mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-04 15:39:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add cert_sig_algs for compat generate script

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-03-23 16:50:47 +08:00
parent 3616533d26
commit 7de79850c9
2 changed files with 823 additions and 567 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1242
tests/opt-testcases/tls13-compat.sh
View File

File diff suppressed because it is too large Load Diff

126
tests/scripts/generate_tls13_compat_tests.py
View File

@ -28,7 +28,6 @@ import abc
import argparse import argparse
import itertools import itertools
from collections import namedtuple from collections import namedtuple
# pylint: disable=useless-super-delegation
# define certificates configuration entry # define certificates configuration entry
Certificate = namedtuple("Certificate", ['cafile', 'certfile', 'keyfile']) Certificate = namedtuple("Certificate", ['cafile', 'certfile', 'keyfile'])
@ -71,18 +70,26 @@ NAMED_GROUP_IANA_VALUE = {
'x448': 0x1e, 'x448': 0x1e,
} }
class TLSProgram(metaclass=abc.ABCMeta): class TLSProgram(metaclass=abc.ABCMeta):
""" """
Base class for generate server/client command. Base class for generate server/client command.
""" """
# pylint: disable=too-many-arguments
def __init__(self, ciphersuite, signature_algorithm, named_group, compat_mode=True): def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None,
cert_sig_alg=None, compat_mode=True):
self._ciphers = [] self._ciphers = []
self._sig_algs = [] self._sig_algs = []
self._named_groups = [] self._named_groups = []
self._cert_sig_algs = []
if ciphersuite:
self.add_ciphersuites(ciphersuite) self.add_ciphersuites(ciphersuite)
if named_group:
self.add_named_groups(named_group) self.add_named_groups(named_group)
if signature_algorithm:
self.add_signature_algorithms(signature_algorithm) self.add_signature_algorithms(signature_algorithm)
if cert_sig_alg:
self.add_cert_signature_algorithms(cert_sig_alg)
self._compat_mode = compat_mode self._compat_mode = compat_mode
# add_ciphersuites should not override by sub class # add_ciphersuites should not override by sub class
@ -95,18 +102,24 @@ class TLSProgram(metaclass=abc.ABCMeta):
self._sig_algs.extend( self._sig_algs.extend(
[sig_alg for sig_alg in signature_algorithms if sig_alg not in self._sig_algs]) [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._sig_algs])
# add_signature_algorithms should not override by sub class # add_named_groups should not override by sub class
def add_named_groups(self, *named_groups): def add_named_groups(self, *named_groups):
self._named_groups.extend( self._named_groups.extend(
[named_group for named_group in named_groups if named_group not in self._named_groups]) [named_group for named_group in named_groups if named_group not in self._named_groups])
# add_cert_signature_algorithms should not override by sub class
def add_cert_signature_algorithms(self, *signature_algorithms):
self._cert_sig_algs.extend(
[sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs])
@abc.abstractmethod @abc.abstractmethod
def pre_checks(self): def pre_checks(self):
return [] return []
@abc.abstractmethod @abc.abstractmethod
def cmd(self): def cmd(self):
pass if not self._cert_sig_algs:
self._cert_sig_algs = list(CERTIFICATES.keys())
@abc.abstractmethod @abc.abstractmethod
def post_checks(self): def post_checks(self):
@ -127,18 +140,26 @@ class OpenSSLServ(TLSProgram):
} }
def cmd(self): def cmd(self):
super().cmd()
ret = ['$O_NEXT_SRV_NO_CERT'] ret = ['$O_NEXT_SRV_NO_CERT']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._sig_algs): for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)] ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
ret += ['-accept $SRV_PORT'] ret += ['-accept $SRV_PORT']
ciphersuites = ','.join(self._ciphers)
signature_algorithms = ','.join(self._sig_algs) if self._ciphers:
named_groups = ','.join( ciphersuites = ':'.join(self._ciphers)
ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites)]
if self._sig_algs:
signature_algorithms = ':'.join(self._sig_algs)
ret += ["-sigalgs {signature_algorithms}".format(
signature_algorithms=signature_algorithms)]
if self._named_groups:
named_groups = ':'.join(
map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups)) map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups))
ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites), ret += ["-groups {named_groups}".format(named_groups=named_groups)]
"-sigalgs {signature_algorithms}".format(
signature_algorithms=signature_algorithms),
"-groups {named_groups}".format(named_groups=named_groups)]
ret += ['-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache'] ret += ['-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache']
if not self._compat_mode: if not self._compat_mode:
ret += ['-no_middlebox'] ret += ['-no_middlebox']
@ -202,10 +223,11 @@ class GnuTLSServ(TLSProgram):
return ['-c "HTTP/1.0 200 OK"'] return ['-c "HTTP/1.0 200 OK"']
def cmd(self): def cmd(self):
super().cmd()
ret = ['$G_NEXT_SRV_NO_CERT', '--http', ret = ['$G_NEXT_SRV_NO_CERT', '--http',
'--disable-client-cert', '--debug=4'] '--disable-client-cert', '--debug=4']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._sig_algs): for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format( ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)] cert=cert, key=key)]
@ -216,16 +238,32 @@ class GnuTLSServ(TLSProgram):
for i in map_table[item]: for i in map_table[item]:
if i not in priority_string_list: if i not in priority_string_list:
yield i yield i
if self._ciphers:
priority_string_list.extend(update_priority_string_list(
self._ciphers, self.CIPHER_SUITE))
else:
priority_string_list.append('CIPHER-ALL')
if self._sig_algs:
priority_string_list.extend(update_priority_string_list( priority_string_list.extend(update_priority_string_list(
self._sig_algs, self.SIGNATURE_ALGORITHM)) self._sig_algs, self.SIGNATURE_ALGORITHM))
priority_string_list.extend( else:
update_priority_string_list(self._ciphers, self.CIPHER_SUITE)) priority_string_list.append('SIGN-ALL')
if self._named_groups:
priority_string_list.extend(update_priority_string_list( priority_string_list.extend(update_priority_string_list(
self._named_groups, self.NAMED_GROUP)) self._named_groups, self.NAMED_GROUP))
priority_string_list = ['NONE'] + sorted(priority_string_list) + ['VERS-TLS1.3'] else:
priority_string_list.append('GROUP-ALL')
priority_string_list = ['NONE'] + \
sorted(priority_string_list) + ['VERS-TLS1.3']
priority_string = ':+'.join(priority_string_list) priority_string = ':+'.join(priority_string_list)
priority_string += ':%NO_TICKETS' priority_string += ':%NO_TICKETS'
if not self._compat_mode: if not self._compat_mode:
priority_string += [':%DISABLE_TLS13_COMPAT_MODE'] priority_string += [':%DISABLE_TLS13_COMPAT_MODE']
@ -248,11 +286,12 @@ class MbedTLSCli(TLSProgram):
'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'} 'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
def cmd(self): def cmd(self):
super().cmd()
ret = ['$P_CLI'] ret = ['$P_CLI']
ret += ['server_addr=127.0.0.1', 'server_port=$SRV_PORT', ret += ['server_addr=127.0.0.1', 'server_port=$SRV_PORT',
'debug_level=4', 'force_version=tls13'] 'debug_level=4', 'force_version=tls13']
ret += ['ca_file={cafile}'.format( ret += ['ca_file={cafile}'.format(
cafile=CERTIFICATES[self._sig_algs[0]].cafile)] cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
if self._ciphers: if self._ciphers:
ciphers = ','.join( ciphers = ','.join(
@ -262,11 +301,6 @@ class MbedTLSCli(TLSProgram):
if self._sig_algs: if self._sig_algs:
ret += ['sig_algs={sig_algs}'.format( ret += ['sig_algs={sig_algs}'.format(
sig_algs=','.join(self._sig_algs))] sig_algs=','.join(self._sig_algs))]
for sig_alg in self._sig_algs:
if sig_alg in ('ecdsa_secp256r1_sha256',
'ecdsa_secp384r1_sha384',
'ecdsa_secp521r1_sha512'):
self.add_named_groups(sig_alg.split('_')[1])
if self._named_groups: if self._named_groups:
named_groups = ','.join(self._named_groups) named_groups = ','.join(self._named_groups)
@ -283,19 +317,29 @@ class MbedTLSCli(TLSProgram):
if self._compat_mode: if self._compat_mode:
ret += ['requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE'] ret += ['requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE']
if 'rsa_pss_rsae_sha256' in self._sig_algs: if 'rsa_pss_rsae_sha256' in self._sig_algs + self._cert_sig_algs:
ret.append( ret.append(
'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT') 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
return ret return ret
def post_checks(self): def post_checks(self):
check_strings = ["ECDH curve: {group}".format(group=self._named_groups[0]), check_strings = []
if self._ciphers:
check_strings.append(
