Refactor compat scripts

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-06-12 20:53:02 +08:00
parent 9b938b7c37
commit b7c12a466f
3 changed files with 1144 additions and 1439 deletions

File diff suppressed because it is too large Load diff

View file

@ -24,7 +24,6 @@ Generate TLSv1.3 Compat test cases
import sys
import os
import abc
import argparse
import itertools
from collections import namedtuple
@ -71,10 +70,11 @@ NAMED_GROUP_IANA_VALUE = {
}
class TLSProgram(metaclass=abc.ABCMeta):
class TLSProgram:
"""
Base class for generate server/client command.
"""
# pylint: disable=too-many-arguments
def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None,
cert_sig_alg=None, compat_mode=True):
@ -112,24 +112,25 @@ class TLSProgram(metaclass=abc.ABCMeta):
self._cert_sig_algs.extend(
[sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs])
@abc.abstractmethod
# pylint: disable=no-self-use
def pre_checks(self):
return []
@abc.abstractmethod
# pylint: disable=no-self-use
def cmd(self):
if not self._cert_sig_algs:
self._cert_sig_algs = list(CERTIFICATES.keys())
return self.pre_cmd()
@abc.abstractmethod
# pylint: disable=no-self-use
def post_checks(self):
return []
@abc.abstractmethod
# pylint: disable=no-self-use
def pre_cmd(self):
return []
return ['false']
@abc.abstractmethod
# pylint: disable=unused-argument,no-self-use
def hrr_post_checks(self, named_group):
return []
@ -148,10 +149,7 @@ class OpenSSLBase(TLSProgram):
}
def cmd(self):
super().cmd()
ret = []
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
ret = super().cmd()
if self._ciphers:
ciphersuites = ':'.join(self._ciphers)
@ -177,15 +175,6 @@ class OpenSSLBase(TLSProgram):
def pre_checks(self):
return ["requires_openssl_tls1_3"]
def post_checks(self):
return []
def pre_cmd(self):
return []
def hrr_post_checks(self, named_group):
return []
class OpenSSLServ(OpenSSLBase):
"""
@ -193,18 +182,28 @@ class OpenSSLServ(OpenSSLBase):
"""
def cmd(self):
ret = self.pre_cmd() + super().cmd()
ret += ['-accept $SRV_PORT']
ret = super().cmd()
ret += ['-num_tickets 0 -no_resume_ephemeral -no_cache']
return ' '.join(ret)
return ret
def post_checks(self):
return ['-c "HTTP/1.0 200 ok"']
def pre_cmd(self):
return ['$O_NEXT_SRV_NO_CERT']
ret = ['$O_NEXT_SRV_NO_CERT']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
return ret
class OpenSSLCli(OpenSSLBase):
"""
Generate test commands for OpenSSL client.
"""
def pre_cmd(self):
return ['$O_NEXT_CLI_NO_CERT',
'-CAfile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
class GnuTLSBase(TLSProgram):
@ -253,22 +252,8 @@ class GnuTLSBase(TLSProgram):
"requires_gnutls_next_no_ticket",
"requires_gnutls_next_disable_tls13_compat", ]
def post_checks(self):
return ['-c "HTTP/1.0 200 OK"']
def hrr_post_checks(self, named_group):
return []
def pre_cmd(self):
return []
def cmd(self):
super().cmd()
ret = []
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)]
ret = super().cmd()
priority_string_list = []
@ -316,14 +301,26 @@ class GnuTLSServ(GnuTLSBase):
Generate test commands for GnuTLS server.
"""
def cmd(self):
ret = self.pre_cmd() + super().cmd()
def pre_cmd(self):
ret = ['$G_NEXT_SRV_NO_CERT', '--http', '--disable-client-cert', '--debug=4']
ret = ' '.join(ret)
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)]
return ret
def post_checks(self):
return ['-c "HTTP/1.0 200 OK"']
class GnuTLSCli(GnuTLSBase):
"""
Generate test commands for GnuTLS client.
"""
def pre_cmd(self):
return ['$G_NEXT_SRV_NO_CERT'] + ['--http', '--disable-client-cert', '--debug=4']
return ['$G_NEXT_CLI_NO_CERT', '--debug=4', '--single-key-share',
'--x509cafile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
class MbedTLSBase(TLSProgram):
@ -339,10 +336,9 @@ class MbedTLSBase(TLSProgram):
'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
def cmd(self):
super().cmd()
ret = ['server_addr=127.0.0.1', 'server_port=$SRV_PORT', 'debug_level=4']
ret += ['ca_file={cafile}'.format(
cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
ret = super().cmd()
ret += ['debug_level=4']
if self._ciphers:
ciphers = ','.join(
@ -356,7 +352,7 @@ class MbedTLSBase(TLSProgram):
if self._named_groups:
named_groups = ','.join(self._named_groups)
