cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4813 from JoeSubbiani/TranslateCiphersuite_dev

Browse Source 
Translate ciphersuite names
This commit is contained in:
Ronald Cron 2021-09-27 08:57:52 +02:00 committed by GitHub
commit 27f84fc75c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 239 additions and 279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

352
tests/compat.sh
View File

@ -236,60 +236,46 @@ reset_ciphersuites()
G_CIPHERS=""
}
check_translation()
{
if [ $1 -ne 0 ]; then
echo "translate_ciphers.py failed with exit code $1" >&2
echo "$2" >&2
exit 1
fi
}
# Ciphersuites that can be used with all peers.
# Since we currently have three possible peers, each ciphersuite should appear
# three times: in each peer's list (with the name that this peer uses).
add_common_ciphersuites()
{
CIPHERS=""
case $TYPE in
"ECDSA")
if [ `minor_ver "$MODE"` -gt 0 ]
then
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-ECDHE-ECDSA-WITH-NULL-SHA \
TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA \
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA \
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-ECDSA:+NULL:+SHA1 \
+ECDHE-ECDSA:+3DES-CBC:+SHA1 \
+ECDHE-ECDSA:+AES-128-CBC:+SHA1 \
+ECDHE-ECDSA:+AES-256-CBC:+SHA1 \
"
O_CIPHERS="$O_CIPHERS \
ECDHE-ECDSA-NULL-SHA \
ECDHE-ECDSA-DES-CBC3-SHA \
ECDHE-ECDSA-AES128-SHA \
ECDHE-ECDSA-AES256-SHA \
"
fi
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-ECDSA:+AES-128-CBC:+SHA256 \
+ECDHE-ECDSA:+AES-256-CBC:+SHA384 \
+ECDHE-ECDSA:+AES-128-GCM:+AEAD \
+ECDHE-ECDSA:+AES-256-GCM:+AEAD \
"
O_CIPHERS="$O_CIPHERS \
ECDHE-ECDSA-AES128-SHA256 \
ECDHE-ECDSA-AES256-SHA384 \
ECDHE-ECDSA-AES128-GCM-SHA256 \
ECDHE-ECDSA-AES256-GCM-SHA384 \
"
fi
;;
"RSA")
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
TLS-DHE-RSA-WITH-AES-256-CBC-SHA \
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA \
@ -303,58 +289,18 @@ add_common_ciphersuites()
TLS-RSA-WITH-NULL-MD5 \
TLS-RSA-WITH-NULL-SHA \
"
G_CIPHERS="$G_CIPHERS \
+DHE-RSA:+AES-128-CBC:+SHA1 \
+DHE-RSA:+AES-256-CBC:+SHA1 \
+DHE-RSA:+CAMELLIA-128-CBC:+SHA1 \
+DHE-RSA:+CAMELLIA-256-CBC:+SHA1 \
+DHE-RSA:+3DES-CBC:+SHA1 \
+RSA:+AES-256-CBC:+SHA1 \
+RSA:+CAMELLIA-256-CBC:+SHA1 \
+RSA:+AES-128-CBC:+SHA1 \
+RSA:+CAMELLIA-128-CBC:+SHA1 \
+RSA:+3DES-CBC:+SHA1 \
+RSA:+NULL:+MD5 \
+RSA:+NULL:+SHA1 \
"
O_CIPHERS="$O_CIPHERS \
