TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2c824b4fe5dab7e1526560be203bf705857e372a / . / framework / scripts / translate_ciphers.py
blob: 59335378770457efd7d9d54ab4e6ba5a268b18c3 [file] [log] [blame]
Minos Galanakis2c824b42025-03-20 09:28:45 +0000[diff] [blame^]1#!/usr/bin/env python3
2
3# translate_ciphers.py
4#
5# Copyright The Mbed TLS Contributors
6# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7
8"""
9Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards.
10
11To test the translation functions run:
12python3 -m unittest translate_cipher.py
13"""
14
15import re
16import argparse
17import unittest
18
19class TestTranslateCiphers(unittest.TestCase):
20 """
21 Ensure translate_ciphers.py translates and formats ciphersuite names
22 correctly
23 """
24 def test_translate_all_cipher_names(self):
25 """
26 Translate standard ciphersuite names to GnuTLS, OpenSSL and
27 Mbed TLS counterpart. Use only a small subset of ciphers
28 that exercise each step of the translation functions
29 """
30 ciphers = [
31 ("TLS_ECDHE_ECDSA_WITH_NULL_SHA",
32 "+ECDHE-ECDSA:+NULL:+SHA1",
33 "ECDHE-ECDSA-NULL-SHA",
34 "TLS-ECDHE-ECDSA-WITH-NULL-SHA"),
35 ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
36 "+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
37 "ECDHE-ECDSA-AES128-GCM-SHA256",
38 "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"),
39 ("TLS_RSA_WITH_AES_256_CBC_SHA",
40 "+RSA:+AES-256-CBC:+SHA1",
41 "AES256-SHA",
42 "TLS-RSA-WITH-AES-256-CBC-SHA"),
43 ("TLS_PSK_WITH_3DES_EDE_CBC_SHA",
44 "+PSK:+3DES-CBC:+SHA1",
45 "PSK-3DES-EDE-CBC-SHA",
46 "TLS-PSK-WITH-3DES-EDE-CBC-SHA"),
47 ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
48 None,
49 "ECDHE-ECDSA-CHACHA20-POLY1305",
50 "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"),
51 ("TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
52 "+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
53 None,
54 "TLS-ECDHE-ECDSA-WITH-AES-128-CCM"),
55 ("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
56 None,
57 "ECDHE-ARIA256-GCM-SHA384",
58 "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"),
59 ]
60
61 for s, g_exp, o_exp, m_exp in ciphers:
62
63 if g_exp is not None:
64 g = translate_gnutls(s)
65 self.assertEqual(g, g_exp)
66
67 if o_exp is not None:
68 o = translate_ossl(s)
69 self.assertEqual(o, o_exp)
70
71 if m_exp is not None:
72 m = translate_mbedtls(s)
73 self.assertEqual(m, m_exp)
74
75def translate_gnutls(s_cipher):
76 """
77 Translate s_cipher from standard ciphersuite naming convention
78 and return the GnuTLS naming convention
79 """
80
81 # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
82 # naming convention
83 s_cipher = s_cipher.replace("_", "-")
84
85 s_cipher = re.sub(r'\ATLS-', '+', s_cipher)
86 s_cipher = s_cipher.replace("-WITH-", ":+")
87 s_cipher = s_cipher.replace("-EDE", "")
88
89 # SHA in Mbed TLS == SHA1 GnuTLS,
90 # if the last 3 chars are SHA append 1
91 if s_cipher[-3:] == "SHA":
92 s_cipher = s_cipher+"1"
93
94 # CCM or CCM-8 should be followed by ":+AEAD"
95 # Replace "GCM:+SHAxyz" with "GCM:+AEAD"
96 if "CCM" in s_cipher or "GCM" in s_cipher:
97 s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher)
98 s_cipher = s_cipher+":+AEAD"
99
100 # Replace the last "-" with ":+"
101 else:
102 index = s_cipher.rindex("-")
103 s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:]
104
105 return s_cipher
106
107def translate_ossl(s_cipher):
108 """
109 Translate s_cipher from standard ciphersuite naming convention
110 and return the OpenSSL naming convention
111 """
112
113 # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
114 # naming convention
115 s_cipher = s_cipher.replace("_", "-")
116
117 s_cipher = re.sub(r'^TLS-', '', s_cipher)
118 s_cipher = s_cipher.replace("-WITH", "")
119
120 # Remove the "-" from "ABC-xyz"
121 s_cipher = s_cipher.replace("AES-", "AES")
122 s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA")
123 s_cipher = s_cipher.replace("ARIA-", "ARIA")
124
125 # Remove "RSA" if it is at the beginning
126 s_cipher = re.sub(r'^RSA-', r'', s_cipher)
127
128 # For all circumstances outside of PSK
129 if "PSK" not in s_cipher:
130 s_cipher = s_cipher.replace("-EDE", "")
131 s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3")
132
133 # Remove "CBC" if it is not prefixed by DES
134 s_cipher = re.sub(r'(?<!DES-)CBC-', r'', s_cipher)
135
136 # ECDHE-RSA-ARIA does not exist in OpenSSL
137 s_cipher = s_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
138
139 # POLY1305 should not be followed by anything
140 if "POLY1305" in s_cipher:
141 index = s_cipher.rindex("POLY1305")
142 s_cipher = s_cipher[:index+8]
143
144 # If DES is being used, Replace DHE with EDH
145 if "DES" in s_cipher and "DHE" in s_cipher and "ECDHE" not in s_cipher:
146 s_cipher = s_cipher.replace("DHE", "EDH")
147
148 return s_cipher
149
150def translate_mbedtls(s_cipher):
151 """
152 Translate s_cipher from standard ciphersuite naming convention
153 and return Mbed TLS ciphersuite naming convention
154 """
155
156 # Replace "_" with "-"
157 s_cipher = s_cipher.replace("_", "-")
158
159 return s_cipher
160
161def format_ciphersuite_names(mode, names):
162 t = {"g": translate_gnutls,
163 "o": translate_ossl,
164 "m": translate_mbedtls
165 }[mode]
166 return " ".join(c + '=' + t(c) for c in names)
167
168def main(target, names):
169 print(format_ciphersuite_names(target, names))
170
171if __name__ == "__main__":
172 PARSER = argparse.ArgumentParser()
173 PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g', 'm'])
174 PARSER.add_argument('names', metavar='NAMES', nargs='+')
175 ARGS = PARSER.parse_args()
176 main(ARGS.target, ARGS.names)