mirror of
https://github.com/espressif/mbedtls.git
synced 2025-07-13 10:15:49 +08:00
f80458a160
For easier maintenance the framework repository is flattened here and added to the forked branch in source format.
181 lines
5.7 KiB
Python
Executable File
181 lines
5.7 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
|
|
# translate_ciphers.py
|
|
#
|
|
# Copyright The Mbed TLS Contributors
|
|
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
|
|
"""
|
|
Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards.
|
|
|
|
To test the translation functions run:
|
|
python3 -m unittest translate_cipher.py
|
|
"""
|
|
|
|
import re
|
|
import argparse
|
|
import unittest
|
|
|
|
class TestTranslateCiphers(unittest.TestCase):
|
|
"""
|
|
Ensure translate_ciphers.py translates and formats ciphersuite names
|
|
correctly
|
|
"""
|
|
def test_translate_all_cipher_names(self):
|
|
"""
|
|
Translate standard ciphersuite names to GnuTLS, OpenSSL and
|
|
Mbed TLS counterpart. Use only a small subset of ciphers
|
|
that exercise each step of the translation functions
|
|
"""
|
|
ciphers = [
|
|
("TLS_ECDHE_ECDSA_WITH_NULL_SHA",
|
|
"+ECDHE-ECDSA:+NULL:+SHA1",
|
|
"ECDHE-ECDSA-NULL-SHA",
|
|
"TLS-ECDHE-ECDSA-WITH-NULL-SHA"),
|
|
("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
"+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
|
|
"ECDHE-ECDSA-AES128-GCM-SHA256",
|
|
"TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"),
|
|
("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
"+DHE-RSA:+3DES-CBC:+SHA1",
|
|
"EDH-RSA-DES-CBC3-SHA",
|
|
"TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"),
|
|
("TLS_RSA_WITH_AES_256_CBC_SHA",
|
|
"+RSA:+AES-256-CBC:+SHA1",
|
|
"AES256-SHA",
|
|
"TLS-RSA-WITH-AES-256-CBC-SHA"),
|
|
("TLS_PSK_WITH_3DES_EDE_CBC_SHA",
|
|
"+PSK:+3DES-CBC:+SHA1",
|
|
"PSK-3DES-EDE-CBC-SHA",
|
|
"TLS-PSK-WITH-3DES-EDE-CBC-SHA"),
|
|
("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
None,
|
|
"ECDHE-ECDSA-CHACHA20-POLY1305",
|
|
"TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"),
|
|
("TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
|
|
"+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
|
|
None,
|
|
"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"),
|
|
("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
|
|
None,
|
|
"ECDHE-ARIA256-GCM-SHA384",
|
|
"TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"),
|
|
]
|
|
|
|
for s, g_exp, o_exp, m_exp in ciphers:
|
|
|
|
if g_exp is not None:
|
|
g = translate_gnutls(s)
|
|
self.assertEqual(g, g_exp)
|
|
|
|
if o_exp is not None:
|
|
o = translate_ossl(s)
|
|
self.assertEqual(o, o_exp)
|
|
|
|
if m_exp is not None:
|
|
m = translate_mbedtls(s)
|
|
self.assertEqual(m, m_exp)
|
|
|
|
def translate_gnutls(s_cipher):
|
|
"""
|
|
Translate s_cipher from standard ciphersuite naming convention
|
|
and return the GnuTLS naming convention
|
|
"""
|
|
|
|
# Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
|
|
# naming convention
|
|
s_cipher = s_cipher.replace("_", "-")
|
|
|
|
s_cipher = re.sub(r'\ATLS-', '+', s_cipher)
|
|
s_cipher = s_cipher.replace("-WITH-", ":+")
|
|
s_cipher = s_cipher.replace("-EDE", "")
|
|
|
|
# SHA in Mbed TLS == SHA1 GnuTLS,
|
|
# if the last 3 chars are SHA append 1
|
|
if s_cipher[-3:] == "SHA":
|
|
s_cipher = s_cipher+"1"
|
|
|
|
# CCM or CCM-8 should be followed by ":+AEAD"
|
|
# Replace "GCM:+SHAxyz" with "GCM:+AEAD"
|
|
if "CCM" in s_cipher or "GCM" in s_cipher:
|
|
s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher)
|
|
s_cipher = s_cipher+":+AEAD"
|
|
|
|
# Replace the last "-" with ":+"
|
|
else:
|
|
index = s_cipher.rindex("-")
|
|
s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:]
|
|
|
|
return s_cipher
|
|
|
|
def translate_ossl(s_cipher):
|
|
"""
|
|
Translate s_cipher from standard ciphersuite naming convention
|
|
and return the OpenSSL naming convention
|
|
"""
|
|
|
|
# Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
|
|
# naming convention
|
|
s_cipher = s_cipher.replace("_", "-")
|
|
|
|
s_cipher = re.sub(r'^TLS-', '', s_cipher)
|
|
s_cipher = s_cipher.replace("-WITH", "")
|
|
|
|
# Remove the "-" from "ABC-xyz"
|
|
s_cipher = s_cipher.replace("AES-", "AES")
|
|
s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA")
|
|
s_cipher = s_cipher.replace("ARIA-", "ARIA")
|
|
|
|
# Remove "RSA" if it is at the beginning
|
|
s_cipher = re.sub(r'^RSA-', r'', s_cipher)
|
|
|
|
# For all circumstances outside of PSK
|
|
if "PSK" not in s_cipher:
|
|
s_cipher = s_cipher.replace("-EDE", "")
|
|
s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3")
|
|
|
|
# Remove "CBC" if it is not prefixed by DES
|
|
s_cipher = re.sub(r'(?<!DES-)CBC-', r'', s_cipher)
|
|
|
|
# ECDHE-RSA-ARIA does not exist in OpenSSL
|
|
s_cipher = s_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
|
|
|
|
# POLY1305 should not be followed by anything
|
|
if "POLY1305" in s_cipher:
|
|
index = s_cipher.rindex("POLY1305")
|
|
s_cipher = s_cipher[:index+8]
|
|
|
|
# If DES is being used, Replace DHE with EDH
|
|
if "DES" in s_cipher and "DHE" in s_cipher and "ECDHE" not in s_cipher:
|
|
s_cipher = s_cipher.replace("DHE", "EDH")
|
|
|
|
return s_cipher
|
|
|
|
def translate_mbedtls(s_cipher):
|
|
"""
|
|
Translate s_cipher from standard ciphersuite naming convention
|
|
and return Mbed TLS ciphersuite naming convention
|
|
"""
|
|
|
|
# Replace "_" with "-"
|
|
s_cipher = s_cipher.replace("_", "-")
|
|
|
|
return s_cipher
|
|
|
|
def format_ciphersuite_names(mode, names):
|
|
t = {"g": translate_gnutls,
|
|
"o": translate_ossl,
|
|
"m": translate_mbedtls
|
|
}[mode]
|
|
return " ".join(c + '=' + t(c) for c in names)
|
|
|
|
def main(target, names):
|
|
print(format_ciphersuite_names(target, names))
|
|
|
|
if __name__ == "__main__":
|
|
PARSER = argparse.ArgumentParser()
|
|
PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g', 'm'])
|
|
PARSER.add_argument('names', metavar='NAMES', nargs='+')
|
|
ARGS = PARSER.parse_args()
|
|
main(ARGS.target, ARGS.names)
|