DHE-RSA-AES128-SHA \
DHE-RSA-AES256-SHA \
DHE-RSA-CAMELLIA128-SHA \
DHE-RSA-CAMELLIA256-SHA \
EDH-RSA-DES-CBC3-SHA \
AES256-SHA \
CAMELLIA256-SHA \
AES128-SHA \
CAMELLIA128-SHA \
DES-CBC3-SHA \
NULL-MD5 \
NULL-SHA \
"
if [ `minor_ver "$MODE"` -gt 0 ]
then
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA \
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA \
TLS-ECDHE-RSA-WITH-NULL-SHA \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-RSA:+AES-128-CBC:+SHA1 \
+ECDHE-RSA:+AES-256-CBC:+SHA1 \
+ECDHE-RSA:+3DES-CBC:+SHA1 \
+ECDHE-RSA:+NULL:+SHA1 \
"
O_CIPHERS="$O_CIPHERS \
ECDHE-RSA-AES256-SHA \
ECDHE-RSA-AES128-SHA \
ECDHE-RSA-DES-CBC3-SHA \
ECDHE-RSA-NULL-SHA \
"
fi
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-RSA-WITH-AES-128-CBC-SHA256 \
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 \
TLS-RSA-WITH-AES-256-CBC-SHA256 \
@ -367,62 +313,36 @@ add_common_ciphersuites()
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 \
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 \
"
G_CIPHERS="$G_CIPHERS \
+RSA:+AES-128-CBC:+SHA256 \
+DHE-RSA:+AES-128-CBC:+SHA256 \
+RSA:+AES-256-CBC:+SHA256 \
+DHE-RSA:+AES-256-CBC:+SHA256 \
+ECDHE-RSA:+AES-128-CBC:+SHA256 \
+ECDHE-RSA:+AES-256-CBC:+SHA384 \
+RSA:+AES-128-GCM:+AEAD \
+RSA:+AES-256-GCM:+AEAD \
+DHE-RSA:+AES-128-GCM:+AEAD \
+DHE-RSA:+AES-256-GCM:+AEAD \
+ECDHE-RSA:+AES-128-GCM:+AEAD \
+ECDHE-RSA:+AES-256-GCM:+AEAD \
"
O_CIPHERS="$O_CIPHERS \
NULL-SHA256 \
AES128-SHA256 \
DHE-RSA-AES128-SHA256 \
AES256-SHA256 \
DHE-RSA-AES256-SHA256 \
ECDHE-RSA-AES128-SHA256 \
ECDHE-RSA-AES256-SHA384 \
AES128-GCM-SHA256 \
DHE-RSA-AES128-GCM-SHA256 \
AES256-GCM-SHA384 \
DHE-RSA-AES256-GCM-SHA384 \
ECDHE-RSA-AES128-GCM-SHA256 \
ECDHE-RSA-AES256-GCM-SHA384 \
TLS-RSA-WITH-NULL-SHA256 \
"
fi
;;
"PSK")
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-PSK-WITH-3DES-EDE-CBC-SHA \
TLS-PSK-WITH-AES-128-CBC-SHA \
TLS-PSK-WITH-AES-256-CBC-SHA \
"
G_CIPHERS="$G_CIPHERS \
+PSK:+3DES-CBC:+SHA1 \
+PSK:+AES-128-CBC:+SHA1 \
+PSK:+AES-256-CBC:+SHA1 \
"
O_CIPHERS="$O_CIPHERS \
PSK-3DES-EDE-CBC-SHA \
PSK-AES128-CBC-SHA \
PSK-AES256-CBC-SHA \
"
;;
esac
M_CIPHERS="$M_CIPHERS $CIPHERS"
T=$(./scripts/translate_ciphers.py g $CIPHERS)
check_translation $? "$T"
G_CIPHERS="$G_CIPHERS $T"
T=$(./scripts/translate_ciphers.py o $CIPHERS)
check_translation $? "$T"
O_CIPHERS="$O_CIPHERS $T"
