Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 0344c602eadc0802776b65ff90f0a02c856cf53c / . / tests / scripts / generate_tls13_compat_tests.py
blob: 8b28590b8742232689568b19b7f44151b5975f2e [file] [log] [blame]
Tom Rini0344c602024-10-08 13:56:50 -0600[diff] [blame^]1#!/usr/bin/env python3
2
3# generate_tls13_compat_tests.py
4#
5# Copyright The Mbed TLS Contributors
6# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7
8"""
9Generate TLSv1.3 Compat test cases
10
11"""
12
13import sys
14import os
15import argparse
16import itertools
17from collections import namedtuple
18
19# define certificates configuration entry
20Certificate = namedtuple("Certificate", ['cafile', 'certfile', 'keyfile'])
21# define the certificate parameters for signature algorithms
22CERTIFICATES = {
23 'ecdsa_secp256r1_sha256': Certificate('data_files/test-ca2.crt',
24 'data_files/ecdsa_secp256r1.crt',
25 'data_files/ecdsa_secp256r1.key'),
26 'ecdsa_secp384r1_sha384': Certificate('data_files/test-ca2.crt',
27 'data_files/ecdsa_secp384r1.crt',
28 'data_files/ecdsa_secp384r1.key'),
29 'ecdsa_secp521r1_sha512': Certificate('data_files/test-ca2.crt',
30 'data_files/ecdsa_secp521r1.crt',
31 'data_files/ecdsa_secp521r1.key'),
32 'rsa_pss_rsae_sha256': Certificate('data_files/test-ca_cat12.crt',
33 'data_files/server2-sha256.crt', 'data_files/server2.key'
34 )
35}
36
37CIPHER_SUITE_IANA_VALUE = {
38 "TLS_AES_128_GCM_SHA256": 0x1301,
39 "TLS_AES_256_GCM_SHA384": 0x1302,
40 "TLS_CHACHA20_POLY1305_SHA256": 0x1303,
41 "TLS_AES_128_CCM_SHA256": 0x1304,
42 "TLS_AES_128_CCM_8_SHA256": 0x1305
43}
44
45SIG_ALG_IANA_VALUE = {
46 "ecdsa_secp256r1_sha256": 0x0403,
47 "ecdsa_secp384r1_sha384": 0x0503,
48 "ecdsa_secp521r1_sha512": 0x0603,
49 'rsa_pss_rsae_sha256': 0x0804,
50}
51
52NAMED_GROUP_IANA_VALUE = {
53 'secp256r1': 0x17,
54 'secp384r1': 0x18,
55 'secp521r1': 0x19,
56 'x25519': 0x1d,
57 'x448': 0x1e,
58 # Only one finite field group to keep testing time within reasonable bounds.
59 'ffdhe2048': 0x100,
60}
61
62class TLSProgram:
63 """
64 Base class for generate server/client command.
65 """
66
67 # pylint: disable=too-many-arguments
68 def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None,
69 cert_sig_alg=None, compat_mode=True):
70 self._ciphers = []
71 self._sig_algs = []
72 self._named_groups = []
73 self._cert_sig_algs = []
74 if ciphersuite:
75 self.add_ciphersuites(ciphersuite)
76 if named_group:
77 self.add_named_groups(named_group)
78 if signature_algorithm:
79 self.add_signature_algorithms(signature_algorithm)
80 if cert_sig_alg:
81 self.add_cert_signature_algorithms(cert_sig_alg)
82 self._compat_mode = compat_mode
83
84 # add_ciphersuites should not override by sub class
85 def add_ciphersuites(self, *ciphersuites):
86 self._ciphers.extend(
87 [cipher for cipher in ciphersuites if cipher not in self._ciphers])
88
89 # add_signature_algorithms should not override by sub class
90 def add_signature_algorithms(self, *signature_algorithms):
91 self._sig_algs.extend(
92 [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._sig_algs])
93
94 # add_named_groups should not override by sub class
95 def add_named_groups(self, *named_groups):
96 self._named_groups.extend(
97 [named_group for named_group in named_groups if named_group not in self._named_groups])
98
99 # add_cert_signature_algorithms should not override by sub class
100 def add_cert_signature_algorithms(self, *signature_algorithms):
101 self._cert_sig_algs.extend(
102 [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs])
103
104 # pylint: disable=no-self-use
105 def pre_checks(self):
106 return []
107
108 # pylint: disable=no-self-use
109 def cmd(self):
110 if not self._cert_sig_algs:
111 self._cert_sig_algs = list(CERTIFICATES.keys())
112 return self.pre_cmd()
113
114 # pylint: disable=no-self-use
115 def post_checks(self):
116 return []
117
118 # pylint: disable=no-self-use
119 def pre_cmd(self):
120 return ['false']
121
122 # pylint: disable=unused-argument,no-self-use
123 def hrr_post_checks(self, named_group):
124 return []
125
126
127class OpenSSLBase(TLSProgram):
128 """
