mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-28 00:21:48 +03:00
.github
3rdparty
ChangeLog.d
cmake
configs
docs
doxygen
include
library
programs
scripts
tests
.jenkins
configs
data_files
docker
git-scripts
include
opt-testcases
scripts
all-in-docker.sh
all.sh
analyze_outcomes.py
basic-build-test.sh
basic-in-docker.sh
check-doxy-blocks.pl
check-generated-files.sh
check-python-files.sh
check_files.py
check_names.py
check_test_cases.py
depends.py
docker_env.sh
doxygen.sh
gen_ctr_drbg.pl
gen_gcm_decrypt.pl
gen_gcm_encrypt.pl
gen_pkcs1_v21_sign_verify.pl
generate-afl-tests.sh
generate_bignum_tests.py
generate_psa_tests.py
generate_test_code.py
generate_tls13_compat_tests.py
list-identifiers.sh
list_internal_identifiers.py
psa_collect_statuses.py
recursion.pl
run-test-suites.pl
scripts_path.py
set_psa_test_dependencies.py
tcp_client.pl
test-ref-configs.pl
test_config_script.py
test_generate_test_code.py
test_psa_compliance.py
test_psa_constant_names.py
test_zeroize.gdb
translate_ciphers.py
travis-log-failure.sh
src
suites
.gitignore
CMakeLists.txt
Descriptions.txt
Makefile
compat-in-docker.sh
compat.sh
context-info.sh
make-in-docker.sh
ssl-opt-in-docker.sh
ssl-opt.sh
visualc
.gitattributes
.gitignore
.globalrc
.mypy.ini
.pylintrc
.travis.yml
BRANCHES.md
BUGS.md
CMakeLists.txt
CONTRIBUTING.md
ChangeLog
DartConfiguration.tcl
LICENSE
Makefile
README.md
SECURITY.md
SUPPORT.md
dco.txt
The list was trimmed previously according to code coverage, however this did not really evalute all test cases, e.g in the case of re.sub or m_cipher.replace. These lines are executed no matter what, so code coverage is not suitable. I have gone through each step in the translate functions and made sure there is at least one ciphersuite per step Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
160 lines
5.1 KiB
Python
Executable File
160 lines
5.1 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
|
|
# translate_ciphers.py
|
|
#
|
|
# Copyright The Mbed TLS Contributors
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
"""
|
|
Translate ciphersuite names in Mbed TLS format to OpenSSL and GNUTLS
|
|
standards.
|
|
|
|
To test the translation functions run:
|
|
python3 -m unittest translate_cipher.py
|
|
"""
|
|
|
|
import re
|
|
import argparse
|
|
import unittest
|
|
|
|
class TestTranslateCiphers(unittest.TestCase):
|
|
"""
|
|
Ensure translate_ciphers.py translates and formats ciphersuite names
|
|
correctly
|
|
"""
|
|
def test_translate_all_cipher_names(self):
|
|
"""
|
|
Translate MbedTLS ciphersuite names to their OpenSSL and
|
|
GnuTLS counterpart. Use only a small subset of ciphers
|
|
that exercise each step of the translate functions
|
|
"""
|
|
ciphers = [
|
|
("TLS-ECDHE-ECDSA-WITH-NULL-SHA",
|
|
"+ECDHE-ECDSA:+NULL:+SHA1",
|
|
"ECDHE-ECDSA-NULL-SHA"),
|
|
("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
|
|
"+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
|
|
"ECDHE-ECDSA-AES128-GCM-SHA256"),
|
|
("TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
|
|
"+DHE-RSA:+3DES-CBC:+SHA1",
|
|
"EDH-RSA-DES-CBC3-SHA"),
|
|
("TLS-RSA-WITH-AES-256-CBC-SHA",
|
|
"+RSA:+AES-256-CBC:+SHA1",
|
|
"AES256-SHA"),
|
|
("TLS-PSK-WITH-3DES-EDE-CBC-SHA",
|
|
"+PSK:+3DES-CBC:+SHA1",
|
|
"PSK-3DES-EDE-CBC-SHA"),
