d ln=%d li=%d m=%d c=%d",

+	   c, state, line_num, line_index, match, count);

 #endif

-	  if (c == '\n')

+      if (c == '\n')

+	{

+	  line_index = match = 0;

+	  ++line_num;	      

+	}

+      else

+	{

+	  /* first char of new line */

+	  if (!line_index)

 	    {

-	      line_index = match = 0;

-	      ++line_num;	      

+	      /* first char of line after header line? */

+	      if (state == PARSE_HEAD)

+		state = PARSE_DATA;

+

+	      /* first char of footer */

+	      if ((state == PARSE_DATA || state == PARSE_DATA_COMPLETE) && c == '-')

+		state = PARSE_FOOT;

 	    }

-	  else

+

+	  /* compare read chars with header line */

+	  if (state == PARSE_INITIAL)

 	    {

-	      /* first char of new line */

-	      if (!line_index)

+	      if (line_index < hlen && c == static_key_head[line_index])

 		{

-		  /* first char of line after header line? */

-		  if (state == PARSE_HEAD)

-		    state = PARSE_DATA;

-

-		  /* first char of footer */

-		  if ((state == PARSE_DATA || state == PARSE_DATA_COMPLETE) && c == '-')

-		    state = PARSE_FOOT;

+		  if (++match == hlen)

+		    state = PARSE_HEAD;

 		}

+	    }

-	      /* compare read chars with header line */

-	      if (state == PARSE_INITIAL)

+	  /* compare read chars with footer line */

+	  if (state == PARSE_FOOT)

+	    {

+	      if (line_index < flen && c == static_key_foot[line_index])

 		{

-		  if (line_index < hlen && c == static_key_head[line_index])

-		    {

-		      if (++match == hlen)

-			state = PARSE_HEAD;

-		    }

+		  if (++match == flen)

+		    state = PARSE_FINISHED;

 		}

+	    }

-	      /* compare read chars with footer line */

-	      if (state == PARSE_FOOT)

+	  /* reading key */

+	  if (state == PARSE_DATA)

+	    {

+	      if (isxdigit(c))

 		{

-		  if (line_index < flen && c == static_key_foot[line_index])

+		  ASSERT (hb_index >= 0 && hb_index < 2);

+		  hex_byte[hb_index++] = c;

+		  if (hb_index == 2)

 		    {

-		      if (++match == flen)

-			state = PARSE_FINISHED;

+		      unsigned int u;

+		      ASSERT(sscanf((const char *)hex_byte, "%x", &u) == 1);

+		      *out++ = u;

+		      hb_index = 0;

+		      if (++count == keylen)

+			state = PARSE_DATA_COMPLETE;

 		    }

 		}

-

-	      /* reading key */

-	      if (state == PARSE_DATA)

+	      else if (isspace(c))

+		;

+	      else

 		{

-		  if (isxdigit(c))

-		    {

-		      ASSERT (hb_index >= 0 && hb_index < 2);

-		      hex_byte[hb_index++] = c;

-		      if (hb_index == 2)

-			{

-			  unsigned int u;

-			  ASSERT(sscanf((const char *)hex_byte, "%x", &u) == 1);

-			  *out++ = u;

-			  hb_index = 0;

-			  if (++count == keylen)

-			    state = PARSE_DATA_COMPLETE;

-			}

-		    }

-		  else if (isspace(c))

-		    ;

-		  else

-		    {

-		      msg (M_FATAL,

-			   (isprint (c) ? printable_char_fmt : unprintable_char_fmt),

-			   c, line_num, filename, count, onekeylen, keylen);

-		    }

+		  msg (M_FATAL,

+		       (isprint (c) ? printable_char_fmt : unprintable_char_fmt),

+		       c, line_num, error_filename, count, onekeylen, keylen);

 		}

-	      ++line_index;

 	    }

-	  ++cp;

-	  --size;

+	  ++line_index;

 	}

+      ++cp;

+      --size;

     }

-  close (fd);

-

   /*

    * Normally we will read either 1 or 2 keys from file.

    */

@@ -1116,22 +1149,22 @@ read_key_file (struct key2 *key2, const char *filename, bool must_succeed)

   ASSERT (key2->n >= 0 && key2->n <= (int) SIZE (key2->keys));

-  if (must_succeed)

+  if (flags & RKF_MUST_SUCCEED)

     {

       if (!key2->n)

 	msg (M_FATAL, "Insufficient key material or header text not found found in file '%s' (%d/%d/%d bytes found/min/max)",

-	     filename, count, onekeylen, keylen);

+	     error_filename, count, onekeylen, keylen);

       if (state != PARSE_FINISHED)

 	msg (M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)",

-	     filename, count, onekeylen, keylen);

+	     error_filename, count, onekeylen, keylen);

     }

   /* zero file read buffer */

   buf_clear (&in);

   if (key2->n)

-    warn_if_group_others_accessible (filename);

+    warn_if_group_others_accessible (error_filename);

 #if 0

   /* DEBUGGING */

@@ -270,7 +270,9 @@ void init_key_type (struct key_type *kt, const char *ciphername,

 		    bool authname_defined, int keysize,

 		    bool cfb_ofb_allowed, bool warn);

-void read_key_file (struct key2 *key2, const char *filename, bool must_succeed);

+#define RKF_MUST_SUCCEED (1<<0)

+#define RKF_INLINE       (1<<1)

