Merge pull request #6902 from yanrayw/6651-enable-cipher-suite-names-consistent

compat.sh: report and filter cipher suite names consistently

.travis.yml

@@ -53,7 +53,7 @@ jobs:
         - tests/scripts/test_psa_constant_names.py
         - tests/ssl-opt.sh
         # Modern OpenSSL does not support fixed ECDH or null ciphers.
-        - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-'
+        - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH_'
         - tests/scripts/travis-log-failure.sh
         # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it.
         - tests/compat.sh -p GnuTLS -e 'CAMELLIA'

tests/compat.sh

@@ -89,7 +89,7 @@ FILTER=""
 # - NULL: excluded from our default config + requires OpenSSL legacy
 # - ARIA: requires OpenSSL >= 1.1.1
 # - ChachaPoly: requires OpenSSL >= 1.1.0
-EXCLUDE='NULL\|ARIA\|CHACHA20-POLY1305'
+EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
 VERBOSE=""
 MEMCHECK=0
 PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
@@ -205,7 +205,7 @@ filter()
 check_openssl_server_bug()
 {
     if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
-        echo "$1" | grep "^TLS-PSK" >/dev/null;
+        test "$TYPE" = "PSK";
     then
         SKIP_NEXT="YES"
     fi
@@ -239,9 +239,14 @@ reset_ciphersuites()
     G_CIPHERS=""
 }
 
-check_translation()
+# translate_ciphers {g|m|o} {STANDARD_CIPHER_SUITE_NAME...}
+# Set $ciphers to the cipher suite name translations for the specified
+# program (gnutls, mbedtls or openssl). $ciphers is a space-separated
+# list of entries of the form "STANDARD_NAME=PROGRAM_NAME".
+translate_ciphers()
 {
-    if [ $1 -ne 0 ]; then
+    ciphers=$(scripts/translate_ciphers.py "$@")
+    if [ $? -ne 0 ]; then
         echo "translate_ciphers.py failed with exit code $1" >&2
         echo "$2" >&2
         exit 1
@@ -258,71 +263,66 @@ add_common_ciphersuites()
 
         "ECDSA")
             CIPHERS="$CIPHERS                           \
-                TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA    \
-                TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
-                TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
-                TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA    \
-                TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \
-                TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \
-                TLS-ECDHE-ECDSA-WITH-NULL-SHA           \
+                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    \
+                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
+                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
+                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    \
+                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
+                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
+                TLS_ECDHE_ECDSA_WITH_NULL_SHA           \
                 "
             ;;
 
         "RSA")
             CIPHERS="$CIPHERS                           \
-                TLS-DHE-RSA-WITH-AES-128-CBC-SHA        \
-                TLS-DHE-RSA-WITH-AES-128-CBC-SHA256     \
-                TLS-DHE-RSA-WITH-AES-128-GCM-SHA256     \
-                TLS-DHE-RSA-WITH-AES-256-CBC-SHA        \
-                TLS-DHE-RSA-WITH-AES-256-CBC-SHA256     \
-                TLS-DHE-RSA-WITH-AES-256-GCM-SHA384     \
-                TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA   \
-                TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA   \
-                TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA      \
-                TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256   \
-                TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256   \
-                TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA      \
-                TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384   \
-                TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384   \
-                TLS-ECDHE-RSA-WITH-NULL-SHA             \
-                TLS-RSA-WITH-AES-128-CBC-SHA            \
-                TLS-RSA-WITH-AES-128-CBC-SHA256         \
-                TLS-RSA-WITH-AES-128-GCM-SHA256         \
-                TLS-RSA-WITH-AES-256-CBC-SHA            \
-                TLS-RSA-WITH-AES-256-CBC-SHA256         \
-                TLS-RSA-WITH-AES-256-GCM-SHA384         \
-                TLS-RSA-WITH-CAMELLIA-128-CBC-SHA       \
-                TLS-RSA-WITH-CAMELLIA-256-CBC-SHA       \
-                TLS-RSA-WITH-NULL-MD5                   \
-                TLS-RSA-WITH-NULL-SHA                   \
-                TLS-RSA-WITH-NULL-SHA256                \
+                TLS_DHE_RSA_WITH_AES_128_CBC_SHA        \
+                TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     \
+                TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     \
+                TLS_DHE_RSA_WITH_AES_256_CBC_SHA        \
+                TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     \
+                TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     \
+                TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA   \
+                TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA   \
+                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      \
+                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   \
+                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   \
+                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      \
+                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   \
+                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   \
+                TLS_ECDHE_RSA_WITH_NULL_SHA             \
+                TLS_RSA_WITH_AES_128_CBC_SHA            \
+                TLS_RSA_WITH_AES_128_CBC_SHA256         \
+                TLS_RSA_WITH_AES_128_GCM_SHA256         \
+                TLS_RSA_WITH_AES_256_CBC_SHA            \
+                TLS_RSA_WITH_AES_256_CBC_SHA256         \
+                TLS_RSA_WITH_AES_256_GCM_SHA384         \
+                TLS_RSA_WITH_CAMELLIA_128_CBC_SHA       \
+                TLS_RSA_WITH_CAMELLIA_256_CBC_SHA       \
+                TLS_RSA_WITH_NULL_MD5                   \
+                TLS_RSA_WITH_NULL_SHA                   \
+                TLS_RSA_WITH_NULL_SHA256                \
                 "
             ;;
 
