mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-04-01 13:20:30 +00:00
Merge pull request #6902 from yanrayw/6651-enable-cipher-suite-names-consistent
compat.sh: report and filter cipher suite names consistently
This commit is contained in:
Gilles Peskine
GitHub
commit
e2db23d741
@ -53,7 +53,7 @@ jobs:
|
|||||||
- tests/scripts/test_psa_constant_names.py
|
- tests/scripts/test_psa_constant_names.py
|
||||||
- tests/ssl-opt.sh
|
- tests/ssl-opt.sh
|
||||||
# Modern OpenSSL does not support fixed ECDH or null ciphers.
|
# Modern OpenSSL does not support fixed ECDH or null ciphers.
|
||||||
- tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-'
|
- tests/compat.sh -p OpenSSL -e 'NULL\|ECDH_'
|
||||||
- tests/scripts/travis-log-failure.sh
|
- tests/scripts/travis-log-failure.sh
|
||||||
# GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it.
|
# GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it.
|
||||||
- tests/compat.sh -p GnuTLS -e 'CAMELLIA'
|
- tests/compat.sh -p GnuTLS -e 'CAMELLIA'
|
||||||
|
|||||||
443
tests/compat.sh
443
tests/compat.sh
@ -89,7 +89,7 @@ FILTER=""
|
|||||||
# - NULL: excluded from our default config + requires OpenSSL legacy
|
# - NULL: excluded from our default config + requires OpenSSL legacy
|
||||||
# - ARIA: requires OpenSSL >= 1.1.1
|
# - ARIA: requires OpenSSL >= 1.1.1
|
||||||
# - ChachaPoly: requires OpenSSL >= 1.1.0
|
# - ChachaPoly: requires OpenSSL >= 1.1.0
|
||||||
EXCLUDE='NULL\|ARIA\|CHACHA20-POLY1305'
|
EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
|
||||||
VERBOSE=""
|
VERBOSE=""
|
||||||
MEMCHECK=0
|
MEMCHECK=0
|
||||||
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
|
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
|
||||||
@ -205,7 +205,7 @@ filter()
|
|||||||
check_openssl_server_bug()
|
check_openssl_server_bug()
|
||||||
{
|
{
|
||||||
if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
|
if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
|
||||||
echo "$1" | grep "^TLS-PSK" >/dev/null;
|
test "$TYPE" = "PSK";
|
||||||
then
|
then
|
||||||
SKIP_NEXT="YES"
|
SKIP_NEXT="YES"
|
||||||
fi
|
fi
|
||||||
@ -239,9 +239,14 @@ reset_ciphersuites()
|
|||||||
G_CIPHERS=""
|
G_CIPHERS=""
|
||||||
}
|
}
|
||||||
|
|
||||||
check_translation()
|
# translate_ciphers {g|m|o} {STANDARD_CIPHER_SUITE_NAME...}
|
||||||
|
# Set $ciphers to the cipher suite name translations for the specified
|
||||||
|
# program (gnutls, mbedtls or openssl). $ciphers is a space-separated
|
||||||
|
# list of entries of the form "STANDARD_NAME=PROGRAM_NAME".
|
||||||
|
translate_ciphers()
|
||||||
{
|
{
|
||||||
if [ $1 -ne 0 ]; then
|
ciphers=$(scripts/translate_ciphers.py "$@")
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
echo "translate_ciphers.py failed with exit code $1" >&2
|
echo "translate_ciphers.py failed with exit code $1" >&2
|
||||||
echo "$2" >&2
|
echo "$2" >&2
|
||||||
exit 1
|
exit 1
|
||||||
@ -258,71 +263,66 @@ add_common_ciphersuites()
|
|||||||
|
|
||||||
"ECDSA")
|
"ECDSA")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA \
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA \
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
|
||||||
TLS-ECDHE-ECDSA-WITH-NULL-SHA \
|
TLS_ECDHE_ECDSA_WITH_NULL_SHA \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"RSA")
|
"RSA")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
|
||||||
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 \
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 \
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \
|
||||||
TLS-DHE-RSA-WITH-AES-256-CBC-SHA \
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
|
||||||
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 \
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
|
||||||
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 \
|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \
|
||||||
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA \
|
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA \
|
||||||
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA \
|
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA \
|
||||||
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
|
||||||
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 \
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
|
||||||
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA \
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
|
||||||
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 \
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
|
||||||
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 \
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
|
||||||
TLS-ECDHE-RSA-WITH-NULL-SHA \
|
TLS_ECDHE_RSA_WITH_NULL_SHA \
|
||||||
TLS-RSA-WITH-AES-128-CBC-SHA \
|
TLS_RSA_WITH_AES_128_CBC_SHA \
|
||||||
TLS-RSA-WITH-AES-128-CBC-SHA256 \
|
TLS_RSA_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-RSA-WITH-AES-128-GCM-SHA256 \
|
TLS_RSA_WITH_AES_128_GCM_SHA256 \
|
||||||
TLS-RSA-WITH-AES-256-CBC-SHA \
|
TLS_RSA_WITH_AES_256_CBC_SHA \
|
||||||
TLS-RSA-WITH-AES-256-CBC-SHA256 \
|
TLS_RSA_WITH_AES_256_CBC_SHA256 \
|
||||||
TLS-RSA-WITH-AES-256-GCM-SHA384 \
|
TLS_RSA_WITH_AES_256_GCM_SHA384 \
|
||||||
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA \
|
