yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #7427 from HJianBo/fix-psk-cipher 

Fix psk cipher suites
This commit is contained in:
JianBo He 2022-04-06 16:04:53 +08:00 committed by GitHub
parent a35e0adf51 c603b2c7e3
commit bbda2e4dfa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 217 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES-4.3.md
View File

@ -19,6 +19,9 @@ File format:
* add api: PUT /rules/{id}/reset_metrics.
This api reset the metrics of the rule engine of a rule, and reset the metrics of the action related to this rule. [#7474]
* Enhanced rule engine error handling when json parsing error.
* Add support for `RSA-PSK-AES256-GCM-SHA384`, `RSA-PSK-AES256-CBC-SHA384`,
`RSA-PSK-AES128-GCM-SHA256`, `RSA-PSK-AES128-CBC-SHA256` PSK ciphers, and remove `PSK-3DES-EDE-CBC-SHA`,
`PSK-RC4-SHA` from the default configuration. [#7427]
### Bug fixes

2
apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf
View File

@ -129,7 +129,7 @@ bridge.mqtt.aws.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHAC
## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
## be configured at the same time.
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
#bridge.mqtt.aws.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
#bridge.mqtt.aws.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
## Ping interval of a down bridge.
##

28
apps/emqx_bridge_mqtt/priv/emqx_bridge_mqtt.schema
View File

@ -134,13 +134,29 @@
]}.
{translation, "emqx_bridge_mqtt.bridges", fun(Conf) ->
AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
],
%% Compatible with legacy PSK Cipher strings
PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
(C) -> case lists:member(C, AvaiableCiphers) of
true -> {true, C};
false -> false
end
end,
MapPSKCiphers = fun(PSKCiphers) ->
lists:map(
fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
("PSK-RC4-SHA") -> {psk, rc4_128, sha}
lists:filtermap(fun(C0) ->
case PskMapping(C0) of
false ->
cuttlefish:invalid(
io_lib:format("psk_ciphers: not support ~s", [C0]));
{true, C} ->
{true, C}
end
end, PSKCiphers)
end,

2
apps/emqx_bridge_mqtt/src/emqx_bridge_mqtt.app.src
View File

@ -1,6 +1,6 @@
{application, emqx_bridge_mqtt,
[{description, "EMQ X Bridge to MQTT Broker"},
{vsn, "4.3.4"}, % strict semver, bump manually!
{vsn, "4.3.5"}, % strict semver, bump manually!
{modules, []},
{registered, []},
{applications, [kernel,stdlib,replayq,emqtt]},

6
apps/emqx_bridge_mqtt/src/emqx_bridge_mqtt.appup.src
View File

@ -1,6 +1,10 @@
%% -*-: erlang -*-
{VSN,
[
{"4.3.4", [
%% There are only changes to the schema file, so we don't need
%% any commands here.
]},
{"4.3.3", [
{load_module, emqx_bridge_mqtt, brutal_purge, soft_purge, []}
]},
@ -16,6 +20,8 @@
{<<".*">>, []}
],
[
{"4.3.4", [
]},
{"4.3.3", [
{load_module, emqx_bridge_mqtt, brutal_purge, soft_purge, []}
]},

2
apps/emqx_exproto/etc/emqx_exproto.conf
View File

@ -224,7 +224,7 @@ exproto.listener.protoname.reuseaddr = true
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
## be configured at the same time.
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
#exproto.listener.protoname.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
#exproto.listener.protoname.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
## SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.

27
apps/emqx_exproto/priv/emqx_exproto.schema
View File

@ -274,12 +274,29 @@ end}.
{reuseaddr, cuttlefish:conf_get(Prefix ++ ".reuseaddr", Conf, undefined)}])
end,
SplitFun = fun(undefined) -> undefined; (S) -> string:tokens(S, ",") end,
AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
],
%% Compatible with legacy PSK Cipher strings
PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
(C) -> case lists:member(C, AvaiableCiphers) of
true -> {true, C};
false -> false
end
end,
MapPSKCiphers = fun(PSKCiphers) ->
lists:map(
fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
("PSK-RC4-SHA") -> {psk, rc4_128, sha}
lists:filtermap(fun(C0) ->
case PskMapping(C0) of
false ->
cuttlefish:invalid(
io_lib:format("psk_ciphers: not support ~s", [C0]));
{true, C} ->
{true, C}
end
end, PSKCiphers)
end,
SslOpts = fun(Prefix) ->

2
apps/emqx_exproto/src/emqx_exproto.app.src
View File

@ -1,6 +1,6 @@
{application, emqx_exproto,
[{description, "EMQ X Extension for Protocol"},
{vsn, "4.3.6"}, %% 4.3.3 is used by ee
{vsn, "4.3.7"}, %% 4.3.3 is used by ee
{modules, []},
{registered, []},
{mod, {emqx_exproto_app, []}},

