From 024c7c59b7163a5734ae4bc860f0c926006d806b Mon Sep 17 00:00:00 2001
From: JianBo He <heeejianbo@gmail.com>
Date: Tue, 29 Mar 2022 18:04:10 +0800
Subject: [PATCH] chore: unify all psk cipher suites

---
 .../etc/emqx_bridge_mqtt.conf                 |  2 +-
 .../priv/emqx_bridge_mqtt.schema              | 30 +++++++++++----
 apps/emqx_exproto/etc/emqx_exproto.conf       |  2 +-
 apps/emqx_exproto/priv/emqx_exproto.schema    | 29 +++++++++++---
 apps/emqx_lwm2m/priv/emqx_lwm2m.schema        | 38 ++++++++++++++-----
 5 files changed, 77 insertions(+), 24 deletions(-)

diff --git a/apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf b/apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf
index 1192863c0..faf2fd39c 100644
--- a/apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf
+++ b/apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf
@@ -129,7 +129,7 @@ bridge.mqtt.aws.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHAC
 ## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-#bridge.mqtt.aws.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+#bridge.mqtt.aws.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
 
 ## Ping interval of a down bridge.
 ##
diff --git a/apps/emqx_bridge_mqtt/priv/emqx_bridge_mqtt.schema b/apps/emqx_bridge_mqtt/priv/emqx_bridge_mqtt.schema
index 12a571f45..30120a7d5 100644
--- a/apps/emqx_bridge_mqtt/priv/emqx_bridge_mqtt.schema
+++ b/apps/emqx_bridge_mqtt/priv/emqx_bridge_mqtt.schema
@@ -134,14 +134,30 @@
 ]}.
 
 {translation, "emqx_bridge_mqtt.bridges", fun(Conf) ->
-
+    AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
+                       "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
+                       "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
+                      ],
+    %% Compatible with legacy PSK Cipher strings
+    PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
+                    ("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
+                    ("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
+                    ("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
+                    (C) -> case lists:member(C, AvaiableCiphers) of
+                               true -> {true, C};
+                               false -> false
+                           end
+                 end,
     MapPSKCiphers = fun(PSKCiphers) ->
-                        lists:map(
-                          fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
-                             ("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
-                             ("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
-                             ("PSK-RC4-SHA") -> {psk, rc4_128, sha}
-                          end, PSKCiphers)
+                      lists:filtermap(fun(C0) ->
+                        case PskMapping(C0) of
+                            false ->
+                              cuttlefish:invalid(
+                                io_lib:format("psk_ciphers: not support ~s", [C0]));
+                            {true, C} ->
+                                {true, C}
+                        end
+                      end, PSKCiphers)
                     end,
 
     Split = fun(undefined) -> undefined; (S) -> string:tokens(S, ",") end,
diff --git a/apps/emqx_exproto/etc/emqx_exproto.conf b/apps/emqx_exproto/etc/emqx_exproto.conf
index ae79e1a42..712442eb9 100644
--- a/apps/emqx_exproto/etc/emqx_exproto.conf
+++ b/apps/emqx_exproto/etc/emqx_exproto.conf
@@ -224,7 +224,7 @@ exproto.listener.protoname.reuseaddr = true
 ## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-#exproto.listener.protoname.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+#exproto.listener.protoname.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
 
 ## SSL parameter renegotiation is a feature that allows a client and a server
 ## to renegotiate the parameters of the SSL connection on the fly.
diff --git a/apps/emqx_exproto/priv/emqx_exproto.schema b/apps/emqx_exproto/priv/emqx_exproto.schema
index fb114dc77..e8a210c2d 100644
--- a/apps/emqx_exproto/priv/emqx_exproto.schema
+++ b/apps/emqx_exproto/priv/emqx_exproto.schema
@@ -274,13 +274,30 @@ end}.
                           {reuseaddr, cuttlefish:conf_get(Prefix ++ ".reuseaddr", Conf, undefined)}])
               end,
     SplitFun = fun(undefined) -> undefined; (S) -> string:tokens(S, ",") end,
+    AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
+                       "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
+                       "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
+                      ],
+    %% Compatible with legacy PSK Cipher strings
+    PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
+                    ("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
+                    ("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
+                    ("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
+                    (C) -> case lists:member(C, AvaiableCiphers) of
+                               true -> {true, C};
+                               false -> false
+                           end
+                 end,
     MapPSKCiphers = fun(PSKCiphers) ->
-                      lists:map(
-                          fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
-                             ("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
-                             ("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
-                             ("PSK-RC4-SHA") -> {psk, rc4_128, sha}
-                          end, PSKCiphers)
+                      lists:filtermap(fun(C0) ->
+                        case PskMapping(C0) of
+                            false ->
+                              cuttlefish:invalid(
+                                io_lib:format("psk_ciphers: not support ~s", [C0]));
+                            {true, C} ->
+                                {true, C}
+                        end
+                      end, PSKCiphers)
                     end,
     SslOpts = fun(Prefix) ->
                   Versions = case SplitFun(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf, undefined)) of
diff --git a/apps/emqx_lwm2m/priv/emqx_lwm2m.schema b/apps/emqx_lwm2m/priv/emqx_lwm2m.schema
index ded81df05..d459d74b8 100644
--- a/apps/emqx_lwm2m/priv/emqx_lwm2m.schema
+++ b/apps/emqx_lwm2m/priv/emqx_lwm2m.schema
@@ -190,21 +190,41 @@ end}.
       case cuttlefish:conf_get("lwm2m.dtls.ciphers", Conf, undefined) of
           undefined ->
               [];
-          C ->
-              [{ciphers, SplitFun(C)}]
+          Ciphers0 ->
+              [{ciphers, SplitFun(Ciphers0)}]
       end,
   PskCiphers =
       case cuttlefish:conf_get("lwm2m.dtls.psk_ciphers", Conf, undefined) of
           undefined ->
               [];
           C2 ->
-              Psk = lists:map(fun("PSK-AES128-CBC-SHA") -> "RSA-PSK-AES128-CBC-SHA";
-                                 ("PSK-AES256-CBC-SHA") -> "RSA-PSK-AES256-CBC-SHA";
-                                 ("PSK-3DES-EDE-CBC-SHA") -> "RSA-PSK-3DES-EDE-CBC-SHA";
-                                 ("PSK-RC4-SHA") -> "RSA-PSK-RC4-SHA";
-                                 (Suite) -> Suite
-                              end, SplitFun(C2)),
-              [{ciphers, Psk}, {user_lookup_fun, {fun emqx_psk:lookup/3, <<>>}}]
+              AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
+                                 "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
+                                 "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
+                                ],
+              %% Compatible with legacy PSK Cipher strings
+              PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
+                              ("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
+                              ("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
+                              ("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
+                              (C) -> case lists:member(C, AvaiableCiphers) of
+                                         true -> {true, C};
+                                         false -> false
+                                     end
+                           end,
+              MapPSKCiphers = fun(PSKCiphers) ->
+                                lists:filtermap(fun(C0) ->
+                                  case PskMapping(C0) of
+                                      false ->
+                                        cuttlefish:invalid(
+                                          io_lib:format("psk_ciphers: not support ~s", [C0]));
+                                      {true, C} ->
+                                          {true, C}
+                                  end
+                                end, PSKCiphers)
+                              end,
+              [{ciphers, MapPSKCiphers(SplitFun(C2))},
+               {user_lookup_fun, {fun emqx_psk:lookup/3, <<>>}}]
       end,
   Ciphers /= []
   andalso PskCiphers /= []