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA \
|
||||||
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA \
|
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA \
|
||||||
TLS-RSA-WITH-NULL-MD5 \
|
TLS_RSA_WITH_NULL_MD5 \
|
||||||
TLS-RSA-WITH-NULL-SHA \
|
TLS_RSA_WITH_NULL_SHA \
|
||||||
TLS-RSA-WITH-NULL-SHA256 \
|
TLS_RSA_WITH_NULL_SHA256 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"PSK")
|
"PSK")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-PSK-WITH-AES-128-CBC-SHA \
|
TLS_PSK_WITH_AES_128_CBC_SHA \
|
||||||
TLS-PSK-WITH-AES-256-CBC-SHA \
|
TLS_PSK_WITH_AES_256_CBC_SHA \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
O_CIPHERS="$O_CIPHERS $CIPHERS"
|
||||||
|
G_CIPHERS="$G_CIPHERS $CIPHERS"
|
||||||
M_CIPHERS="$M_CIPHERS $CIPHERS"
|
M_CIPHERS="$M_CIPHERS $CIPHERS"
|
||||||
|
|
||||||
T=$(./scripts/translate_ciphers.py g $CIPHERS)
|
|
||||||
check_translation $? "$T"
|
|
||||||
G_CIPHERS="$G_CIPHERS $T"
|
|
||||||
|
|
||||||
T=$(./scripts/translate_ciphers.py o $CIPHERS)
|
|
||||||
check_translation $? "$T"
|
|
||||||
O_CIPHERS="$O_CIPHERS $T"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Ciphersuites usable only with Mbed TLS and OpenSSL
|
# Ciphersuites usable only with Mbed TLS and OpenSSL
|
||||||
# A list of ciphersuites in the Mbed TLS convention is compiled and
|
# A list of ciphersuites in the standard naming convention is appended
|
||||||
# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list
|
# to the list of Mbed TLS ciphersuites $M_CIPHERS and
|
||||||
# is translated to the OpenSSL naming convention and appended to the list of
|
# to the list of OpenSSL ciphersuites $O_CIPHERS respectively.
|
||||||
# OpenSSL ciphersuites $O_CIPHERS.
|
# Based on client's naming convention, all ciphersuite names will be
|
||||||
|
# translated into another naming format before sent to the client.
|
||||||
#
|
#
|
||||||
# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
|
# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
|
||||||
# so RSA-PSK ciphersuites need to go in other sections, see
|
# so RSA-PSK ciphersuites need to go in other sections, see
|
||||||
@ -337,57 +337,55 @@ add_openssl_ciphersuites()
|
|||||||
|
|
||||||
"ECDSA")
|
"ECDSA")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA \
|
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \
|
||||||
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \
|
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \
|
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \
|
||||||
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA \
|
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \
|
||||||
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \
|
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \
|
||||||
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
|
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \
|
||||||
TLS-ECDH-ECDSA-WITH-NULL-SHA \
|
TLS_ECDH_ECDSA_WITH_NULL_SHA \
|
||||||
TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
|
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 \
|
||||||
TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \
|
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 \
|
||||||
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"RSA")
|
"RSA")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \
|
TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 \
|
||||||
TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \
|
TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 \
|
||||||
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
|
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
|
||||||
TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
|
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 \
|
||||||
TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \
|
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 \
|
||||||
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
|
||||||
TLS-RSA-WITH-ARIA-128-GCM-SHA256 \
|
TLS_RSA_WITH_ARIA_128_GCM_SHA256 \
|
||||||
TLS-RSA-WITH-ARIA-256-GCM-SHA384 \
|
TLS_RSA_WITH_ARIA_256_GCM_SHA384 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"PSK")
|
"PSK")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \
|
TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 \
|
||||||
TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \
|
TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 \
|
||||||
TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
|
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
|
||||||
TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
|
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
|
||||||
TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
|
TLS_PSK_WITH_ARIA_128_GCM_SHA256 \
|
||||||
TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
|
TLS_PSK_WITH_ARIA_256_GCM_SHA384 \
|
||||||
TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \
|
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
O_CIPHERS="$O_CIPHERS $CIPHERS"
|
||||||
M_CIPHERS="$M_CIPHERS $CIPHERS"
|
M_CIPHERS="$M_CIPHERS $CIPHERS"
|
||||||
|
|
||||||
T=$(./scripts/translate_ciphers.py o $CIPHERS)
|
|
||||||
check_translation $? "$T"
|
|
||||||
O_CIPHERS="$O_CIPHERS $T"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Ciphersuites usable only with Mbed TLS and GnuTLS
