mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-04-25 09:02:48 +00:00
Refactor to avoid duplicate add_*
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu
parent
882c30da17
commit
7918efe99a
File diff suppressed because it is too large
Load Diff
@ -84,24 +84,27 @@ class TLSProgram(metaclass=abc.ABCMeta):
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, ciphersuite, signature_algorithm, named_group):
|
def __init__(self, ciphersuite, signature_algorithm, named_group):
|
||||||
self._cipher = ciphersuite
|
self._ciphers = []
|
||||||
self._sig_alg = signature_algorithm
|
self._sig_algs = []
|
||||||
self._named_group = named_group
|
self._named_groups = []
|
||||||
self.add_ciphersuites(ciphersuite)
|
self.add_ciphersuites(ciphersuite)
|
||||||
self.add_named_groups(named_group)
|
self.add_named_groups(named_group)
|
||||||
self.add_signature_algorithms(signature_algorithm)
|
self.add_signature_algorithms(signature_algorithm)
|
||||||
|
|
||||||
@abc.abstractmethod
|
# add_ciphersuites should not override by sub class
|
||||||
def add_ciphersuites(self, *ciphersuites):
|
def add_ciphersuites(self, *ciphersuites):
|
||||||
pass
|
self._ciphers.extend(
|
||||||
|
[cipher for cipher in ciphersuites if cipher not in self._ciphers])
|
||||||
|
|
||||||
@abc.abstractmethod
|
# add_signature_algorithms should not override by sub class
|
||||||
def add_signature_algorithms(self, *signature_algorithms):
|
def add_signature_algorithms(self, *signature_algorithms):
|
||||||
pass
|
self._sig_algs.extend(
|
||||||
|
[sig_alg for sig_alg in signature_algorithms if sig_alg not in self._sig_algs])
|
||||||
|
|
||||||
@abc.abstractmethod
|
# add_signature_algorithms should not override by sub class
|
||||||
def add_named_groups(self, *named_groups):
|
def add_named_groups(self, *named_groups):
|
||||||
pass
|
self._named_groups.extend(
|
||||||
|
[named_group for named_group in named_groups if named_group not in self._named_groups])
|
||||||
|
|
||||||
@abc.abstractmethod
|
@abc.abstractmethod
|
||||||
def pre_checks(self):
|
def pre_checks(self):
|
||||||
@ -120,26 +123,6 @@ class OpenSSLServ(TLSProgram):
|
|||||||
"""
|
"""
|
||||||
Generate test commands for OpenSSL server.
|
Generate test commands for OpenSSL server.
|
||||||
"""
|
"""
|
||||||
program = '$OPENSSL_NEXT'
|
|
||||||
|
|
||||||
def __init__(
|
|
||||||
self,
|
|
||||||
ciphersuite,
|
|
||||||
signature_algorithm,
|
|
||||||
named_group):
|
|
||||||
self.ciphersuites = []
|
|
||||||
self.named_groups = []
|
|
||||||
self.signature_algorithms = []
|
|
||||||
self.certificates = []
|
|
||||||
super().__init__(ciphersuite, signature_algorithm, named_group)
|
|
||||||
|
|
||||||
def add_ciphersuites(self, *ciphersuites):
|
|
||||||
self.ciphersuites.extend(ciphersuites)
|
|
||||||
|
|
||||||
def add_signature_algorithms(self, *signature_algorithms):
|
|
||||||
self.signature_algorithms.extend(signature_algorithms)
|
|
||||||
for sig_alg in signature_algorithms:
|
|
||||||
self.certificates.append(CERTIFICATES[sig_alg])
|
|
||||||
|
|
||||||
