1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
#!/usr/bin/env python3
# translate_ciphers.py
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Translate ciphersuite names in Mbed TLS format to OpenSSL and GNUTLS
standards.
To test the translation functions run:
python3 -m unittest translate_cipher.py
"""
import re
import argparse
import unittest
class TestTranslateCiphers(unittest.TestCase):
"""
Ensure translate_ciphers.py translates and formats ciphersuite names
correctly
"""
def test_translate_all_cipher_names(self):
"""
Translate MbedTLS ciphersuite names to their OpenSSL and
GnuTLS counterpart. Use only a small subset of ciphers
that exercise each step of the translate functions
"""
ciphers = [
("TLS-ECDHE-ECDSA-WITH-NULL-SHA",
"+ECDHE-ECDSA:+NULL:+SHA1",
"ECDHE-ECDSA-NULL-SHA"),
("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
"+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
"ECDHE-ECDSA-AES128-GCM-SHA256"),
("TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
"+DHE-RSA:+3DES-CBC:+SHA1",
"EDH-RSA-DES-CBC3-SHA"),
("TLS-RSA-WITH-AES-256-CBC-SHA",
"+RSA:+AES-256-CBC:+SHA1",
"AES256-SHA"),
("TLS-PSK-WITH-3DES-EDE-CBC-SHA",
"+PSK:+3DES-CBC:+SHA1",
"PSK-3DES-EDE-CBC-SHA"),
("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
None,
"ECDHE-ECDSA-CHACHA20-POLY1305"),
("TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
"+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
None),
("TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
None,
"ECDHE-ARIA256-GCM-SHA384"),
]
for m, g_exp, o_exp in ciphers:
if g_exp is not None:
g = translate_gnutls(m)
self.assertEqual(g, g_exp)
if o_exp is not None:
o = translate_ossl(m)
self.assertEqual(o, o_exp)
def translate_gnutls(m_cipher):
"""
Translate m_cipher from Mbed TLS ciphersuite naming convention
and return the GnuTLS naming convention
"""
m_cipher = re.sub(r'\ATLS-', '+', m_cipher)
m_cipher = m_cipher.replace("-WITH-", ":+")
m_cipher = m_cipher.replace("-EDE", "")
# SHA in Mbed TLS == SHA1 GnuTLS,
# if the last 3 chars are SHA append 1
if m_cipher[-3:] == "SHA":
m_cipher = m_cipher+"1"
# CCM or CCM-8 should be followed by ":+AEAD"
# Replace "GCM:+SHAxyz" with "GCM:+AEAD"
if "CCM" in m_cipher or "GCM" in m_cipher:
m_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", m_cipher)
m_cipher = m_cipher+":+AEAD"
# Replace the last "-" with ":+"
else:
index = m_cipher.rindex("-")
m_cipher = m_cipher[:index] + ":+" + m_cipher[index+1:]
return m_cipher
def translate_ossl(m_cipher):
"""
Translate m_cipher from Mbed TLS ciphersuite naming convention
and return the OpenSSL naming convention
"""
m_cipher = re.sub(r'^TLS-', '', m_cipher)
m_cipher = m_cipher.replace("-WITH", "")
# Remove the "-" from "ABC-xyz"
m_cipher = m_cipher.replace("AES-", "AES")
m_cipher = m_cipher.replace("CAMELLIA-", "CAMELLIA")
m_cipher = m_cipher.replace("ARIA-", "ARIA")
# Remove "RSA" if it is at the beginning
m_cipher = re.sub(r'^RSA-', r'', m_cipher)
# For all circumstances outside of PSK
if "PSK" not in m_cipher:
m_cipher = m_cipher.replace("-EDE", "")
m_cipher = m_cipher.replace("3DES-CBC", "DES-CBC3")
# Remove "CBC" if it is not prefixed by DES
m_cipher = re.sub(r'(?<!DES-)CBC-', r'', m_cipher)
# ECDHE-RSA-ARIA does not exist in OpenSSL
m_cipher = m_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
# POLY1305 should not be followed by anything
if "POLY1305" in m_cipher:
index = m_cipher.rindex("POLY1305")
m_cipher = m_cipher[:index+8]
# If DES is being used, Replace DHE with EDH
if "DES" in m_cipher and "DHE" in m_cipher and "ECDHE" not in m_cipher:
m_cipher = m_cipher.replace("DHE", "EDH")
return m_cipher
def format_ciphersuite_names(mode, names):
t = {"g": translate_gnutls, "o": translate_ossl}[mode]
return " ".join(t(c) for c in names)
def main(target, names):
print(format_ciphersuite_names(target, names))
if __name__ == "__main__":
PARSER = argparse.ArgumentParser()
PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g'])
PARSER.add_argument('names', metavar='NAMES', nargs='+')
ARGS = PARSER.parse_args()
main(ARGS.target, ARGS.names)
|