|
# Ciphersuites usable only with Mbed TLS and GnuTLS
|
||||||
# A list of ciphersuites in the Mbed TLS convention is compiled and
|
# A list of ciphersuites in the standard naming convention is appended
|
||||||
# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list
|
# to the list of Mbed TLS ciphersuites $M_CIPHERS and
|
||||||
# is translated to the GnuTLS naming convention and appended to the list of
|
# to the list of GnuTLS ciphersuites $G_CIPHERS respectively.
|
||||||
# GnuTLS ciphersuites $G_CIPHERS.
|
# Based on client's naming convention, all ciphersuite names will be
|
||||||
|
# translated into another naming format before sent to the client.
|
||||||
add_gnutls_ciphersuites()
|
add_gnutls_ciphersuites()
|
||||||
{
|
{
|
||||||
CIPHERS=""
|
CIPHERS=""
|
||||||
@ -395,107 +393,104 @@ add_gnutls_ciphersuites()
|
|||||||
|
|
||||||
"ECDSA")
|
"ECDSA")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
|
TLS_ECDHE_ECDSA_WITH_AES_128_CCM \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
|
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
|
TLS_ECDHE_ECDSA_WITH_AES_256_CCM \
|
||||||
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
|
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 \
|
||||||
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
|
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
|
||||||
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
|
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
|
||||||
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"RSA")
|
"RSA")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-DHE-RSA-WITH-AES-128-CCM \
|
TLS_DHE_RSA_WITH_AES_128_CCM \
|
||||||
TLS-DHE-RSA-WITH-AES-128-CCM-8 \
|
TLS_DHE_RSA_WITH_AES_128_CCM_8 \
|
||||||
TLS-DHE-RSA-WITH-AES-256-CCM \
|
TLS_DHE_RSA_WITH_AES_256_CCM \
|
||||||
TLS-DHE-RSA-WITH-AES-256-CCM-8 \
|
TLS_DHE_RSA_WITH_AES_256_CCM_8 \
|
||||||
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
|
TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
|
||||||
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
|
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 \
|
||||||
TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
|
||||||
TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
|
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
|
||||||
TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \
|
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 \
|
||||||
TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
|
||||||
TLS-RSA-WITH-AES-128-CCM \
|
TLS_RSA_WITH_AES_128_CCM \
|
||||||
TLS-RSA-WITH-AES-128-CCM-8 \
|
TLS_RSA_WITH_AES_128_CCM_8 \
|
||||||
TLS-RSA-WITH-AES-256-CCM \
|
TLS_RSA_WITH_AES_256_CCM \
|
||||||
TLS-RSA-WITH-AES-256-CCM-8 \
|
TLS_RSA_WITH_AES_256_CCM_8 \
|
||||||
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
|
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
|
||||||
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
|
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 \
|
||||||
TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"PSK")
|
"PSK")
|
||||||
CIPHERS="$CIPHERS \
|
CIPHERS="$CIPHERS \
|
||||||
TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
|
TLS_DHE_PSK_WITH_AES_128_CBC_SHA \
|
||||||
TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
|
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-DHE-PSK-WITH-AES-128-CCM \
|
TLS_DHE_PSK_WITH_AES_128_CCM \
|
||||||
TLS-DHE-PSK-WITH-AES-128-CCM-8 \
|
TLS_DHE_PSK_WITH_AES_128_CCM_8 \
|
||||||
TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \
|
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 \
|
||||||
TLS-DHE-PSK-WITH-AES-256-CBC-SHA \
|
TLS_DHE_PSK_WITH_AES_256_CBC_SHA \
|
||||||
TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
|
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 \
|
||||||
TLS-DHE-PSK-WITH-AES-256-CCM \
|
TLS_DHE_PSK_WITH_AES_256_CCM \
|
||||||
TLS-DHE-PSK-WITH-AES-256-CCM-8 \
|
TLS_DHE_PSK_WITH_AES_256_CCM_8 \
|
||||||
TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \
|
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 \
|
||||||
TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
|
TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
|
||||||
TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
|
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
|
||||||
TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
|
TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
|
||||||
TLS-DHE-PSK-WITH-NULL-SHA256 \
|
TLS_DHE_PSK_WITH_NULL_SHA256 \
|
||||||
TLS-DHE-PSK-WITH-NULL-SHA384 \
|
TLS_DHE_PSK_WITH_NULL_SHA384 \
|
||||||
TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
|