}
# Ciphersuites usable only with Mbed TLS and OpenSSL
# Each ciphersuite should appear two times, once with its OpenSSL name, once
# with its Mbed TLS name.
# A list of ciphersuites in the Mbed TLS convention is compiled and
# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list
# is translated to the OpenSSL naming convention and appended to the list of
# OpenSSL ciphersuites $O_CIPHERS.
#
# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
# so RSA-PSK ciphersuites need to go in other sections, see
@ -432,28 +352,23 @@ add_common_ciphersuites()
# GnuTLS in 3.5.0 and the CI only has 3.4.x so far.
add_openssl_ciphersuites()
{
CIPHERS=""
case $TYPE in
"ECDSA")
if [ `minor_ver "$MODE"` -gt 0 ]
then
M_CIPHERS="$M_CIPHERS \
TLS-ECDH-ECDSA-WITH-NULL-SHA \
CIPHERS="$CIPHERS \
TLS-ECDH-ECDSA-WITH-NULL-SHA \
TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA \
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA \
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA \
"
O_CIPHERS="$O_CIPHERS \
ECDH-ECDSA-NULL-SHA \
ECDH-ECDSA-DES-CBC3-SHA \
ECDH-ECDSA-AES128-SHA \
ECDH-ECDSA-AES256-SHA \
"
fi
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \
CIPHERS="$CIPHERS \
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
@ -461,31 +376,18 @@ add_openssl_ciphersuites()
TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
"
O_CIPHERS="$O_CIPHERS \
ECDH-ECDSA-AES128-SHA256 \
ECDH-ECDSA-AES256-SHA384 \
ECDH-ECDSA-AES128-GCM-SHA256 \
ECDH-ECDSA-AES256-GCM-SHA384 \
ECDHE-ECDSA-ARIA256-GCM-SHA384 \
ECDHE-ECDSA-ARIA128-GCM-SHA256 \
ECDHE-ECDSA-CHACHA20-POLY1305 \
"
fi
;;
"RSA")
M_CIPHERS="$M_CIPHERS \
TLS-RSA-WITH-DES-CBC-SHA \
CIPHERS="$CIPHERS \
TLS-RSA-WITH-DES-CBC-SHA \
TLS-DHE-RSA-WITH-DES-CBC-SHA \
"
O_CIPHERS="$O_CIPHERS \
DES-CBC-SHA \
EDH-RSA-DES-CBC-SHA \
"
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \
CIPHERS="$CIPHERS \
TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \
TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \
TLS-RSA-WITH-ARIA-256-GCM-SHA384 \
TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
@ -494,24 +396,14 @@ add_openssl_ciphersuites()
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
"
O_CIPHERS="$O_CIPHERS \
ECDHE-ARIA256-GCM-SHA384 \
DHE-RSA-ARIA256-GCM-SHA384 \
ARIA256-GCM-SHA384 \
ECDHE-ARIA128-GCM-SHA256 \
DHE-RSA-ARIA128-GCM-SHA256 \
ARIA128-GCM-SHA256 \
DHE-RSA-CHACHA20-POLY1305 \
ECDHE-RSA-CHACHA20-POLY1305 \
"
fi
;;
"PSK")
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \
CIPHERS="$CIPHERS \
TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \
TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \
TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
@ -519,66 +411,47 @@ add_openssl_ciphersuites()
TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
"
O_CIPHERS="$O_CIPHERS \
DHE-PSK-ARIA256-GCM-SHA384 \
DHE-PSK-ARIA128-GCM-SHA256 \
PSK-ARIA256-GCM-SHA384 \
PSK-ARIA128-GCM-SHA256 \
DHE-PSK-CHACHA20-POLY1305 \
ECDHE-PSK-CHACHA20-POLY1305 \
PSK-CHACHA20-POLY1305 \
"
fi
;;
esac
M_CIPHERS="$M_CIPHERS $CIPHERS"
T=$(./scripts/translate_ciphers.py o $CIPHERS)
check_translation $? "$T"
O_CIPHERS="$O_CIPHERS $T"
