hex key support for psk

I ran into an issue with PSK reading the key as ascii instead of hex. I had a gnutls-serv and gnutls-cli set up with a hex key, and I switched the server for one wrapped using stunnel, but using the same key in psk.txt was failing. I eventually got it working by converting the hex characters to binary and placing that in the contents of the file specified by PSKsecrets (psk.txt), but this won't work for certain scenarios. For example, what if the key contains ascii newline characters?

On 29.10.2015 00:12, Reese Wilson wrote:
> I ran into an issue with PSK reading the key as ascii instead of hex. I had a gnutls-serv and gnutls-cli set up with a hex key, and I switched the server for one wrapped using stunnel, but using the same key in psk.txt was failing. I eventually got it working by converting the hex characters to binary and placing that in the contents of the file specified by PSKsecrets (psk.txt), but this won't work for certain scenarios. For example, what if the key contains ascii newline characters?

Do it the other way around: generate sufficiently long printable ASCII pre-shared keys, and then hex-encode them for applications that require hex-encoded pre-shared keys. The same applies to any other encoding (base64, rot13, etc.).

Yes, the interface of stunnel restricts the subset of bytes that may be used for pre-shared keys (but not the length of those keys). Yes, this may require generating new pre-shared keys when you migrate to stunnel from another product. Yes, I consider this to be a feature.

You can use passphrases or your favourite password generator to generate pre-shared keys for stunnel. Changing the pre-shared key when you migrate to stunnel is also *good* for your security.

Mike
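The approach from the reply, as an added example (not code from the thread or from stunnel): generate a printable-ASCII key, derive the hex form for a peer that expects hex, and check whether an existing hex key could be stored as text at all. The `identity:key` line layout, the identity `client1`, the 32-character length and the exclusion of `:` from the key alphabet are assumptions.

```python
import secrets
import string

# Printable ASCII with no whitespace and no ':' so a key can never be confused
# with a line ending or the identity separator (conservative assumption).
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c != ":"
)


def generate_ascii_psk(length=32):
    """Return a random printable-ASCII pre-shared key of `length` characters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def to_hex(ascii_key):
    """Hex-encode the key bytes for applications that take hex-encoded keys."""
    return ascii_key.encode("ascii").hex()


def usable_as_text_key(hex_key):
    """True if the bytes behind an existing hex key fit on one printable text line."""
    return all(chr(b) in ALPHABET for b in bytes.fromhex(hex_key))


def psk_lines(identity, ascii_key):
    """Return (text_line, hex_line) carrying the same key bytes in both encodings."""
    if ":" in identity or not ascii_key or any(c not in ALPHABET for c in ascii_key):
        raise ValueError("identity or key contains characters unsafe for a line-based file")
    return f"{identity}:{ascii_key}", f"{identity}:{to_hex(ascii_key)}"


if __name__ == "__main__":
    key = generate_ascii_psk()
    text_line, hex_line = psk_lines("client1", key)  # "client1" is a made-up identity
    print("text side:", text_line)
    print("hex side: ", hex_line)
    # Constructed hex key containing NUL, newline and 0xff: cannot be stored as text.
    print("000aff41 usable as text key:", usable_as_text_key("000aff41"))
```
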
participants (2)
- Michal Trojnara
- Reese Wilson