1#!/usr/bin/env python3 2 3# generate_tls13_compat_tests.py 4# 5# Copyright The Mbed TLS Contributors 6# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 7 8""" 9Generate TLSv1.3 Compat test cases 10 11""" 12 13import sys 14import os 15import argparse 16import itertools 17from collections import namedtuple 18 19# define certificates configuration entry 20Certificate = namedtuple("Certificate", ['cafile', 'certfile', 'keyfile']) 21# define the certificate parameters for signature algorithms 22CERTIFICATES = { 23 'ecdsa_secp256r1_sha256': Certificate('data_files/test-ca2.crt', 24 'data_files/ecdsa_secp256r1.crt', 25 'data_files/ecdsa_secp256r1.key'), 26 'ecdsa_secp384r1_sha384': Certificate('data_files/test-ca2.crt', 27 'data_files/ecdsa_secp384r1.crt', 28 'data_files/ecdsa_secp384r1.key'), 29 'ecdsa_secp521r1_sha512': Certificate('data_files/test-ca2.crt', 30 'data_files/ecdsa_secp521r1.crt', 31 'data_files/ecdsa_secp521r1.key'), 32 'rsa_pss_rsae_sha256': Certificate('data_files/test-ca_cat12.crt', 33 'data_files/server2-sha256.crt', 'data_files/server2.key' 34 ) 35} 36 37CIPHER_SUITE_IANA_VALUE = { 38 "TLS_AES_128_GCM_SHA256": 0x1301, 39 "TLS_AES_256_GCM_SHA384": 0x1302, 40 "TLS_CHACHA20_POLY1305_SHA256": 0x1303, 41 "TLS_AES_128_CCM_SHA256": 0x1304, 42 "TLS_AES_128_CCM_8_SHA256": 0x1305 43} 44 45SIG_ALG_IANA_VALUE = { 46 "ecdsa_secp256r1_sha256": 0x0403, 47 "ecdsa_secp384r1_sha384": 0x0503, 48 "ecdsa_secp521r1_sha512": 0x0603, 49 'rsa_pss_rsae_sha256': 0x0804, 50} 51 52NAMED_GROUP_IANA_VALUE = { 53 'secp256r1': 0x17, 54 'secp384r1': 0x18, 55 'secp521r1': 0x19, 56 'x25519': 0x1d, 57 'x448': 0x1e, 58 # Only one finite field group to keep testing time within reasonable bounds. 59 'ffdhe2048': 0x100, 60} 61 62class TLSProgram: 63 """ 64 Base class for generate server/client command. 65 """ 66 67 # pylint: disable=too-many-arguments 68 def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None, 69 cert_sig_alg=None, compat_mode=True): 70 self._ciphers = [] 71 self._sig_algs = [] 72 self._named_groups = [] 73 self._cert_sig_algs = [] 74 if ciphersuite: 75 self.add_ciphersuites(ciphersuite) 76 if named_group: 77 self.add_named_groups(named_group) 78 if signature_algorithm: 79 self.add_signature_algorithms(signature_algorithm) 80 if cert_sig_alg: 81 self.add_cert_signature_algorithms(cert_sig_alg) 82 self._compat_mode = compat_mode 83 84 # add_ciphersuites should not override by sub class 85 def add_ciphersuites(self, *ciphersuites): 86 self._ciphers.extend( 87 [cipher for cipher in ciphersuites if cipher not in self._ciphers]) 88 89 # add_signature_algorithms should not override by sub class 90 def add_signature_algorithms(self, *signature_algorithms): 91 self._sig_algs.extend( 92 [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._sig_algs]) 93 94 # add_named_groups should not override by sub class 95 def add_named_groups(self, *named_groups): 96 self._named_groups.extend( 97 [named_group for named_group in named_groups if named_group not in self._named_groups]) 98 99 # add_cert_signature_algorithms should not override by sub class 100 def add_cert_signature_algorithms(self, *signature_algorithms): 101 self._cert_sig_algs.extend( 