diff options
| author | Tom Rini <trini@konsulko.com> | 2024-10-08 13:56:50 -0600 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2024-10-08 13:56:50 -0600 |
| commit | 0344c602eadc0802776b65ff90f0a02c856cf53c (patch) | |
| tree | 236a705740939b84ff37d68ae650061dd14c3449 /tests/scripts/translate_ciphers.py | |
Squashed 'lib/mbedtls/external/mbedtls/' content from commit 2ca6c285a0dd
git-subtree-dir: lib/mbedtls/external/mbedtls
git-subtree-split: 2ca6c285a0dd3f33982dd57299012dacab1ff206
Diffstat (limited to 'tests/scripts/translate_ciphers.py')
| -rwxr-xr-x | tests/scripts/translate_ciphers.py | 180 |
1 files changed, 180 insertions, 0 deletions
diff --git a/tests/scripts/translate_ciphers.py b/tests/scripts/translate_ciphers.py new file mode 100755 index 00000000000..90514fca150 --- /dev/null +++ b/tests/scripts/translate_ciphers.py @@ -0,0 +1,180 @@ +#!/usr/bin/env python3 + +# translate_ciphers.py +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +""" +Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards. + +To test the translation functions run: +python3 -m unittest translate_cipher.py +""" + +import re +import argparse +import unittest + +class TestTranslateCiphers(unittest.TestCase): + """ + Ensure translate_ciphers.py translates and formats ciphersuite names + correctly + """ + def test_translate_all_cipher_names(self): + """ + Translate standard ciphersuite names to GnuTLS, OpenSSL and + Mbed TLS counterpart. Use only a small subset of ciphers + that exercise each step of the translation functions + """ + ciphers = [ + ("TLS_ECDHE_ECDSA_WITH_NULL_SHA", + "+ECDHE-ECDSA:+NULL:+SHA1", + "ECDHE-ECDSA-NULL-SHA", + "TLS-ECDHE-ECDSA-WITH-NULL-SHA"), + ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "+ECDHE-ECDSA:+AES-128-GCM:+AEAD", + "ECDHE-ECDSA-AES128-GCM-SHA256", + "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"), + ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "+DHE-RSA:+3DES-CBC:+SHA1", + "EDH-RSA-DES-CBC3-SHA", + "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"), + ("TLS_RSA_WITH_AES_256_CBC_SHA", + "+RSA:+AES-256-CBC:+SHA1", + "AES256-SHA", + "TLS-RSA-WITH-AES-256-CBC-SHA"), + ("TLS_PSK_WITH_3DES_EDE_CBC_SHA", + "+PSK:+3DES-CBC:+SHA1", + "PSK-3DES-EDE-CBC-SHA", + "TLS-PSK-WITH-3DES-EDE-CBC-SHA"), + ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + None, + "ECDHE-ECDSA-CHACHA20-POLY1305", + "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"), + ("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", + "+ECDHE-ECDSA:+AES-128-CCM:+AEAD", + None, + "TLS-ECDHE-ECDSA-WITH-AES-128-CCM"), + ("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", + None, + "ECDHE-ARIA256-GCM-SHA384", + "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"), + ] + + for s, g_exp, o_exp, m_exp in ciphers: + + if g_exp is not None: + g = translate_gnutls(s) + self.assertEqual(g, g_exp) + + if o_exp is not None: + o = translate_ossl(s) + self.assertEqual(o, o_exp) + + if m_exp is not None: + m = translate_mbedtls(s) + self.assertEqual(m, m_exp) + +def translate_gnutls(s_cipher): + """ + Translate s_cipher from standard ciphersuite naming convention + and return the GnuTLS naming convention + """ + + # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS + # naming convention + s_cipher = s_cipher.replace("_", "-") + + s_cipher = re.sub(r'\ATLS-', '+', s_cipher) + s_cipher = s_cipher.replace("-WITH-", ":+") + s_cipher = s_cipher.replace("-EDE", "") + + # SHA in Mbed TLS == SHA1 GnuTLS, + # if the last 3 chars are SHA append 1 + if s_cipher[-3:] == "SHA": + s_cipher = s_cipher+"1" + + # CCM or CCM-8 should be followed by ":+AEAD" + # Replace "GCM:+SHAxyz" with "GCM:+AEAD" + if "CCM" in s_cipher or "GCM" in s_cipher: + s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher) + s_cipher = s_cipher+":+AEAD" + + # Replace the last "-" with ":+" + else: + index = s_cipher.rindex("-") + s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:] + + return s_cipher + +def translate_ossl(s_cipher): + """ + Translate s_cipher from standard ciphersuite naming convention + and return the OpenSSL naming convention + """ + + # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS + # naming convention + s_cipher = s_cipher.replace("_", "-") + + s_cipher = re.sub(r'^TLS-', '', s_cipher) + s_cipher = s_cipher.replace("-WITH", "") + + # Remove the "-" from "ABC-xyz" + s_cipher = s_cipher.replace("AES-", "AES") + s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA") + s_cipher = s_cipher.replace("ARIA-", "ARIA") + + # Remove "RSA" if it is at the beginning + s_cipher = re.sub(r'^RSA-', r'', s_cipher) + + # For all circumstances outside of PSK + if "PSK" not in s_cipher: + s_cipher = s_cipher.replace("-EDE", "") + s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3") + + # Remove "CBC" if it is not prefixed by DES + s_cipher = re.sub(r'(?<!DES-)CBC-', r'', s_cipher) + + # ECDHE-RSA-ARIA does not exist in OpenSSL + s_cipher = s_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA") + + # POLY1305 should not be followed by anything + if "POLY1305" in s_cipher: + index = s_cipher.rindex("POLY1305") + s_cipher = s_cipher[:index+8] + + # If DES is being used, Replace DHE with EDH + if "DES" in s_cipher and "DHE" in s_cipher and "ECDHE" not in s_cipher: + s_cipher = s_cipher.replace("DHE", "EDH") + + return s_cipher + +def translate_mbedtls(s_cipher): + """ + Translate s_cipher from standard ciphersuite naming convention + and return Mbed TLS ciphersuite naming convention + """ + + # Replace "_" with "-" + s_cipher = s_cipher.replace("_", "-") + + return s_cipher + +def format_ciphersuite_names(mode, names): + t = {"g": translate_gnutls, + "o": translate_ossl, + "m": translate_mbedtls + }[mode] + return " ".join(c + '=' + t(c) for c in names) + +def main(target, names): + print(format_ciphersuite_names(target, names)) + +if __name__ == "__main__": + PARSER = argparse.ArgumentParser() + PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g', 'm']) + PARSER.add_argument('names', metavar='NAMES', nargs='+') + ARGS = PARSER.parse_args() + main(ARGS.target, ARGS.names) |