+void read_key_file (struct key2 *key2, const char *file, const unsigned int flags);

 int write_key_file (const int nkeys, const char *filename);

@@ -367,10 +369,12 @@ void openssl_dmalloc_init (void);

 #ifdef USE_SSL

+#define GHK_KEY_DIR (1<<0)

+#define GHK_INLINE  (1<<1)

 void get_tls_handshake_key (const struct key_type *key_type,

 			    struct key_ctx_bi *ctx,

 			    const char *passphrase_file,

-			    bool key_direction);

+			    const unsigned int flags);

 #else

@@ -1276,7 +1276,19 @@ do_init_crypto_static (struct context *c, const unsigned int flags)

 		     options->test_crypto, true);

       /* Read cipher and hmac keys from shared secret file */

-      read_key_file (&key2, options->shared_secret_file, true);

+      {

+	unsigned int rkf_flags = RKF_MUST_SUCCEED;

+	const char *rkf_file = options->shared_secret_file;

+

+#if ENABLE_INLINE_FILES

+	if (options->shared_secret_file_inline)

+	  {

+	    rkf_file = options->shared_secret_file_inline;

+	    rkf_flags |= RKF_INLINE;

+	  }

+#endif

+	read_key_file (&key2, rkf_file, rkf_flags);

+      }

       /* Check for and fix highly unlikely key problems */

       verify_fix_key2 (&key2, &c->c1.ks.key_type,

@@ -1361,10 +1373,22 @@ do_init_crypto_tls_c1 (struct context *c)

       /* TLS handshake authentication (--tls-auth) */

       if (options->tls_auth_file)

-	get_tls_handshake_key (&c->c1.ks.key_type,

-			       &c->c1.ks.tls_auth_key,

-			       options->tls_auth_file,

-			       options->key_direction);

+	{

+	  unsigned int flags = options->key_direction ? GHK_KEY_DIR : 0;

+	  const char *file = options->tls_auth_file;

+

+#if ENABLE_INLINE_FILES

+	  if (options->tls_auth_file_inline)

+	    {

+	      flags |= GHK_INLINE;

+	      file = options->tls_auth_file_inline;

+	    }

+#endif

+	  get_tls_handshake_key (&c->c1.ks.key_type,

+				 &c->c1.ks.tls_auth_key,

+				 file,

+				 flags);

+	}

 #if ENABLE_INLINE_FILES

       if (options->priv_key_file_inline)

@@ -433,15 +433,20 @@ void

 warn_if_group_others_accessible (const char* filename)

 {

 #ifdef HAVE_STAT

-  struct stat st;

-  if (stat (filename, &st))

-    {

-      msg (M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", filename);

-    }

-  else

+#if ENABLE_INLINE_FILES

+  if (strcmp (filename, INLINE_FILE_TAG))

+#endif

     {

-      if (st.st_mode & (S_IRWXG|S_IRWXO))

-	msg (M_WARN, "WARNING: file '%s' is group or others accessible", filename);

+      struct stat st;

+      if (stat (filename, &st))

+	{

+	  msg (M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", filename);

+	}

+      else

+	{

+	  if (st.st_mode & (S_IRWXG|S_IRWXO))

+	    msg (M_WARN, "WARNING: file '%s' is group or others accessible", filename);

+	}

     }

 #endif

 }

@@ -4538,9 +4538,26 @@ add_option (struct options *options,

       VERIFY_PERMISSION (OPT_P_GENERAL);

       options->show_engines = true;

     }

+  else if (streq (p[0], "key-direction") && p[1])

+    {

+      int key_direction;

+

+      key_direction = ascii2keydirection (msglevel, p[1]);

+      if (key_direction >= 0)

+	options->key_direction = key_direction;

+      else

+	goto err;

+    }

   else if (streq (p[0], "secret") && p[1])

     {

       VERIFY_PERMISSION (OPT_P_GENERAL);

+#if ENABLE_INLINE_FILES

+      if (streq (p[1], INLINE_FILE_TAG) && p[2])

+	{

+	  options->shared_secret_file_inline = p[2];

+	}

+      else

+#endif

       if (p[2])

 	{

 	  int key_direction;

@@ -4889,6 +4906,13 @@ add_option (struct options *options,

   else if (streq (p[0], "tls-auth") && p[1])

     {

       VERIFY_PERMISSION (OPT_P_GENERAL);

+#if ENABLE_INLINE_FILES

+      if (streq (p[1], INLINE_FILE_TAG) && p[2])

+	{

+	  options->tls_auth_file_inline = p[2];

+	}

+      else

+#endif

       if (p[2])

 	{

 	  int key_direction;

@@ -82,10 +82,6 @@ struct options_pre_pull

 #endif

-#if ENABLE_INLINE_FILES

-#define INLINE_FILE_TAG "[[INLINE]]"

-#endif

-

 /* Command line options */

 struct options

 {

@@ -356,6 +352,9 @@ struct options

 #ifdef USE_CRYPTO

   /* Cipher parms */

   const char *shared_secret_file;

+#if ENABLE_INLINE_FILES

+  const char *shared_secret_file_inline;

+#endif

   int key_direction;

   bool ciphername_defined;

   const char *ciphername;

@@ -433,6 +432,9 @@ struct options

   /* Special authentication MAC for TLS control channel */

   const char *tls_auth_file;		/* shared secret */

+#if ENABLE_INLINE_FILES

+  const char *tls_auth_file_inline;

+#endif

   /* Allow only one session */

   bool single_session;