         "PSK")
             CIPHERS="$CIPHERS                           \
-                TLS-PSK-WITH-AES-128-CBC-SHA            \
-                TLS-PSK-WITH-AES-256-CBC-SHA            \
+                TLS_PSK_WITH_AES_128_CBC_SHA            \
+                TLS_PSK_WITH_AES_256_CBC_SHA            \
                 "
             ;;
     esac
 
+    O_CIPHERS="$O_CIPHERS $CIPHERS"
+    G_CIPHERS="$G_CIPHERS $CIPHERS"
     M_CIPHERS="$M_CIPHERS $CIPHERS"
-
-    T=$(./scripts/translate_ciphers.py g $CIPHERS)
-    check_translation $? "$T"
-    G_CIPHERS="$G_CIPHERS $T"
-
-    T=$(./scripts/translate_ciphers.py o $CIPHERS)
-    check_translation $? "$T"
-    O_CIPHERS="$O_CIPHERS $T"
 }
 
 # Ciphersuites usable only with Mbed TLS and OpenSSL
-# A list of ciphersuites in the Mbed TLS convention is compiled and
-# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list
-# is translated to the OpenSSL naming convention and appended to the list of
-# OpenSSL ciphersuites $O_CIPHERS.
+# A list of ciphersuites in the standard naming convention is appended
+# to the list of Mbed TLS ciphersuites $M_CIPHERS and
+# to the list of OpenSSL ciphersuites $O_CIPHERS respectively.
+# Based on client's naming convention, all ciphersuite names will be
+# translated into another naming format before sent to the client.
 #
 # NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
 # so RSA-PSK ciphersuites need to go in other sections, see
@@ -337,57 +337,55 @@ add_openssl_ciphersuites()
 
         "ECDSA")
             CIPHERS="$CIPHERS                                   \
-                TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA             \
-                TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256          \
-                TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256          \
-                TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA             \
-                TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384          \
-                TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384          \
-                TLS-ECDH-ECDSA-WITH-NULL-SHA                    \
-                TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256        \
-                TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384        \
-                TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256   \
+                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA             \
+                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256          \
+                TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256          \
+                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA             \
+                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384          \
+                TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384          \
+                TLS_ECDH_ECDSA_WITH_NULL_SHA                    \
+                TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256        \
+                TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384        \
+                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   \
                 "
             ;;
 
         "RSA")
             CIPHERS="$CIPHERS                                   \
-                TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256            \
-                TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384            \
-                TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256       \
-                TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256          \
-                TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384          \
-                TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256     \
-                TLS-RSA-WITH-ARIA-128-GCM-SHA256                \
-                TLS-RSA-WITH-ARIA-256-GCM-SHA384                \
+                TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256            \
+                TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384            \
+                TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256       \
+                TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256          \
+                TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384          \
+                TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     \
+                TLS_RSA_WITH_ARIA_128_GCM_SHA256                \
+                TLS_RSA_WITH_ARIA_256_GCM_SHA384                \
                 "
             ;;
 
         "PSK")
             CIPHERS="$CIPHERS                                   \
-                TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256            \
-                TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384            \
-                TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256       \
-                TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256     \
-                TLS-PSK-WITH-ARIA-128-GCM-SHA256                \
-                TLS-PSK-WITH-ARIA-256-GCM-SHA384                \
-                TLS-PSK-WITH-CHACHA20-POLY1305-SHA256           \
+                TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256            \
+                TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384            \
+                TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256       \
+                TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256     \
+                TLS_PSK_WITH_ARIA_128_GCM_SHA256                \
+                TLS_PSK_WITH_ARIA_256_GCM_SHA384                \
+                TLS_PSK_WITH_CHACHA20_POLY1305_SHA256           \
                 "
             ;;
     esac
 
