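import os
from runtime.spawn_subprocess import call

restart_stunnel_cmdline = ["/etc/init.d/S50stunnel", "restart"]

# stunnel takes no encoding for PSK, so we try to lose minimum entropy
# by using all possible chars except '\0\n\r' (checked stunnel parser to be sure).
# Those three byte values are remapped to '#'; the other 253 pass through.
translator = ''.join('#' if chr(i) in '\0\n\r' else chr(i) for i in range(256))

# Path of the PSK file recorded by the last ensurePSK() call; read by getPSKID().
_PSKpath = None

# The file holds a shared secret: owner read/write only, nothing for group/other.
_PSK_FILE_MODE = 0o600


def PSKgen(ID, PSKpath):
    """Generate a fresh PSK for *ID*, write it to *PSKpath* and restart stunnel.

    The file holds a single ``ID:secret`` record, which is the format
    getPSKID() parses back.

    Args:
        ID: identity string; must not contain ':' because that is the
            separator getPSKID() partitions on.
        PSKpath: destination file, created or truncated with mode 0600.

    Raises:
        ValueError: if *ID* contains ':'.
    """
    if ':' in ID:
        raise ValueError("PSK identity must not contain ':': %r" % (ID,))

    # 236 bytes is empirical maximum when using :
    # - stunnel 5.36 on server with openssl 1.0.2k
    # - python-sslpsk 1.0.0 on client with openssl 1.0.2k
    secret = os.urandom(236)

    secretstring = secret.translate(translator)
    PSKstring = ID + ":" + secretstring
    # Create the file with an explicit restrictive mode instead of relying on
    # the process umask: a plain open(path, 'w') typically yields 0644, which
    # would expose the secret to every local user.
    fd = os.open(PSKpath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, _PSK_FILE_MODE)
    with os.fdopen(fd, 'w') as f:
        f.write(PSKstring)
    # O_CREAT's mode only applies to newly created files; if PSKpath already
    # existed with wider permissions, tighten it as well.
    os.chmod(PSKpath, _PSK_FILE_MODE)
    call(restart_stunnel_cmdline)


def ensurePSK(ID, PSKpath):
    """Make sure a PSK file exists at *PSKpath*, generating one if missing.

    Also records *PSKpath* as the module-level path that getPSKID() reads.
    An existing file is left untouched (no rotation).
    """
    global _PSKpath
    _PSKpath = PSKpath
    # check if already there
    if not os.path.exists(PSKpath):
        # create if needed
        PSKgen(ID, PSKpath)


def getPSKID():
    """Return the ``(ID, PSK)`` tuple stored by ensurePSK(), or None.

    None is returned when ensurePSK() has not been called yet, or when the
    recorded file has since disappeared (an error is logged in that case).
    """
    if _PSKpath is None:
        return None
    if not os.path.exists(_PSKpath):
        # NOTE(review): confnodesroot is neither imported nor defined in this
        # module; presumably injected at runtime -- confirm, otherwise this
        # branch raises NameError instead of logging.
        confnodesroot.logger.write_error(
            'Error: Pre-Shared-Key Secret in %s is missing!\n' % _PSKpath)
        return None
    # Close the handle deterministically rather than leaving it to the GC.
    with open(_PSKpath) as f:
        ID, _sep, PSK = f.read().partition(':')
    # The generated secret never contains '\n' or '\r' (see translator), so
    # this only drops a trailing line ending added by an external edit.
    PSK = PSK.rstrip('\n\r')
    return (ID, PSK)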