Merge pull request #9493 from lafirest/fix/psk_v4.4

fix(psk): add more PSK ciphers support
2022-12-09 16:10:51 +08:00 · 2022-12-09 16:10:51 +08:00 · e3ed682e8d
parent 925787bc59 a01301a985
commit e3ed682e8d
4 changed files with 15 additions and 5 deletions
--- a/apps/emqx_psk_file/test/emqx_psk_file_SUITE.erl
+++ b/apps/emqx_psk_file/test/emqx_psk_file_SUITE.erl
@ -74,7 +74,10 @@ do_emqtt_connect(Cipher) ->
 psk_ciphers() ->
    ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
     "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
-     "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"].
+     "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA",
+     "PSK-AES256-GCM-SHA384","PSK-AES128-GCM-SHA256",
+     "PSK-AES256-CBC-SHA384","PSK-AES256-CBC-SHA",
+     "PSK-AES128-CBC-SHA256","PSK-AES128-CBC-SHA"].

 ssl_opts(Cipher) ->
    TlsFile = fun(Name) ->
--- a/changes/v4.4.12-en.md
+++ b/changes/v4.4.12-en.md
@ -2,6 +2,8 @@

 - Upgrade http client library `ehttpc` from `0.2.1` to `0.4.2` [#9456](https://github.com/emqx/emqx/pull/9456).

+- Add more PSK ciphers support [#9493](https://github.com/emqx/emqx/pull/9493).
+
 ### Bug Fixes

 - Fixed load bootstrap file when no bootstrap user in `mqtt_app` [#9474](https://github.com/emqx/emqx/pull/9474).
--- a/changes/v4.4.12-zh.md
+++ b/changes/v4.4.12-zh.md
@ -2,6 +2,8 @@

 - HTTP 客户端库 `ehttpc` 从 `0.2.1` 升级到 `0.4.2` [#9456](https://github.com/emqx/emqx/pull/9456)。

+- 支持更多的 PSK 密码套件[#9493](https://github.com/emqx/emqx/pull/9493)。
+
 ### 修复

 - 修复 mqtt_app 表内没有 boostrap user 里未导入用户的问题 [#9474](https://github.com/emqx/emqx/pull/9474).
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@ -2290,12 +2290,15 @@ end}.
    %% In erlang, we only support the following PSK ciphers (ssl_cipher:psk_suites(3))
    AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
                       "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
-                       "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
+                       "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA",
+                       %% The below ciphers are supported
+                       %% But they aren't visible in `ssl:cipher_suites`
+                       "PSK-AES256-GCM-SHA384","PSK-AES128-GCM-SHA256",
+                       "PSK-AES256-CBC-SHA384","PSK-AES256-CBC-SHA",
+                       "PSK-AES128-CBC-SHA256","PSK-AES128-CBC-SHA"
                      ],
    %% Compatible with legacy PSK Cipher strings
-    PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
-                    ("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
-                    ("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
+    PskMapping = fun("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
                    ("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
                    (C) -> case lists:member(C, AvaiableCiphers) of
                               true -> {true, C};