+    O_CIPHERS="$O_CIPHERS $CIPHERS"
     M_CIPHERS="$M_CIPHERS $CIPHERS"
-
-    T=$(./scripts/translate_ciphers.py o $CIPHERS)
-    check_translation $? "$T"
-    O_CIPHERS="$O_CIPHERS $T"
 }
 
 # Ciphersuites usable only with Mbed TLS and GnuTLS
-# A list of ciphersuites in the Mbed TLS convention is compiled and
-# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list
-# is translated to the GnuTLS naming convention and appended to the list of
-# GnuTLS ciphersuites $G_CIPHERS.
+# A list of ciphersuites in the standard naming convention is appended
+# to the list of Mbed TLS ciphersuites $M_CIPHERS and
+# to the list of GnuTLS ciphersuites $G_CIPHERS respectively.
+# Based on client's naming convention, all ciphersuite names will be
+# translated into another naming format before sent to the client.
 add_gnutls_ciphersuites()
 {
     CIPHERS=""
@@ -395,107 +393,104 @@ add_gnutls_ciphersuites()
 
         "ECDSA")
             CIPHERS="$CIPHERS                                       \
-                TLS-ECDHE-ECDSA-WITH-AES-128-CCM                    \
-                TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8                  \
-                TLS-ECDHE-ECDSA-WITH-AES-256-CCM                    \
-                TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8                  \
-                TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256        \
-                TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256        \
-                TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384        \
-                TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384        \
+                TLS_ECDHE_ECDSA_WITH_AES_128_CCM                    \
+                TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8                  \
+                TLS_ECDHE_ECDSA_WITH_AES_256_CCM                    \
+                TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                  \
+                TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256        \
+                TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256        \
+                TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384        \
+                TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384        \
                 "
             ;;
 
         "RSA")
             CIPHERS="$CIPHERS                               \
-                TLS-DHE-RSA-WITH-AES-128-CCM                \
-                TLS-DHE-RSA-WITH-AES-128-CCM-8              \
-                TLS-DHE-RSA-WITH-AES-256-CCM                \
-                TLS-DHE-RSA-WITH-AES-256-CCM-8              \
-                TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256    \
-                TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256    \
-                TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256    \
-                TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384    \
-                TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256  \
-                TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256  \
-                TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384  \
-                TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384  \
-                TLS-RSA-WITH-AES-128-CCM                    \
-                TLS-RSA-WITH-AES-128-CCM-8                  \
-                TLS-RSA-WITH-AES-256-CCM                    \
-                TLS-RSA-WITH-AES-256-CCM-8                  \
-                TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256        \
-                TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256        \
-                TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256        \
-                TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384        \
+                TLS_DHE_RSA_WITH_AES_128_CCM                \
+                TLS_DHE_RSA_WITH_AES_128_CCM_8              \
+                TLS_DHE_RSA_WITH_AES_256_CCM                \
+                TLS_DHE_RSA_WITH_AES_256_CCM_8              \
+                TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256    \
+                TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256    \
+                TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256    \
+                TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384    \
+                TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256  \
+                TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256  \
+                TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384  \
+                TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384  \
+                TLS_RSA_WITH_AES_128_CCM                    \
+                TLS_RSA_WITH_AES_128_CCM_8                  \
+                TLS_RSA_WITH_AES_256_CCM                    \
+                TLS_RSA_WITH_AES_256_CCM_8                  \
+                TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256        \
+                TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256        \
+                TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256        \
+                TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384        \
                 "
             ;;
 