10
apps/emqx_exproto/src/emqx_exproto.appup.src
View File

@ -1,6 +1,11 @@
%% -*- mode: erlang -*-
{VSN,
[{<<"4\\.3\\.[4-5]">>,
[
{"4.3.6",
[ %% There are only changes to the schema file, so we don't need any
%% commands here
]},
{<<"4\\.3\\.[4-5]">>,
[{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
{load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]}]},
{<<"4\\.3\\.[2-3]">>,
@ -12,7 +17,8 @@
{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
{load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]}]},
{<<".*">>,[]}],
[{<<"4\\.3\\.[4-5]">>,
[{"4.3.6", []},
{<<"4\\.3\\.[4-5]">>,
[{load_module,emqx_exproto_conn,brutal_purge,soft_purge,[]},
{load_module,emqx_exproto_channel,brutal_purge,soft_purge,[]}]},
{<<"4\\.3\\.[2-3]">>,

38
apps/emqx_lwm2m/priv/emqx_lwm2m.schema
View File

@ -190,21 +190,41 @@ end}.
case cuttlefish:conf_get("lwm2m.dtls.ciphers", Conf, undefined) of
undefined ->
[];
C ->
[{ciphers, SplitFun(C)}]
Ciphers0 ->
[{ciphers, SplitFun(Ciphers0)}]
end,
PskCiphers =
case cuttlefish:conf_get("lwm2m.dtls.psk_ciphers", Conf, undefined) of
undefined ->
[];
C2 ->
Psk = lists:map(fun("PSK-AES128-CBC-SHA") -> "RSA-PSK-AES128-CBC-SHA";
("PSK-AES256-CBC-SHA") -> "RSA-PSK-AES256-CBC-SHA";
("PSK-3DES-EDE-CBC-SHA") -> "RSA-PSK-3DES-EDE-CBC-SHA";
("PSK-RC4-SHA") -> "RSA-PSK-RC4-SHA";
(Suite) -> Suite
end, SplitFun(C2)),
[{ciphers, Psk}, {user_lookup_fun, {fun emqx_psk:lookup/3, <<>>}}]
AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
],
%% Compatible with legacy PSK Cipher strings
PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
(C) -> case lists:member(C, AvaiableCiphers) of
true -> {true, C};
false -> false
end
end,
MapPSKCiphers = fun(PSKCiphers) ->
lists:filtermap(fun(C0) ->
case PskMapping(C0) of
false ->
cuttlefish:invalid(
io_lib:format("psk_ciphers: not support ~s", [C0]));
{true, C} ->
{true, C}
end
end, PSKCiphers)
end,
[{ciphers, MapPSKCiphers(SplitFun(C2))},
{user_lookup_fun, {fun emqx_psk:lookup/3, <<>>}}]
end,
Ciphers /= []
andalso PskCiphers /= []

2
apps/emqx_lwm2m/src/emqx_lwm2m.app.src
View File

@ -1,6 +1,6 @@
{application,emqx_lwm2m,
[{description,"EMQ X LwM2M Gateway"},
{vsn, "4.3.6"}, % strict semver, bump manually!
{vsn, "4.3.7"}, % strict semver, bump manually!
{modules,[]},
{registered,[emqx_lwm2m_sup]},
{applications,[kernel,stdlib,lwm2m_coap]},

9
apps/emqx_lwm2m/src/emqx_lwm2m.appup.src
View File

@ -10,7 +10,11 @@
[{load_module,emqx_lwm2m_protocol,brutal_purge,soft_purge,[]},
{load_module,emqx_lwm2m_api,brutal_purge,soft_purge,[]}]},
{"4.3.5",
[{load_module,emqx_lwm2m_api,brutal_purge,soft_purge,[]}]}],
[{load_module,emqx_lwm2m_api,brutal_purge,soft_purge,[]}]},
{"4.3.6",
[ %% There are only changes to the schema file, so we don't need any
%% commands here
]}],
[{<<"4\\.3\\.[0-1]">>,
[{restart_application,emqx_lwm2m}]},
{"4.3.2",
@ -21,4 +25,5 @@
[{load_module,emqx_lwm2m_protocol,brutal_purge,soft_purge,[]},
{load_module,emqx_lwm2m_api,brutal_purge,soft_purge,[]}]},
{"4.3.5",
[{load_module,emqx_lwm2m_api,brutal_purge,soft_purge,[]}]}]}.
[{load_module,emqx_lwm2m_api,brutal_purge,soft_purge,[]}]},
{"4.3.6", []}]}.