129 Generate base test commands for OpenSSL.
130 """
131
132 NAMED_GROUP = {
133 'secp256r1': 'P-256',
134 'secp384r1': 'P-384',
135 'secp521r1': 'P-521',
136 'x25519': 'X25519',
137 'x448': 'X448',
138 'ffdhe2048': 'ffdhe2048',
139 }
140
141 def cmd(self):
142 ret = super().cmd()
143
144 if self._ciphers:
145 ciphersuites = ':'.join(self._ciphers)
146 ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites)]
147
148 if self._sig_algs:
149 signature_algorithms = set(self._sig_algs + self._cert_sig_algs)
150 signature_algorithms = ':'.join(signature_algorithms)
151 ret += ["-sigalgs {signature_algorithms}".format(
152 signature_algorithms=signature_algorithms)]
153
154 if self._named_groups:
155 named_groups = ':'.join(
156 map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups))
157 ret += ["-groups {named_groups}".format(named_groups=named_groups)]
158
159 ret += ['-msg -tls1_3']
160 if not self._compat_mode:
161 ret += ['-no_middlebox']
162
163 return ret
164
165 def pre_checks(self):
166 ret = ["requires_openssl_tls1_3"]
167
168 # ffdh groups require at least openssl 3.0
169 ffdh_groups = ['ffdhe2048']
170
171 if any(x in ffdh_groups for x in self._named_groups):
172 ret = ["requires_openssl_tls1_3_with_ffdh"]
173
174 return ret
175
176
177class OpenSSLServ(OpenSSLBase):
178 """
179 Generate test commands for OpenSSL server.
180 """
181
182 def cmd(self):
183 ret = super().cmd()
184 ret += ['-num_tickets 0 -no_resume_ephemeral -no_cache']
185 return ret
186
187 def post_checks(self):
188 return ['-c "HTTP/1.0 200 ok"']
189
190 def pre_cmd(self):
191 ret = ['$O_NEXT_SRV_NO_CERT']
192 for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
193 ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
194 return ret
195
196
197class OpenSSLCli(OpenSSLBase):
198 """
199 Generate test commands for OpenSSL client.
200 """
201
202 def pre_cmd(self):
203 return ['$O_NEXT_CLI_NO_CERT',
204 '-CAfile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
205
206
207class GnuTLSBase(TLSProgram):
208 """