NAMED_GROUP = {
|
NAMED_GROUP = {
|
||||||
'secp256r1': 'P-256',
|
'secp256r1': 'P-256',
|
||||||
@ -149,20 +132,15 @@ class OpenSSLServ(TLSProgram):
|
|||||||
'x448': 'X448',
|
'x448': 'X448',
|
||||||
}
|
}
|
||||||
|
|
||||||
def add_named_groups(self, *named_groups):
|
|
||||||
for named_group in named_groups:
|
|
||||||
self.named_groups.append(self.NAMED_GROUP[named_group])
|
|
||||||
|
|
||||||
def cmd(self):
|
def cmd(self):
|
||||||
ret = ['$O_NEXT_SRV_NO_CERT']
|
ret = ['$O_NEXT_SRV_NO_CERT']
|
||||||
for i in self.certificates:
|
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._sig_algs):
|
||||||
print(i)
|
|
||||||
for _, cert, key in self.certificates:
|
|
||||||
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
|
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
|
||||||
ret += ['-accept $SRV_PORT']
|
ret += ['-accept $SRV_PORT']
|
||||||
ciphersuites = ','.join(self.ciphersuites)
|
ciphersuites = ','.join(self._ciphers)
|
||||||
signature_algorithms = ','.join(self.signature_algorithms)
|
signature_algorithms = ','.join(self._sig_algs)
|
||||||
named_groups = ','.join(self.named_groups)
|
named_groups = ','.join(
|
||||||
|
map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups))
|
||||||
ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites),
|
ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites),
|
||||||
"-sigalgs {signature_algorithms}".format(
|
"-sigalgs {signature_algorithms}".format(
|
||||||
signature_algorithms=signature_algorithms),
|
signature_algorithms=signature_algorithms),
|
||||||
@ -182,11 +160,6 @@ class GnuTLSServ(TLSProgram):
|
|||||||
Generate test commands for GnuTLS server.
|
Generate test commands for GnuTLS server.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, ciphersuite, signature_algorithm, named_group):
|
|
||||||
self.priority_strings = []
|
|
||||||
self.certificates = []
|
|
||||||
super().__init__(ciphersuite, signature_algorithm, named_group)
|
|
||||||
|
|
||||||
CIPHER_SUITE = {
|
CIPHER_SUITE = {
|
||||||
'TLS_AES_256_GCM_SHA384': [
|
'TLS_AES_256_GCM_SHA384': [
|
||||||
'AES-256-GCM',
|
'AES-256-GCM',
|
||||||
@ -209,21 +182,12 @@ class GnuTLSServ(TLSProgram):
|
|||||||
'SHA256',
|
'SHA256',
|
||||||
'AEAD']}
|
'AEAD']}
|
||||||
|
|
||||||
def add_ciphersuites(self, *ciphersuites):
|
|
||||||
for ciphersuite in ciphersuites:
|
|
||||||
self.priority_strings.extend(self.CIPHER_SUITE[ciphersuite])
|
|
||||||
|
|
||||||
SIGNATURE_ALGORITHM = {
|
SIGNATURE_ALGORITHM = {
|
||||||
'ecdsa_secp256r1_sha256': ['SIGN-ECDSA-SECP256R1-SHA256'],
|
'ecdsa_secp256r1_sha256': ['SIGN-ECDSA-SECP256R1-SHA256'],
|
||||||
'ecdsa_secp521r1_sha512': ['SIGN-ECDSA-SECP521R1-SHA512'],
|
'ecdsa_secp521r1_sha512': ['SIGN-ECDSA-SECP521R1-SHA512'],
|
||||||
'ecdsa_secp384r1_sha384': ['SIGN-ECDSA-SECP384R1-SHA384'],
|
'ecdsa_secp384r1_sha384': ['SIGN-ECDSA-SECP384R1-SHA384'],
|
||||||
'rsa_pss_rsae_sha256': ['SIGN-RSA-PSS-RSAE-SHA256']}
|
'rsa_pss_rsae_sha256': ['SIGN-RSA-PSS-RSAE-SHA256']}
|
||||||
|
|
||||||
def add_signature_algorithms(self, *signature_algorithms):