         "PSK")
             CIPHERS="$CIPHERS                               \
-                TLS-DHE-PSK-WITH-AES-128-CBC-SHA            \
-                TLS-DHE-PSK-WITH-AES-128-CBC-SHA256         \
-                TLS-DHE-PSK-WITH-AES-128-CCM                \
-                TLS-DHE-PSK-WITH-AES-128-CCM-8              \
-                TLS-DHE-PSK-WITH-AES-128-GCM-SHA256         \
-                TLS-DHE-PSK-WITH-AES-256-CBC-SHA            \
-                TLS-DHE-PSK-WITH-AES-256-CBC-SHA384         \
-                TLS-DHE-PSK-WITH-AES-256-CCM                \
-                TLS-DHE-PSK-WITH-AES-256-CCM-8              \
-                TLS-DHE-PSK-WITH-AES-256-GCM-SHA384         \
-                TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256    \
-                TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256    \
-                TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384    \
-                TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384    \
-                TLS-DHE-PSK-WITH-NULL-SHA256                \
-                TLS-DHE-PSK-WITH-NULL-SHA384                \
-                TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA          \
-                TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256       \
-                TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA          \
-                TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384       \
-                TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256  \
-                TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384  \
-                TLS-ECDHE-PSK-WITH-NULL-SHA256              \
-                TLS-ECDHE-PSK-WITH-NULL-SHA384              \
-                TLS-PSK-WITH-AES-128-CBC-SHA256             \
-                TLS-PSK-WITH-AES-128-CCM                    \
-                TLS-PSK-WITH-AES-128-CCM-8                  \
-                TLS-PSK-WITH-AES-128-GCM-SHA256             \
-                TLS-PSK-WITH-AES-256-CBC-SHA384             \
-                TLS-PSK-WITH-AES-256-CCM                    \
-                TLS-PSK-WITH-AES-256-CCM-8                  \
-                TLS-PSK-WITH-AES-256-GCM-SHA384             \
-                TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256        \
-                TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256        \
-                TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384        \
-                TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384        \
-                TLS-PSK-WITH-NULL-SHA256                    \
-                TLS-PSK-WITH-NULL-SHA384                    \
-                TLS-RSA-PSK-WITH-AES-128-CBC-SHA            \
-                TLS-RSA-PSK-WITH-AES-128-CBC-SHA256         \
-                TLS-RSA-PSK-WITH-AES-128-GCM-SHA256         \
-                TLS-RSA-PSK-WITH-AES-256-CBC-SHA            \
-                TLS-RSA-PSK-WITH-AES-256-CBC-SHA384         \
-                TLS-RSA-PSK-WITH-AES-256-GCM-SHA384         \
-                TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256    \
-                TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256    \
-                TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384    \
-                TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384    \
-                TLS-RSA-PSK-WITH-NULL-SHA256                \
-                TLS-RSA-PSK-WITH-NULL-SHA384                \
+                TLS_DHE_PSK_WITH_AES_128_CBC_SHA            \
+                TLS_DHE_PSK_WITH_AES_128_CBC_SHA256         \
+                TLS_DHE_PSK_WITH_AES_128_CCM                \
+                TLS_DHE_PSK_WITH_AES_128_CCM_8              \
+                TLS_DHE_PSK_WITH_AES_128_GCM_SHA256         \
+                TLS_DHE_PSK_WITH_AES_256_CBC_SHA            \
+                TLS_DHE_PSK_WITH_AES_256_CBC_SHA384         \
+                TLS_DHE_PSK_WITH_AES_256_CCM                \
+                TLS_DHE_PSK_WITH_AES_256_CCM_8              \
+                TLS_DHE_PSK_WITH_AES_256_GCM_SHA384         \
+                TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256    \
+                TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256    \
+                TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384    \
+                TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384    \
+                TLS_DHE_PSK_WITH_NULL_SHA256                \
+                TLS_DHE_PSK_WITH_NULL_SHA384                \
+                TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA          \
+                TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256       \
+                TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA          \
+                TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384       \
+                TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256  \
+                TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384  \
+                TLS_ECDHE_PSK_WITH_NULL_SHA256              \
+                TLS_ECDHE_PSK_WITH_NULL_SHA384              \
+                TLS_PSK_WITH_AES_128_CBC_SHA256             \
+                TLS_PSK_WITH_AES_128_CCM                    \
+                TLS_PSK_WITH_AES_128_CCM_8                  \
+                TLS_PSK_WITH_AES_128_GCM_SHA256             \
+                TLS_PSK_WITH_AES_256_CBC_SHA384             \
+                TLS_PSK_WITH_AES_256_CCM                    \
+                TLS_PSK_WITH_AES_256_CCM_8                  \
+                TLS_PSK_WITH_AES_256_GCM_SHA384             \
+                TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256        \
+                TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256        \
+                TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384        \
+                TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384        \
+                TLS_PSK_WITH_NULL_SHA256                    \
+                TLS_PSK_WITH_NULL_SHA384                    \
+                TLS_RSA_PSK_WITH_AES_128_CBC_SHA            \
+                TLS_RSA_PSK_WITH_AES_128_CBC_SHA256         \
+                TLS_RSA_PSK_WITH_AES_128_GCM_SHA256         \
+                TLS_RSA_PSK_WITH_AES_256_CBC_SHA            \
+                TLS_RSA_PSK_WITH_AES_256_CBC_SHA384         \
+                TLS_RSA_PSK_WITH_AES_256_GCM_SHA384         \
+                TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256    \
+                TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256    \
+                TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384    \
+                TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384    \
+                TLS_RSA_PSK_WITH_NULL_SHA256                \
+                TLS_RSA_PSK_WITH_NULL_SHA384                \
                 "
             ;;
     esac
 
