TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d64e20de7fc62b25a710832f0a252a78800e0283 / . / tests / scripts / generate_tls13_compat_tests.py
blob: 28f82bde151f6e120f52e097b2533e779f98917a [file] [log] [blame]
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]1#!/usr/bin/env python3
2
3# generate_tls13_compat_tests.py
4#
5# Copyright The Mbed TLS Contributors
6# SPDX-License-Identifier: Apache-2.0
7#
8# Licensed under the Apache License, Version 2.0 (the "License"); you may
9# not use this file except in compliance with the License.
10# You may obtain a copy of the License at
11#
12# http://www.apache.org/licenses/LICENSE-2.0
13#
14# Unless required by applicable law or agreed to in writing, software
15# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17# See the License for the specific language governing permissions and
18# limitations under the License.
19
20"""
21Generate TLSv1.3 Compat test cases
22
23"""
24
25import sys
26import abc
27import argparse
28
29# pylint: disable=useless-super-delegation
30
31CERTIFICATES = {
32 'ecdsa_secp256r1_sha256': (
33 'data_files/ecdsa_secp256r1_sha256.crt',
34 'data_files/ecdsa_secp256r1_sha256.key'),
35 'ecdsa_secp384r1_sha384': (
36 'data_files/ecdsa_secp384r1_sha384.crt',
37 'data_files/ecdsa_secp384r1_sha384.key'),
38 'ecdsa_secp521r1_sha512': (
39 'data_files/ecdsa_secp521r1_sha512.crt',
40 'data_files/ecdsa_secp521r1_sha512.key'),
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]41 'rsa_pss_rsae_sha256': (
42 'data_files/server2-sha256.crt', 'data_files/server2.key'
43 )
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]44}
45
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]46CAFILE = {
47 'ecdsa_secp256r1_sha256': 'data_files/test-ca2.crt',
48 'ecdsa_secp384r1_sha384': 'data_files/test-ca2.crt',
49 'ecdsa_secp521r1_sha512': 'data_files/test-ca2.crt',
50 'rsa_pss_rsae_sha256': 'data_files/test-ca_cat12.crt'
51}
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]52
53CIPHER_SUITE_IANA_VALUE = {
54 "TLS_AES_128_GCM_SHA256": 0x1301,
55 "TLS_AES_256_GCM_SHA384": 0x1302,
56 "TLS_CHACHA20_POLY1305_SHA256": 0x1303,
57 "TLS_AES_128_CCM_SHA256": 0x1304,
58 "TLS_AES_128_CCM_8_SHA256": 0x1305
59}
60
61SIG_ALG_IANA_VALUE = {
62 "ecdsa_secp256r1_sha256": 0x0403,
63 "ecdsa_secp384r1_sha384": 0x0503,
64 "ecdsa_secp521r1_sha512": 0x0603,
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]65 'rsa_pss_rsae_sha256': 0x0804,
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]66}
67
68NAMED_GROUP_IANA_VALUE = {
69 'secp256r1': 0x17,
70 'secp384r1': 0x18,
71 'secp521r1': 0x19,
72 'x25519': 0x1d,
73 'x448': 0x1e,
74}
75
76
77def remove_duplicates(seq):
78 seen = set()
79 seen_add = seen.add
80 return [x for x in seq if not (x in seen or seen_add(x))]
81
82
83class TLSProgram(metaclass=abc.ABCMeta):
84 """
85 Base class for generate server/client command.
86 """
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]87
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]88 def __init__(self, ciphersuite, signature_algorithm, named_group):
89 self._cipher = ciphersuite
90 self._sig_alg = signature_algorithm
91 self._named_group = named_group
92 self.add_ciphersuites(ciphersuite)
93 self.add_named_groups(named_group)
94 self.add_signature_algorithms(signature_algorithm)
95
96 @abc.abstractmethod
97 def add_ciphersuites(self, *ciphersuites):
98 pass
99
100 @abc.abstractmethod
101 def add_signature_algorithms(self, *signature_algorithms):
102 pass
103
104 @abc.abstractmethod
105 def add_named_groups(self, *named_groups):
106 pass
107
108 @abc.abstractmethod
109 def pre_checks(self):
110 return []
111
112 @abc.abstractmethod
113 def cmd(self):
114 pass
115
116 @abc.abstractmethod
117 def post_checks(self):
118 return []
119
120
121class OpenSSLServ(TLSProgram):
122 """