209 Generate base test commands for GnuTLS.
210 """
211
212 CIPHER_SUITE = {
213 'TLS_AES_256_GCM_SHA384': [
214 'AES-256-GCM',
215 'SHA384',
216 'AEAD'],
217 'TLS_AES_128_GCM_SHA256': [
218 'AES-128-GCM',
219 'SHA256',
220 'AEAD'],
221 'TLS_CHACHA20_POLY1305_SHA256': [
222 'CHACHA20-POLY1305',
223 'SHA256',
224 'AEAD'],
225 'TLS_AES_128_CCM_SHA256': [
226 'AES-128-CCM',
227 'SHA256',
228 'AEAD'],
229 'TLS_AES_128_CCM_8_SHA256': [
230 'AES-128-CCM-8',
231 'SHA256',
232 'AEAD']}
233
234 SIGNATURE_ALGORITHM = {
235 'ecdsa_secp256r1_sha256': ['SIGN-ECDSA-SECP256R1-SHA256'],
236 'ecdsa_secp521r1_sha512': ['SIGN-ECDSA-SECP521R1-SHA512'],
237 'ecdsa_secp384r1_sha384': ['SIGN-ECDSA-SECP384R1-SHA384'],
238 'rsa_pss_rsae_sha256': ['SIGN-RSA-PSS-RSAE-SHA256']}
239
240 NAMED_GROUP = {
241 'secp256r1': ['GROUP-SECP256R1'],
242 'secp384r1': ['GROUP-SECP384R1'],
243 'secp521r1': ['GROUP-SECP521R1'],
244 'x25519': ['GROUP-X25519'],
245 'x448': ['GROUP-X448'],
246 'ffdhe2048': ['GROUP-FFDHE2048'],
247 }
248
249 def pre_checks(self):
250 return ["requires_gnutls_tls1_3",
251 "requires_gnutls_next_no_ticket",
252 "requires_gnutls_next_disable_tls13_compat", ]
253
254 def cmd(self):
255 ret = super().cmd()
256
257 priority_string_list = []
258
259 def update_priority_string_list(items, map_table):
260 for item in items:
261 for i in map_table[item]:
262 if i not in priority_string_list:
263 yield i
264
265 if self._ciphers:
266 priority_string_list.extend(update_priority_string_list(
267 self._ciphers, self.CIPHER_SUITE))
268 else:
269 priority_string_list.extend(['CIPHER-ALL', 'MAC-ALL'])
270
271 if self._sig_algs:
272 signature_algorithms = set(self._sig_algs + self._cert_sig_algs)
273 priority_string_list.extend(update_priority_string_list(
274 signature_algorithms, self.SIGNATURE_ALGORITHM))
275 else:
276 priority_string_list.append('SIGN-ALL')
277
278
279 if self._named_groups:
280 priority_string_list.extend(update_priority_string_list(
281 self._named_groups, self.NAMED_GROUP))
282 else:
283 priority_string_list.append('GROUP-ALL')
284
285 priority_string_list = ['NONE'] + \
286 priority_string_list + ['VERS-TLS1.3']
287
288 priority_string = ':+'.join(priority_string_list)
289 priority_string += ':%NO_TICKETS'
290
291 if not self._compat_mode:
292 priority_string += [':%DISABLE_TLS13_COMPAT_MODE']
293
294 ret += ['--priority={priority_string}'.format(
295 priority_string=priority_string)]
296 return ret
297
298class GnuTLSServ(GnuTLSBase):
299 """
300 Generate test commands for GnuTLS server.
301 """
302
303 def pre_cmd(self):
304 ret = ['$G_NEXT_SRV_NO_CERT', '--http', '--disable-client-cert', '--debug=4']
305
306 for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
307 ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
308 cert=cert, key=key)]
309 return ret
310
311 def post_checks(self):
312 return ['-c "HTTP/1.0 200 OK"']
313
314
315class GnuTLSCli(GnuTLSBase):
316 """
317 Generate test commands for GnuTLS client.
318 """
319
320 def pre_cmd(self):
321 return ['$G_NEXT_CLI_NO_CERT', '--debug=4', '--single-key-share',
322 '--x509cafile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
323
324
325class MbedTLSBase(TLSProgram):
326 """