+    G_CIPHERS="$G_CIPHERS $CIPHERS"
     M_CIPHERS="$M_CIPHERS $CIPHERS"
-
-    T=$(./scripts/translate_ciphers.py g $CIPHERS)
-    check_translation $? "$T"
-    G_CIPHERS="$G_CIPHERS $T"
 }
 
 # Ciphersuites usable only with Mbed TLS (not currently supported by another
-# peer usable in this script). This provide only very rudimentaty testing, as
+# peer usable in this script). This provides only very rudimentaty testing, as
 # this is not interop testing, but it's better than nothing.
 add_mbedtls_ciphersuites()
 {
@@ -503,48 +498,48 @@ add_mbedtls_ciphersuites()
 
         "ECDSA")
             M_CIPHERS="$M_CIPHERS                               \
-                TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256         \
-                TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256         \
-                TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384         \
-                TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384         \
-                TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256     \
-                TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256     \
-                TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384     \
-                TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384     \
-                TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256        \
-                TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384        \
+                TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256         \
+                TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256         \
+                TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384         \
+                TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384         \
+                TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256     \
+                TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256     \
+                TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384     \
+                TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384     \
+                TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256        \
+                TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384        \
                 "
             ;;
 
         "RSA")
             M_CIPHERS="$M_CIPHERS                               \
-                TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256            \
-                TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384            \
-                TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256          \
-                TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384          \
-                TLS-RSA-WITH-ARIA-128-CBC-SHA256                \
-                TLS-RSA-WITH-ARIA-256-CBC-SHA384                \
+                TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256            \
+                TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384            \
+                TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256          \
+                TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384          \
+                TLS_RSA_WITH_ARIA_128_CBC_SHA256                \
+                TLS_RSA_WITH_ARIA_256_CBC_SHA384                \
                 "
             ;;
 
         "PSK")
-            # *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
+            # *PSK_NULL_SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
             M_CIPHERS="$M_CIPHERS                               \
-                TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256            \
-                TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384            \
-                TLS-DHE-PSK-WITH-NULL-SHA                       \
-                TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256          \
-                TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384          \
-                TLS-ECDHE-PSK-WITH-NULL-SHA                     \
-                TLS-PSK-WITH-ARIA-128-CBC-SHA256                \
-                TLS-PSK-WITH-ARIA-256-CBC-SHA384                \
-                TLS-PSK-WITH-NULL-SHA                           \
-                TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256            \
-                TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256            \
-                TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384            \
-                TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384            \
-                TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256       \
-                TLS-RSA-PSK-WITH-NULL-SHA                       \
+                TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256            \
+                TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384            \
+                TLS_DHE_PSK_WITH_NULL_SHA                       \
+                TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256          \
+                TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384          \
+                TLS_ECDHE_PSK_WITH_NULL_SHA                     \
+                TLS_PSK_WITH_ARIA_128_CBC_SHA256                \
+                TLS_PSK_WITH_ARIA_256_CBC_SHA384                \
+                TLS_PSK_WITH_NULL_SHA                           \
+                TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256            \
+                TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256            \
+                TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384            \
+                TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384            \
+                TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256       \
+                TLS_RSA_PSK_WITH_NULL_SHA                       \
                 "
             ;;
     esac
@@ -684,7 +679,11 @@ setup_arguments()
 
 # is_mbedtls <cmd_line>
 is_mbedtls() {
-    echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
+    case $1 in
+        *ssl_client2*) true;;
+        *ssl_server2*) true;;
+        *) false;;
+    esac
 }
 
