From d5f99e49e0fc70f776f9776f4a9c6bda9865d76b Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 11 Jan 2023 10:11:23 +0800 Subject: [PATCH 1/9] Change cipher suite names to standard names in compat.sh Since there is a plan to report and filter all cipher suite names consistently, cipher suite names in compat.sh are changed to the standard naming convention. Signed-off-by: Yanray Wang --- tests/compat.sh | 365 +++++++++++++++++++++++++----------------------- 1 file changed, 192 insertions(+), 173 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index fc2bfab7a0..0785f730c0 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -234,6 +234,7 @@ filter_ciphersuites() reset_ciphersuites() { + S_CIPHERS="" M_CIPHERS="" O_CIPHERS="" G_CIPHERS="" @@ -258,56 +259,60 @@ add_common_ciphersuites() "ECDSA") CIPHERS="$CIPHERS \ - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA \ - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \ - TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA \ - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \ - TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \ - TLS-ECDHE-ECDSA-WITH-NULL-SHA \ + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \ + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \ + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \ + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \ + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ + TLS_ECDHE_ECDSA_WITH_NULL_SHA \ " ;; "RSA") CIPHERS="$CIPHERS \ - TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ - TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 \ - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 \ - TLS-DHE-RSA-WITH-AES-256-CBC-SHA \ - TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 \ - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 \ - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA \ - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA \ - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \ - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 \ - TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \ - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA \ - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 \ - TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 \ - TLS-ECDHE-RSA-WITH-NULL-SHA \ - TLS-RSA-WITH-AES-128-CBC-SHA \ - TLS-RSA-WITH-AES-128-CBC-SHA256 \ - TLS-RSA-WITH-AES-128-GCM-SHA256 \ - TLS-RSA-WITH-AES-256-CBC-SHA \ - TLS-RSA-WITH-AES-256-CBC-SHA256 \ - TLS-RSA-WITH-AES-256-GCM-SHA384 \ - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA \ - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA \ - TLS-RSA-WITH-NULL-MD5 \ - TLS-RSA-WITH-NULL-SHA \ - TLS-RSA-WITH-NULL-SHA256 \ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA \ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \ + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA \ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \ + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \ + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA \ + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA \ + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \ + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \ + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \ + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \ + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \ + TLS_ECDHE_RSA_WITH_NULL_SHA \ + TLS_RSA_WITH_AES_128_CBC_SHA \ + TLS_RSA_WITH_AES_128_CBC_SHA256 \ + TLS_RSA_WITH_AES_128_GCM_SHA256 \ + TLS_RSA_WITH_AES_256_CBC_SHA \ + TLS_RSA_WITH_AES_256_CBC_SHA256 \ + TLS_RSA_WITH_AES_256_GCM_SHA384 \ + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA \ + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA \ + TLS_RSA_WITH_NULL_MD5 \ + TLS_RSA_WITH_NULL_SHA \ + TLS_RSA_WITH_NULL_SHA256 \ " ;; "PSK") CIPHERS="$CIPHERS \ - TLS-PSK-WITH-AES-128-CBC-SHA \ - TLS-PSK-WITH-AES-256-CBC-SHA \ + TLS_PSK_WITH_AES_128_CBC_SHA \ + TLS_PSK_WITH_AES_256_CBC_SHA \ " ;; esac - M_CIPHERS="$M_CIPHERS $CIPHERS" + S_CIPHERS="$S_CIPHERS $CIPHERS" + + T=$(./scripts/translate_ciphers.py m $CIPHERS) + check_translation $? "$T" + M_CIPHERS="$M_CIPHERS $T" T=$(./scripts/translate_ciphers.py g $CIPHERS) check_translation $? "$T" @@ -337,46 +342,50 @@ add_openssl_ciphersuites() "ECDSA") CIPHERS="$CIPHERS \ - TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA \ - TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \ - TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \ - TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA \ - TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \ - TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \ - TLS-ECDH-ECDSA-WITH-NULL-SHA \ - TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \ + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \ + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \ + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \ + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \ + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \ + TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \ + TLS_ECDH_ECDSA_WITH_NULL_SHA \ + TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 \ + TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 \ + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \ " ;; "RSA") CIPHERS="$CIPHERS \ - TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ - TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ - TLS-RSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-RSA-WITH-ARIA-256-GCM-SHA384 \ + TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 \ + TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 \ + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \ + TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 \ + TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 \ + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \ + TLS_RSA_WITH_ARIA_128_GCM_SHA256 \ + TLS_RSA_WITH_ARIA_256_GCM_SHA384 \ " ;; "PSK") CIPHERS="$CIPHERS \ - TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \ - TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \ - TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ - TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ - TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ - TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ - TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \ + TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 \ + TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 \ + TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \ + TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \ + TLS_PSK_WITH_ARIA_128_GCM_SHA256 \ + TLS_PSK_WITH_ARIA_256_GCM_SHA384 \ + TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 \ " ;; esac - M_CIPHERS="$M_CIPHERS $CIPHERS" + S_CIPHERS="$S_CIPHERS $CIPHERS" + + T=$(./scripts/translate_ciphers.py m $CIPHERS) + check_translation $? "$T" + M_CIPHERS="$M_CIPHERS $T" T=$(./scripts/translate_ciphers.py o $CIPHERS) check_translation $? "$T" @@ -395,99 +404,103 @@ add_gnutls_ciphersuites() "ECDSA") CIPHERS="$CIPHERS \ - TLS-ECDHE-ECDSA-WITH-AES-128-CCM \ - TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ - TLS-ECDHE-ECDSA-WITH-AES-256-CCM \ - TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \ - TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \ + TLS_ECDHE_ECDSA_WITH_AES_128_CCM \ + TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 \ + TLS_ECDHE_ECDSA_WITH_AES_256_CCM \ + TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 \ + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \ + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \ + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \ " ;; "RSA") CIPHERS="$CIPHERS \ - TLS-DHE-RSA-WITH-AES-128-CCM \ - TLS-DHE-RSA-WITH-AES-128-CCM-8 \ - TLS-DHE-RSA-WITH-AES-256-CCM \ - TLS-DHE-RSA-WITH-AES-256-CCM-8 \ - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 \ - TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-RSA-WITH-AES-128-CCM \ - TLS-RSA-WITH-AES-128-CCM-8 \ - TLS-RSA-WITH-AES-256-CCM \ - TLS-RSA-WITH-AES-256-CCM-8 \ - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 \ - TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ + TLS_DHE_RSA_WITH_AES_128_CCM \ + TLS_DHE_RSA_WITH_AES_128_CCM_8 \ + TLS_DHE_RSA_WITH_AES_256_CCM \ + TLS_DHE_RSA_WITH_AES_256_CCM_8 \ + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 \ + TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ + TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ + TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 \ + TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ + TLS_RSA_WITH_AES_128_CCM \ + TLS_RSA_WITH_AES_128_CCM_8 \ + TLS_RSA_WITH_AES_256_CCM \ + TLS_RSA_WITH_AES_256_CCM_8 \ + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 \ + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 \ + TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 \ " ;; "PSK") CIPHERS="$CIPHERS \ - TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ - TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \ - TLS-DHE-PSK-WITH-AES-128-CCM \ - TLS-DHE-PSK-WITH-AES-128-CCM-8 \ - TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \ - TLS-DHE-PSK-WITH-AES-256-CBC-SHA \ - TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ - TLS-DHE-PSK-WITH-AES-256-CCM \ - TLS-DHE-PSK-WITH-AES-256-CCM-8 \ - TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \ - TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-DHE-PSK-WITH-NULL-SHA256 \ - TLS-DHE-PSK-WITH-NULL-SHA384 \ - TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ - TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \ - TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \ - TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ - TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-ECDHE-PSK-WITH-NULL-SHA256 \ - TLS-ECDHE-PSK-WITH-NULL-SHA384 \ - TLS-PSK-WITH-AES-128-CBC-SHA256 \ - TLS-PSK-WITH-AES-128-CCM \ - TLS-PSK-WITH-AES-128-CCM-8 \ - TLS-PSK-WITH-AES-128-GCM-SHA256 \ - TLS-PSK-WITH-AES-256-CBC-SHA384 \ - TLS-PSK-WITH-AES-256-CCM \ - TLS-PSK-WITH-AES-256-CCM-8 \ - TLS-PSK-WITH-AES-256-GCM-SHA384 \ - TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-PSK-WITH-NULL-SHA256 \ - TLS-PSK-WITH-NULL-SHA384 \ - TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \ - TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 \ - TLS-RSA-PSK-WITH-AES-256-CBC-SHA \ - TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 \ - TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-RSA-PSK-WITH-NULL-SHA256 \ - TLS-RSA-PSK-WITH-NULL-SHA384 \ + TLS_DHE_PSK_WITH_AES_128_CBC_SHA \ + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 \ + TLS_DHE_PSK_WITH_AES_128_CCM \ + TLS_DHE_PSK_WITH_AES_128_CCM_8 \ + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 \ + TLS_DHE_PSK_WITH_AES_256_CBC_SHA \ + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 \ + TLS_DHE_PSK_WITH_AES_256_CCM \ + TLS_DHE_PSK_WITH_AES_256_CCM_8 \ + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 \ + TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ + TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ + TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ + TLS_DHE_PSK_WITH_NULL_SHA256 \ + TLS_DHE_PSK_WITH_NULL_SHA384 \ + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA \ + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 \ + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA \ + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 \ + TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ + TLS_ECDHE_PSK_WITH_NULL_SHA256 \ + TLS_ECDHE_PSK_WITH_NULL_SHA384 \ + TLS_PSK_WITH_AES_128_CBC_SHA256 \ + TLS_PSK_WITH_AES_128_CCM \ + TLS_PSK_WITH_AES_128_CCM_8 \ + TLS_PSK_WITH_AES_128_GCM_SHA256 \ + TLS_PSK_WITH_AES_256_CBC_SHA384 \ + TLS_PSK_WITH_AES_256_CCM \ + TLS_PSK_WITH_AES_256_CCM_8 \ + TLS_PSK_WITH_AES_256_GCM_SHA384 \ + TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ + TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ + TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ + TLS_PSK_WITH_NULL_SHA256 \ + TLS_PSK_WITH_NULL_SHA384 \ + TLS_RSA_PSK_WITH_AES_128_CBC_SHA \ + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 \ + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 \ + TLS_RSA_PSK_WITH_AES_256_CBC_SHA \ + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 \ + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 \ + TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 \ + TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 \ + TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 \ + TLS_RSA_PSK_WITH_NULL_SHA256 \ + TLS_RSA_PSK_WITH_NULL_SHA384 \ " ;; esac - M_CIPHERS="$M_CIPHERS $CIPHERS" + S_CIPHERS="$S_CIPHERS $CIPHERS" + + T=$(./scripts/translate_ciphers.py m $CIPHERS) + check_translation $? "$T" + M_CIPHERS="$M_CIPHERS $T" T=$(./scripts/translate_ciphers.py g $CIPHERS) check_translation $? "$T" @@ -503,51 +516,57 @@ add_mbedtls_ciphersuites() "ECDSA") M_CIPHERS="$M_CIPHERS \ - TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 \ - TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \ - TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \ + TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 \ + TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 \ + TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 \ + TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 \ + TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \ + TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \ + TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \ + TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \ + TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 \ + TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 \ " ;; "RSA") M_CIPHERS="$M_CIPHERS \ - TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \ - TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \ - TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-RSA-WITH-ARIA-128-CBC-SHA256 \ - TLS-RSA-WITH-ARIA-256-CBC-SHA384 \ + TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 \ + TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 \ + TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 \ + TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 \ + TLS_RSA_WITH_ARIA_128_CBC_SHA256 \ + TLS_RSA_WITH_ARIA_256_CBC_SHA384 \ " ;; "PSK") - # *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15 + # *PSK_NULL_SHA suites supported by GnuTLS 3.3.5 but not 3.2.15 M_CIPHERS="$M_CIPHERS \ - TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-DHE-PSK-WITH-NULL-SHA \ - TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDHE-PSK-WITH-NULL-SHA \ - TLS-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-PSK-WITH-NULL-SHA \ - TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \ - TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \ - TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \ - TLS-RSA-PSK-WITH-NULL-SHA \ + TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 \ + TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 \ + TLS_DHE_PSK_WITH_NULL_SHA \ + TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 \ + TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 \ + TLS_ECDHE_PSK_WITH_NULL_SHA \ + TLS_PSK_WITH_ARIA_128_CBC_SHA256 \ + TLS_PSK_WITH_ARIA_256_CBC_SHA384 \ + TLS_PSK_WITH_NULL_SHA \ + TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 \ + TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 \ + TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 \ + TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 \ + TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 \ + TLS_RSA_PSK_WITH_NULL_SHA \ " ;; esac + + S_CIPHERS="$S_CIPHERS $CIPHERS" + + T=$(./scripts/translate_ciphers.py m $CIPHERS) + check_translation $? "$T" + M_CIPHERS="$M_CIPHERS $T" } setup_arguments() From ee97f05d353551104f0c694d94e35f7b73989f12 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 16 Jan 2023 11:30:59 +0800 Subject: [PATCH 2/9] Translate cipher suite names based on standard naming convention With this commit, translate_ciphers.py would be based on standard cipher suite names instead of MbedTLS naming convention. Signed-off-by: Yanray Wang --- tests/scripts/translate_ciphers.py | 149 ++++++++++++++++++----------- 1 file changed, 91 insertions(+), 58 deletions(-) diff --git a/tests/scripts/translate_ciphers.py b/tests/scripts/translate_ciphers.py index d5f847fd54..c622a6704c 100755 --- a/tests/scripts/translate_ciphers.py +++ b/tests/scripts/translate_ciphers.py @@ -18,8 +18,7 @@ # limitations under the License. """ -Translate ciphersuite names in Mbed TLS format to OpenSSL and GNUTLS -standards. +Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards. To test the translation functions run: python3 -m unittest translate_cipher.py @@ -36,116 +35,150 @@ class TestTranslateCiphers(unittest.TestCase): """ def test_translate_all_cipher_names(self): """ - Translate MbedTLS ciphersuite names to their OpenSSL and - GnuTLS counterpart. Use only a small subset of ciphers - that exercise each step of the translate functions + Translate standard ciphersuite names to GnuTLS, OpenSSL and + Mbed TLS counterpart. Use only a small subset of ciphers + that exercise each step of the translation functions """ ciphers = [ - ("TLS-ECDHE-ECDSA-WITH-NULL-SHA", + ("TLS_ECDHE_ECDSA_WITH_NULL_SHA", "+ECDHE-ECDSA:+NULL:+SHA1", - "ECDHE-ECDSA-NULL-SHA"), - ("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256", + "ECDHE-ECDSA-NULL-SHA", + "TLS-ECDHE-ECDSA-WITH-NULL-SHA"), + ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "+ECDHE-ECDSA:+AES-128-GCM:+AEAD", - "ECDHE-ECDSA-AES128-GCM-SHA256"), - ("TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA", + "ECDHE-ECDSA-AES128-GCM-SHA256", + "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"), + ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "+DHE-RSA:+3DES-CBC:+SHA1", - "EDH-RSA-DES-CBC3-SHA"), - ("TLS-RSA-WITH-AES-256-CBC-SHA", + "EDH-RSA-DES-CBC3-SHA", + "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"), + ("TLS_RSA_WITH_AES_256_CBC_SHA", "+RSA:+AES-256-CBC:+SHA1", - "AES256-SHA"), - ("TLS-PSK-WITH-3DES-EDE-CBC-SHA", + "AES256-SHA", + "TLS-RSA-WITH-AES-256-CBC-SHA"), + ("TLS_PSK_WITH_3DES_EDE_CBC_SHA", "+PSK:+3DES-CBC:+SHA1", - "PSK-3DES-EDE-CBC-SHA"), - ("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256", + "PSK-3DES-EDE-CBC-SHA", + "TLS-PSK-WITH-3DES-EDE-CBC-SHA"), + ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", None, - "ECDHE-ECDSA-CHACHA20-POLY1305"), - ("TLS-ECDHE-ECDSA-WITH-AES-128-CCM", + "ECDHE-ECDSA-CHACHA20-POLY1305", + "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"), + ("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "+ECDHE-ECDSA:+AES-128-CCM:+AEAD", - None), - ("TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384", None, - "ECDHE-ARIA256-GCM-SHA384"), + "TLS-ECDHE-ECDSA-WITH-AES-128-CCM"), + ("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", + None, + "ECDHE-ARIA256-GCM-SHA384", + "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"), ] - for m, g_exp, o_exp in ciphers: + for s, g_exp, o_exp, m_exp in ciphers: if g_exp is not None: - g = translate_gnutls(m) + g = translate_gnutls(s) self.assertEqual(g, g_exp) if o_exp is not None: - o = translate_ossl(m) + o = translate_ossl(s) self.assertEqual(o, o_exp) -def translate_gnutls(m_cipher): + if m_exp is not None: + m = translate_mbedtls(s) + self.assertEqual(m, m_exp) + +def translate_gnutls(s_cipher): """ - Translate m_cipher from Mbed TLS ciphersuite naming convention + Translate s_cipher from standard ciphersuite naming convention and return the GnuTLS naming convention """ - m_cipher = re.sub(r'\ATLS-', '+', m_cipher) - m_cipher = m_cipher.replace("-WITH-", ":+") - m_cipher = m_cipher.replace("-EDE", "") + # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS + # naming convention + s_cipher = s_cipher.replace("_", "-") + + s_cipher = re.sub(r'\ATLS-', '+', s_cipher) + s_cipher = s_cipher.replace("-WITH-", ":+") + s_cipher = s_cipher.replace("-EDE", "") # SHA in Mbed TLS == SHA1 GnuTLS, # if the last 3 chars are SHA append 1 - if m_cipher[-3:] == "SHA": - m_cipher = m_cipher+"1" + if s_cipher[-3:] == "SHA": + s_cipher = s_cipher+"1" # CCM or CCM-8 should be followed by ":+AEAD" # Replace "GCM:+SHAxyz" with "GCM:+AEAD" - if "CCM" in m_cipher or "GCM" in m_cipher: - m_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", m_cipher) - m_cipher = m_cipher+":+AEAD" + if "CCM" in s_cipher or "GCM" in s_cipher: + s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher) + s_cipher = s_cipher+":+AEAD" # Replace the last "-" with ":+" else: - index = m_cipher.rindex("-") - m_cipher = m_cipher[:index] + ":+" + m_cipher[index+1:] + index = s_cipher.rindex("-") + s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:] - return m_cipher + return s_cipher -def translate_ossl(m_cipher): +def translate_ossl(s_cipher): """ - Translate m_cipher from Mbed TLS ciphersuite naming convention + Translate s_cipher from standard ciphersuite naming convention and return the OpenSSL naming convention """ - m_cipher = re.sub(r'^TLS-', '', m_cipher) - m_cipher = m_cipher.replace("-WITH", "") + # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS + # naming convention + s_cipher = s_cipher.replace("_", "-") + + s_cipher = re.sub(r'^TLS-', '', s_cipher) + s_cipher = s_cipher.replace("-WITH", "") # Remove the "-" from "ABC-xyz" - m_cipher = m_cipher.replace("AES-", "AES") - m_cipher = m_cipher.replace("CAMELLIA-", "CAMELLIA") - m_cipher = m_cipher.replace("ARIA-", "ARIA") + s_cipher = s_cipher.replace("AES-", "AES") + s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA") + s_cipher = s_cipher.replace("ARIA-", "ARIA") # Remove "RSA" if it is at the beginning - m_cipher = re.sub(r'^RSA-', r'', m_cipher) + s_cipher = re.sub(r'^RSA-', r'', s_cipher) # For all circumstances outside of PSK - if "PSK" not in m_cipher: - m_cipher = m_cipher.replace("-EDE", "") - m_cipher = m_cipher.replace("3DES-CBC", "DES-CBC3") + if "PSK" not in s_cipher: + s_cipher = s_cipher.replace("-EDE", "") + s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3") # Remove "CBC" if it is not prefixed by DES - m_cipher = re.sub(r'(? Date: Fri, 13 Jan 2023 18:00:10 +0800 Subject: [PATCH 3/9] Redesign translation of cipher suite names in compat.sh Move translation of cipher suite names after filter_ciphersuites so that filter is based on standard cipher suite names. Furthermore, an additional flag is passed to run_client to determine the type of translation of cipher suite names. Therefore, client receives cipher suite names based on its naming convention but the reporting output is still the standard cipher suite names. Signed-off-by: Yanray Wang --- tests/compat.sh | 89 ++++++++++++++++++------------------------------- 1 file changed, 32 insertions(+), 57 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 0785f730c0..886ad8f651 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -89,7 +89,7 @@ FILTER="" # - NULL: excluded from our default config + requires OpenSSL legacy # - ARIA: requires OpenSSL >= 1.1.1 # - ChachaPoly: requires OpenSSL >= 1.1.0 -EXCLUDE='NULL\|ARIA\|CHACHA20-POLY1305' +EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305' VERBOSE="" MEMCHECK=0 PEERS="OpenSSL$PEER_GNUTLS mbedTLS" @@ -205,7 +205,7 @@ filter() check_openssl_server_bug() { if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \ - echo "$1" | grep "^TLS-PSK" >/dev/null; + echo "$1" | grep "^TLS_PSK" >/dev/null; then SKIP_NEXT="YES" fi @@ -234,7 +234,6 @@ filter_ciphersuites() reset_ciphersuites() { - S_CIPHERS="" M_CIPHERS="" O_CIPHERS="" G_CIPHERS="" @@ -308,26 +307,17 @@ add_common_ciphersuites() ;; esac - S_CIPHERS="$S_CIPHERS $CIPHERS" - - T=$(./scripts/translate_ciphers.py m $CIPHERS) - check_translation $? "$T" - M_CIPHERS="$M_CIPHERS $T" - - T=$(./scripts/translate_ciphers.py g $CIPHERS) - check_translation $? "$T" - G_CIPHERS="$G_CIPHERS $T" - - T=$(./scripts/translate_ciphers.py o $CIPHERS) - check_translation $? "$T" - O_CIPHERS="$O_CIPHERS $T" + O_CIPHERS="$O_CIPHERS $CIPHERS" + G_CIPHERS="$G_CIPHERS $CIPHERS" + M_CIPHERS="$M_CIPHERS $CIPHERS" } # Ciphersuites usable only with Mbed TLS and OpenSSL -# A list of ciphersuites in the Mbed TLS convention is compiled and -# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list -# is translated to the OpenSSL naming convention and appended to the list of -# OpenSSL ciphersuites $O_CIPHERS. +# A list of ciphersuites in the standard naming convention is appended +# to the list of Mbed TLS ciphersuites $M_CIPHERS and +# to the list of OpenSSL ciphersuites $O_CIPHERS respectively. +# Based on client's naming convention, all ciphersuite names will be +# translated into another naming format