>From b78c8887fe4b69a30404ce7dbef0b866743b12f5 Mon Sep 17 00:00:00 2001
From: Matthias Berndt
Date: Fri, 22 Jan 2016 00:54:59 +0100
Subject: [PATCH] handle tls-auth blobs correctly
---
 properties/import-export.c | 45 +++++++++++++++++++++++++++++++++++++--------
 1 file changed, 37 insertions(+), 8 deletions(-)
diff --git a/properties/import-export.c b/properties/import-export.c
index d624b52..cbc8952 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -105,6 +105,9 @@
 #define RPORT_TAG "rport "
 #define SECRET_TAG "secret "
 #define TLS_AUTH_TAG "tls-auth "
+#define TLS_AUTH_BLOB_START_TAG ""
+#define TLS_AUTH_BLOB_END_TAG ""
+#define KEY_DIRECTION_TAG "key-direction "
 #define TLS_CLIENT_TAG "tls-client"
 #define TLS_REMOTE_TAG "tls-remote "
 #define REMOTE_CERT_TLS_TAG "remote-cert-tls "
@@ -192,21 +195,28 @@ handle_path_item (const char *line,
 return TRUE;
 }
+static void
+handle_direction (const char *tag, const char *key, char *leftover, NMSettingVpn *s_vpn);
+
 #define CERT_BEGIN "-----BEGIN CERTIFICATE-----"
 #define CERT_END "-----END CERTIFICATE-----"
 #define PRIV_KEY_BEGIN "-----BEGIN PRIVATE KEY-----"
 #define PRIV_KEY_END "-----END PRIVATE KEY-----"
 #define RSA_PRIV_KEY_BEGIN "-----BEGIN RSA PRIVATE KEY-----"
 #define RSA_PRIV_KEY_END "-----END RSA PRIVATE KEY-----"
+#define STATIC_KEY_BEGIN "-----BEGIN OpenVPN Static key V1-----"
+#define STATIC_KEY_END "-----END OpenVPN Static key V1-----"
 static gboolean
 handle_blob_item (const char ***line,
 const char *key,
 NMSettingVpn *s_vpn,
 const char *name,
- GError **error)
+ GError **error,
+ char *last_seen_key_direction)
 {
 gboolean success = FALSE;
+ const char *key_direction_tag = NULL;
 const char *blob_mark_start, *blob_mark_end;
 const char *blob_mark_start2 = NULL, *blob_mark_end2 = NULL;
 const char *start_tag, *end_tag;
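Review bot: As shown here, TLS_AUTH_BLOB_START_TAG and TLS_AUTH_BLOB_END_TAG expand to empty strings; most likely the `<tls-auth>`/`</tls-auth>` markers were stripped in transit, but if the literals really were empty, `strncmp (*p, start_tag, strlen (start_tag))` in handle_blob_item would compare zero bytes and match every line, so the NM_OPENVPN_KEY_TA branch would claim whatever line it is tried on. Worth confirming in the applied tree that these read `"<tls-auth>"` and `"</tls-auth>"`, matching the existing CERT_BLOB_START_TAG / KEY_BLOB_START_TAG pattern. A one-line comment such as `/* inline <tls-auth> block; key-direction may appear anywhere in the file */` would also document why KEY_DIRECTION_TAG is introduced next to them.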
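Review bot: The new `last_seen_key_direction` parameter of handle_blob_item and the forward-declared handle_direction are undocumented, and the prototype names its third parameter `leftover` while the only caller in this patch passes `last_seen_key_direction`; the name should say what the value is. A comment on the parameter would do, e.g. `/* last_seen_key_direction: text after the most recent "key-direction " line, or NULL; only consulted for NM_OPENVPN_KEY_TA */`. handle_direction's definition is not part of this patch, so presumably it already exists later in the file and the prototype is only needed because handle_blob_item now calls it; that should be confirmed, since a missing definition would only surface at link time. handle_blob_item's body continues well past this hunk.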
@@ -222,7 +232,7 @@ handle_blob_item (const char ***line,
 p++; \
 if (!*p) \
 goto finish; \
- } while (!*p[0]); \
+ } while (*p[0] == '\0' || *p[0] == '#' || *p[0] == ';'); \
 } G_STMT_END
 if (!strcmp (key, NM_OPENVPN_KEY_CA)) {
@@ -235,6 +245,12 @@ handle_blob_item (const char ***line,
 end_tag = CERT_BLOB_END_TAG;
 blob_mark_start = CERT_BEGIN;
 blob_mark_end = CERT_END;
+ } else if (!strcmp (key, NM_OPENVPN_KEY_TA)) {
+ start_tag = TLS_AUTH_BLOB_START_TAG;
+ end_tag = TLS_AUTH_BLOB_END_TAG;
+ blob_mark_start = STATIC_KEY_BEGIN;
+ blob_mark_end = STATIC_KEY_END;
+ key_direction_tag = "tls-auth";
 } else if (!strcmp (key, NM_OPENVPN_KEY_KEY)) {
 start_tag = KEY_BLOB_START_TAG;
 end_tag = KEY_BLOB_END_TAG;
@@ -244,10 +260,10 @@ handle_blob_item (const char ***line,
 blob_mark_end2 = RSA_PRIV_KEY_END;
 } else
 g_return_val_if_reached (FALSE);
- p = *line;
 if (strncmp (*p, start_tag, strlen (start_tag)))
 goto finish;
+ NEXT_LINE;
 if (blob_mark_start2 && !strcmp (*p, blob_mark_start2)) {
@@ -292,14 +308,19 @@ handle_blob_item (const char ***line,
 goto finish;
 nm_setting_vpn_add_data_item (s_vpn, key, path);
-
+ if (key_direction_tag)
+ handle_direction(key_direction_tag,
+ NM_OPENVPN_KEY_TA_DIR,
+ last_seen_key_direction,
+ s_vpn);
 finish:
- line = &p;
+ *line = p;
 g_free (filename);
 g_free (dirname);
 g_free (path);
 if (in_file)
 g_string_free (in_file, TRUE);
+
 return success;
 }
@@ -507,6 +528,7 @@ do_import (const char *path, const char *contents, GError **error)
 char *new_contents = NULL;
 gboolean http_proxy = FALSE, socks_proxy = FALSE, proxy_set = FALSE;
 int nitems;
+ char *last_seen_key_direction = NULL;
 connection = nm_simple_connection_new ();
 s_con = NM_SETTING_CONNECTION (nm_setting_connection_new ());
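Review bot: Now that `*line = p` at `finish:` really propagates the cursor (the old `line = &p` was a no-op), the early exit inside NEXT_LINE (`if (!*p) goto finish;`, taken when an opening tag has no closing tag before end of file) returns FALSE with `*line` pointing at the terminating NULL entry; the caller in do_import then tries the remaining handle_blob_item / handle_path_item calls on the same iteration, and those dereference `*line` via `strncmp`. Unless the caller checks for NULL somewhere outside these hunks, a truncated inline block in an imported .ovpn would crash the importer instead of failing the import; saving the cursor at entry, `const char **blob_start = p;`, and restoring it on failure, `*line = success ? p : blob_start;`, keeps the caller's view consistent. With `p = *line;` removed from the -244 hunk, p must now be initialised at its declaration, which is outside the hunk and worth confirming. Minor style: `handle_direction(key_direction_tag,` omits the space before the parenthesis that the rest of the file uses. All four hunks are inside handle_blob_item and do_import, whose bodies extend beyond them.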
@@ -578,6 +600,10 @@ do_import (const char *path, const char *contents, GError **error)
 continue;
 }
+ if (!strncmp(*line, KEY_DIRECTION_TAG, strlen (KEY_DIRECTION_TAG))) {
+ last_seen_key_direction = *line + strlen(KEY_DIRECTION_TAG);
+ }
+
 if (!strncmp (*line, DEV_TAG, strlen (DEV_TAG))) {
 items = get_args (*line + strlen (DEV_TAG), &nitems);
 if (nitems == 1) {
@@ -859,13 +885,16 @@ do_import (const char *path, const char *contents, GError **error)
 if (handle_path_item (*line, KEY_TAG, NM_OPENVPN_KEY_KEY, s_vpn, default_path, NULL))
 continue;
- if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_CA, s_vpn, basename, NULL))
+ if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_CA, s_vpn, basename, NULL, last_seen_key_direction))
+ continue;
+
+ if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_CERT, s_vpn, basename, NULL, last_seen_key_direction))
 continue;
- if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_CERT, s_vpn, basename, NULL))
+ if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_KEY, s_vpn, basename, NULL, last_seen_key_direction))
 continue;
- if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_KEY, s_vpn, basename, NULL))
+ if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_TA, s_vpn, basename, NULL, last_seen_key_direction))
 continue;
 if (handle_path_item (*line, SECRET_TAG, NM_OPENVPN_KEY_STATIC_KEY,
-- 
2.5.0
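Review bot: `last_seen_key_direction` only holds the value seen before the `<tls-auth>` block is reached, so a `key-direction` line placed after the block is silently ignored, although OpenVPN accepts the directive anywhere in the file; if handle_direction consumes the value at blob time (its body is not in this patch), recording the direction here and applying it once after the line loop would handle both orders. The stored value is also an unvalidated pointer into the line, `*line + strlen(KEY_DIRECTION_TAG)`, so trailing whitespace or an unexpected token reaches handle_direction as-is; unless that function checks for `0`/`1`, the check belongs here, and the new line should use the file's `strncmp (` spacing. The surrounding loop body of do_import extends beyond this hunk.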