fix(lwm2m): add support for new cipher suites

prior to this change, the schema does not allow newer cipher suites, and the default ciperhs given in the conf file is likely not supported by some clients (which only supports dtls v1.2)
2021-10-20 23:03:44 +02:00 · 2021-10-20 23:03:44 +02:00 · 4896c03881
parent d2f4c55fd7
commit 4896c03881
3 changed files with 11 additions and 10 deletions
--- a/apps/emqx_lwm2m/etc/emqx_lwm2m.conf
+++ b/apps/emqx_lwm2m/etc/emqx_lwm2m.conf
@ -146,4 +146,4 @@ lwm2m.dtls.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,E
 ## Note that 'lwm2m.dtls.ciphers' and 'lwm2m.dtls.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-#lwm2m.dtls.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+#lwm2m.dtls.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
--- a/apps/emqx_lwm2m/priv/emqx_lwm2m.schema
+++ b/apps/emqx_lwm2m/priv/emqx_lwm2m.schema
@ -185,7 +185,7 @@ end}.
  OldCert = cuttlefish:conf_get("lwm2m.certfile", Conf, undefined),

  %% Ciphers
-  SplitFun = fun(undefined) -> undefined; (S) -> string:tokens(S, ",") end,
+  SplitFun = fun(undefined) -> []; (S) -> string:tokens(S, ",") end,
  Ciphers =
      case cuttlefish:conf_get("lwm2m.dtls.ciphers", Conf, undefined) of
          undefined ->
@ -198,16 +198,17 @@ end}.
          undefined ->
              [];
          C2 ->
-              Psk = lists:map(fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
-                                     ("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
-                                     ("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
-                                     ("PSK-RC4-SHA") -> {psk, rc4_128, sha}
-                                  end, SplitFun(C2)),
+              Psk = lists:map(fun("PSK-AES128-CBC-SHA") -> "RSA-PSK-AES128-CBC-SHA";
+                                 ("PSK-AES256-CBC-SHA") -> "RSA-PSK-AES256-CBC-SHA";
+                                 ("PSK-3DES-EDE-CBC-SHA") -> "RSA-PSK-3DES-EDE-CBC-SHA";
+                                 ("PSK-RC4-SHA") -> "RSA-PSK-RC4-SHA";
+                                 (Suite) -> Suite
+                              end, SplitFun(C2)),
              [{ciphers, Psk}, {user_lookup_fun, {fun emqx_psk:lookup/3, <<>>}}]
      end,
  Ciphers /= []
-      andalso PskCiphers /= []
-         andalso cuttlefish:invalid("The 'lwm2m.dtls.ciphers' and 'lwm2m.dtls.psk_ciphers' cannot exist simultaneously."),
+  andalso PskCiphers /= []
+  andalso cuttlefish:invalid("The 'lwm2m.dtls.ciphers' and 'lwm2m.dtls.psk_ciphers' cannot coexist"),

  NCiphers = Ciphers ++ PskCiphers,

--- a/apps/emqx_lwm2m/src/emqx_lwm2m.app.src
+++ b/apps/emqx_lwm2m/src/emqx_lwm2m.app.src
@ -1,6 +1,6 @@
 {application,emqx_lwm2m,
             [{description,"EMQ X LwM2M Gateway"},
-              {vsn, "4.3.3"}, % strict semver, bump manually!
+              {vsn, "4.3.4"}, % strict semver, bump manually!
              {modules,[]},
              {registered,[emqx_lwm2m_sup]},
              {applications,[kernel,stdlib,lwm2m_coap]},