before sent to the client. # # NOTE: for some reason RSA-PSK doesn't work with OpenSSL, # so RSA-PSK ciphersuites need to go in other sections, see @@ -381,22 +371,16 @@ add_openssl_ciphersuites() ;; esac - S_CIPHERS="$S_CIPHERS $CIPHERS" - - T=$(./scripts/translate_ciphers.py m $CIPHERS) - check_translation $? "$T" - M_CIPHERS="$M_CIPHERS $T" - - T=$(./scripts/translate_ciphers.py o $CIPHERS) - check_translation $? "$T" - O_CIPHERS="$O_CIPHERS $T" + O_CIPHERS="$O_CIPHERS $CIPHERS" + M_CIPHERS="$M_CIPHERS $CIPHERS" } # Ciphersuites usable only with Mbed TLS and GnuTLS -# A list of ciphersuites in the Mbed TLS convention is compiled and -# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list -# is translated to the GnuTLS naming convention and appended to the list of -# GnuTLS ciphersuites $G_CIPHERS. +# A list of ciphersuites in the standard naming convention is appended +# to the list of Mbed TLS ciphersuites $M_CIPHERS and +# to the list of GnuTLS ciphersuites $G_CIPHERS respectively. +# Based on client's naming convention, all ciphersuite names will be +# translated into another naming format before sent to the client. add_gnutls_ciphersuites() { CIPHERS="" @@ -496,19 +480,12 @@ add_gnutls_ciphersuites() ;; esac - S_CIPHERS="$S_CIPHERS $CIPHERS" - - T=$(./scripts/translate_ciphers.py m $CIPHERS) - check_translation $? "$T" - M_CIPHERS="$M_CIPHERS $T" - - T=$(./scripts/translate_ciphers.py g $CIPHERS) - check_translation $? "$T" - G_CIPHERS="$G_CIPHERS $T" + G_CIPHERS="$G_CIPHERS $CIPHERS" + M_CIPHERS="$M_CIPHERS $CIPHERS" } # Ciphersuites usable only with Mbed TLS (not currently supported by another -# peer usable in this script). This provide only very rudimentaty testing, as +# peer usable in this script). This provides only very rudimentaty testing, as # this is not interop testing, but it's better than nothing. add_mbedtls_ciphersuites() { @@ -561,12 +538,6 @@ add_mbedtls_ciphersuites() " ;; esac - - S_CIPHERS="$S_CIPHERS $CIPHERS" - - T=$(./scripts/translate_ciphers.py m $CIPHERS) - check_translation $? "$T" - M_CIPHERS="$M_CIPHERS $T" } setup_arguments() @@ -829,6 +800,10 @@ run_client() { LEN=$(( 72 - `echo "$TITLE" | wc -c` )) for i in `seq 1 $LEN`; do printf '.'; done; printf ' ' + # Translate ciphersuite names based on client's naming convention + t_cipher=$(./scripts/translate_ciphers.py $3 $2) + check_translation $? "$t_cipher" + # should we skip? if [ "X$SKIP_NEXT" = "XYES" ]; then SKIP_NEXT="NO" @@ -840,7 +815,7 @@ run_client() { # run the command and interpret result case $1 in [Oo]pen*) - CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $2" + CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $t_cipher" log "$CLIENT_CMD" echo "$CLIENT_CMD" > $CLI_OUT printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & @@ -865,7 +840,7 @@ run_client() { else G_HOST="localhost" fi - CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST" + CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$t_cipher $G_HOST" log "$CLIENT_CMD" echo "$CLIENT_CMD" > $CLI_OUT printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & @@ -887,7 +862,7 @@ run_client() { ;; mbed*) - CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2" + CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$t_cipher" if [ "$MEMCHECK" -gt 0 ]; then CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD" fi @@ -1052,7 +1027,7 @@ for VERIFY in $VERIFIES; do start_server "OpenSSL" for i in $M_CIPHERS; do check_openssl_server_bug $i - run_client mbedTLS $i + run_client mbedTLS $i m done stop_server fi @@ -1060,7 +1035,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$O_CIPHERS" ]; then start_server "mbedTLS" for i in $O_CIPHERS; do - run_client OpenSSL $i + run_client OpenSSL $i o done stop_server fi @@ -1077,7 +1052,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "GnuTLS" for i in $M_CIPHERS; do - run_client mbedTLS $i + run_client mbedTLS $i m done stop_server fi @@ -1085,7 +1060,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$G_CIPHERS" ]; then start_server "mbedTLS" for i in $G_CIPHERS; do - run_client GnuTLS $i + run_client GnuTLS $i g done stop_server fi @@ -1104,7 +1079,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "mbedTLS" for i in $M_CIPHERS; do - run_client mbedTLS $i + run_client mbedTLS $i m done stop_server fi From 57ae192b13bf478922bfc0bf26c1a4012171ac20 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 17 Jan 2023 10:07:22 +0800 Subject: [PATCH 4/9] Fix failure in Travis CI Signed-off-by: Yanray Wang --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index eaf817a7b9..54df776060 100644 --- a/.travis.yml +++ b/.travis.yml @@ -53,7 +53,7 @@ jobs: - tests/scripts/test_psa_constant_names.py - tests/ssl-opt.sh # Modern OpenSSL does not support fixed ECDH or null ciphers. - - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-' + - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH_' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. - tests/compat.sh -p GnuTLS -e 'CAMELLIA' From 60f8eaa3b40964e3dfd1146efa0ed8049f61fdbb Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 20 Jan 2023 12:45:13 +0800 Subject: [PATCH 5/9] Remove third argument passed to run_client in compat.sh The argument passed to translate_ciphers.py is calculated from $1 in run_client instead of passed as third argument. Signed-off-by: Yanray Wang --- tests/compat.