}
# Ciphersuites usable only with Mbed TLS and GnuTLS
# Each ciphersuite should appear two times, once with its GnuTLS name, once
# with its Mbed TLS name.
# A list of ciphersuites in the Mbed TLS convention is compiled and
# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list
# is translated to the GnuTLS naming convention and appended to the list of
# GnuTLS ciphersuites $G_CIPHERS.
add_gnutls_ciphersuites()
{
CIPHERS=""
case $TYPE in
"ECDSA")
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256 \
+ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384 \
+ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD \
+ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD \
+ECDHE-ECDSA:+AES-128-CCM:+AEAD \
+ECDHE-ECDSA:+AES-256-CCM:+AEAD \
+ECDHE-ECDSA:+AES-128-CCM-8:+AEAD \
+ECDHE-ECDSA:+AES-256-CCM-8:+AEAD \
CIPHERS="$CIPHERS \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
"
fi
;;
"RSA")
if [ `minor_ver "$MODE"` -gt 0 ]
then
M_CIPHERS="$M_CIPHERS \
TLS-RSA-WITH-NULL-SHA256 \
"
G_CIPHERS="$G_CIPHERS \
+RSA:+NULL:+SHA256 \
"
fi
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
@ -600,45 +473,18 @@ add_gnutls_ciphersuites()
TLS-DHE-RSA-WITH-AES-128-CCM-8 \
TLS-DHE-RSA-WITH-AES-256-CCM-8 \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
+ECDHE-RSA:+CAMELLIA-256-CBC:+SHA384 \
+RSA:+CAMELLIA-128-CBC:+SHA256 \
+RSA:+CAMELLIA-256-CBC:+SHA256 \
+DHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
+DHE-RSA:+CAMELLIA-256-CBC:+SHA256 \
+ECDHE-RSA:+CAMELLIA-128-GCM:+AEAD \
+ECDHE-RSA:+CAMELLIA-256-GCM:+AEAD \
+DHE-RSA:+CAMELLIA-128-GCM:+AEAD \
+DHE-RSA:+CAMELLIA-256-GCM:+AEAD \
+RSA:+CAMELLIA-128-GCM:+AEAD \
+RSA:+CAMELLIA-256-GCM:+AEAD \
+RSA:+AES-128-CCM:+AEAD \
+RSA:+AES-256-CCM:+AEAD \
+RSA:+AES-128-CCM-8:+AEAD \
+RSA:+AES-256-CCM-8:+AEAD \
+DHE-RSA:+AES-128-CCM:+AEAD \
+DHE-RSA:+AES-256-CCM:+AEAD \
+DHE-RSA:+AES-128-CCM-8:+AEAD \
+DHE-RSA:+AES-256-CCM-8:+AEAD \
"
fi
;;
"PSK")
M_CIPHERS="$M_CIPHERS \
TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA \
TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
TLS-DHE-PSK-WITH-AES-256-CBC-SHA \
"
G_CIPHERS="$G_CIPHERS \
+DHE-PSK:+3DES-CBC:+SHA1 \
+DHE-PSK:+AES-128-CBC:+SHA1 \
+DHE-PSK:+AES-256-CBC:+SHA1 \
CIPHERS="$CIPHERS \
TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA \
TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
TLS-DHE-PSK-WITH-AES-256-CBC-SHA \
"
if [ `minor_ver "$MODE"` -gt 0 ]
then
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \
TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA \
@ -646,18 +492,10 @@ add_gnutls_ciphersuites()
TLS-RSA-PSK-WITH-AES-256-CBC-SHA \
TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-PSK:+3DES-CBC:+SHA1 \
+ECDHE-PSK:+AES-128-CBC:+SHA1 \
+ECDHE-PSK:+AES-256-CBC:+SHA1 \
+RSA-PSK:+3DES-CBC:+SHA1 \
+RSA-PSK:+AES-256-CBC:+SHA1 \
