Merge pull request #9505 from lafirest/fix/psk_r50

fix(psk): Add more PSK ciphers support
2022-12-09 00:00:52 +08:00 · 2022-12-09 00:00:52 +08:00 · 3705d5bc73
parent 9da12a0814 90adad70b7
commit 3705d5bc73
4 changed files with 69 additions and 3 deletions
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@ -166,7 +166,20 @@ all_ciphers(['tlsv1.3']) ->
 all_ciphers(Versions) ->
    %% assert non-empty
    List = lists:append([ssl:cipher_suites(all, V, openssl) || V <- Versions]),
-    [_ | _] = dedup(List).
+
+    %% Some PSK ciphers are both supported by OpenSSL and Erlang, but they need manual add here.
+    %% Found by this cmd
+    %% openssl ciphers -v|grep ^PSK| awk '{print $1}'| sed  "s/^/\"/;s/$/\"/" | tr "\n" ","
+    %% Then remove the ciphers that aren't supported by Erlang
+    PSK = [
+        "PSK-AES256-GCM-SHA384",
+        "PSK-AES128-GCM-SHA256",
+        "PSK-AES256-CBC-SHA384",
+        "PSK-AES256-CBC-SHA",
+        "PSK-AES128-CBC-SHA256",
+        "PSK-AES128-CBC-SHA"
+    ],
+    [_ | _] = dedup(List ++ PSK).

 %% @doc All Pre-selected TLS ciphers.
 default_ciphers() ->
--- a/apps/emqx_psk/test/emqx_psk_SUITE.erl
+++ b/apps/emqx_psk/test/emqx_psk_SUITE.erl
@ -24,8 +24,13 @@
 -define(CR, 13).
 -define(LF, 10).

-all() ->
-    emqx_common_test_helpers:all(?MODULE).
+all() -> [{group, normal}, {group, ciphers}].
+
+groups() ->
+    [
+        {normal, [], emqx_common_test_helpers:all(?MODULE)},
+        {ciphers, [], [ciphers_test]}
+    ].

 init_per_suite(Config) ->
    meck:new(emqx_config, [non_strict, passthrough, no_history, no_link]),
@ -128,3 +133,47 @@ t_trim_crlf(_) ->
    ?assertEqual(Bin, emqx_psk:trim_crlf(Bin)),
    ?assertEqual(Bin, emqx_psk:trim_crlf(<<Bin/binary, ?LF>>)),
    ?assertEqual(Bin, emqx_psk:trim_crlf(<<Bin/binary, ?CR, ?LF>>)).
+
+ciphers_test(Config) ->
+    Ciphers = [
+        "PSK-AES256-GCM-SHA384",
+        "PSK-AES128-GCM-SHA256",
+        "PSK-AES256-CBC-SHA384",
+        "PSK-AES256-CBC-SHA",
+        "PSK-AES128-CBC-SHA256",
+        "PSK-AES128-CBC-SHA"
+    ],
+    lists:foreach(fun(Cipher) -> cipher_test(Cipher, Config) end, Ciphers).
+
+cipher_test(Cipher, _) ->
+    ct:pal("Test PSK with Cipher:~p~n", [Cipher]),
+    PSKIdentity1 = "myclient1",
+    SharedSecret1 = <<"8c701116e9127c57a99d5563709af3deaca75563e2c4dd0865701ae839fb6d79">>,
+
+    ClientLookup = fun
+        (psk, undefined, _) -> {ok, SharedSecret1};
+        (psk, _, _) -> error
+    end,
+
+    ClientTLSOpts = #{
+        versions => ['tlsv1.2'],
+        ciphers => [Cipher],
+        psk_identity => PSKIdentity1,
+        verify => verify_none,
+        user_lookup_fun => {ClientLookup, undefined}
+    },
+
+    ServerTLSOpts = #{
+        versions => ['tlsv1.2'],
+        ciphers => [Cipher],
+        verify => verify_none,
+        reuseaddr => true,
+        user_lookup_fun => {fun emqx_tls_psk:lookup/3, undefined}
+    },
+    emqx_config:put([listeners, ssl, default, ssl_options], ServerTLSOpts),
+    emqx_listeners:restart_listener('ssl:default'),
+
+    {ok, Socket} = ssl:connect("127.0.0.1", 8883, maps:to_list(ClientTLSOpts)),
+    ssl:close(Socket),
+
+    ok.
--- a/changes/v5.0.12-en.md
+++ b/changes/v5.0.12-en.md
@ -16,6 +16,8 @@

 - Redesign `/rules` API to make `metrics` a dedicated resources rather than being included with every response [#9461](https://github.com/emqx/emqx/pull/9461).

+- Add more PSK ciphers support [#9505](https://github.com/emqx/emqx/pull/9505).
+
 ## Bug fixes

 - Fix that the obsolete SSL files aren't deleted after the ExHook config update [#9432](https://github.com/emqx/emqx/pull/9432).
--- a/changes/v5.0.12-zh.md
+++ b/changes/v5.0.12-zh.md
@ -16,6 +16,8 @@

 - 重新设计了 `/rules` API，将  `metrics` 改为专用资源，而不再是包含在每个响应中 [#9461](https://github.com/emqx/emqx/pull/9461)。

+- 支持更多的 PSK 密码套件[#9505](https://github.com/emqx/emqx/pull/9505)。
+
 ## 修复

 - 修复 ExHook 更新 SSL 相关配置后，过时的 SSL 文件没有被删除的问题 [#9432](https://github.com/emqx/emqx/pull/9432)。