| #!/usr/bin/env python3 |
| |
| # generate_tls13_compat_tests.py |
| # |
| # Copyright The Mbed TLS Contributors |
| # SPDX-License-Identifier: Apache-2.0 |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| # not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| """ |
| Generate TLSv1.3 Compat test cases |
| |
| """ |
| |
| import sys |
| import os |
| import abc |
| import argparse |
| import itertools |
| from collections import namedtuple |
| # pylint: disable=useless-super-delegation |
| |
| # define certificates configuration entry |
| Certificate = namedtuple("Certificate", ['cafile', 'certfile', 'keyfile']) |
| # define the certificate parameters for signature algorithms |
| CERTIFICATES = { |
| 'ecdsa_secp256r1_sha256': Certificate('data_files/test-ca2.crt', |
| 'data_files/ecdsa_secp256r1.crt', |
| 'data_files/ecdsa_secp256r1.key'), |
| 'ecdsa_secp384r1_sha384': Certificate('data_files/test-ca2.crt', |
| 'data_files/ecdsa_secp384r1.crt', |
| 'data_files/ecdsa_secp384r1.key'), |
| 'ecdsa_secp521r1_sha512': Certificate('data_files/test-ca2.crt', |
| 'data_files/ecdsa_secp521r1.crt', |
| 'data_files/ecdsa_secp521r1.key'), |
| 'rsa_pss_rsae_sha256': Certificate('data_files/test-ca_cat12.crt', |
| 'data_files/server2-sha256.crt', 'data_files/server2.key' |
| ) |
| } |
| |
| CIPHER_SUITE_IANA_VALUE = { |
| "TLS_AES_128_GCM_SHA256": 0x1301, |
| "TLS_AES_256_GCM_SHA384": 0x1302, |
| "TLS_CHACHA20_POLY1305_SHA256": 0x1303, |
| "TLS_AES_128_CCM_SHA256": 0x1304, |
| "TLS_AES_128_CCM_8_SHA256": 0x1305 |
| } |
| |
| SIG_ALG_IANA_VALUE = { |
| "ecdsa_secp256r1_sha256": 0x0403, |
| "ecdsa_secp384r1_sha384": 0x0503, |
| "ecdsa_secp521r1_sha512": 0x0603, |
| 'rsa_pss_rsae_sha256': 0x0804, |
| } |
| |
| NAMED_GROUP_IANA_VALUE = { |
| 'secp256r1': 0x17, |
| 'secp384r1': 0x18, |
| 'secp521r1': 0x19, |
| 'x25519': 0x1d, |
| 'x448': 0x1e, |
| } |
| |
| class TLSProgram(metaclass=abc.ABCMeta): |
| """ |
| Base class for generate server/client command. |
| """ |
| |
| def __init__(self, ciphersuite, signature_algorithm, named_group): |
| self._ciphers = [] |
| self._sig_algs = [] |
| self._named_groups = [] |
| self.add_ciphersuites(ciphersuite) |
| self.add_named_groups(named_group) |
| self.add_signature_algorithms(signature_algorithm) |
| |
| # add_ciphersuites should not override by sub class |
| def add_ciphersuites(self, *ciphersuites): |
| self._ciphers.extend( |
| [cipher for cipher in ciphersuites if cipher not in self._ciphers]) |
| |
| # add_signature_algorithms should not override by sub class |
| def add_signature_algorithms(self, *signature_algorithms): |
| self._sig_algs.extend( |
| [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._sig_algs]) |
| |
| # add_signature_algorithms should not override by sub class |
| def add_named_groups(self, *named_groups): |
| self._named_groups.extend( |
| [named_group for named_group in named_groups if named_group not in self._named_groups]) |
| |
| @abc.abstractmethod |
| def pre_checks(self): |
| return [] |
| |
| @abc.abstractmethod |
| def cmd(self): |
| pass |
| |
| @abc.abstractmethod |
| def post_checks(self): |
| return [] |
| |
| |
| class OpenSSLServ(TLSProgram): |
| """ |
| Generate test commands for OpenSSL server. |
| """ |
| |
| NAMED_GROUP = { |
| 'secp256r1': 'P-256', |
| 'secp384r1': 'P-384', |
| 'secp521r1': 'P-521', |
| 'x25519': 'X25519', |
| 'x448': 'X448', |
| } |
| |
| def cmd(self): |