+RSA-PSK:+AES-128-CBC:+SHA1 \
"
fi
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
CIPHERS="$CIPHERS \
TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
@ -703,55 +541,15 @@ add_gnutls_ciphersuites()
TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 \
TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-PSK:+AES-256-CBC:+SHA384 \
+ECDHE-PSK:+CAMELLIA-256-CBC:+SHA384 \
+ECDHE-PSK:+AES-128-CBC:+SHA256 \
+ECDHE-PSK:+CAMELLIA-128-CBC:+SHA256 \
+PSK:+AES-128-CBC:+SHA256 \
+PSK:+AES-256-CBC:+SHA384 \
+DHE-PSK:+AES-128-CBC:+SHA256 \
+DHE-PSK:+AES-256-CBC:+SHA384 \
+RSA-PSK:+AES-256-CBC:+SHA384 \
+RSA-PSK:+AES-128-CBC:+SHA256 \
+DHE-PSK:+CAMELLIA-128-CBC:+SHA256 \
+DHE-PSK:+CAMELLIA-256-CBC:+SHA384 \
+PSK:+CAMELLIA-128-CBC:+SHA256 \
+PSK:+CAMELLIA-256-CBC:+SHA384 \
+RSA-PSK:+CAMELLIA-256-CBC:+SHA384 \
+RSA-PSK:+CAMELLIA-128-CBC:+SHA256 \
+PSK:+AES-128-GCM:+AEAD \
+PSK:+AES-256-GCM:+AEAD \
+DHE-PSK:+AES-128-GCM:+AEAD \
+DHE-PSK:+AES-256-GCM:+AEAD \
+PSK:+AES-128-CCM:+AEAD \
+PSK:+AES-256-CCM:+AEAD \
+DHE-PSK:+AES-128-CCM:+AEAD \
+DHE-PSK:+AES-256-CCM:+AEAD \
+PSK:+AES-128-CCM-8:+AEAD \
+PSK:+AES-256-CCM-8:+AEAD \
+DHE-PSK:+AES-128-CCM-8:+AEAD \
+DHE-PSK:+AES-256-CCM-8:+AEAD \
+RSA-PSK:+CAMELLIA-128-GCM:+AEAD \
+RSA-PSK:+CAMELLIA-256-GCM:+AEAD \
+PSK:+CAMELLIA-128-GCM:+AEAD \
+PSK:+CAMELLIA-256-GCM:+AEAD \
+DHE-PSK:+CAMELLIA-128-GCM:+AEAD \
+DHE-PSK:+CAMELLIA-256-GCM:+AEAD \
+RSA-PSK:+AES-256-GCM:+AEAD \
+RSA-PSK:+AES-128-GCM:+AEAD \
+ECDHE-PSK:+NULL:+SHA384 \
+ECDHE-PSK:+NULL:+SHA256 \
+PSK:+NULL:+SHA256 \
+PSK:+NULL:+SHA384 \
+DHE-PSK:+NULL:+SHA256 \
+DHE-PSK:+NULL:+SHA384 \
+RSA-PSK:+NULL:+SHA256 \
+RSA-PSK:+NULL:+SHA384 \
"
fi
;;
esac
M_CIPHERS="$M_CIPHERS $CIPHERS"
T=$(./scripts/translate_ciphers.py g $CIPHERS)
check_translation $? "$T"
G_CIPHERS="$G_CIPHERS $T"
}
# Ciphersuites usable only with Mbed TLS (not currently supported by another

7
tests/scripts/all.sh
View File

@ -2770,12 +2770,15 @@ component_check_python_files () {
tests/scripts/check-python-files.sh
}
component_check_generate_test_code () {
msg "uint test: generate_test_code.py"
component_check_test_helpers () {
msg "unit test: generate_test_code.py"
# unittest writes out mundane stuff like number or tests run on stderr.
# Our convention is to reserve stderr for actual errors, and write
# harmless info on stdout so it can be suppress with --quiet.
./tests/scripts/test_generate_test_code.py 2>&1
msg "unit test: translate_ciphers.py"
python3 -m unittest tests/scripts/translate_ciphers.py 2>&1
}
################################################################

159
tests/scripts/translate_ciphers.py Executable file
View File

@ -0,0 +1,159 @@
#!/usr/bin/env python3
# translate_ciphers.py
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Translate ciphersuite names in Mbed TLS format to OpenSSL and GNUTLS
standards.
