Refactor compat scripts

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
Jerry Yu 2022-06-12 20:53:02 +08:00
parent 9b938b7c37
commit b7c12a466f
3 changed files with 1144 additions and 1439 deletions



@ -24,7 +24,6 @@ Generate TLSv1.3 Compat test cases
import sys import sys
import os import os
import abc
import argparse import argparse
import itertools import itertools
from collections import namedtuple from collections import namedtuple
@ -71,10 +70,11 @@ NAMED_GROUP_IANA_VALUE = {
} }
class TLSProgram(metaclass=abc.ABCMeta): class TLSProgram:
""" """
Base class for generate server/client command. Base class for generate server/client command.
""" """
# pylint: disable=too-many-arguments # pylint: disable=too-many-arguments
def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None, def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None,
cert_sig_alg=None, compat_mode=True): cert_sig_alg=None, compat_mode=True):
@ -112,24 +112,25 @@ class TLSProgram(metaclass=abc.ABCMeta):
self._cert_sig_algs.extend( self._cert_sig_algs.extend(
[sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs]) [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs])
@abc.abstractmethod # pylint: disable=no-self-use
def pre_checks(self): def pre_checks(self):
return [] return []
@abc.abstractmethod # pylint: disable=no-self-use
def cmd(self): def cmd(self):
if not self._cert_sig_algs: if not self._cert_sig_algs:
self._cert_sig_algs = list(CERTIFICATES.keys()) self._cert_sig_algs = list(CERTIFICATES.keys())
return self.pre_cmd()
@abc.abstractmethod # pylint: disable=no-self-use
def post_checks(self): def post_checks(self):
return [] return []
@abc.abstractmethod # pylint: disable=no-self-use
def pre_cmd(self): def pre_cmd(self):
return [] return ['false']
@abc.abstractmethod # pylint: disable=unused-argument,no-self-use
def hrr_post_checks(self, named_group): def hrr_post_checks(self, named_group):
return [] return []
@ -148,10 +149,7 @@ class OpenSSLBase(TLSProgram):
} }
def cmd(self): def cmd(self):
super().cmd() ret = super().cmd()
ret = []
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
if self._ciphers: if self._ciphers:
ciphersuites = ':'.join(self._ciphers) ciphersuites = ':'.join(self._ciphers)
@ -177,15 +175,6 @@ class OpenSSLBase(TLSProgram):
def pre_checks(self): def pre_checks(self):
return ["requires_openssl_tls1_3"] return ["requires_openssl_tls1_3"]
def post_checks(self):
return []
def pre_cmd(self):
return []
def hrr_post_checks(self, named_group):
return []
class OpenSSLServ(OpenSSLBase): class OpenSSLServ(OpenSSLBase):
""" """
@ -193,18 +182,28 @@ class OpenSSLServ(OpenSSLBase):
""" """
def cmd(self): def cmd(self):
ret = self.pre_cmd() + super().cmd() ret = super().cmd()
ret += ['-accept $SRV_PORT']
ret += ['-num_tickets 0 -no_resume_ephemeral -no_cache'] ret += ['-num_tickets 0 -no_resume_ephemeral -no_cache']
return ret
return ' '.join(ret)
def post_checks(self): def post_checks(self):
return ['-c "HTTP/1.0 200 ok"'] return ['-c "HTTP/1.0 200 ok"']
def pre_cmd(self): def pre_cmd(self):
return ['$O_NEXT_SRV_NO_CERT'] ret = ['$O_NEXT_SRV_NO_CERT']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
return ret
class OpenSSLCli(OpenSSLBase):
"""
Generate test commands for OpenSSL client.
"""
def pre_cmd(self):
return ['$O_NEXT_CLI_NO_CERT',
'-CAfile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
class GnuTLSBase(TLSProgram): class GnuTLSBase(TLSProgram):
@ -253,22 +252,8 @@ class GnuTLSBase(TLSProgram):
"requires_gnutls_next_no_ticket", "requires_gnutls_next_no_ticket",
"requires_gnutls_next_disable_tls13_compat", ] "requires_gnutls_next_disable_tls13_compat", ]
def post_checks(self):
return ['-c "HTTP/1.0 200 OK"']
def hrr_post_checks(self, named_group):
return []
def pre_cmd(self):
return []
def cmd(self): def cmd(self):
super().cmd() ret = super().cmd()
ret = []
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)]
priority_string_list = [] priority_string_list = []
@ -316,14 +301,26 @@ class GnuTLSServ(GnuTLSBase):
Generate test commands for GnuTLS server. Generate test commands for GnuTLS server.
""" """
def cmd(self): def pre_cmd(self):
ret = self.pre_cmd() + super().cmd() ret = ['$G_NEXT_SRV_NO_CERT', '--http', '--disable-client-cert', '--debug=4']
ret = ' '.join(ret) for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)]
return ret return ret
def post_checks(self):
return ['-c "HTTP/1.0 200 OK"']
class GnuTLSCli(GnuTLSBase):
"""
Generate test commands for GnuTLS client.
"""
def pre_cmd(self): def pre_cmd(self):
return ['$G_NEXT_SRV_NO_CERT'] + ['--http', '--disable-client-cert', '--debug=4'] return ['$G_NEXT_CLI_NO_CERT', '--debug=4', '--single-key-share',
'--x509cafile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
class MbedTLSBase(TLSProgram): class MbedTLSBase(TLSProgram):
@ -339,10 +336,9 @@ class MbedTLSBase(TLSProgram):
'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'} 'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
def cmd(self): def cmd(self):
super().cmd() ret = super().cmd()
ret = ['server_addr=127.0.0.1', 'server_port=$SRV_PORT', 'debug_level=4'] ret += ['debug_level=4']
ret += ['ca_file={cafile}'.format(
cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
if self._ciphers: if self._ciphers:
ciphers = ','.join( ciphers = ','.join(
@ -356,7 +352,7 @@ class MbedTLSBase(TLSProgram):
if self._named_groups: if self._named_groups:
named_groups = ','.join(self._named_groups) named_groups = ','.join(self._named_groups)
ret += ["curves={named_groups}".format(named_groups=named_groups)] ret += ["curves={named_groups}".format(named_groups=named_groups)]
ret += ['force_version=tls13']
return ret return ret
def pre_checks(self): def pre_checks(self):
@ -371,15 +367,6 @@ class MbedTLSBase(TLSProgram):
'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT') 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
return ret return ret
def post_checks(self):
return []
def pre_cmd(self):
return []
def hrr_post_checks(self, named_group):
return []
class MbedTLSServ(MbedTLSBase): class MbedTLSServ(MbedTLSBase):
""" """
@ -387,13 +374,8 @@ class MbedTLSServ(MbedTLSBase):
""" """
def cmd(self): def cmd(self):
ret = self.pre_cmd() + super().cmd() ret = super().cmd()
ret += ['force_version=tls13']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['crt_file={cert} key_file={key}'.format(cert=cert, key=key)]
ret += ['tls13_kex_modes=ephemeral cookies=0 tickets=0'] ret += ['tls13_kex_modes=ephemeral cookies=0 tickets=0']
ret = ' '.join(ret)
return ret return ret
def pre_checks(self): def pre_checks(self):
@ -420,64 +402,23 @@ class MbedTLSServ(MbedTLSBase):
return ['-s "{}"'.format(i) for i in check_strings] return ['-s "{}"'.format(i) for i in check_strings]
def pre_cmd(self): def pre_cmd(self):
return ['$P_SRV_NO_CERT'] ret = ['$P_SRV']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['crt_file={cert} key_file={key}'.format(cert=cert, key=key)]
return ret
def hrr_post_checks(self, named_group): def hrr_post_checks(self, named_group):
return ['-s "HRR selected_group: {:s}"'.format(named_group)] return ['-s "HRR selected_group: {:s}"'.format(named_group)]
class OpenSSLCli(OpenSSLBase):
"""
Generate test commands for OpenSSL client.
"""
def cmd(self):
ret = self.pre_cmd() + super().cmd()
ret += ['-CAfile {cafile}'.format(
cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
return ' '.join(ret)
def post_checks(self):
return ['-s "HTTP/1.0 200 OK"']
def pre_cmd(self):
return ['$O_NEXT_CLI_NO_CERT']
class GnuTLSCli(GnuTLSBase):
"""
Generate test commands for GnuTLS client.
"""
def cmd(self):
ret = self.pre_cmd() + super().cmd()
ret += ['--x509cafile {cafile}'.format(
cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
ret = ' '.join(ret)
return ret
def pre_cmd(self):
ret = ['$G_NEXT_CLI_NO_CERT']
ret += ['--debug=4', 'localhost', '-p $SRV_PORT', '--single-key-share']
return ret
class MbedTLSCli(MbedTLSBase): class MbedTLSCli(MbedTLSBase):
""" """
Generate test commands for mbedTLS client. Generate test commands for mbedTLS client.
""" """
def cmd(self):
ret = self.pre_cmd() + super().cmd()
ret = ' '.join(ret)
return ret
def pre_cmd(self): def pre_cmd(self):
return ['$P_CLI'] return ['$P_CLI',
'ca_file={cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
def pre_checks(self): def pre_checks(self):
return ['requires_config_enabled MBEDTLS_SSL_CLI_C'] + super().pre_checks() return ['requires_config_enabled MBEDTLS_SSL_CLI_C'] + super().pre_checks()
@ -528,8 +469,10 @@ def generate_compat_test(client=None, server=None, cipher=None, named_group=None
signature_algorithm=sig_alg, signature_algorithm=sig_alg,
cert_sig_alg=sig_alg) cert_sig_alg=sig_alg)
cmd = ['run_test "{}"'.format(name), '"{}"'.format( cmd = ['run_test "{}"'.format(name),
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0'] '"{}"'.format(' '.join(server_object.cmd())),
'"{}"'.format(' '.join(client_object.cmd())),
'0']
cmd += server_object.post_checks() cmd += server_object.post_checks()
cmd += client_object.post_checks() cmd += client_object.post_checks()
cmd += ['-C "received HelloRetryRequest message"'] cmd += ['-C "received HelloRetryRequest message"']
@ -554,8 +497,10 @@ def generate_hrr_compat_test(client=None, server=None,
cert_sig_alg=cert_sig_alg) cert_sig_alg=cert_sig_alg)
client_object.add_named_groups(server_named_group) client_object.add_named_groups(server_named_group)
cmd = ['run_test "{}"'.format(name), '"{}"'.format( cmd = ['run_test "{}"'.format(name),
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0'] '"{}"'.format(' '.join(server_object.cmd())),
'"{}"'.format(' '.join(client_object.cmd())),
'0']
cmd += server_object.post_checks() cmd += server_object.post_checks()
cmd += client_object.post_checks() cmd += client_object.post_checks()
cmd += server_object.hrr_post_checks(server_named_group) cmd += server_object.hrr_post_checks(server_named_group)
@ -660,6 +605,7 @@ def main():
SERVER_CLASSES.keys(), SERVER_CLASSES.keys(),
NAMED_GROUP_IANA_VALUE.keys(), NAMED_GROUP_IANA_VALUE.keys(),
NAMED_GROUP_IANA_VALUE.keys()): NAMED_GROUP_IANA_VALUE.keys()):
if (client == 'mbedTLS' or server == 'mbedTLS') and \ if (client == 'mbedTLS' or server == 'mbedTLS') and \
client_named_group != server_named_group: client_named_group != server_named_group:
yield generate_hrr_compat_test(client=client, server=server, yield generate_hrr_compat_test(client=client, server=server,
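Review bot: A subclass that forgets to override `pre_cmd()` is no longer rejected at instantiation, because `TLSProgram` drops `abc.ABCMeta` and the base `pre_cmd()` appears to return `['false']` as its placeholder (the rendering has lost the +/- markers, so sides are inferred). The mistake would then surface only when the generated `run_test` line executes `false`, far from the generator that caused it. Raising in the base method, for example `raise NotImplementedError('pre_cmd must be overridden')`, keeps the class free of `abc` while failing in the generator itself. Separately, the client `pre_cmd()` overrides index `self._cert_sig_algs[0]`, which is safe only because `TLSProgram.cmd()` fills the list before it calls `pre_cmd()`. A comment on the base method such as `# called from cmd() after _cert_sig_algs has been populated` would record that ordering.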


@ -1542,7 +1542,6 @@ SRV_DELAY_SECONDS=0
# Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many # Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many
# machines that will resolve to ::1, and we don't want ipv6 here. # machines that will resolve to ::1, and we don't want ipv6 here.
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT" P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_SRV_NO_CERT="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT" P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}" P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
O_SRV="$O_SRV -accept $SRV_PORT" O_SRV="$O_SRV -accept $SRV_PORT"
@ -1569,7 +1568,7 @@ fi
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT" G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT" G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT -p +SRV_PORT localhost"
fi fi
# Allow SHA-1, because many of our test certificates use it # Allow SHA-1, because many of our test certificates use it