 # has_mem_err <log_file_name>
@@ -803,16 +802,14 @@ wait_client_done() {
     echo "EXIT: $EXIT" >> $CLI_OUT
 }
 
-# run_client <name> <cipher>
+# run_client PROGRAM_NAME STANDARD_CIPHER_SUITE PROGRAM_CIPHER_SUITE
 run_client() {
     # announce what we're going to do
     TESTS=$(( $TESTS + 1 ))
-    VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
-    TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`"
+    TITLE="${1%"${1#?}"}->${SERVER_NAME%"${SERVER_NAME#?}"}"
     TITLE="$TITLE $MODE,$VERIF $2"
-    printf "%s " "$TITLE"
-    LEN=$(( 72 - `echo "$TITLE" | wc -c` ))
-    for i in `seq 1 $LEN`; do printf '.'; done; printf ' '
+    DOTS72="........................................................................"
+    printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72"
 
     # should we skip?
     if [ "X$SKIP_NEXT" = "XYES" ]; then
@@ -825,7 +822,7 @@ run_client() {
     # run the command and interpret result
     case $1 in
         [Oo]pen*)
-            CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $2"
+            CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3"
             log "$CLIENT_CMD"
             echo "$CLIENT_CMD" > $CLI_OUT
             printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
@@ -850,7 +847,7 @@ run_client() {
             else
                 G_HOST="localhost"
             fi
-            CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST"
+            CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST"
             log "$CLIENT_CMD"
             echo "$CLIENT_CMD" > $CLI_OUT
             printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
@@ -872,7 +869,7 @@ run_client() {
             ;;
 
         mbed*)
-            CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2"
+            CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$3"
             if [ "$MEMCHECK" -gt 0 ]; then
                 CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
             fi
@@ -1005,6 +1002,7 @@ SKIP_NEXT="NO"
 trap cleanup INT TERM HUP
 
 for VERIFY in $VERIFIES; do
+    VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
     for MODE in $MODES; do
         for TYPE in $TYPES; do
             for PEER in $PEERS; do
@@ -1035,17 +1033,19 @@ for VERIFY in $VERIFIES; do
 
                     if [ "X" != "X$M_CIPHERS" ]; then
                         start_server "OpenSSL"
-                        for i in $M_CIPHERS; do
-                            check_openssl_server_bug $i
-                            run_client mbedTLS $i
+                        translate_ciphers m $M_CIPHERS
+                        for i in $ciphers; do
+                            check_openssl_server_bug
+                            run_client mbedTLS ${i%%=*} ${i#*=}
                         done
                         stop_server
                     fi
 
                     if [ "X" != "X$O_CIPHERS" ]; then
                         start_server "mbedTLS"
-                        for i in $O_CIPHERS; do
-                            run_client OpenSSL $i
+                        translate_ciphers o $O_CIPHERS
+                        for i in $ciphers; do
+                            run_client OpenSSL ${i%%=*} ${i#*=}
                         done
                         stop_server
                     fi
@@ -1061,16 +1061,18 @@ for VERIFY in $VERIFIES; do
 
                     if [ "X" != "X$M_CIPHERS" ]; then
                         start_server "GnuTLS"
-                        for i in $M_CIPHERS; do
-                            run_client mbedTLS $i
+                        translate_ciphers m $M_CIPHERS
+                        for i in $ciphers; do
+                            run_client mbedTLS ${i%%=*} ${i#*=}
                         done
                         stop_server
                     fi
 
                     if [ "X" != "X$G_CIPHERS" ]; then
                         start_server "mbedTLS"
-                        for i in $G_CIPHERS; do
-                            run_client GnuTLS $i
+                        translate_ciphers g $G_CIPHERS
+                        for i in $ciphers; do
+                            run_client GnuTLS ${i%%=*} ${i#*=}
                         done
                         stop_server
                     fi
@@ -1088,8 +1090,9 @@ for VERIFY in $VERIFIES; do
 
                     if [ "X" != "X$M_CIPHERS" ]; then
                         start_server "mbedTLS"
-                        for i in $M_CIPHERS; do
-                            run_client mbedTLS $i
+                        translate_ciphers m $M_CIPHERS
+                        for i in $ciphers; do
+                            run_client mbedTLS ${i%%=*} ${i#*=}
                         done
                         stop_server
                     fi

tests/scripts/translate_ciphers.py

@@ -18,8 +18,7 @@
 # limitations under the License.
 
 """
-Translate ciphersuite names in Mbed TLS format to OpenSSL and GNUTLS
-standards.
+Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards.
 