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA \
|
||||||
TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
|
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \
|
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA \
|
||||||
TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
|
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 \
|
||||||
TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
|
TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
|
||||||
TLS-ECDHE-PSK-WITH-NULL-SHA256 \
|
TLS_ECDHE_PSK_WITH_NULL_SHA256 \
|
||||||
TLS-ECDHE-PSK-WITH-NULL-SHA384 \
|
TLS_ECDHE_PSK_WITH_NULL_SHA384 \
|
||||||
TLS-PSK-WITH-AES-128-CBC-SHA256 \
|
TLS_PSK_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-PSK-WITH-AES-128-CCM \
|
TLS_PSK_WITH_AES_128_CCM \
|
||||||
TLS-PSK-WITH-AES-128-CCM-8 \
|
TLS_PSK_WITH_AES_128_CCM_8 \
|
||||||
TLS-PSK-WITH-AES-128-GCM-SHA256 \
|
TLS_PSK_WITH_AES_128_GCM_SHA256 \
|
||||||
TLS-PSK-WITH-AES-256-CBC-SHA384 \
|
TLS_PSK_WITH_AES_256_CBC_SHA384 \
|
||||||
TLS-PSK-WITH-AES-256-CCM \
|
TLS_PSK_WITH_AES_256_CCM \
|
||||||
TLS-PSK-WITH-AES-256-CCM-8 \
|
TLS_PSK_WITH_AES_256_CCM_8 \
|
||||||
TLS-PSK-WITH-AES-256-GCM-SHA384 \
|
TLS_PSK_WITH_AES_256_GCM_SHA384 \
|
||||||
TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
|
TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
|
||||||
TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
|
TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
|
||||||
TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
|
TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
|
||||||
TLS-PSK-WITH-NULL-SHA256 \
|
TLS_PSK_WITH_NULL_SHA256 \
|
||||||
TLS-PSK-WITH-NULL-SHA384 \
|
TLS_PSK_WITH_NULL_SHA384 \
|
||||||
TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
|
TLS_RSA_PSK_WITH_AES_128_CBC_SHA \
|
||||||
TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
|
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 \
|
||||||
TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 \
|
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 \
|
||||||
TLS-RSA-PSK-WITH-AES-256-CBC-SHA \
|
TLS_RSA_PSK_WITH_AES_256_CBC_SHA \
|
||||||
TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
|
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 \
|
||||||
TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 \
|
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 \
|
||||||
TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
|
TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
|
||||||
TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
|
TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
|
||||||
TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
|
TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
|
||||||
TLS-RSA-PSK-WITH-NULL-SHA256 \
|
TLS_RSA_PSK_WITH_NULL_SHA256 \
|
||||||
TLS-RSA-PSK-WITH-NULL-SHA384 \
|
TLS_RSA_PSK_WITH_NULL_SHA384 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
G_CIPHERS="$G_CIPHERS $CIPHERS"
|
||||||
M_CIPHERS="$M_CIPHERS $CIPHERS"
|
M_CIPHERS="$M_CIPHERS $CIPHERS"
|
||||||
|
|
||||||
T=$(./scripts/translate_ciphers.py g $CIPHERS)
|
|
||||||
check_translation $? "$T"
|
|
||||||
G_CIPHERS="$G_CIPHERS $T"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Ciphersuites usable only with Mbed TLS (not currently supported by another
|
# Ciphersuites usable only with Mbed TLS (not currently supported by another
|
||||||
# peer usable in this script). This provide only very rudimentaty testing, as
|
# peer usable in this script). This provides only very rudimentaty testing, as
|
||||||
# this is not interop testing, but it's better than nothing.
|
# this is not interop testing, but it's better than nothing.
|
||||||
add_mbedtls_ciphersuites()
|
add_mbedtls_ciphersuites()
|
||||||
{
|
{
|
||||||
@ -503,48 +498,48 @@ add_mbedtls_ciphersuites()
|
|||||||
|
|
||||||
"ECDSA")
|
"ECDSA")
|
||||||
M_CIPHERS="$M_CIPHERS \
|
M_CIPHERS="$M_CIPHERS \
|
||||||
TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 \
|
TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 \
|
TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 \
|
||||||
TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 \
|
TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 \
|
||||||
TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \
|
TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 \
|
||||||
TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
|
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
|
||||||
TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
|
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
|
||||||
TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
|
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