123 Generate test commands for OpenSSL server.
124 """
125 program = '$OPENSSL_NEXT'
126
127 def __init__(
128 self,
129 ciphersuite,
130 signature_algorithm,
131 named_group):
132 self.ciphersuites = []
133 self.named_groups = []
134 self.signature_algorithms = []
135 self.certificates = []
136 super().__init__(ciphersuite, signature_algorithm, named_group)
137
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]138 def add_ciphersuites(self, *ciphersuites):
139 self.ciphersuites.extend(ciphersuites)
140
141 def add_signature_algorithms(self, *signature_algorithms):
142 self.signature_algorithms.extend(signature_algorithms)
143 for sig_alg in signature_algorithms:
144 self.certificates.append(CERTIFICATES[sig_alg])
145
146 NAMED_GROUP = {
147 'secp256r1': 'P-256',
148 'secp384r1': 'P-384',
149 'secp521r1': 'P-521',
150 'x25519': 'X25519',
151 'x448': 'X448',
152 }
153
154 def add_named_groups(self, *named_groups):
155 for named_group in named_groups:
156 self.named_groups.append(self.NAMED_GROUP[named_group])
157
158 def cmd(self):
159 ret = ['$O_NEXT_SRV_NO_CERT']
160 for cert, key in self.certificates:
161 ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
162 ret += ['-accept $SRV_PORT']
163 ciphersuites = ','.join(self.ciphersuites)
164 signature_algorithms = ','.join(self.signature_algorithms)
165 named_groups = ','.join(self.named_groups)
166 ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites),
167 "-sigalgs {signature_algorithms}".format(
168 signature_algorithms=signature_algorithms),
169 "-groups {named_groups}".format(named_groups=named_groups)]
170 ret += ['-msg -tls1_3 -no_middlebox -num_tickets 0 -no_resume_ephemeral -no_cache']
171 return ' '.join(ret)
172
173 def pre_checks(self):
174 return ["requires_openssl_tls1_3"]
175
176 def post_checks(self):
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]177 return ['-c "HTTP/1.0 200 ok"']
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]178
179
180class GnuTLSServ(TLSProgram):
181 """
182 Generate test commands for GnuTLS server.
183 """
184
185 def __init__(self, ciphersuite, signature_algorithm, named_group):
186 self.priority_strings = []
187 self.certificates = []
188 super().__init__(ciphersuite, signature_algorithm, named_group)
189
190 CIPHER_SUITE = {
191 'TLS_AES_256_GCM_SHA384': [
192 'AES-256-GCM',
193 'SHA384',
194 'AEAD'],
195 'TLS_AES_128_GCM_SHA256': [
196 'AES-128-GCM',
197 'SHA256',
198 'AEAD'],
199 'TLS_CHACHA20_POLY1305_SHA256': [
200 'CHACHA20-POLY1305',
201 'SHA256',
202 'AEAD'],
203 'TLS_AES_128_CCM_SHA256': [
204 'AES-128-CCM',
205 'SHA256',
206 'AEAD'],
207 'TLS_AES_128_CCM_8_SHA256': [
208 'AES-128-CCM-8',
209 'SHA256',
210 'AEAD']}
211
212 def add_ciphersuites(self, *ciphersuites):
Jerry Yud64e20d2021-11-26 10:50:01 +0800[diff] [blame^]213 for ciphersuite in ciphersuites:
214 self.priority_strings.extend(self.CIPHER_SUITE[ciphersuite])
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]215
216 SIGNATURE_ALGORITHM = {
217 'ecdsa_secp256r1_sha256': ['SIGN-ECDSA-SECP256R1-SHA256'],
218 'ecdsa_secp521r1_sha512': ['SIGN-ECDSA-SECP521R1-SHA512'],
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]219 'ecdsa_secp384r1_sha384': ['SIGN-ECDSA-SECP384R1-SHA384'],
220 'rsa_pss_rsae_sha256': ['SIGN-RSA-PSS-RSAE-SHA256']}
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]221
222 def add_signature_algorithms(self, *signature_algorithms):
223 for sig_alg in signature_algorithms:
224 self.priority_strings.extend(self.SIGNATURE_ALGORITHM[sig_alg])
225 self.certificates.append(CERTIFICATES[sig_alg])
226
227 NAMED_GROUP = {
228 'secp256r1': ['GROUP-SECP256R1'],
229 'secp384r1': ['GROUP-SECP384R1'],
230 'secp521r1': ['GROUP-SECP521R1'],
231 'x25519': ['GROUP-X25519'],
232 'x448': ['GROUP-X448'],
233 }
234
235 def add_named_groups(self, *named_groups):
236 for named_group in named_groups:
237 self.priority_strings.extend(self.NAMED_GROUP[named_group])
238
239 def pre_checks(self):
240 return ["requires_gnutls_tls1_3",
241 "requires_gnutls_next_no_ticket",
242 "requires_gnutls_next_disable_tls13_compat", ]
243
244 def post_checks(self):
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]245 return ['-c "HTTP/1.0 200 OK"']
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]246
247 def cmd(self):
248 ret = [
249 '$G_NEXT_SRV_NO_CERT',
250 '--http',
251 '--disable-client-cert',
252 '--debug=4']
253 for cert, key in self.certificates:
254 ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
255 cert=cert, key=key)]
256 priority_strings = ':+'.join(['NONE'] +
257 list(set(self.priority_strings)) +
258 ['VERS-TLS1.3'])
259 priority_strings += ':%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE'
260 ret += ['--priority={priority_strings}'.format(
261 priority_strings=priority_strings)]
262 ret = ' '.join(ret)
263 return ret
264
265
266class MbedTLSCli(TLSProgram):
267 """