 To test the translation functions run:
 python3 -m unittest translate_cipher.py
@@ -36,124 +35,158 @@ class TestTranslateCiphers(unittest.TestCase):
     """
     def test_translate_all_cipher_names(self):
         """
-        Translate MbedTLS ciphersuite names to their OpenSSL and
-        GnuTLS counterpart. Use only a small subset of ciphers
-        that exercise each step of the translate functions
+        Translate standard ciphersuite names to GnuTLS, OpenSSL and
+        Mbed TLS counterpart. Use only a small subset of ciphers
+        that exercise each step of the translation functions
         """
         ciphers = [
-            ("TLS-ECDHE-ECDSA-WITH-NULL-SHA",
+            ("TLS_ECDHE_ECDSA_WITH_NULL_SHA",
              "+ECDHE-ECDSA:+NULL:+SHA1",
-             "ECDHE-ECDSA-NULL-SHA"),
-            ("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
+             "ECDHE-ECDSA-NULL-SHA",
+             "TLS-ECDHE-ECDSA-WITH-NULL-SHA"),
+            ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
              "+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
-             "ECDHE-ECDSA-AES128-GCM-SHA256"),
-            ("TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
+             "ECDHE-ECDSA-AES128-GCM-SHA256",
+             "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"),
+            ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
              "+DHE-RSA:+3DES-CBC:+SHA1",
-             "EDH-RSA-DES-CBC3-SHA"),
-            ("TLS-RSA-WITH-AES-256-CBC-SHA",
+             "EDH-RSA-DES-CBC3-SHA",
+             "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"),
+            ("TLS_RSA_WITH_AES_256_CBC_SHA",
              "+RSA:+AES-256-CBC:+SHA1",
-             "AES256-SHA"),
-            ("TLS-PSK-WITH-3DES-EDE-CBC-SHA",
+             "AES256-SHA",
+             "TLS-RSA-WITH-AES-256-CBC-SHA"),
+            ("TLS_PSK_WITH_3DES_EDE_CBC_SHA",
              "+PSK:+3DES-CBC:+SHA1",
-             "PSK-3DES-EDE-CBC-SHA"),
-            ("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
+             "PSK-3DES-EDE-CBC-SHA",
+             "TLS-PSK-WITH-3DES-EDE-CBC-SHA"),
+            ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
              None,
-             "ECDHE-ECDSA-CHACHA20-POLY1305"),
-            ("TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
+             "ECDHE-ECDSA-CHACHA20-POLY1305",
+             "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"),
+            ("TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
              "+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
-             None),
-            ("TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
              None,
-             "ECDHE-ARIA256-GCM-SHA384"),
+             "TLS-ECDHE-ECDSA-WITH-AES-128-CCM"),
+            ("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
+             None,
+             "ECDHE-ARIA256-GCM-SHA384",
+             "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"),
         ]
 
-        for m, g_exp, o_exp in ciphers:
+        for s, g_exp, o_exp, m_exp in ciphers:
 
             if g_exp is not None:
-                g = translate_gnutls(m)
+                g = translate_gnutls(s)
                 self.assertEqual(g, g_exp)
 
             if o_exp is not None:
-                o = translate_ossl(m)
+                o = translate_ossl(s)
                 self.assertEqual(o, o_exp)
 
-def translate_gnutls(m_cipher):
+            if m_exp is not None:
+                m = translate_mbedtls(s)
+                self.assertEqual(m, m_exp)
+
+def translate_gnutls(s_cipher):
     """
-    Translate m_cipher from Mbed TLS ciphersuite naming convention
+    Translate s_cipher from standard ciphersuite naming convention
     and return the GnuTLS naming convention
     """
 
-    m_cipher = re.sub(r'\ATLS-', '+', m_cipher)
-    m_cipher = m_cipher.replace("-WITH-", ":+")
-    m_cipher = m_cipher.replace("-EDE", "")
+    # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
+    # naming convention
+    s_cipher = s_cipher.replace("_", "-")
+
+    s_cipher = re.sub(r'\ATLS-', '+', s_cipher)
+    s_cipher = s_cipher.replace("-WITH-", ":+")
+    s_cipher = s_cipher.replace("-EDE", "")
 
     # SHA in Mbed TLS == SHA1 GnuTLS,
     # if the last 3 chars are SHA append 1
-    if m_cipher[-3:] == "SHA":
-        m_cipher = m_cipher+"1"
+    if s_cipher[-3:] == "SHA":
+        s_cipher = s_cipher+"1"
 