327 Generate base test commands for mbedTLS.
328 """
329
330 CIPHER_SUITE = {
331 'TLS_AES_256_GCM_SHA384': 'TLS1-3-AES-256-GCM-SHA384',
332 'TLS_AES_128_GCM_SHA256': 'TLS1-3-AES-128-GCM-SHA256',
333 'TLS_CHACHA20_POLY1305_SHA256': 'TLS1-3-CHACHA20-POLY1305-SHA256',
334 'TLS_AES_128_CCM_SHA256': 'TLS1-3-AES-128-CCM-SHA256',
335 'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
336
337 def cmd(self):
338 ret = super().cmd()
339 ret += ['debug_level=4']
340
341
342 if self._ciphers:
343 ciphers = ','.join(
344 map(lambda cipher: self.CIPHER_SUITE[cipher], self._ciphers))
345 ret += ["force_ciphersuite={ciphers}".format(ciphers=ciphers)]
346
347 if self._sig_algs + self._cert_sig_algs:
348 ret += ['sig_algs={sig_algs}'.format(
349 sig_algs=','.join(set(self._sig_algs + self._cert_sig_algs)))]
350
351 if self._named_groups:
352 named_groups = ','.join(self._named_groups)
353 ret += ["groups={named_groups}".format(named_groups=named_groups)]
354 return ret
355
356 #pylint: disable=missing-function-docstring
357 def add_ffdh_group_requirements(self, requirement_list):
358 if 'ffdhe2048' in self._named_groups:
359 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
360 if 'ffdhe3072' in self._named_groups:
361 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
362 if 'ffdhe4096' in self._named_groups:
363 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
364 if 'ffdhe6144' in self._named_groups:
365 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
366 if 'ffdhe8192' in self._named_groups:
367 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
368
369 def pre_checks(self):
370 ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
371 'requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED']
372
373 if self._compat_mode:
374 ret += ['requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE']
375
376 if 'rsa_pss_rsae_sha256' in self._sig_algs + self._cert_sig_algs:
377 ret.append(
378 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
379
380 ec_groups = ['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448']
381 ffdh_groups = ['ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192']
382
383 if any(x in ec_groups for x in self._named_groups):
384 ret.append('requires_config_enabled PSA_WANT_ALG_ECDH')
385
386 if any(x in ffdh_groups for x in self._named_groups):
387 ret.append('requires_config_enabled PSA_WANT_ALG_FFDH')
388 self.add_ffdh_group_requirements(ret)
389
390 return ret
391
392
393class MbedTLSServ(MbedTLSBase):
394 """
395 Generate test commands for mbedTLS server.
396 """
397
398 def cmd(self):
399 ret = super().cmd()
400 ret += ['tls13_kex_modes=ephemeral cookies=0 tickets=0']
401 return ret
402
403 def pre_checks(self):
404 return ['requires_config_enabled MBEDTLS_SSL_SRV_C'] + super().pre_checks()
405
406 def post_checks(self):
407 check_strings = ["Protocol is TLSv1.3"]
408 if self._ciphers:
409 check_strings.append(
410 "server hello, chosen ciphersuite: {} ( id={:04d} )".format(
411 self.CIPHER_SUITE[self._ciphers[0]],
412 CIPHER_SUITE_IANA_VALUE[self._ciphers[0]]))
413 if self._sig_algs:
414 check_strings.append(
415 "received signature algorithm: 0x{:x}".format(
416 SIG_ALG_IANA_VALUE[self._sig_algs[0]]))
417
418 for named_group in self._named_groups:
419 check_strings += ['got named group: {named_group}({iana_value:04x})'.format(
420 named_group=named_group,
421 iana_value=NAMED_GROUP_IANA_VALUE[named_group])]
422
423 check_strings.append("Certificate verification was skipped")
424 return ['-s "{}"'.format(i) for i in check_strings]
425
426 def pre_cmd(self):
427 ret = ['$P_SRV']
428 for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
429 ret += ['crt_file={cert} key_file={key}'.format(cert=cert, key=key)]
430 return ret
431
432 def hrr_post_checks(self, named_group):
433 return ['-s "HRR selected_group: {:s}"'.format(named_group)]
434
435
436class MbedTLSCli(MbedTLSBase):
437 """
438 Generate test commands for mbedTLS client.
439 """
440
441 def pre_cmd(self):
442 return ['$P_CLI',
443 'ca_file={cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
444
445 def pre_checks(self):
446 return ['requires_config_enabled MBEDTLS_SSL_CLI_C'] + super().pre_checks()
447
448 def hrr_post_checks(self, named_group):
449 ret = ['-c "received HelloRetryRequest message"']
450 ret += ['-c "selected_group ( {:d} )"'.format(NAMED_GROUP_IANA_VALUE[named_group])]
451 return ret
452
453 def post_checks(self):
454 check_strings = ["Protocol is TLSv1.3"]
455 if self._ciphers:
456 check_strings.append(
457 "server hello, chosen ciphersuite: ( {:04x} ) - {}".format(
458 CIPHER_SUITE_IANA_VALUE[self._ciphers[0]],
459 self.CIPHER_SUITE[self._ciphers[0]]))
460 if self._sig_algs:
461 check_strings.append(
462 "Certificate Verify: Signature algorithm ( {:04x} )".format(
463 SIG_ALG_IANA_VALUE[self._sig_algs[0]]))
464
465 for named_group in self._named_groups:
466 check_strings += ['NamedGroup: {named_group} ( {iana_value:x} )'.format(
467 named_group=named_group,
468 iana_value=NAMED_GROUP_IANA_VALUE[named_group])]
469
470 check_strings.append("Verifying peer X.509 certificate... ok")
471 return ['-c "{}"'.format(i) for i in check_strings]
472
473
474SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ, 'mbedTLS': MbedTLSServ}
475CLIENT_CLASSES = {'OpenSSL': OpenSSLCli, 'GnuTLS': GnuTLSCli, 'mbedTLS': MbedTLSCli}
476
477
478def generate_compat_test(client=None, server=None, cipher=None, named_group=None, sig_alg=None):
479 """
