16799db69a
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
180 lines
5.7 KiB
Python
Executable file
180 lines
5.7 KiB
Python
Executable file
#!/usr/bin/env python3
|
|
|
|
# translate_ciphers.py
|
|
#
|
|
# Copyright The Mbed TLS Contributors
|
|
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
|
|
"""
|
|
Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards.
|
|
|
|
To test the translation functions run:
|
|
python3 -m unittest translate_cipher.py
|
|
"""
|
|
|
|
import re
|
|
import argparse
|
|
import unittest
|
|
|
|
class TestTranslateCiphers(unittest.TestCase):
|
|
"""
|
|
Ensure translate_ciphers.py translates and formats ciphersuite names
|
|
correctly
|
|
"""
|
|
def test_translate_all_cipher_names(self):
|
|
"""
|
|
Translate standard ciphersuite names to GnuTLS, OpenSSL and
|
|
Mbed TLS counterpart. Use only a small subset of ciphers
|
|
that exercise each step of the translation functions
|
|
"""
|
|
ciphers = [
|
|
("TLS_ECDHE_ECDSA_WITH_NULL_SHA",
|
|
"+ECDHE-ECDSA:+NULL:+SHA1",
|
|
"ECDHE-ECDSA-NULL-SHA",
|
|
"TLS-ECDHE-ECDSA-WITH-NULL-SHA"),
|
|
("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
"+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
|
|
"ECDHE-ECDSA-AES128-GCM-SHA256",
|
|
"TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"),
|
|
("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
"+DHE-RSA:+3DES-CBC:+SHA1",
|
|
"EDH-RSA-DES-CBC3-SHA",
|
|
"TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"),
|
|
("TLS_RSA_WITH_AES_256_CBC_SHA",
|
|
"+RSA:+AES-256-CBC:+SHA1",
|
|
"AES256-SHA",
|
|
"TLS-RSA-WITH-AES-256-CBC-SHA"),
|
|
("TLS_PSK_WITH_3DES_EDE_CBC_SHA",
|
|
"+PSK:+3DES-CBC:+SHA1",
|
|
"PSK-3DES-EDE-CBC-SHA",
|
|
"TLS-PSK-WITH-3DES-EDE-CBC-SHA"),
|
|
("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
None,
|
|
"ECDHE-ECDSA-CHACHA20-POLY1305",
|
|
"TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"),
|
|
("TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
|
|
"+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
|
|
None,
|
|
"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"),
|
|
("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
|
|
None,
|
|
"ECDHE-ARIA256-GCM-SHA384",
|
|
"TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"),
|
|
]
|
|
|
|
for s, g_exp, o_exp, m_exp in ciphers:
|
|
|
|
if g_exp is not None:
|
|
g = translate_gnutls(s)
|
|
self.assertEqual(g, g_exp)
|
|
|
|
if o_exp is not None:
|
|
o = translate_ossl(s)
|
|
self.assertEqual(o, o_exp)
|
|
|
|
if m_exp is not None:
|
|
m = translate_mbedtls(s)
|
|
self.assertEqual(m, m_exp)
|
|
|
|
def translate_gnutls(s_cipher):
|
|
"""
|
|
Translate s_cipher from standard ciphersuite naming convention
|
|
and return the GnuTLS naming convention
|
|
"""
|
|
|
|
# Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
|
|
# naming convention
|
|
s_cipher = s_cipher.replace("_", "-")
|
|
|
|
s_cipher = re.sub(r'\ATLS-', '+', s_cipher)
|
|
s_cipher = s_cipher.replace("-WITH-", ":+")
|
|
s_cipher = s_cipher.replace("-EDE", "")
|
|
|
|
# SHA in Mbed TLS == SHA1 GnuTLS,
|
|
# if the last 3 chars are SHA append 1
|
|
if s_cipher[-3:] == "SHA":
|
|
s_cipher = s_cipher+"1"
|
|
|
|
# CCM or CCM-8 should be followed by ":+AEAD"
|
|
# Replace "GCM:+SHAxyz" with "GCM:+AEAD"
|
|
if "CCM" in s_cipher or "GCM" in s_cipher:
|
|
s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher)
|
|
s_cipher = s_cipher+":+AEAD"
|
|
|
|
# Replace the last "-" with ":+"
|
|
else:
|
|
index = s_cipher.rindex("-")
|
|
s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:]
|
|
|
|
return s_cipher
|
|
|
|
def translate_ossl(s_cipher):
|
|
"""
|
|
Translate s_cipher from standard ciphersuite naming convention
|
|
and return the OpenSSL naming convention
|
|
"""
|
|
|
|
# Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
|
|
# naming convention
|
|
s_cipher = s_cipher.replace("_", "-")
|
|
|
|
s_cipher = re.sub(r'^TLS-', '', s_cipher)
|
|
s_cipher = s_cipher.replace("-WITH", "")
|
|
|
|
# Remove the "-" from "ABC-xyz"
|
|
s_cipher = s_cipher.replace("AES-", "AES")
|
|
s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA")
|
|
s_cipher = s_cipher.replace("ARIA-", "ARIA")
|
|
|
|
# Remove "RSA" if it is at the beginning
|
|
s_cipher = re.sub(r'^RSA-', r'', s_cipher)
|
|
|
|
# For all circumstances outside of PSK
|
|
if "PSK" not in s_cipher:
|
|
s_cipher = s_cipher.replace("-EDE", "")
|
|
s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3")
|
|
|
|
# Remove "CBC" if it is not prefixed by DES
|
|
s_cipher = re.sub(r'(?<!DES-)CBC-', r'', s_cipher)
|
|
|
|
# ECDHE-RSA-ARIA does not exist in OpenSSL
|
|
s_cipher = s_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
|
|
|
|
# POLY1305 should not be followed by anything
|
|
if "POLY1305" in s_cipher:
|
|
index = s_cipher.rindex("POLY1305")
|
|
s_cipher = s_cipher[:index+8]
|
|
|
|
# If DES is being used, Replace DHE with EDH
|
|
if "DES" in s_cipher and "DHE" in s_cipher and "ECDHE" not in s_cipher:
|
|
s_cipher = s_cipher.replace("DHE", "EDH")
|
|
|
|
return s_cipher
|
|
|
|
def translate_mbedtls(s_cipher):
|
|
"""
|
|
Translate s_cipher from standard ciphersuite naming convention
|
|
and return Mbed TLS ciphersuite naming convention
|
|
"""
|
|
|
|
# Replace "_" with "-"
|
|
s_cipher = s_cipher.replace("_", "-")
|
|
|
|
return s_cipher
|
|
|
|
def format_ciphersuite_names(mode, names):
|
|
t = {"g": translate_gnutls,
|
|
"o": translate_ossl,
|
|
"m": translate_mbedtls
|
|
}[mode]
|
|
return " ".join(c + '=' + t(c) for c in names)
|
|
|
|
def main(target, names):
|
|
print(format_ciphersuite_names(target, names))
|
|
|
|
if __name__ == "__main__":
|
|
PARSER = argparse.ArgumentParser()
|
|
PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g', 'm'])
|
|
PARSER.add_argument('names', metavar='NAMES', nargs='+')
|
|
ARGS = PARSER.parse_args()
|
|
main(ARGS.target, ARGS.names)
|