268 Generate test commands for mbedTLS client.
269 """
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]270
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]271 def __init__(self, ciphersuite, signature_algorithm, named_group):
272 self.ciphersuites = []
273 self.certificates = []
274 self.signature_algorithms = []
275 self.named_groups = []
276 self.needed_named_groups = []
277 super().__init__(ciphersuite, signature_algorithm, named_group)
278
279 CIPHER_SUITE = {
280 'TLS_AES_256_GCM_SHA384': 'TLS1-3-AES-256-GCM-SHA384',
281 'TLS_AES_128_GCM_SHA256': 'TLS1-3-AES-128-GCM-SHA256',
282 'TLS_CHACHA20_POLY1305_SHA256': 'TLS1-3-CHACHA20-POLY1305-SHA256',
283 'TLS_AES_128_CCM_SHA256': 'TLS1-3-AES-128-CCM-SHA256',
284 'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
285
286 def add_ciphersuites(self, *ciphersuites):
Jerry Yud64e20d2021-11-26 10:50:01 +0800[diff] [blame^]287 for ciphersuite in ciphersuites:
288 self.ciphersuites.append(self.CIPHER_SUITE[ciphersuite])
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]289
290 def add_signature_algorithms(self, *signature_algorithms):
291 for sig_alg in signature_algorithms:
292 self.signature_algorithms.append(sig_alg)
293 if sig_alg == 'ecdsa_secp256r1_sha256':
294 self.needed_named_groups.append('secp256r1')
295 elif sig_alg == 'ecdsa_secp521r1_sha512':
296 self.needed_named_groups.append('secp521r1')
297 elif sig_alg == 'ecdsa_secp384r1_sha384':
298 self.needed_named_groups.append('secp384r1')
299
300 self.certificates.append(CERTIFICATES[sig_alg])
301
302 def add_named_groups(self, *named_groups):
303 for named_group in named_groups:
304 self.named_groups.append(named_group)
305
306 def pre_checks(self):
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]307
308 ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
309 'requires_config_enabled MBEDTLS_SSL_CLI_C',
310 'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL',
311 'requires_config_disabled MBEDTLS_USE_PSA_CRYPTO']
312 if 'rsa_pss_rsae_sha256' in self.signature_algorithms:
313 ret.append(
314 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
315 return ret
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]316
317 def post_checks(self):
318
319 check_strings = ["ECDH curve: {group}".format(group=self._named_group),
320 "server hello, chosen ciphersuite: ( {:04x} ) - {}".format(
321 CIPHER_SUITE_IANA_VALUE[self._cipher],
322 self.CIPHER_SUITE[self._cipher]),
323 "Certificate Verify: Signature algorithm ( {:04x} )".format(
324 SIG_ALG_IANA_VALUE[self._sig_alg]),
325 "Verifying peer X.509 certificate... ok", ]
326 return ['-c "{}"'.format(i) for i in check_strings]
327
328 def cmd(self):
329 ret = ['$P_CLI']
330 ret += [
331 'server_addr=127.0.0.1 server_port=$SRV_PORT',
332 'debug_level=4 force_version=tls1_3']
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]333 ret += ['ca_file={CAFILE}'.format(CAFILE=CAFILE[self._sig_alg])]
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]334 self.ciphersuites = list(set(self.ciphersuites))
335 cipher = ','.join(self.ciphersuites)
336 if cipher:
337 ret += ["force_ciphersuite={cipher}".format(cipher=cipher)]
338 self.named_groups = remove_duplicates(
339 self.named_groups + self.needed_named_groups)
340 group = ','.join(self.named_groups)
341 if group:
342 ret += ["curves={group}".format(group=group)]
343 sig_alg = ','.join(self.signature_algorithms)
344 ret += ['sig_algs={sig_alg}'.format(sig_alg=sig_alg)]
345 ret = ' '.join(ret)
346 return ret
347
348
349SERVER_CLS = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ}
350CLIENT_CLS = {'mbedTLS': MbedTLSCli}
351
352
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]353def generate_compat_test(server=None, client=None, cipher=None, # pylint: disable=unused-argument
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]354 sig_alg=None, named_group=None, **kwargs):
355 """