480 Generate test case with `ssl-opt.sh` format.
481 """
482 name = 'TLS 1.3 {client[0]}->{server[0]}: {cipher},{named_group},{sig_alg}'.format(
483 client=client, server=server, cipher=cipher[4:], sig_alg=sig_alg, named_group=named_group)
484
485 server_object = SERVER_CLASSES[server](ciphersuite=cipher,
486 named_group=named_group,
487 signature_algorithm=sig_alg,
488 cert_sig_alg=sig_alg)
489 client_object = CLIENT_CLASSES[client](ciphersuite=cipher,
490 named_group=named_group,
491 signature_algorithm=sig_alg,
492 cert_sig_alg=sig_alg)
493
494 cmd = ['run_test "{}"'.format(name),
495 '"{}"'.format(' '.join(server_object.cmd())),
496 '"{}"'.format(' '.join(client_object.cmd())),
497 '0']
498 cmd += server_object.post_checks()
499 cmd += client_object.post_checks()
500 cmd += ['-C "received HelloRetryRequest message"']
501 prefix = ' \\\n' + (' '*9)
502 cmd = prefix.join(cmd)
503 return '\n'.join(server_object.pre_checks() + client_object.pre_checks() + [cmd])
504
505
506def generate_hrr_compat_test(client=None, server=None,
507 client_named_group=None, server_named_group=None,
508 cert_sig_alg=None):
509 """
510 Generate Hello Retry Request test case with `ssl-opt.sh` format.
511 """
512 name = 'TLS 1.3 {client[0]}->{server[0]}: HRR {c_named_group} -> {s_named_group}'.format(
513 client=client, server=server, c_named_group=client_named_group,
514 s_named_group=server_named_group)
515 server_object = SERVER_CLASSES[server](named_group=server_named_group,
516 cert_sig_alg=cert_sig_alg)
517
518 client_object = CLIENT_CLASSES[client](named_group=client_named_group,
519 cert_sig_alg=cert_sig_alg)
520 client_object.add_named_groups(server_named_group)
521
522 cmd = ['run_test "{}"'.format(name),
523 '"{}"'.format(' '.join(server_object.cmd())),
524 '"{}"'.format(' '.join(client_object.cmd())),
525 '0']
526 cmd += server_object.post_checks()
527 cmd += client_object.post_checks()
528 cmd += server_object.hrr_post_checks(server_named_group)
529 cmd += client_object.hrr_post_checks(server_named_group)
530 prefix = ' \\\n' + (' '*9)
531 cmd = prefix.join(cmd)
532 return '\n'.join(server_object.pre_checks() +
533 client_object.pre_checks() +
534 [cmd])
535
536SSL_OUTPUT_HEADER = '''#!/bin/sh
537
538# {filename}
539#
540# Copyright The Mbed TLS Contributors
541# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
542#
543# Purpose
544#
545# List TLS1.3 compat test cases. They are generated by
546# `{cmd}`.
547#
548# PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py`
549# AND REGENERATE THIS FILE.