| ret = ['$O_NEXT_SRV_NO_CERT'] |
| for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._sig_algs): |
| ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)] |
| ret += ['-accept $SRV_PORT'] |
| ciphersuites = ','.join(self._ciphers) |
| signature_algorithms = ','.join(self._sig_algs) |
| named_groups = ','.join( |
| map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups)) |
| ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites), |
| "-sigalgs {signature_algorithms}".format( |
| signature_algorithms=signature_algorithms), |
| "-groups {named_groups}".format(named_groups=named_groups)] |
| ret += ['-msg -tls1_3 -no_middlebox -num_tickets 0 -no_resume_ephemeral -no_cache'] |
| return ' '.join(ret) |
| |
| def pre_checks(self): |
| return ["requires_openssl_tls1_3"] |
| |
| def post_checks(self): |
| return ['-c "HTTP/1.0 200 ok"'] |
| |
| |
| class GnuTLSServ(TLSProgram): |
| """ |
| Generate test commands for GnuTLS server. |
| """ |
| |
| CIPHER_SUITE = { |
| 'TLS_AES_256_GCM_SHA384': [ |
| 'AES-256-GCM', |
| 'SHA384', |
| 'AEAD'], |
| 'TLS_AES_128_GCM_SHA256': [ |
| 'AES-128-GCM', |
| 'SHA256', |
| 'AEAD'], |
| 'TLS_CHACHA20_POLY1305_SHA256': [ |
| 'CHACHA20-POLY1305', |
| 'SHA256', |
| 'AEAD'], |
| 'TLS_AES_128_CCM_SHA256': [ |
| 'AES-128-CCM', |
| 'SHA256', |
| 'AEAD'], |
| 'TLS_AES_128_CCM_8_SHA256': [ |
| 'AES-128-CCM-8', |
| 'SHA256', |
| 'AEAD']} |
| |
| SIGNATURE_ALGORITHM = { |
| 'ecdsa_secp256r1_sha256': ['SIGN-ECDSA-SECP256R1-SHA256'], |
| 'ecdsa_secp521r1_sha512': ['SIGN-ECDSA-SECP521R1-SHA512'], |
| 'ecdsa_secp384r1_sha384': ['SIGN-ECDSA-SECP384R1-SHA384'], |
| 'rsa_pss_rsae_sha256': ['SIGN-RSA-PSS-RSAE-SHA256']} |
| |
| NAMED_GROUP = { |
| 'secp256r1': ['GROUP-SECP256R1'], |
| 'secp384r1': ['GROUP-SECP384R1'], |
| 'secp521r1': ['GROUP-SECP521R1'], |
| 'x25519': ['GROUP-X25519'], |
| 'x448': ['GROUP-X448'], |
| } |
| |
| def pre_checks(self): |
| return ["requires_gnutls_tls1_3", |
| "requires_gnutls_next_no_ticket", |
| "requires_gnutls_next_disable_tls13_compat", ] |
| |
| def post_checks(self): |
| return ['-c "HTTP/1.0 200 OK"'] |
| |
| def cmd(self): |
| ret = ['$G_NEXT_SRV_NO_CERT', '--http', |
| '--disable-client-cert', '--debug=4'] |
| |
| for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._sig_algs): |
| ret += ['--x509certfile {cert} --x509keyfile {key}'.format( |
| cert=cert, key=key)] |
| |
| priority_string_list = [] |
| |
| def update_priority_string_list(items, map_table): |
| for item in items: |
| for i in map_table[item]: |
| if i not in priority_string_list: |
| yield i |
| priority_string_list.extend(update_priority_string_list( |
| self._sig_algs, self.SIGNATURE_ALGORITHM)) |
| priority_string_list.extend( |
| update_priority_string_list(self._ciphers, self.CIPHER_SUITE)) |
| priority_string_list.extend(update_priority_string_list( |
| self._named_groups, self.NAMED_GROUP)) |
| priority_string_list = ['NONE'] + sorted(priority_string_list) + ['VERS-TLS1.3'] |
| |
| priority_string = ':+'.join(priority_string_list) |
| priority_string += ':%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE' |
| ret += ['--priority={priority_string}'.format( |
| priority_string=priority_string)] |
| ret = ' '.join(ret) |
| return ret |
| |
| |
| class MbedTLSCli(TLSProgram): |
| """ |
| Generate test commands for mbedTLS client. |
| """ |
| |
| CIPHER_SUITE = { |
| 'TLS_AES_256_GCM_SHA384': 'TLS1-3-AES-256-GCM-SHA384', |