|
||||||
TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
|
||||||
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \
|
TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \
|
TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"RSA")
|
"RSA")
|
||||||
M_CIPHERS="$M_CIPHERS \
|
M_CIPHERS="$M_CIPHERS \
|
||||||
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \
|
TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \
|
TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 \
|
||||||
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \
|
TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \
|
TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 \
|
||||||
TLS-RSA-WITH-ARIA-128-CBC-SHA256 \
|
TLS_RSA_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-RSA-WITH-ARIA-256-CBC-SHA384 \
|
TLS_RSA_WITH_ARIA_256_CBC_SHA384 \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"PSK")
|
"PSK")
|
||||||
# *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
|
# *PSK_NULL_SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
|
||||||
M_CIPHERS="$M_CIPHERS \
|
M_CIPHERS="$M_CIPHERS \
|
||||||
TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \
|
TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \
|
TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 \
|
||||||
TLS-DHE-PSK-WITH-NULL-SHA \
|
TLS_DHE_PSK_WITH_NULL_SHA \
|
||||||
TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \
|
TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384 \
|
TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 \
|
||||||
TLS-ECDHE-PSK-WITH-NULL-SHA \
|
TLS_ECDHE_PSK_WITH_NULL_SHA \
|
||||||
TLS-PSK-WITH-ARIA-128-CBC-SHA256 \
|
TLS_PSK_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-PSK-WITH-ARIA-256-CBC-SHA384 \
|
TLS_PSK_WITH_ARIA_256_CBC_SHA384 \
|
||||||
TLS-PSK-WITH-NULL-SHA \
|
TLS_PSK_WITH_NULL_SHA \
|
||||||
TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \
|
TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 \
|
||||||
TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \
|
TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 \
|
||||||
TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \
|
TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 \
|
||||||
TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \
|
TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 \
|
||||||
TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \
|
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 \
|
||||||
TLS-RSA-PSK-WITH-NULL-SHA \
|
TLS_RSA_PSK_WITH_NULL_SHA \
|
||||||
"
|
"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -684,7 +679,11 @@ setup_arguments()
|
|||||||
|
|
||||||
# is_mbedtls <cmd_line>
|
# is_mbedtls <cmd_line>
|
||||||
is_mbedtls() {
|
is_mbedtls() {
|
||||||
echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
|
case $1 in
|
||||||
|
*ssl_client2*) true;;
|
||||||
|
*ssl_server2*) true;;
|
||||||
|
*) false;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
# has_mem_err <log_file_name>
|
# has_mem_err <log_file_name>
|
||||||
@ -803,16 +802,14 @@ wait_client_done() {
|
|||||||
echo "EXIT: $EXIT" >> $CLI_OUT
|
echo "EXIT: $EXIT" >> $CLI_OUT
|
||||||
}
|
}
|
||||||
|
|
||||||
# run_client <name> <cipher>
|
# run_client PROGRAM_NAME STANDARD_CIPHER_SUITE PROGRAM_CIPHER_SUITE
|
||||||
run_client() {
|
run_client() {
|
||||||
# announce what we're going to do
|
# announce what we're going to do
|
||||||
TESTS=$(( $TESTS + 1 ))
|
TESTS=$(( $TESTS + 1 ))
|
||||||
VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
|
TITLE="${1%"${1#?}"}->${SERVER_NAME%"${SERVER_NAME#?}"}"
|
||||||
TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`"
|
|
||||||
TITLE="$TITLE $MODE,$VERIF $2"
|
TITLE="$TITLE $MODE,$VERIF $2"
|
||||||
printf "%s " "$TITLE"
|
DOTS72="........................................................................"
|
||||||
LEN=$(( 72 - `echo "$TITLE" | wc -c` ))
|
printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72"
|
||||||
for i in `seq 1 $LEN`; do printf '.'; done; printf ' '
|
|
||||||
|
|
||||||
# should we skip?
|
# should we skip?
|
||||||
if [ "X$SKIP_NEXT" = "XYES" ]; then
|
if [ "X$SKIP_NEXT" = "XYES" ]; then
|
||||||
@ -825,7 +822,7 @@ run_client() {
|
|||||||
# run the command and interpret result
|
# run the command and interpret result
|
||||||
case $1 in
|
case $1 in
|
||||||
[Oo]pen*)
|
[Oo]pen*)
|
||||||
CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $2"
|
CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3"
|
||||||
log "$CLIENT_CMD"
|
log "$CLIENT_CMD"
|
||||||
echo "$CLIENT_CMD" > $CLI_OUT
|
echo "$CLIENT_CMD" > $CLI_OUT
|
||||||
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