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 886ad8f651..2a93efc255 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -800,8 +800,11 @@ run_client() { LEN=$(( 72 - `echo "$TITLE" | wc -c` )) for i in `seq 1 $LEN`; do printf '.'; done; printf ' ' + # Calculate the argument $c to pass to translate_ciphers.py + client=$(echo $1 | head -c1) + c=$(echo $client | tr '[:upper:]' '[:lower:]') # Translate ciphersuite names based on client's naming convention - t_cipher=$(./scripts/translate_ciphers.py $3 $2) + t_cipher=$(./scripts/translate_ciphers.py $c $2) check_translation $? "$t_cipher" # should we skip? @@ -1027,7 +1030,7 @@ for VERIFY in $VERIFIES; do start_server "OpenSSL" for i in $M_CIPHERS; do check_openssl_server_bug $i - run_client mbedTLS $i m + run_client mbedTLS $i done stop_server fi @@ -1035,7 +1038,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$O_CIPHERS" ]; then start_server "mbedTLS" for i in $O_CIPHERS; do - run_client OpenSSL $i o + run_client OpenSSL $i done stop_server fi @@ -1052,7 +1055,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "GnuTLS" for i in $M_CIPHERS; do - run_client mbedTLS $i m + run_client mbedTLS $i done stop_server fi @@ -1060,7 +1063,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$G_CIPHERS" ]; then start_server "mbedTLS" for i in $G_CIPHERS; do - run_client GnuTLS $i g + run_client GnuTLS $i done stop_server fi @@ -1079,7 +1082,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "mbedTLS" for i in $M_CIPHERS; do - run_client mbedTLS $i m + run_client mbedTLS $i done stop_server fi From 292cd6f4e560f3e3124bddada7ba232111783b46 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 26 Jan 2023 20:50:08 +0100 Subject: [PATCH 6/9] Don't use the cipher suite in check_openssl_server_bug We can detect PSK based on $TYPE. This allows more flexibility in how cipher suites are spelled. Signed-off-by: Gilles Peskine --- tests/compat.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 2a93efc255..3f9070e5d8 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -205,7 +205,7 @@ filter() check_openssl_server_bug() { if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \ - echo "$1" | grep "^TLS_PSK" >/dev/null; + test "$TYPE" = "PSK"; then SKIP_NEXT="YES" fi @@ -1029,7 +1029,7 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "OpenSSL" for i in $M_CIPHERS; do - check_openssl_server_bug $i + check_openssl_server_bug run_client mbedTLS $i done stop_server From 47aab850da736ed422b17df9f0b0953d4a5830de Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 26 Jan 2023 21:16:34 +0100 Subject: [PATCH 7/9] Batch cipher translations to go faster Python has a high startup cost, so go back to invoking it only once per server start, rather than once per client start. This is a measurable performance improvement (running time ~*0.5 with PSK, less dramatic with asymmetric crypto). Signed-off-by: Gilles Peskine --- tests/compat.sh | 49 ++++++++++++++++-------------- tests/scripts/translate_ciphers.py | 2 +- 2 files changed, 27 insertions(+), 24 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 3f9070e5d8..754b1eee62 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -239,9 +239,14 @@ reset_ciphersuites() G_CIPHERS="" } -check_translation() +# translate_ciphers {g|m|o} {STANDARD_CIPHER_SUITE_NAME...} +# Set $ciphers to the cipher suite name translations for the specified +# program (gnutls, mbedtls or openssl). $ciphers is a space-separated +# list of entries of the form "STANDARD_NAME=PROGRAM_NAME". +translate_ciphers() { - if [ $1 -ne 0 ]; then + ciphers=$(scripts/translate_ciphers.py "$@") + if [ $? -ne 0 ]; then echo "translate_ciphers.py failed with exit code $1" >&2 echo "$2" >&2 exit 1 @@ -789,7 +794,7 @@ wait_client_done() { echo "EXIT: $EXIT" >> $CLI_OUT } -# run_client +# run_client PROGRAM_NAME STANDARD_CIPHER_SUITE PROGRAM_CIPHER_SUITE run_client() { # announce what we're going to do TESTS=$(( $TESTS + 1 )) @@ -800,13 +805,6 @@ run_client() { LEN=$(( 72 - `echo "$TITLE" | wc -c` )) for i in `seq 1 $LEN`; do printf '.'; done; printf ' ' - # Calculate the argument $c to pass to translate_ciphers.py - client=$(echo $1 | head -c1) - c=$(echo $client | tr '[:upper:]' '[:lower:]') - # Translate ciphersuite names based on client's naming convention - t_cipher=$(./scripts/translate_ciphers.py $c $2) - check_translation $? "$t_cipher" - # should we skip? if [ "X$SKIP_NEXT" = "XYES" ]; then SKIP_NEXT="NO" @@ -818,7 +816,7 @@ run_client() { # run the command and interpret result case $1 in [Oo]pen*) - CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $t_cipher" + CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3" log "$CLIENT_CMD" echo "$CLIENT_CMD" > $CLI_OUT printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & @@ -843,7 +841,7 @@ run_client() { else G_HOST="localhost" fi - CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$t_cipher $G_HOST" + CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST" log "$CLIENT_CMD" echo "$CLIENT_CMD" > $CLI_OUT printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & @@ -865,7 +863,7 @@ run_client() { ;; mbed*) - CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$t_cipher" + CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$3" if [ "$MEMCHECK" -gt 0 ]; then CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD" fi @@ -1028,17 +1026,19 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "OpenSSL" - for i in $M_CIPHERS; do + translate_ciphers m $M_CIPHERS + for i in $ciphers; do check_openssl_server_bug - run_client mbedTLS $i + run_client mbedTLS ${i%%=*} ${i#*=} done stop_server fi if [ "X" != "X$O_CIPHERS" ]; then start_server "mbedTLS" - for i in $O_CIPHERS; do - run_client OpenSSL $i + translate_ciphers o $O_CIPHERS + for i in $ciphers; do + run_client OpenSSL ${i%%=*} ${i#*=} done stop_server fi @@ -1054,16 +1054,18 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "GnuTLS" - for i in $M_CIPHERS; do - run_client mbedTLS $i + translate_ciphers m $M_CIPHERS + for i in $ciphers; do + run_client mbedTLS ${i%%=*} ${i#*=} done stop_server fi if [ "X" != "X$G_CIPHERS" ]; then start_server "mbedTLS" - for i in $G_CIPHERS; do - run_client GnuTLS $i + translate_ciphers g $G_CIPHERS + for i in $ciphers; do + run_client GnuTLS ${i%%=*} ${i#*=} done stop_server fi @@ -1081,8 +1083,9 @@ for VERIFY in $VERIFIES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "mbedTLS" - for i in $M_CIPHERS; do - run_client mbedTLS $i + translate_ciphers m $M_CIPHERS + for i in $ciphers; do + run_client mbedTLS ${i%%=*} ${i#*=} done stop_server fi diff --git a/tests/scripts/translate_ciphers.py b/tests/scripts/translate_ciphers.py index c622a6704c..a8db4bb352 100755 --- a/tests/scripts/translate_ciphers.py +++ b/tests/scripts/translate_ciphers.py @@ -179,7 +179,7 @@ def format_ciphersuite_names(mode, names): "o": translate_ossl, "m": translate_mbedtls }[mode] - return " ".join(t(c) for c in names) + return " ".join(c + '=' + t(c) for c in names) def main(target, names): print(format_ciphersuite_names(target, names)) From b20028b3a3250ddcd17ff85e687ddded19df95db Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 26 Jan 2023 21:34:01 +0100 Subject: [PATCH 8/9] Avoid using external programs in inner loops Don't use external programs for string manipulation that the shell can do. This makes the script a little faster (~10% when testing PSK). For this commit, I only looked at code run in the innermost loop. Signed-off-by: Gilles Peskine --- tests/compat.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 754b1eee62..14d896bab3 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -679,7 +679,11 @@ setup_arguments() # is_mbedtls is_mbedtls() { - echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null + case $1 in + *ssl_client2*) true;; + *ssl_server2*) true;; + *) false;; + esac } # has_mem_err @@ -798,12 +802,9 @@ wait_client_done() { run_client() { # announce what we're going to do TESTS=$(( $TESTS + 1 )) - VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') - TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`" + TITLE="${1%"${1#?}"}->${SERVER_NAME%"${SERVER_NAME#?}"}" TITLE="$TITLE $MODE,$VERIF $2" - printf "%s " "$TITLE" - LEN=$(( 72 - `echo "$TITLE" | wc -c` )) - for i in `seq 1 $LEN`; do printf '.'; done; printf ' ' + printf "%s %.*s " "$TITLE" "$((72 - ${#TITLE}))" ........................................................................ # should we skip? if [ "X$SKIP_NEXT" = "XYES" ]; then @@ -996,6 +997,7 @@ SKIP_NEXT="NO" trap cleanup INT TERM HUP for VERIFY in $VERIFIES; do + VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') for MODE in $MODES; do for TYPE in $TYPES; do for PEER in $PEERS; do From 131ec931ebcda87b894303cc56f71f45e2c23e22 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 1 Feb 2023 11:09:37 +0800 Subject: [PATCH 9/9] Remove the additional dot in output of compat.sh Signed-off-by: Yanray Wang --- tests/compat.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 14d896bab3..81eaf0beb6 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -804,7 +804,8 @@ run_client() { TESTS=$(( $TESTS + 1 )) TITLE="${1%"${1#?}"}->${SERVER_NAME%"${SERVER_NAME#?}"}" TITLE="$TITLE $MODE,$VERIF $2" - printf "%s %.*s " "$TITLE" "$((72 - ${#TITLE}))" ........................................................................ + DOTS72="........................................................................" + printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72" # should we skip? if [ "X$SKIP_NEXT" = "XYES" ]; then