"server hello, chosen ciphersuite: ( {:04x} ) - {}".format( "server hello, chosen ciphersuite: ( {:04x} ) - {}".format(
CIPHER_SUITE_IANA_VALUE[self._ciphers[0]], CIPHER_SUITE_IANA_VALUE[self._ciphers[0]],
self.CIPHER_SUITE[self._ciphers[0]]), self.CIPHER_SUITE[self._ciphers[0]]))
if self._sig_algs:
check_strings.append(
"Certificate Verify: Signature algorithm ( {:04x} )".format( "Certificate Verify: Signature algorithm ( {:04x} )".format(
SIG_ALG_IANA_VALUE[self._sig_algs[0]]), SIG_ALG_IANA_VALUE[self._sig_algs[0]]))
"Verifying peer X.509 certificate... ok", ]
for named_group in self._named_groups:
check_strings += ['NamedGroup: {named_group} ( {iana_value:x} )'.format(
named_group=named_group,
iana_value=NAMED_GROUP_IANA_VALUE[named_group])]
check_strings.append("Verifying peer X.509 certificate... ok")
return ['-c "{}"'.format(i) for i in check_strings] return ['-c "{}"'.format(i) for i in check_strings]
@ -309,13 +353,21 @@ def generate_compat_test(server=None, client=None, cipher=None, sig_alg=None, na
""" """
name = 'TLS 1.3 {client[0]}->{server[0]}: {cipher},{named_group},{sig_alg}'.format( name = 'TLS 1.3 {client[0]}->{server[0]}: {cipher},{named_group},{sig_alg}'.format(
client=client, server=server, cipher=cipher, sig_alg=sig_alg, named_group=named_group) client=client, server=server, cipher=cipher, sig_alg=sig_alg, named_group=named_group)
server_object = SERVER_CLASSES[server](cipher, sig_alg, named_group)
client_object = CLIENT_CLASSES[client](cipher, sig_alg, named_group) server_object = SERVER_CLASSES[server](ciphersuite=cipher,
named_group=named_group,
signature_algorithm=sig_alg,
cert_sig_alg=sig_alg)
client_object = CLIENT_CLASSES[client](ciphersuite=cipher,
named_group=named_group,
signature_algorithm=sig_alg,
cert_sig_alg=sig_alg)
cmd = ['run_test "{}"'.format(name), '"{}"'.format( cmd = ['run_test "{}"'.format(name), '"{}"'.format(
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0'] server_object.cmd()), '"{}"'.format(client_object.cmd()), '0']
cmd += server_object.post_checks() cmd += server_object.post_checks()
cmd += client_object.post_checks() cmd += client_object.post_checks()
cmd += ['-C "received HelloRetryRequest message"']
prefix = ' \\\n' + (' '*9) prefix = ' \\\n' + (' '*9)
cmd = prefix.join(cmd) cmd = prefix.join(cmd)
return '\n'.join(server_object.pre_checks() + client_object.pre_checks() + [cmd]) return '\n'.join(server_object.pre_checks() + client_object.pre_checks() + [cmd])
@ -343,7 +395,7 @@ SSL_OUTPUT_HEADER = '''#!/bin/sh
# Purpose # Purpose
# #
# List TLS1.3 compat test cases. They are generated by # List TLS1.3 compat test cases. They are generated by
# `generate_tls13_compat_tests.py -a`. # `{cmd}`.
# #
# PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py` # PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py`
# AND REGENERATE THIS FILE. # AND REGENERATE THIS FILE.
@ -397,22 +449,26 @@ def main():
args = parser.parse_args() args = parser.parse_args()
def get_all_test_cases(): def get_all_test_cases():
# Generate normal compat test cases
for cipher, sig_alg, named_group, server, client in \ for cipher, sig_alg, named_group, server, client in \
itertools.product(CIPHER_SUITE_IANA_VALUE.keys(), SIG_ALG_IANA_VALUE.keys(), itertools.product(CIPHER_SUITE_IANA_VALUE.keys(),
NAMED_GROUP_IANA_VALUE.keys(), SERVER_CLASSES.keys(), SIG_ALG_IANA_VALUE.keys(),
NAMED_GROUP_IANA_VALUE.keys(),
SERVER_CLASSES.keys(),
CLIENT_CLASSES.keys()): CLIENT_CLASSES.keys()):
yield generate_compat_test(cipher=cipher, sig_alg=sig_alg, named_group=named_group, yield generate_compat_test(cipher=cipher, sig_alg=sig_alg, named_group=named_group,
server=server, client=client) server=server, client=client)
if args.generate_all_tls13_compat_tests: if args.generate_all_tls13_compat_tests:
if args.output: if args.output:
with open(args.output, 'w', encoding="utf-8") as f: with open(args.output, 'w', encoding="utf-8") as f:
f.write(SSL_OUTPUT_HEADER.format( f.write(SSL_OUTPUT_HEADER.format(
filename=os.path.basename(args.output))) filename=os.path.basename(args.output), cmd=' '.join(sys.argv)))
f.write('\n\n'.join(get_all_test_cases())) f.write('\n\n'.join(get_all_test_cases()))
f.write('\n') f.write('\n')
else: else:
print('\n'.join(get_all_test_cases())) print('\n\n'.join(get_all_test_cases()))
return 0 return 0
if args.list_ciphers or args.list_sig_algs or args.list_named_groups \ if args.list_ciphers or args.list_sig_algs or args.list_named_groups \