|
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
|
||||||
@ -850,7 +847,7 @@ run_client() {
|
|||||||
else
|
else
|
||||||
G_HOST="localhost"
|
G_HOST="localhost"
|
||||||
fi
|
fi
|
||||||
CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST"
|
CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST"
|
||||||
log "$CLIENT_CMD"
|
log "$CLIENT_CMD"
|
||||||
echo "$CLIENT_CMD" > $CLI_OUT
|
echo "$CLIENT_CMD" > $CLI_OUT
|
||||||
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
|
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
|
||||||
@ -872,7 +869,7 @@ run_client() {
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
mbed*)
|
mbed*)
|
||||||
CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2"
|
CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$3"
|
||||||
if [ "$MEMCHECK" -gt 0 ]; then
|
if [ "$MEMCHECK" -gt 0 ]; then
|
||||||
CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
|
CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
|
||||||
fi
|
fi
|
||||||
@ -1005,6 +1002,7 @@ SKIP_NEXT="NO"
|
|||||||
trap cleanup INT TERM HUP
|
trap cleanup INT TERM HUP
|
||||||
|
|
||||||
for VERIFY in $VERIFIES; do
|
for VERIFY in $VERIFIES; do
|
||||||
|
VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
|
||||||
for MODE in $MODES; do
|
for MODE in $MODES; do
|
||||||
for TYPE in $TYPES; do
|
for TYPE in $TYPES; do
|
||||||
for PEER in $PEERS; do
|
for PEER in $PEERS; do
|
||||||
@ -1035,17 +1033,19 @@ for VERIFY in $VERIFIES; do
|
|||||||
|
|
||||||
if [ "X" != "X$M_CIPHERS" ]; then
|
if [ "X" != "X$M_CIPHERS" ]; then
|
||||||
start_server "OpenSSL"
|
start_server "OpenSSL"
|
||||||
for i in $M_CIPHERS; do
|
translate_ciphers m $M_CIPHERS
|
||||||
check_openssl_server_bug $i
|
for i in $ciphers; do
|
||||||
run_client mbedTLS $i
|
check_openssl_server_bug
|
||||||
|
run_client mbedTLS ${i%%=*} ${i#*=}
|
||||||
done
|
done
|
||||||
stop_server
|
stop_server
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "X" != "X$O_CIPHERS" ]; then
|
if [ "X" != "X$O_CIPHERS" ]; then
|
||||||
start_server "mbedTLS"
|
start_server "mbedTLS"
|
||||||
for i in $O_CIPHERS; do
|
translate_ciphers o $O_CIPHERS
|
||||||
run_client OpenSSL $i
|
for i in $ciphers; do
|
||||||
|
run_client OpenSSL ${i%%=*} ${i#*=}
|
||||||
done
|
done
|
||||||
stop_server
|
stop_server
|
||||||
fi
|
fi
|
||||||
@ -1061,16 +1061,18 @@ for VERIFY in $VERIFIES; do
|
|||||||
|
|
||||||
if [ "X" != "X$M_CIPHERS" ]; then
|
if [ "X" != "X$M_CIPHERS" ]; then
|
||||||
start_server "GnuTLS"
|
start_server "GnuTLS"
|
||||||
for i in $M_CIPHERS; do
|
translate_ciphers m $M_CIPHERS
|
||||||
run_client mbedTLS $i
|
for i in $ciphers; do
|
||||||
|
run_client mbedTLS ${i%%=*} ${i#*=}
|
||||||
done
|
done
|
||||||
stop_server
|
stop_server
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "X" != "X$G_CIPHERS" ]; then
|
if [ "X" != "X$G_CIPHERS" ]; then
|
||||||
start_server "mbedTLS"
|
start_server "mbedTLS"
|
||||||
for i in $G_CIPHERS; do
|
translate_ciphers g $G_CIPHERS
|
||||||
run_client GnuTLS $i
|
for i in $ciphers; do
|
||||||
|
run_client GnuTLS ${i%%=*} ${i#*=}
|
||||||
done
|
done
|
||||||
stop_server
|
stop_server
|
||||||
fi
|
fi
|
||||||
@ -1088,8 +1090,9 @@ for VERIFY in $VERIFIES; do
|
|||||||
|
|
||||||
if [ "X" != "X$M_CIPHERS" ]; then
|
if [ "X" != "X$M_CIPHERS" ]; then
|
||||||
start_server "mbedTLS"
|
start_server "mbedTLS"
|
||||||
for i in $M_CIPHERS; do
|
translate_ciphers m $M_CIPHERS
|
||||||
run_client mbedTLS $i
|
for i in $ciphers; do
|
||||||
|
run_client mbedTLS ${i%%=*} ${i#*=}
|
||||||
done
|
done
|
||||||
stop_server
|
stop_server
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -18,8 +18,7 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
Translate ciphersuite names in Mbed TLS format to OpenSSL and GNUTLS
|
Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards.
|
||||||
standards.
|
|
||||||
|
|
||||||
To test the translation functions run:
|
To test the translation functions run:
|
||||||
python3 -m unittest translate_cipher.py
|
python3 -m unittest translate_cipher.py
|
||||||
@ -36,124 +35,158 @@ class TestTranslateCiphers(unittest.TestCase):
|
|||||||
"""
|
"""
|
||||||
def test_translate_all_cipher_names(self):
|
def test_translate_all_cipher_names(self):
|
||||||
"""
|
"""
|
||||||
Translate MbedTLS ciphersuite names to their OpenSSL and
|
Translate standard ciphersuite names to GnuTLS, OpenSSL and
|
||||||
GnuTLS counterpart. Use only a small subset of ciphers
|
Mbed TLS counterpart. Use only a small subset of ciphers
|
||||||
that exercise each step of the translate functions
|
that exercise each step of the translation functions
|
||||||
"""
|
"""
|
||||||
ciphers = [