|
|
||||||
for sig_alg in signature_algorithms:
|
|
||||||
self.priority_strings.extend(self.SIGNATURE_ALGORITHM[sig_alg])
|
|
||||||
self.certificates.append(CERTIFICATES[sig_alg])
|
|
||||||
|
|
||||||
NAMED_GROUP = {
|
NAMED_GROUP = {
|
||||||
'secp256r1': ['GROUP-SECP256R1'],
|
'secp256r1': ['GROUP-SECP256R1'],
|
||||||
'secp384r1': ['GROUP-SECP384R1'],
|
'secp384r1': ['GROUP-SECP384R1'],
|
||||||
@ -232,10 +196,6 @@ class GnuTLSServ(TLSProgram):
|
|||||||
'x448': ['GROUP-X448'],
|
'x448': ['GROUP-X448'],
|
||||||
}
|
}
|
||||||
|
|
||||||
def add_named_groups(self, *named_groups):
|
|
||||||
for named_group in named_groups:
|
|
||||||
self.priority_strings.extend(self.NAMED_GROUP[named_group])
|
|
||||||
|
|
||||||
def pre_checks(self):
|
def pre_checks(self):
|
||||||
return ["requires_gnutls_tls1_3",
|
return ["requires_gnutls_tls1_3",
|
||||||
"requires_gnutls_next_no_ticket",
|
"requires_gnutls_next_no_ticket",
|
||||||
@ -245,20 +205,32 @@ class GnuTLSServ(TLSProgram):
|
|||||||
return ['-c "HTTP/1.0 200 OK"']
|
return ['-c "HTTP/1.0 200 OK"']
|
||||||
|
|
||||||
def cmd(self):
|
def cmd(self):
|
||||||
ret = [
|
ret = ['$G_NEXT_SRV_NO_CERT', '--http',
|
||||||
'$G_NEXT_SRV_NO_CERT',
|
'--disable-client-cert', '--debug=4']
|
||||||
'--http',
|
|
||||||
'--disable-client-cert',
|
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._sig_algs):
|
||||||
'--debug=4']
|
|
||||||
for _, cert, key in self.certificates:
|
|
||||||
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
|
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
|
||||||
cert=cert, key=key)]
|
cert=cert, key=key)]
|
||||||
priority_strings = ':+'.join(['NONE'] +
|
|
||||||
list(sorted(self.priority_strings)) +
|
priority_string_list = []
|
||||||
['VERS-TLS1.3'])
|
|
||||||
priority_strings += ':%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE'
|
def update_priority_string_list(items, map_table):
|
||||||
ret += ['--priority={priority_strings}'.format(
|
for item in items:
|
||||||
priority_strings=priority_strings)]
|
for i in map_table[item]:
|
||||||
|
if i not in priority_string_list:
|
||||||
|
yield i
|
||||||
|
priority_string_list.extend(update_priority_string_list(
|
||||||
|
self._sig_algs, self.SIGNATURE_ALGORITHM))
|
||||||
|
priority_string_list.extend(
|
||||||
|
update_priority_string_list(self._ciphers, self.CIPHER_SUITE))
|
||||||
|
priority_string_list.extend(update_priority_string_list(
|
||||||
|
self._named_groups, self.NAMED_GROUP))
|
||||||
|
priority_string_list = ['NONE'] + sorted(priority_string_list) + ['VERS-TLS1.3']
|
||||||
|
|
||||||
|
priority_string = ':+'.join(priority_string_list)
|
||||||
|
priority_string += ':%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE'
|
||||||
|
ret += ['--priority={priority_string}'.format(
|
||||||
|
priority_string=priority_string)]
|
||||||
ret = ' '.join(ret)
|
ret = ' '.join(ret)
|
||||||
return ret
|
return ret
|
||||||
|
|
||||||
@ -268,14 +240,6 @@ class MbedTLSCli(TLSProgram):
|
|||||||
Generate test commands for mbedTLS client.