To test the translation functions run:
python3 -m unittest translate_cipher.py
"""
import re
import argparse
import unittest
class TestTranslateCiphers(unittest.TestCase):
"""
Ensure translate_ciphers.py translates and formats ciphersuite names
correctly
"""
def test_translate_all_cipher_names(self):
"""
Translate MbedTLS ciphersuite names to their OpenSSL and
GnuTLS counterpart. Use only a small subset of ciphers
that exercise each step of the translate functions
"""
ciphers = [
("TLS-ECDHE-ECDSA-WITH-NULL-SHA",
"+ECDHE-ECDSA:+NULL:+SHA1",
"ECDHE-ECDSA-NULL-SHA"),
("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
"+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
"ECDHE-ECDSA-AES128-GCM-SHA256"),
("TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
"+DHE-RSA:+3DES-CBC:+SHA1",
"EDH-RSA-DES-CBC3-SHA"),
("TLS-RSA-WITH-AES-256-CBC-SHA",
"+RSA:+AES-256-CBC:+SHA1",
"AES256-SHA"),
("TLS-PSK-WITH-3DES-EDE-CBC-SHA",
"+PSK:+3DES-CBC:+SHA1",
"PSK-3DES-EDE-CBC-SHA"),
("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
None,
"ECDHE-ECDSA-CHACHA20-POLY1305"),
("TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
"+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
None),
("TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
None,
"ECDHE-ARIA256-GCM-SHA384"),
]
for m, g_exp, o_exp in ciphers:
if g_exp is not None:
g = translate_gnutls(m)
self.assertEqual(g, g_exp)
if o_exp is not None:
o = translate_ossl(m)
self.assertEqual(o, o_exp)
def translate_gnutls(m_cipher):
"""
Translate m_cipher from Mbed TLS ciphersuite naming convention
and return the GnuTLS naming convention
"""
m_cipher = re.sub(r'\ATLS-', '+', m_cipher)
m_cipher = m_cipher.replace("-WITH-", ":+")
m_cipher = m_cipher.replace("-EDE", "")
# SHA in Mbed TLS == SHA1 GnuTLS,
# if the last 3 chars are SHA append 1
if m_cipher[-3:] == "SHA":
m_cipher = m_cipher+"1"
# CCM or CCM-8 should be followed by ":+AEAD"
# Replace "GCM:+SHAxyz" with "GCM:+AEAD"
if "CCM" in m_cipher or "GCM" in m_cipher:
m_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", m_cipher)
m_cipher = m_cipher+":+AEAD"
# Replace the last "-" with ":+"
else:
index = m_cipher.rindex("-")
m_cipher = m_cipher[:index] + ":+" + m_cipher[index+1:]
return m_cipher
def translate_ossl(m_cipher):
"""
Translate m_cipher from Mbed TLS ciphersuite naming convention
and return the OpenSSL naming convention
"""
m_cipher = re.sub(r'^TLS-', '', m_cipher)
m_cipher = m_cipher.replace("-WITH", "")
# Remove the "-" from "ABC-xyz"
m_cipher = m_cipher.replace("AES-", "AES")
m_cipher = m_cipher.replace("CAMELLIA-", "CAMELLIA")
m_cipher = m_cipher.replace("ARIA-", "ARIA")
# Remove "RSA" if it is at the beginning
m_cipher = re.sub(r'^RSA-', r'', m_cipher)
# For all circumstances outside of PSK
if "PSK" not in m_cipher:
m_cipher = m_cipher.replace("-EDE", "")
m_cipher = m_cipher.replace("3DES-CBC", "DES-CBC3")
# Remove "CBC" if it is not prefixed by DES
m_cipher = re.sub(r'(?<!DES-)CBC-', r'', m_cipher)
# ECDHE-RSA-ARIA does not exist in OpenSSL
m_cipher = m_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
# POLY1305 should not be followed by anything
if "POLY1305" in m_cipher:
index = m_cipher.rindex("POLY1305")
m_cipher = m_cipher[:index+8]
# If DES is being used, Replace DHE with EDH
if "DES" in m_cipher and "DHE" in m_cipher and "ECDHE" not in m_cipher:
m_cipher = m_cipher.replace("DHE", "EDH")
return m_cipher
def format_ciphersuite_names(mode, names):
t = {"g": translate_gnutls, "o": translate_ossl}[mode]
return " ".join(t(c) for c in names)
def main(target, names):
print(format_ciphersuite_names(target, names))
if __name__ == "__main__":
PARSER = argparse.ArgumentParser()
PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g'])
PARSER.add_argument('names', metavar='NAMES', nargs='+')
ARGS = PARSER.parse_args()
main(ARGS.target, ARGS.names)