550#
551'''
552
553def main():
554 """
555 Main function of this program
556 """
557 parser = argparse.ArgumentParser()
558
559 parser.add_argument('-o', '--output', nargs='?',
560 default=None, help='Output file path if `-a` was set')
561
562 parser.add_argument('-a', '--generate-all-tls13-compat-tests', action='store_true',
563 default=False, help='Generate all available tls13 compat tests')
564
565 parser.add_argument('--list-ciphers', action='store_true',
566 default=False, help='List supported ciphersuites')
567
568 parser.add_argument('--list-sig-algs', action='store_true',
569 default=False, help='List supported signature algorithms')
570
571 parser.add_argument('--list-named-groups', action='store_true',
572 default=False, help='List supported named groups')
573
574 parser.add_argument('--list-servers', action='store_true',
575 default=False, help='List supported TLS servers')
576
577 parser.add_argument('--list-clients', action='store_true',
578 default=False, help='List supported TLS Clients')
579
580 parser.add_argument('server', choices=SERVER_CLASSES.keys(), nargs='?',
581 default=list(SERVER_CLASSES.keys())[0],
582 help='Choose TLS server program for test')
583 parser.add_argument('client', choices=CLIENT_CLASSES.keys(), nargs='?',
584 default=list(CLIENT_CLASSES.keys())[0],
585 help='Choose TLS client program for test')
586 parser.add_argument('cipher', choices=CIPHER_SUITE_IANA_VALUE.keys(), nargs='?',
587 default=list(CIPHER_SUITE_IANA_VALUE.keys())[0],
588 help='Choose cipher suite for test')
589 parser.add_argument('sig_alg', choices=SIG_ALG_IANA_VALUE.keys(), nargs='?',
590 default=list(SIG_ALG_IANA_VALUE.keys())[0],
591 help='Choose cipher suite for test')
592 parser.add_argument('named_group', choices=NAMED_GROUP_IANA_VALUE.keys(), nargs='?',
593 default=list(NAMED_GROUP_IANA_VALUE.keys())[0],
594 help='Choose cipher suite for test')
595
596 args = parser.parse_args()
597
598 def get_all_test_cases():
599 # Generate normal compat test cases
600 for client, server, cipher, named_group, sig_alg in \
601 itertools.product(CLIENT_CLASSES.keys(),
602 SERVER_CLASSES.keys(),
603 CIPHER_SUITE_IANA_VALUE.keys(),
604 NAMED_GROUP_IANA_VALUE.keys(),
605 SIG_ALG_IANA_VALUE.keys()):
606 if server == 'mbedTLS' or client == 'mbedTLS':
607 yield generate_compat_test(client=client, server=server,
608 cipher=cipher, named_group=named_group,
609 sig_alg=sig_alg)
610
611
612 # Generate Hello Retry Request compat test cases
613 for client, server, client_named_group, server_named_group in \
614 itertools.product(CLIENT_CLASSES.keys(),
615 SERVER_CLASSES.keys(),
616 NAMED_GROUP_IANA_VALUE.keys(),
617 NAMED_GROUP_IANA_VALUE.keys()):
618
619 if (client == 'mbedTLS' or server == 'mbedTLS') and \
620 client_named_group != server_named_group:
621 yield generate_hrr_compat_test(client=client, server=server,
622 client_named_group=client_named_group,
623 server_named_group=server_named_group,
624 cert_sig_alg="ecdsa_secp256r1_sha256")
625
626 if args.generate_all_tls13_compat_tests:
627 if args.output:
628 with open(args.output, 'w', encoding="utf-8") as f:
629 f.write(SSL_OUTPUT_HEADER.format(
630 filename=os.path.basename(args.output), cmd=' '.join(sys.argv)))
631 f.write('\n\n'.join(get_all_test_cases()))
632 f.write('\n')
633 else:
634 print('\n\n'.join(get_all_test_cases()))
635 return 0
636
637 if args.list_ciphers or args.list_sig_algs or args.list_named_groups \
638 or args.list_servers or args.list_clients:
639 if args.list_ciphers:
640 print(*CIPHER_SUITE_IANA_VALUE.keys())
641 if args.list_sig_algs:
642 print(*SIG_ALG_IANA_VALUE.keys())
643 if args.list_named_groups:
644 print(*NAMED_GROUP_IANA_VALUE.keys())
645 if args.list_servers:
646 print(*SERVER_CLASSES.keys())
647 if args.list_clients:
648 print(*CLIENT_CLASSES.keys())
649 return 0
650
651 print(generate_compat_test(server=args.server, client=args.client, sig_alg=args.sig_alg,
652 cipher=args.cipher, named_group=args.named_group))
653 return 0
654
655
656if __name__ == "__main__":
657 sys.exit(main())