|
Generate test commands for mbedTLS client.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, ciphersuite, signature_algorithm, named_group):
|
|
||||||
self.ciphersuites = []
|
|
||||||
self.certificates = []
|
|
||||||
self.signature_algorithms = []
|
|
||||||
self.named_groups = []
|
|
||||||
self.needed_named_groups = []
|
|
||||||
super().__init__(ciphersuite, signature_algorithm, named_group)
|
|
||||||
|
|
||||||
CIPHER_SUITE = {
|
CIPHER_SUITE = {
|
||||||
'TLS_AES_256_GCM_SHA384': 'TLS1-3-AES-256-GCM-SHA384',
|
'TLS_AES_256_GCM_SHA384': 'TLS1-3-AES-256-GCM-SHA384',
|
||||||
'TLS_AES_128_GCM_SHA256': 'TLS1-3-AES-128-GCM-SHA256',
|
'TLS_AES_128_GCM_SHA256': 'TLS1-3-AES-128-GCM-SHA256',
|
||||||
@ -283,69 +247,54 @@ class MbedTLSCli(TLSProgram):
|
|||||||
'TLS_AES_128_CCM_SHA256': 'TLS1-3-AES-128-CCM-SHA256',
|
'TLS_AES_128_CCM_SHA256': 'TLS1-3-AES-128-CCM-SHA256',
|
||||||
'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
|
'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
|
||||||
|
|
||||||
def add_ciphersuites(self, *ciphersuites):
|
def cmd(self):
|
||||||
for ciphersuite in ciphersuites:
|
ret = ['$P_CLI']
|
||||||
self.ciphersuites.append(self.CIPHER_SUITE[ciphersuite])
|
ret += ['server_addr=127.0.0.1', 'server_port=$SRV_PORT',
|
||||||
|
'debug_level=4', 'force_version=tls1_3']
|
||||||
|
ret += ['ca_file={cafile}'.format(
|
||||||
|
cafile=CERTIFICATES[self._sig_algs[0]].cafile)]
|
||||||
|
|
||||||
def add_signature_algorithms(self, *signature_algorithms):
|
if self._ciphers:
|
||||||
for sig_alg in signature_algorithms:
|
ciphers = ','.join(
|
||||||
self.signature_algorithms.append(sig_alg)
|
map(lambda cipher: self.CIPHER_SUITE[cipher], self._ciphers))
|
||||||
if sig_alg == 'ecdsa_secp256r1_sha256':
|
ret += ["force_ciphersuite={ciphers}".format(ciphers=ciphers)]
|
||||||
self.needed_named_groups.append('secp256r1')
|
|
||||||
elif sig_alg == 'ecdsa_secp521r1_sha512':
|
|
||||||
self.needed_named_groups.append('secp521r1')
|
|
||||||
elif sig_alg == 'ecdsa_secp384r1_sha384':
|
|
||||||
self.needed_named_groups.append('secp384r1')
|
|
||||||
|
|
||||||
self.certificates.append(CERTIFICATES[sig_alg])
|
if self._sig_algs:
|
||||||
|
ret += ['sig_algs={sig_algs}'.format(
|
||||||
|
sig_algs=','.join(self._sig_algs))]
|
||||||
|
for sig_alg in self._sig_algs:
|
||||||
|
if sig_alg in ('ecdsa_secp256r1_sha256',
|
||||||
|
'ecdsa_secp384r1_sha384',
|
||||||
|
'ecdsa_secp521r1_sha512'):
|
||||||
|
self.add_named_groups(sig_alg.split('_')[1])
|
||||||
|
|
||||||
def add_named_groups(self, *named_groups):
|
if self._named_groups:
|
||||||
for named_group in named_groups:
|
named_groups = ','.join(self._named_groups)
|
||||||
self.named_groups.append(named_group)
|
ret += ["curves={named_groups}".format(named_groups=named_groups)]
|
||||||
|
|
||||||
|
ret = ' '.join(ret)
|
||||||
|
return ret
|
||||||
|
|
||||||
def pre_checks(self):
|
def pre_checks(self):
|