ret += ["curves={named_groups}".format(named_groups=named_groups)]
ret += ['force_version=tls13']
return ret
def pre_checks(self):
@ -371,15 +367,6 @@ class MbedTLSBase(TLSProgram):
'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
return ret
def post_checks(self):
return []
def pre_cmd(self):
return []
def hrr_post_checks(self, named_group):
return []
class MbedTLSServ(MbedTLSBase):
"""
@ -387,13 +374,8 @@ class MbedTLSServ(MbedTLSBase):
"""
def cmd(self):
ret = self.pre_cmd() + super().cmd()
ret += ['force_version=tls13']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['crt_file={cert} key_file={key}'.format(cert=cert, key=key)]
ret = super().cmd()
ret += ['tls13_kex_modes=ephemeral cookies=0 tickets=0']
ret = ' '.join(ret)
return ret
def pre_checks(self):
@ -420,64 +402,23 @@ class MbedTLSServ(MbedTLSBase):
return ['-s "{}"'.format(i) for i in check_strings]
def pre_cmd(self):
return ['$P_SRV_NO_CERT']
ret = ['$P_SRV']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['crt_file={cert} key_file={key}'.format(cert=cert, key=key)]
return ret
def hrr_post_checks(self, named_group):
return ['-s "HRR selected_group: {:s}"'.format(named_group)]
class OpenSSLCli(OpenSSLBase):
"""
Generate test commands for OpenSSL client.
"""
def cmd(self):
ret = self.pre_cmd() + super().cmd()
ret += ['-CAfile {cafile}'.format(
cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
return ' '.join(ret)
def post_checks(self):
return ['-s "HTTP/1.0 200 OK"']
def pre_cmd(self):
return ['$O_NEXT_CLI_NO_CERT']
class GnuTLSCli(GnuTLSBase):
"""
Generate test commands for GnuTLS client.
"""
def cmd(self):
ret = self.pre_cmd() + super().cmd()
ret += ['--x509cafile {cafile}'.format(
cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
ret = ' '.join(ret)
return ret
def pre_cmd(self):
ret = ['$G_NEXT_CLI_NO_CERT']
ret += ['--debug=4', 'localhost', '-p $SRV_PORT', '--single-key-share']
return ret
class MbedTLSCli(MbedTLSBase):
"""
Generate test commands for mbedTLS client.
"""
def cmd(self):
ret = self.pre_cmd() + super().cmd()
ret = ' '.join(ret)
return ret
def pre_cmd(self):
return ['$P_CLI']
return ['$P_CLI',
'ca_file={cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
def pre_checks(self):
return ['requires_config_enabled MBEDTLS_SSL_CLI_C'] + super().pre_checks()
@ -528,8 +469,10 @@ def generate_compat_test(client=None, server=None, cipher=None, named_group=None
signature_algorithm=sig_alg,
cert_sig_alg=sig_alg)
cmd = ['run_test "{}"'.format(name), '"{}"'.format(
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0']
cmd = ['run_test "{}"'.format(name),
'"{}"'.format(' '.join(server_object.cmd())),
'"{}"'.format(' '.join(client_object.cmd())),
'0']
cmd += server_object.post_checks()
cmd += client_object.post_checks()
cmd += ['-C "received HelloRetryRequest message"']
@ -554,8 +497,10 @@ def generate_hrr_compat_test(client=None, server=None,
cert_sig_alg=cert_sig_alg)
client_object.add_named_groups(server_named_group)
cmd = ['run_test "{}"'.format(name), '"{}"'.format(
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0']
cmd = ['run_test "{}"'.format(name),
'"{}"'.format(' '.join(server_object.cmd())),
'"{}"'.format(' '.join(client_object.cmd())),
'0']
cmd += server_object.post_checks()
cmd += client_object.post_checks()
cmd += server_object.hrr_post_checks(server_named_group)
@ -660,6 +605,7 @@ def main():
SERVER_CLASSES.keys(),
NAMED_GROUP_IANA_VALUE.keys(),
NAMED_GROUP_IANA_VALUE.keys()):
if (client == 'mbedTLS' or server == 'mbedTLS') and \
client_named_group != server_named_group:
yield generate_hrr_compat_test(client=client, server=server,

View file

@ -1542,7 +1542,6 @@ SRV_DELAY_SECONDS=0
# Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many
# machines that will resolve to ::1, and we don't want ipv6 here.
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_SRV_NO_CERT="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
O_SRV="$O_SRV -accept $SRV_PORT"
@ -1569,7 +1568,7 @@ fi
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT"
G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT -p +SRV_PORT localhost"
fi
# Allow SHA-1, because many of our test certificates use it