|
ciphers = [
|
||||||
("TLS-ECDHE-ECDSA-WITH-NULL-SHA",
|
("TLS_ECDHE_ECDSA_WITH_NULL_SHA",
|
||||||
"+ECDHE-ECDSA:+NULL:+SHA1",
|
"+ECDHE-ECDSA:+NULL:+SHA1",
|
||||||
"ECDHE-ECDSA-NULL-SHA"),
|
"ECDHE-ECDSA-NULL-SHA",
|
||||||
("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
|
"TLS-ECDHE-ECDSA-WITH-NULL-SHA"),
|
||||||
|
("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||||
"+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
|
"+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
|
||||||
"ECDHE-ECDSA-AES128-GCM-SHA256"),
|
"ECDHE-ECDSA-AES128-GCM-SHA256",
|
||||||
("TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
|
"TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"),
|
||||||
|
("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||||
"+DHE-RSA:+3DES-CBC:+SHA1",
|
"+DHE-RSA:+3DES-CBC:+SHA1",
|
||||||
"EDH-RSA-DES-CBC3-SHA"),
|
"EDH-RSA-DES-CBC3-SHA",
|
||||||
("TLS-RSA-WITH-AES-256-CBC-SHA",
|
"TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"),
|
||||||
|
("TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||||
"+RSA:+AES-256-CBC:+SHA1",
|
"+RSA:+AES-256-CBC:+SHA1",
|
||||||
"AES256-SHA"),
|
"AES256-SHA",
|
||||||
("TLS-PSK-WITH-3DES-EDE-CBC-SHA",
|
"TLS-RSA-WITH-AES-256-CBC-SHA"),
|
||||||
|
("TLS_PSK_WITH_3DES_EDE_CBC_SHA",
|
||||||
"+PSK:+3DES-CBC:+SHA1",
|
"+PSK:+3DES-CBC:+SHA1",
|
||||||
"PSK-3DES-EDE-CBC-SHA"),
|
"PSK-3DES-EDE-CBC-SHA",
|
||||||
("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
|
"TLS-PSK-WITH-3DES-EDE-CBC-SHA"),
|
||||||
|
("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
|
||||||
None,
|
None,
|
||||||
"ECDHE-ECDSA-CHACHA20-POLY1305"),
|
"ECDHE-ECDSA-CHACHA20-POLY1305",
|
||||||
("TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
|
"TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"),
|
||||||
|
("TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
|
||||||
"+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
|
"+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
|
||||||
None),
|
|
||||||
("TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
|
|
||||||
None,
|
None,
|
||||||
"ECDHE-ARIA256-GCM-SHA384"),
|
"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"),
|
||||||
|
("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
|
||||||
|
None,
|
||||||
|
"ECDHE-ARIA256-GCM-SHA384",
|
||||||
|
"TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"),
|
||||||
]
|
]
|
||||||
|
|
||||||
for m, g_exp, o_exp in ciphers:
|
for s, g_exp, o_exp, m_exp in ciphers:
|
||||||
|
|
||||||
if g_exp is not None:
|
if g_exp is not None:
|
||||||
g = translate_gnutls(m)
|
g = translate_gnutls(s)
|
||||||
self.assertEqual(g, g_exp)
|
self.assertEqual(g, g_exp)
|
||||||
|
|
||||||
if o_exp is not None:
|
if o_exp is not None:
|
||||||
o = translate_ossl(m)
|
o = translate_ossl(s)
|
||||||
self.assertEqual(o, o_exp)
|
self.assertEqual(o, o_exp)
|
||||||
|
|
||||||
def translate_gnutls(m_cipher):
|
if m_exp is not None:
|
||||||
|
m = translate_mbedtls(s)
|
||||||
|
self.assertEqual(m, m_exp)
|
||||||
|
|
||||||
|
def translate_gnutls(s_cipher):
|
||||||
"""
|
"""
|
||||||
Translate m_cipher from Mbed TLS ciphersuite naming convention
|
Translate s_cipher from standard ciphersuite naming convention
|
||||||
and return the GnuTLS naming convention
|
and return the GnuTLS naming convention
|
||||||
"""
|
"""
|
||||||
|
|
||||||
m_cipher = re.sub(r'\ATLS-', '+', m_cipher)
|
# Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
|
||||||
m_cipher = m_cipher.replace("-WITH-", ":+")
|
# naming convention
|
||||||
m_cipher = m_cipher.replace("-EDE", "")
|
s_cipher = s_cipher.replace("_", "-")
|
||||||
|
|
||||||
|
s_cipher = re.sub(r'\ATLS-', '+', s_cipher)
|
||||||
|
s_cipher = s_cipher.replace("-WITH-", ":+")
|
||||||
|
s_cipher = s_cipher.replace("-EDE", "")
|
||||||
|
|
||||||
# SHA in Mbed TLS == SHA1 GnuTLS,
|
# SHA in Mbed TLS == SHA1 GnuTLS,
|
||||||
# if the last 3 chars are SHA append 1
|
# if the last 3 chars are SHA append 1
|
||||||
if m_cipher[-3:] == "SHA":
|
if s_cipher[-3:] == "SHA":
|
||||||
m_cipher = m_cipher+"1"
|
s_cipher = s_cipher+"1"
|
||||||
|
|
||||||
# CCM or CCM-8 should be followed by ":+AEAD"
|
# CCM or CCM-8 should be followed by ":+AEAD"
|
||||||
# Replace "GCM:+SHAxyz" with "GCM:+AEAD"
|
# Replace "GCM:+SHAxyz" with "GCM:+AEAD"
|
||||||
if "CCM" in m_cipher or "GCM" in m_cipher:
|
if "CCM" in s_cipher or "GCM" in s_cipher:
|
||||||
m_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", m_cipher)
|
s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher)
|
||||||
m_cipher = m_cipher+":+AEAD"
|
s_cipher = s_cipher+":+AEAD"
|
||||||
|
|
||||||
# Replace the last "-" with ":+"
|
# Replace the last "-" with ":+"
|
