--- a/runtime/Stunnel.py Tue Oct 23 16:19:20 2018 +0200
+++ b/runtime/Stunnel.py Mon Oct 29 11:33:36 2018 +0100
@@ -4,11 +4,13 @@
restart_stunnel_cmdline = ["/etc/init.d/S50stunnel","restart"]
-# stunnel takes no encoding for psk, so we try to lose minimum entropy
+# stunnel takes no encoding for PSK, so we try to lose minimum entropy
# by using all possible chars except '\0\n\r' (checked stunnel parser to be sure)
translator = ''.join([(lambda c: '#' if c in '\0\n\r' else c)(chr(i)) for i in xrange(256)])
-def pskgen(ID, pskpath):
+_PSKpath = None
+
+def PSKgen(ID, PSKpath):
secret = os.urandom(256) # 2048 bits is still safe nowadays
# following makes 512 length string, rejected by stunnel
@@ -16,14 +18,27 @@
# secretstring = hexlify(secret)
secretstring = secret.translate(translator)
- pskstring = ID+":"+secretstring
- with open(pskpath, 'w') as f:
- f.write(pskstring)
+ PSKstring = ID+":"+secretstring
+ with open(PSKpath, 'w') as f:
+ f.write(PSKstring)
call(restart_stunnel_cmdline)
-def ensurepsk(ID, pskpath):
+def ensurePSK(ID, PSKpath):
+ global _PSKpath
+ _PSKpath = PSKpath
# check if already there
- if not os.path.exists(pskpath):
+ if not os.path.exists(PSKpath):
# create if needed
- pskgen(ID, pskpath)
+ PSKgen(ID, PSKpath)
+def getPSKID():
+ if _PSKpath is not None :
+ if not os.path.exists(_PSKpath):
+ confnodesroot.logger.write_error(
+ 'Error: Pre-Shared-Key Secret in %s is missing!\n' % _PSKpath)
+ return None
+ ID,_sep,PSK = open(_PSKpath).read().partition(':')
+ PSK = PSK.rstrip('\n\r')
+ return (ID,PSK)
+ return None
+
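Review bot: The PSK secret written at `with open(PSKpath, 'w') as f:` in PSKgen is created with the process umask, so under a typical 022 umask the key file is readable by every local user; create it with a restrictive mode instead, e.g. `with os.fdopen(os.open(PSKpath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as f:` (PSKgen's signature is in the previous hunk). In `getPSKID`, `open(_PSKpath).read()` leaves the handle to the garbage collector; `with open(_PSKpath) as f: ID, _sep, PSK = f.read().partition(':')` closes it deterministically and matches the `with` already used in PSKgen. `ensurePSK` only tests that the path exists, so an empty or partially written file would be accepted and `getPSKID` would hand back an empty PSK; checking that the parsed PSK is non-empty before returning it (or writing to a temporary file and renaming it into place) would close that gap. `confnodesroot` is referenced in `getPSKID` but not visibly imported in this diff — confirm it is in scope at module level.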