81
apps/emqx_psk_file/test/emqx_psk_file_SUITE.erl
View File

@ -15,10 +15,85 @@
%%--------------------------------------------------------------------
-module(emqx_psk_file_SUITE).
-compile(nowarn_export_all).
-compile(export_all).
all() -> [].
-include_lib("eunit/include/eunit.hrl").
groups() ->
[].
all() ->
emqx_ct:all(?MODULE).
init_per_suite(Config) ->
emqx_ct_helpers:start_apps([emqx_psk_file], fun set_special_confs/1),
Config.
end_per_suite(_) ->
emqx_ct_helpers:stop_apps([emqx_psk_file]).
set_special_confs(emqx) ->
emqx_ct_helpers:change_emqx_opts(
ssl_twoway, [{ssl_options,
[{versions, ['tlsv1.2','tlsv1.1', tlsv1]},
{ciphers, psk_ciphers()},
{user_lookup_fun,{fun emqx_psk:lookup/3,<<>>}}
]
}]),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, "test/emqx_SUITE_data/loaded_plugins"));
set_special_confs(emqx_psk_file) ->
Path = emqx_ct_helpers:deps_path(emqx_psk_file, "etc/psk.txt"),
application:set_env(emqx_psk_file, path, Path),
application:set_env(emqx_psk_file, delimiter, ":");
set_special_confs(_App) ->
ok.
%%--------------------------------------------------------------------
%% cases
t_psk_loaded(_) ->
?assertEqual({stop, <<"1234">>},
emqx_psk_file:on_psk_lookup(<<"client1">>, undefined)).
t_psk_ciphers(_) ->
lists:foreach(fun(Cipher) ->
{ok, C} = do_emqtt_connect(Cipher),
emqtt:disconnect(C)
end, psk_ciphers()).
do_emqtt_connect(Cipher) ->
{ok, C} = emqtt:start_link(
[{proto_ver, v5},
{port, 8883},
{ssl, true},
{ssl_opts, ssl_opts(Cipher)}
]),
{ok, _} = emqtt:connect(C),
{ok, C}.
psk_ciphers() ->
["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"].
ssl_opts(Cipher) ->
TlsFile = fun(Name) ->
emqx_ct_helpers:app_path(
emqx,
filename:join(["etc", "certs", Name]))
end,
[{cacertfile, TlsFile("cacert.pem")},
{certfile, TlsFile("client-cert.pem")},
{keyfile, TlsFile("client-key.pem")},
{verify, verify_peer},
{server_name_indication, disable},
{protocol, tls},
{versions, ['tlsv1.2', 'tlsv1.1']},
{psk_identity, "client1"},
{user_lookup_fun, {fun ?MODULE:on_psk_client_lookup/3, #{}}},
{ciphers, [Cipher]}
].
on_psk_client_lookup(psk, _PSKId, _UserState) ->
{stop, Psk} = emqx_psk_file:on_psk_lookup(<<"client1">>, undefined),
{ok, Psk}.

4
etc/emqx.conf
View File

@ -1468,7 +1468,7 @@ listener.ssl.external.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TL
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
## be configured at the same time.
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
#listener.ssl.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
#listener.ssl.external.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
## SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
@ -1993,7 +1993,7 @@ listener.wss.external.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TL
## Note that 'listener.wss.external.ciphers' and 'listener.wss.external.psk_ciphers' cannot
## be configured at the same time.
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
## listener.wss.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
## listener.wss.external.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
## See: listener.ssl.$name.secure_renegotiate
##

37
priv/emqx.schema
View File

@ -2060,12 +2060,30 @@ end}.
{reuseaddr, cuttlefish:conf_get(Prefix ++ ".reuseaddr", Conf, undefined)}])
end,
SplitFun = fun(undefined) -> undefined; (S) -> string:tokens(S, ",") end,
%% In erlang, we only support the following PSK ciphers (ssl_cipher:psk_suites(3))
AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
],
%% Compatible with legacy PSK Cipher strings
PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
(C) -> case lists:member(C, AvaiableCiphers) of
true -> {true, C};
false -> false
end
end,
MapPSKCiphers = fun(PSKCiphers) ->
lists:map(
fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
("PSK-RC4-SHA") -> {psk, rc4_128, sha}
lists:filtermap(fun(C0) ->
case PskMapping(C0) of
false ->
cuttlefish:invalid(
io_lib:format("psk_ciphers: not support ~s", [C0]));
{true, C} ->
{true, C}
end
end, PSKCiphers)
end,
SslOpts = fun(Prefix) ->
@ -2082,7 +2100,14 @@ end}.
{TLSCiphers, undefined} ->
SplitFun(TLSCiphers);
{undefined, PSKCiphers} ->
MapPSKCiphers(SplitFun(PSKCiphers));
case Versions == undefined orelse lists:member('tlsv1.3', Versions) of
true ->
cuttlefish:invalid(
Prefix++".tls_versions cannot contain tlsv1.3 "
"if "++Prefix++".psk_ciphers is configured");
_ ->
MapPSKCiphers(SplitFun(PSKCiphers))
end;
{_TLSCiphers, _PSKCiphers} ->
cuttlefish:invalid(Prefix++".ciphers and "++Prefix++".psk_ciphers cannot be configured at the same time")
end,

1
rebar.config
View File

@ -6,6 +6,7 @@
%% with rebar.config.erl module. Final result is written to
%% rebar.config.rendered if environment DEBUG is set.
{minimum_otp_vsn, "23"}.
{edoc_opts, [{preprocess,true}]}.
{erl_opts, [warn_unused_vars,warn_shadow_vars,warn_unused_import,
warn_obsolete_guard,compressed,