||||||
|
|
||||||
ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
|
ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
|
||||||
'requires_config_enabled MBEDTLS_SSL_CLI_C',
|
'requires_config_enabled MBEDTLS_SSL_CLI_C',
|
||||||
'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL',
|
'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL',
|
||||||
'requires_config_disabled MBEDTLS_USE_PSA_CRYPTO']
|
'requires_config_disabled MBEDTLS_USE_PSA_CRYPTO']
|
||||||
if 'rsa_pss_rsae_sha256' in self.signature_algorithms:
|
if 'rsa_pss_rsae_sha256' in self._sig_algs:
|
||||||
ret.append(
|
ret.append(
|
||||||
'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
|
'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
|
||||||
return ret
|
return ret
|
||||||
|
|
||||||
def post_checks(self):
|
def post_checks(self):
|
||||||
|
check_strings = ["ECDH curve: {group}".format(group=self._named_groups[0]),
|
||||||
check_strings = ["ECDH curve: {group}".format(group=self._named_group),
|
|
||||||
"server hello, chosen ciphersuite: ( {:04x} ) - {}".format(
|
"server hello, chosen ciphersuite: ( {:04x} ) - {}".format(
|
||||||
CIPHER_SUITE_IANA_VALUE[self._cipher],
|
CIPHER_SUITE_IANA_VALUE[self._ciphers[0]],
|
||||||
self.CIPHER_SUITE[self._cipher]),
|
self.CIPHER_SUITE[self._ciphers[0]]),
|
||||||
"Certificate Verify: Signature algorithm ( {:04x} )".format(
|
"Certificate Verify: Signature algorithm ( {:04x} )".format(
|
||||||
SIG_ALG_IANA_VALUE[self._sig_alg]),
|
SIG_ALG_IANA_VALUE[self._sig_algs[0]]),
|
||||||
"Verifying peer X.509 certificate... ok", ]
|
"Verifying peer X.509 certificate... ok", ]
|
||||||
return ['-c "{}"'.format(i) for i in check_strings]
|
return ['-c "{}"'.format(i) for i in check_strings]
|
||||||
|
|
||||||
def cmd(self):
|
|
||||||
ret = ['$P_CLI']
|
|
||||||
ret += [
|
|
||||||
'server_addr=127.0.0.1 server_port=$SRV_PORT',
|
|
||||||
'debug_level=4 force_version=tls1_3']
|
|
||||||
ret += ['ca_file={cafile}'.format(
|
|
||||||
cafile=CERTIFICATES[self._sig_alg].cafile)]
|
|
||||||
self.ciphersuites = list(set(self.ciphersuites))
|
|
||||||
cipher = ','.join(self.ciphersuites)
|
|
||||||
if cipher:
|
|
||||||
ret += ["force_ciphersuite={cipher}".format(cipher=cipher)]
|
|
||||||
self.named_groups = remove_duplicates(
|
|
||||||
self.named_groups + self.needed_named_groups)
|
|
||||||
group = ','.join(self.named_groups)
|
|
||||||
if group:
|
|
||||||
ret += ["curves={group}".format(group=group)]
|
|
||||||
sig_alg = ','.join(self.signature_algorithms)
|
|
||||||
ret += ['sig_algs={sig_alg}'.format(sig_alg=sig_alg)]
|
|
||||||
ret = ' '.join(ret)
|
|
||||||
return ret
|
|
||||||
|
|
||||||
|
|
||||||
SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ}
|
SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ}
|
||||||
CLIENT_CLASSES = {'mbedTLS': MbedTLSCli}
|
CLIENT_CLASSES = {'mbedTLS': MbedTLSCli}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user