||||||
else:
|
else:
|
||||||
index = m_cipher.rindex("-")
|
index = s_cipher.rindex("-")
|
||||||
m_cipher = m_cipher[:index] + ":+" + m_cipher[index+1:]
|
s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:]
|
||||||
|
|
||||||
return m_cipher
|
return s_cipher
|
||||||
|
|
||||||
def translate_ossl(m_cipher):
|
def translate_ossl(s_cipher):
|
||||||
"""
|
"""
|
||||||
Translate m_cipher from Mbed TLS ciphersuite naming convention
|
Translate s_cipher from standard ciphersuite naming convention
|
||||||
and return the OpenSSL naming convention
|
and return the OpenSSL naming convention
|
||||||
"""
|
"""
|
||||||
|
|
||||||
m_cipher = re.sub(r'^TLS-', '', m_cipher)
|
# Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
|
||||||
m_cipher = m_cipher.replace("-WITH", "")
|
# naming convention
|
||||||
|
s_cipher = s_cipher.replace("_", "-")
|
||||||
|
|
||||||
|
s_cipher = re.sub(r'^TLS-', '', s_cipher)
|
||||||
|
s_cipher = s_cipher.replace("-WITH", "")
|
||||||
|
|
||||||
# Remove the "-" from "ABC-xyz"
|
# Remove the "-" from "ABC-xyz"
|
||||||
m_cipher = m_cipher.replace("AES-", "AES")
|
s_cipher = s_cipher.replace("AES-", "AES")
|
||||||
m_cipher = m_cipher.replace("CAMELLIA-", "CAMELLIA")
|
s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA")
|
||||||
m_cipher = m_cipher.replace("ARIA-", "ARIA")
|
s_cipher = s_cipher.replace("ARIA-", "ARIA")
|
||||||
|
|
||||||
# Remove "RSA" if it is at the beginning
|
# Remove "RSA" if it is at the beginning
|
||||||
m_cipher = re.sub(r'^RSA-', r'', m_cipher)
|
s_cipher = re.sub(r'^RSA-', r'', s_cipher)
|
||||||
|
|
||||||
# For all circumstances outside of PSK
|
# For all circumstances outside of PSK
|
||||||
if "PSK" not in m_cipher:
|
if "PSK" not in s_cipher:
|
||||||
m_cipher = m_cipher.replace("-EDE", "")
|
s_cipher = s_cipher.replace("-EDE", "")
|
||||||
m_cipher = m_cipher.replace("3DES-CBC", "DES-CBC3")
|
s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3")
|
||||||
|
|
||||||
# Remove "CBC" if it is not prefixed by DES
|
# Remove "CBC" if it is not prefixed by DES
|
||||||
m_cipher = re.sub(r'(?<!DES-)CBC-', r'', m_cipher)
|
s_cipher = re.sub(r'(?<!DES-)CBC-', r'', s_cipher)
|
||||||
|
|
||||||
# ECDHE-RSA-ARIA does not exist in OpenSSL
|
# ECDHE-RSA-ARIA does not exist in OpenSSL
|
||||||
m_cipher = m_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
|
s_cipher = s_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
|
||||||
|
|
||||||
# POLY1305 should not be followed by anything
|
# POLY1305 should not be followed by anything
|
||||||
if "POLY1305" in m_cipher:
|
if "POLY1305" in s_cipher:
|
||||||
index = m_cipher.rindex("POLY1305")
|
index = s_cipher.rindex("POLY1305")
|
||||||
m_cipher = m_cipher[:index+8]
|
s_cipher = s_cipher[:index+8]
|
||||||
|
|
||||||
# If DES is being used, Replace DHE with EDH
|
# If DES is being used, Replace DHE with EDH
|
||||||
if "DES" in m_cipher and "DHE" in m_cipher and "ECDHE" not in m_cipher:
|
if "DES" in s_cipher and "DHE" in s_cipher and "ECDHE" not in s_cipher:
|
||||||
m_cipher = m_cipher.replace("DHE", "EDH")
|
s_cipher = s_cipher.replace("DHE", "EDH")
|
||||||
|
|
||||||
return m_cipher
|
return s_cipher
|
||||||
|
|
||||||
|
def translate_mbedtls(s_cipher):
|
||||||
|
"""
|
||||||
|
Translate s_cipher from standard ciphersuite naming convention
|
||||||
|
and return Mbed TLS ciphersuite naming convention
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Replace "_" with "-"
|
||||||
|
s_cipher = s_cipher.replace("_", "-")
|
||||||
|
|
||||||
|
return s_cipher
|
||||||
|
|
||||||
def format_ciphersuite_names(mode, names):
|
def format_ciphersuite_names(mode, names):
|
||||||
t = {"g": translate_gnutls, "o": translate_ossl}[mode]
|
t = {"g": translate_gnutls,
|
||||||
return " ".join(t(c) for c in names)
|
"o": translate_ossl,
|
||||||
|
"m": translate_mbedtls
|
||||||
|
}[mode]
|
||||||
|
return " ".join(c + '=' + t(c) for c in names)
|
||||||
|
|
||||||
def main(target, names):
|
def main(target, names):
|
||||||
print(format_ciphersuite_names(target, names))
|
print(format_ciphersuite_names(target, names))
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
PARSER = argparse.ArgumentParser()
|
PARSER = argparse.ArgumentParser()
|
||||||
PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g'])
|
PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g', 'm'])
|
||||||
PARSER.add_argument('names', metavar='NAMES', nargs='+')
|
PARSER.add_argument('names', metavar='NAMES', nargs='+')
|
||||||
ARGS = PARSER.parse_args()
|
ARGS = PARSER.parse_args()
|
||||||
main(ARGS.target, ARGS.names)
|
main(ARGS.target, ARGS.names)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user