| 'TLS_AES_128_GCM_SHA256': 'TLS1-3-AES-128-GCM-SHA256', |
| 'TLS_CHACHA20_POLY1305_SHA256': 'TLS1-3-CHACHA20-POLY1305-SHA256', |
| 'TLS_AES_128_CCM_SHA256': 'TLS1-3-AES-128-CCM-SHA256', |
| 'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'} |
| |
| def cmd(self): |
| ret = ['$P_CLI'] |
| ret += ['server_addr=127.0.0.1', 'server_port=$SRV_PORT', |
| 'debug_level=4', 'force_version=tls13'] |
| ret += ['ca_file={cafile}'.format( |
| cafile=CERTIFICATES[self._sig_algs[0]].cafile)] |
| |
| if self._ciphers: |
| ciphers = ','.join( |
| map(lambda cipher: self.CIPHER_SUITE[cipher], self._ciphers)) |
| ret += ["force_ciphersuite={ciphers}".format(ciphers=ciphers)] |
| |
| if self._sig_algs: |
| ret += ['sig_algs={sig_algs}'.format( |
| sig_algs=','.join(self._sig_algs))] |
| for sig_alg in self._sig_algs: |
| if sig_alg in ('ecdsa_secp256r1_sha256', |
| 'ecdsa_secp384r1_sha384', |
| 'ecdsa_secp521r1_sha512'): |
| self.add_named_groups(sig_alg.split('_')[1]) |
| |
| if self._named_groups: |
| named_groups = ','.join(self._named_groups) |
| ret += ["curves={named_groups}".format(named_groups=named_groups)] |
| |
| ret = ' '.join(ret) |
| return ret |
| |
| def pre_checks(self): |
| ret = ['requires_config_enabled MBEDTLS_DEBUG_C', |
| 'requires_config_enabled MBEDTLS_SSL_CLI_C', |
| 'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL', |
| 'requires_config_disabled MBEDTLS_USE_PSA_CRYPTO'] |
| if 'rsa_pss_rsae_sha256' in self._sig_algs: |
| ret.append( |
| 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT') |
| return ret |
| |
| def post_checks(self): |
| check_strings = ["ECDH curve: {group}".format(group=self._named_groups[0]), |
| "server hello, chosen ciphersuite: ( {:04x} ) - {}".format( |
| CIPHER_SUITE_IANA_VALUE[self._ciphers[0]], |
| self.CIPHER_SUITE[self._ciphers[0]]), |
| "Certificate Verify: Signature algorithm ( {:04x} )".format( |
| SIG_ALG_IANA_VALUE[self._sig_algs[0]]), |
| "Verifying peer X.509 certificate... ok", ] |
| return ['-c "{}"'.format(i) for i in check_strings] |
| |
| |
| SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ} |
| CLIENT_CLASSES = {'mbedTLS': MbedTLSCli} |
| |
| |
| def generate_compat_test(server=None, client=None, cipher=None, sig_alg=None, named_group=None): |
| """ |
| Generate test case with `ssl-opt.sh` format. |
| """ |
| name = 'TLS 1.3 {client[0]}->{server[0]}: {cipher},{named_group},{sig_alg}'.format( |
| client=client, server=server, cipher=cipher, sig_alg=sig_alg, named_group=named_group) |
| server_object = SERVER_CLASSES[server](cipher, sig_alg, named_group) |
| client_object = CLIENT_CLASSES[client](cipher, sig_alg, named_group) |
| |
| cmd = ['run_test "{}"'.format(name), '"{}"'.format( |
| server_object.cmd()), '"{}"'.format(client_object.cmd()), '0'] |
| cmd += server_object.post_checks() |
| cmd += client_object.post_checks() |
| prefix = ' \\\n' + (' '*9) |
| cmd = prefix.join(cmd) |
| return '\n'.join(server_object.pre_checks() + client_object.pre_checks() + [cmd]) |
| |
| |
| SSL_OUTPUT_HEADER = '''#!/bin/sh |
| |
| # {filename} |
| # |
| # Copyright The Mbed TLS Contributors |
| # SPDX-License-Identifier: Apache-2.0 |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| # not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| # Purpose |
| # |
| # List TLS1.3 compat test cases. They are generated by |
| # `generate_tls13_compat_tests.py -a`. |
| # |
| # PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py` |
| # AND REGENERATE THIS FILE. |
| # |
| ''' |
| |
| |
| def main(): |
| """ |
| Main function of this program |
| """ |
| parser = argparse.ArgumentParser() |
| |
| parser.add_argument('-o', '--output', nargs='?', |
| default=None, help='Output file path if `-a` was set') |
| |
| parser.add_argument('-a', '--generate-all-tls13-compat-tests', action='store_true', |
| default=False, help='Generate all available tls13 compat tests') |
| |
| parser.add_argument('--list-ciphers', action='store_true', |
| default=False, help='List supported ciphersuites') |
| |
| parser.add_argument('--list-sig-algs', action='store_true', |
| default=False, help='List supported signature algorithms') |
| |
| parser.add_argument('--list-named-groups', action='store_true', |
| default=False, help='List supported named groups') |
| |
| parser.add_argument('--list-servers', action='store_true', |
| default=False, help='List supported TLS servers') |
| |
| parser.add_argument('--list-clients', action='store_true', |
| default=False, help='List supported TLS Clients') |
| |
| parser.add_argument('server', choices=SERVER_CLASSES.keys(), nargs='?', |
| default=list(SERVER_CLASSES.keys())[0], |
| help='Choose TLS server program for test') |
| parser.add_argument('client', choices=CLIENT_CLASSES.keys(), nargs='?', |
| default=list(CLIENT_CLASSES.keys())[0], |
| help='Choose TLS client program for test') |
| parser.add_argument('cipher', choices=CIPHER_SUITE_IANA_VALUE.keys(), nargs='?', |
| default=list(CIPHER_SUITE_IANA_VALUE.keys())[0], |
| help='Choose cipher suite for test') |
| parser.add_argument('sig_alg', choices=SIG_ALG_IANA_VALUE.keys(), nargs='?', |
| default=list(SIG_ALG_IANA_VALUE.keys())[0], |
| help='Choose cipher suite for test') |
| parser.add_argument('named_group', choices=NAMED_GROUP_IANA_VALUE.keys(), nargs='?', |
| default=list(NAMED_GROUP_IANA_VALUE.keys())[0], |
| help='Choose cipher suite for test') |
| |
| args = parser.parse_args() |
| |
| def get_all_test_cases(): |
| for cipher, sig_alg, named_group, server, client in \ |
| itertools.product(CIPHER_SUITE_IANA_VALUE.keys(), SIG_ALG_IANA_VALUE.keys(), |
| NAMED_GROUP_IANA_VALUE.keys(), SERVER_CLASSES.keys(), |
| CLIENT_CLASSES.keys()): |
| yield generate_compat_test(cipher=cipher, sig_alg=sig_alg, named_group=named_group, |
| server=server, client=client) |
| |
| if args.generate_all_tls13_compat_tests: |
| if args.output: |
| with open(args.output, 'w', encoding="utf-8") as f: |
| f.write(SSL_OUTPUT_HEADER.format( |
| filename=os.path.basename(args.output))) |
| f.write('\n\n'.join(get_all_test_cases())) |
| f.write('\n') |
| else: |
| print('\n'.join(get_all_test_cases())) |
| return 0 |
| |
| if args.list_ciphers or args.list_sig_algs or args.list_named_groups \ |
| or args.list_servers or args.list_clients: |
| if args.list_ciphers: |
| print(*CIPHER_SUITE_IANA_VALUE.keys()) |
| if args.list_sig_algs: |
| print(*SIG_ALG_IANA_VALUE.keys()) |
| if args.list_named_groups: |
| print(*NAMED_GROUP_IANA_VALUE.keys()) |
| if args.list_servers: |
| print(*SERVER_CLASSES.keys()) |
| if args.list_clients: |
| print(*CLIENT_CLASSES.keys()) |
| return 0 |
| |
| print(generate_compat_test(server=args.server, client=args.client, sig_alg=args.sig_alg, |
| cipher=args.cipher, named_group=args.named_group)) |
| return 0 |
| |
| |
| if __name__ == "__main__": |
| sys.exit(main()) |