     # CCM or CCM-8 should be followed by ":+AEAD"
     # Replace "GCM:+SHAxyz" with "GCM:+AEAD"
-    if "CCM" in m_cipher or "GCM" in m_cipher:
-        m_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", m_cipher)
-        m_cipher = m_cipher+":+AEAD"
+    if "CCM" in s_cipher or "GCM" in s_cipher:
+        s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher)
+        s_cipher = s_cipher+":+AEAD"
 
     # Replace the last "-" with ":+"
     else:
-        index = m_cipher.rindex("-")
-        m_cipher = m_cipher[:index] + ":+" + m_cipher[index+1:]
+        index = s_cipher.rindex("-")
+        s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:]
 
-    return m_cipher
+    return s_cipher
 
-def translate_ossl(m_cipher):
+def translate_ossl(s_cipher):
     """
-    Translate m_cipher from Mbed TLS ciphersuite naming convention
+    Translate s_cipher from standard ciphersuite naming convention
     and return the OpenSSL naming convention
     """
 
-    m_cipher = re.sub(r'^TLS-', '', m_cipher)
-    m_cipher = m_cipher.replace("-WITH", "")
+    # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
+    # naming convention
+    s_cipher = s_cipher.replace("_", "-")
+
+    s_cipher = re.sub(r'^TLS-', '', s_cipher)
+    s_cipher = s_cipher.replace("-WITH", "")
 
     # Remove the "-" from "ABC-xyz"
-    m_cipher = m_cipher.replace("AES-", "AES")
-    m_cipher = m_cipher.replace("CAMELLIA-", "CAMELLIA")
-    m_cipher = m_cipher.replace("ARIA-", "ARIA")
+    s_cipher = s_cipher.replace("AES-", "AES")
+    s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA")
+    s_cipher = s_cipher.replace("ARIA-", "ARIA")
 
     # Remove "RSA" if it is at the beginning
-    m_cipher = re.sub(r'^RSA-', r'', m_cipher)
+    s_cipher = re.sub(r'^RSA-', r'', s_cipher)
 
     # For all circumstances outside of PSK
-    if "PSK" not in m_cipher:
-        m_cipher = m_cipher.replace("-EDE", "")
-        m_cipher = m_cipher.replace("3DES-CBC", "DES-CBC3")
+    if "PSK" not in s_cipher:
+        s_cipher = s_cipher.replace("-EDE", "")
+        s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3")
 
         # Remove "CBC" if it is not prefixed by DES
-        m_cipher = re.sub(r'(?<!DES-)CBC-', r'', m_cipher)
+        s_cipher = re.sub(r'(?<!DES-)CBC-', r'', s_cipher)
 
     # ECDHE-RSA-ARIA does not exist in OpenSSL
-    m_cipher = m_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
+    s_cipher = s_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
 
     # POLY1305 should not be followed by anything
-    if "POLY1305" in m_cipher:
-        index = m_cipher.rindex("POLY1305")
-        m_cipher = m_cipher[:index+8]
+    if "POLY1305" in s_cipher:
+        index = s_cipher.rindex("POLY1305")
+        s_cipher = s_cipher[:index+8]
 
     # If DES is being used, Replace DHE with EDH
-    if "DES" in m_cipher and "DHE" in m_cipher and "ECDHE" not in m_cipher:
-        m_cipher = m_cipher.replace("DHE", "EDH")
+    if "DES" in s_cipher and "DHE" in s_cipher and "ECDHE" not in s_cipher:
+        s_cipher = s_cipher.replace("DHE", "EDH")
 
-    return m_cipher
+    return s_cipher
+
+def translate_mbedtls(s_cipher):
+    """
+    Translate s_cipher from standard ciphersuite naming convention
+    and return Mbed TLS ciphersuite naming convention
+    """
+
+    # Replace "_" with "-"
+    s_cipher = s_cipher.replace("_", "-")
+
+    return s_cipher
 
 def format_ciphersuite_names(mode, names):
-    t = {"g": translate_gnutls, "o": translate_ossl}[mode]
-    return " ".join(t(c) for c in names)
+    t = {"g": translate_gnutls,
+         "o": translate_ossl,
+         "m": translate_mbedtls
+        }[mode]
+    return " ".join(c + '=' + t(c) for c in names)
 
 def main(target, names):
     print(format_ciphersuite_names(target, names))
 
 if __name__ == "__main__":
     PARSER = argparse.ArgumentParser()
-    PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g'])
+    PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g', 'm'])
     PARSER.add_argument('names', metavar='NAMES', nargs='+')
     ARGS = PARSER.parse_args()
     main(ARGS.target, ARGS.names)