|
|
("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
|
|
None,
|
|
"ECDHE-ECDSA-CHACHA20-POLY1305"),
|
|
("TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
|
|
"+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
|
|
None),
|
|
("TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
|
|
None,
|
|
"ECDHE-ARIA256-GCM-SHA384"),
|
|
]
|
|
|
|
for m, g_exp, o_exp in ciphers:
|
|
|
|
if g_exp is not None:
|
|
g = translate_gnutls(m)
|
|
self.assertEqual(g, g_exp)
|
|
|
|
if o_exp is not None:
|
|
o = translate_ossl(m)
|
|
self.assertEqual(o, o_exp)
|
|
|
|
def translate_gnutls(m_cipher):
|
|
"""
|
|
Translate m_cipher from Mbed TLS ciphersuite naming convention
|
|
and return the GnuTLS naming convention
|
|
"""
|
|
|
|
m_cipher = re.sub(r'\ATLS-', '+', m_cipher)
|
|
m_cipher = m_cipher.replace("-WITH-", ":+")
|
|
m_cipher = m_cipher.replace("-EDE", "")
|
|
|
|
# SHA in Mbed TLS == SHA1 GnuTLS,
|
|
# if the last 3 chars are SHA append 1
|
|
if m_cipher[-3:] == "SHA":
|
|
m_cipher = m_cipher+"1"
|
|
|
|
# CCM or CCM-8 should be followed by ":+AEAD"
|
|
# Replace "GCM:+SHAxyz" with "GCM:+AEAD"
|
|
if "CCM" in m_cipher or "GCM" in m_cipher:
|
|
m_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", m_cipher)
|
|
m_cipher = m_cipher+":+AEAD"
|
|
|
|
# Replace the last "-" with ":+"
|
|
else:
|
|
index = m_cipher.rindex("-")
|
|
m_cipher = m_cipher[:index] + ":+" + m_cipher[index+1:]
|
|
|
|
return m_cipher
|
|
|
|
def translate_ossl(m_cipher):
|
|
"""
|
|
Translate m_cipher from Mbed TLS ciphersuite naming convention
|
|
and return the OpenSSL naming convention
|
|
"""
|
|
|
|
m_cipher = re.sub(r'^TLS-', '', m_cipher)
|
|
m_cipher = m_cipher.replace("-WITH", "")
|
|
|
|
# Remove the "-" from "ABC-xyz"
|
|
m_cipher = m_cipher.replace("AES-", "AES")
|
|
m_cipher = m_cipher.replace("CAMELLIA-", "CAMELLIA")
|
|
m_cipher = m_cipher.replace("ARIA-", "ARIA")
|
|
|
|
# Remove "RSA" if it is at the beginning
|
|
m_cipher = re.sub(r'^RSA-', r'', m_cipher)
|
|
|
|
# For all circumstances outside of PSK
|
|
if "PSK" not in m_cipher:
|
|
m_cipher = m_cipher.replace("-EDE", "")
|
|
m_cipher = m_cipher.replace("3DES-CBC", "DES-CBC3")
|
|
|
|
# Remove "CBC" if it is not prefixed by DES
|
|
m_cipher = re.sub(r'(?<!DES-)CBC-', r'', m_cipher)
|
|
|
|
# ECDHE-RSA-ARIA does not exist in OpenSSL
|
|
m_cipher = m_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
|
|
|
|
# POLY1305 should not be followed by anything
|
|
if "POLY1305" in m_cipher:
|
|
index = m_cipher.rindex("POLY1305")
|
|
m_cipher = m_cipher[:index+8]
|
|
|
|
# If DES is being used, Replace DHE with EDH
|
|
if "DES" in m_cipher and "DHE" in m_cipher and "ECDHE" not in m_cipher:
|
|
m_cipher = m_cipher.replace("DHE", "EDH")
|
|
|
|
return m_cipher
|
|
|
|
def format_ciphersuite_names(mode, names):
|
|
t = {"g": translate_gnutls, "o": translate_ossl}[mode]
|
|
return " ".join(t(c) for c in names)
|
|
|
|
def main(target, names):
|
|
print(format_ciphersuite_names(target, names))
|
|
|
|
if __name__ == "__main__":
|
|
PARSER = argparse.ArgumentParser()
|
|
PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g'])
|
|
PARSER.add_argument('names', metavar='NAMES', nargs='+')
|
|
ARGS = PARSER.parse_args()
|
|
main(ARGS.target, ARGS.names)
|