356 Generate test case with `ssl-opt.sh` format.
357 """
358 name = 'TLS1.3 {client[0]}->{server[0]}: {cipher},{named_group},{sig_alg}'.format(
359 client=client, server=server, cipher=cipher, sig_alg=sig_alg, named_group=named_group)
360 server = SERVER_CLS[server](cipher, sig_alg, named_group)
361 client = CLIENT_CLS[client](cipher, sig_alg, named_group)
362
363 cmd = ['run_test "{}"'.format(name), '"{}"'.format(
364 server.cmd()), '"{}"'.format(client.cmd()), '0']
365 cmd += server.post_checks()
366 cmd += client.post_checks()
367 prefix = ' \\\n' + (' '*12)
368 cmd = prefix.join(cmd)
369 print('\n'.join(server.pre_checks() + client.pre_checks() + [cmd]))
370 return 0
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]371
372
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]373def main():
374 parser = argparse.ArgumentParser()
375
376 parser.add_argument('--list-ciphers', action='store_true',
377 default=False, help='List supported ciphersuites')
378
379 parser.add_argument('--list-sig-algs', action='store_true',
380 default=False, help='List supported signature algorithms')
381
382 parser.add_argument('--list-named-groups', action='store_true',
383 default=False, help='List supported named groups')
384
385 parser.add_argument('--list-servers', action='store_true',
386 default=False, help='List supported TLS servers')
387
388 parser.add_argument('--list-clients', action='store_true',
389 default=False, help='List supported TLS Clients')
390
391 parser.add_argument('server', choices=SERVER_CLS.keys(), nargs='?',
392 default=list(SERVER_CLS.keys())[0],
393 help='Choose TLS server program for test')
394 parser.add_argument('client', choices=CLIENT_CLS.keys(), nargs='?',
395 default=list(CLIENT_CLS.keys())[0],
396 help='Choose TLS client program for test')
397 parser.add_argument('cipher', choices=CIPHER_SUITE_IANA_VALUE.keys(), nargs='?',
398 default=list(CIPHER_SUITE_IANA_VALUE.keys())[0],
399 help='Choose cipher suite for test')
400 parser.add_argument('sig_alg', choices=SIG_ALG_IANA_VALUE.keys(), nargs='?',
401 default=list(SIG_ALG_IANA_VALUE.keys())[0],
402 help='Choose cipher suite for test')
403 parser.add_argument('named_group', choices=NAMED_GROUP_IANA_VALUE.keys(), nargs='?',
404 default=list(NAMED_GROUP_IANA_VALUE.keys())[0],
405 help='Choose cipher suite for test')
406
407 args = parser.parse_args()
408 if args.list_ciphers or args.list_sig_algs or args.list_named_groups \
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]409 or args.list_servers or args.list_clients:
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]410 if args.list_ciphers:
411 print(*CIPHER_SUITE_IANA_VALUE.keys())
412 if args.list_sig_algs:
413 print(*SIG_ALG_IANA_VALUE.keys())
414 if args.list_named_groups:
415 print(*NAMED_GROUP_IANA_VALUE.keys())
416 if args.list_servers:
417 print(*SERVER_CLS.keys())
418 if args.list_clients:
419 print(*CLIENT_CLS.keys())
420 return 0
421 return generate_compat_test(**vars(args))
422
Jerry Yu29deed42021-11-25 11:09:54 +0800[diff] [blame]423
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]424if __name__ == "__main__":
425 sys.exit(main())