1#!/usr/bin/env python3 2 3# translate_ciphers.py 4# 5# Copyright The Mbed TLS Contributors 6# SPDX-License-Identifier: Apache-2.0 7# 8# Licensed under the Apache License, Version 2.0 (the "License"); you may 9# not use this file except in compliance with the License. 10# You may obtain a copy of the License at 11# 12# http://www.apache.org/licenses/LICENSE-2.0 13# 14# Unless required by applicable law or agreed to in writing, software 15# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 16# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17# See the License for the specific language governing permissions and 18# limitations under the License. 19 20""" 21Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards. 22 23To test the translation functions run: 24python3 -m unittest translate_cipher.py 25""" 26 27import re 28import argparse 29import unittest 30 31class TestTranslateCiphers(unittest.TestCase): 32 """ 33 Ensure translate_ciphers.py translates and formats ciphersuite names 34 correctly 35 """ 36 def test_translate_all_cipher_names(self): 37 """ 38 Translate standard ciphersuite names to GnuTLS, OpenSSL and 39 Mbed TLS counterpart. Use only a small subset of ciphers 40 that exercise each step of the translation functions 41 """ 42 ciphers = [ 43 ("TLS_ECDHE_ECDSA_WITH_NULL_SHA", 44 "+ECDHE-ECDSA:+NULL:+SHA1", 45 "ECDHE-ECDSA-NULL-SHA", 46 "TLS-ECDHE-ECDSA-WITH-NULL-SHA"), 47 ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 48 "+ECDHE-ECDSA:+AES-128-GCM:+AEAD", 49 "ECDHE-ECDSA-AES128-GCM-SHA256", 50 "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"), 51 ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 52 "+DHE-RSA:+3DES-CBC:+SHA1", 53 "EDH-RSA-DES-CBC3-SHA", 54 "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"), 55 ("TLS_RSA_WITH_AES_256_CBC_SHA", 56 "+RSA:+AES-256-CBC:+SHA1", 57 "AES256-SHA", 58 "TLS-RSA-WITH-AES-256-CBC-SHA"), 59 ("TLS_PSK_WITH_3DES_EDE_CBC_SHA", 60 "+PSK:+3DES-CBC:+SHA1", 61 "PSK-3DES-EDE-CBC-SHA", 62 "TLS-PSK-WITH-3DES-EDE-CBC-SHA"), 63 ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 64 None, 65 "ECDHE-ECDSA-CHACHA20-POLY1305", 66 "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"), 67 ("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", 68 "+ECDHE-ECDSA:+AES-128-CCM:+AEAD", 69 None, 70 "TLS-ECDHE-ECDSA-WITH-AES-128-CCM"), 71 ("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", 72 None, 73 "ECDHE-ARIA256-GCM-SHA384", 74 "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"), 75 ] 76 77 for s, g_exp, o_exp, m_exp in ciphers: 78 79 if g_exp is not None: 80 g = translate_gnutls(s) 81 self.assertEqual(g, g_exp) 82 83 if o_exp is not None: 84 o = translate_ossl(s) 85 self.assertEqual(o, o_exp) 86 87 if m_exp is not None: 88 m = translate_mbedtls(s) 89 self.assertEqual(m, m_exp) 90 91def translate_gnutls(s_cipher): 92 """ 93 Translate s_cipher from standard ciphersuite naming convention 94 and return the GnuTLS naming convention 95 """ 96 97 # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS 98 # naming convention 99 s_cipher = s_cipher.replace("_", "-") 100 101 s_cipher = re.sub(r'\ATLS-', '+', s_cipher) 102 s_cipher = s_cipher.replace("-WITH-", ":+") 103 s_cipher = s_cipher.replace("-EDE", "") 104 105 # SHA in Mbed TLS == SHA1 GnuTLS, 106 # if the last 3 chars are SHA append 1 107 if s_cipher[-3:] == "SHA": 108 s_cipher = s_cipher+"1" 109 110 # CCM or CCM-8 should be followed by ":+AEAD" 111 # Replace "GCM:+SHAxyz" with "GCM:+AEAD" 112 if "CCM" in s_cipher or "GCM" in s_cipher: 113 s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher) 114 s_cipher = s_cipher+":+AEAD" 115 116 # Replace the last "-" with ":+" 117 else: 118 index = s_cipher.rindex("-") 119 s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:] 120 121 return s_cipher 122 123def translate_ossl(s_cipher): 124 """ 125 Translate s_cipher from standard ciphersuite naming convention 126 and return the OpenSSL naming convention 127 """ 128 129 # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS 130 # naming convention 131 s_cipher = s_cipher.replace("_", "-") 132 133 s_cipher = re.sub(r'^TLS-', '', s_cipher) 134 s_cipher = s_cipher.replace("-WITH", "") 135 136 # Remove the "-" from "ABC-xyz" 137 s_cipher = s_cipher.replace("AES-", "AES") 138 s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA") 139 s_cipher = s_cipher.replace("ARIA-", "ARIA") 140 141 # Remove "RSA" if it is at the beginning 142 s_cipher = re.sub(r'^RSA-', r'', s_cipher) 143 144 # For all circumstances outside of PSK 145 if "PSK" not in s_cipher: 146 s_cipher = s_cipher.replace("-EDE", "") 147 s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3") 148 149 # Remove "CBC" if it is not prefixed by DES 150 s_cipher = re.sub(r'(?<!DES-)CBC-', r'', s_cipher) 151 152 # ECDHE-RSA-ARIA does not exist in OpenSSL 153 s_cipher = s_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA") 154 155 # POLY1305 should not be followed by anything 156 if "POLY1305" in s_cipher: 157 index = s_cipher.rindex("POLY1305") 158 s_cipher = s_cipher[:index+8] 159 160 # If DES is being used, Replace DHE with EDH 161 if "DES" in s_cipher and "DHE" in s_cipher and "ECDHE" not in s_cipher: 162 s_cipher = s_cipher.replace("DHE", "EDH") 163 164 return s_cipher 165 166def translate_mbedtls(s_cipher): 167 """ 168 Translate s_cipher from standard ciphersuite naming convention 169 and return Mbed TLS ciphersuite naming convention 170 """ 171 172 # Replace "_" with "-" 173 s_cipher = s_cipher.replace("_", "-") 174 175 return s_cipher 176 177def format_ciphersuite_names(mode, names): 178 t = {"g": translate_gnutls, 179 "o": translate_ossl, 180 "m": translate_mbedtls 181 }[mode] 182 return " ".join(c + '=' + t(c) for c in names) 183 184def main(target, names): 185 print(format_ciphersuite_names(target, names)) 186 187if __name__ == "__main__": 188 PARSER = argparse.ArgumentParser() 189 PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g', 'm']) 190 PARSER.add_argument('names', metavar='NAMES', nargs='+') 191 ARGS = PARSER.parse_args() 192 main(ARGS.target, ARGS.names) 193