102 [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs]) 103 104 # pylint: disable=no-self-use 105 def pre_checks(self): 106 return [] 107 108 # pylint: disable=no-self-use 109 def cmd(self): 110 if not self._cert_sig_algs: 111 self._cert_sig_algs = list(CERTIFICATES.keys()) 112 return self.pre_cmd() 113 114 # pylint: disable=no-self-use 115 def post_checks(self): 116 return [] 117 118 # pylint: disable=no-self-use 119 def pre_cmd(self): 120 return ['false'] 121 122 # pylint: disable=unused-argument,no-self-use 123 def hrr_post_checks(self, named_group): 124 return [] 125 126 127class OpenSSLBase(TLSProgram): 128 """ 129 Generate base test commands for OpenSSL. 130 """ 131 132 NAMED_GROUP = { 133 'secp256r1': 'P-256', 134 'secp384r1': 'P-384', 135 'secp521r1': 'P-521', 136 'x25519': 'X25519', 137 'x448': 'X448', 138 'ffdhe2048': 'ffdhe2048', 139 } 140 141 def cmd(self): 142 ret = super().cmd() 143 144 if self._ciphers: 145 ciphersuites = ':'.join(self._ciphers) 146 ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites)] 147 148 if self._sig_algs: 149 signature_algorithms = set(self._sig_algs + self._cert_sig_algs) 150 signature_algorithms = ':'.join(signature_algorithms) 151 ret += ["-sigalgs {signature_algorithms}".format( 152 signature_algorithms=signature_algorithms)] 153 154 if self._named_groups: 155 named_groups = ':'.join( 156 map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups)) 157 ret += ["-groups {named_groups}".format(named_groups=named_groups)] 158 159 ret += ['-msg -tls1_3'] 160 if not self._compat_mode: 161 ret += ['-no_middlebox'] 162 163 return ret 164 165 def pre_checks(self): 166 ret = ["requires_openssl_tls1_3"] 167 168 # ffdh groups require at least openssl 3.0 169 ffdh_groups = ['ffdhe2048'] 170 171 if any(x in ffdh_groups for x in self._named_groups): 172 ret = ["requires_openssl_tls1_3_with_ffdh"] 173 174 return ret 175 176 177class OpenSSLServ(OpenSSLBase): 178 """ 179 Generate test commands for OpenSSL server. 180 """ 181 182 def cmd(self): 183 ret = super().cmd() 184 ret += ['-num_tickets 0 -no_resume_ephemeral -no_cache'] 185 return ret 186 187 def post_checks(self): 188 return ['-c "HTTP/1.0 200 ok"'] 189 190 def pre_cmd(self): 191 ret = ['$O_NEXT_SRV_NO_CERT'] 192 for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs): 193 ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)] 194 return ret 195 196 197class OpenSSLCli(OpenSSLBase): 198 """ 199 Generate test commands for OpenSSL client. 200 """ 201 202 def pre_cmd(self): 203 return ['$O_NEXT_CLI_NO_CERT', 204 '-CAfile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)] 205 206 207class GnuTLSBase(TLSProgram): 208 """ 209 Generate base test commands for GnuTLS. 210 """ 211 212 CIPHER_SUITE = { 213 'TLS_AES_256_GCM_SHA384': [ 214 'AES-256-GCM', 215 'SHA384', 216 'AEAD'], 217 'TLS_AES_128_GCM_SHA256': [ 218 'AES-128-GCM', 219 'SHA256', 220 'AEAD'], 221 'TLS_CHACHA20_POLY1305_SHA256': [ 222 'CHACHA20-POLY1305', 223 'SHA256', 224 'AEAD'], 225 'TLS_AES_128_CCM_SHA256': [ 226 'AES-128-CCM', 227 'SHA256', 228 'AEAD'], 229 'TLS_AES_128_CCM_8_SHA256': [ 230 'AES-128-CCM-8', 231 'SHA256', 232 'AEAD']} 233 234 SIGNATURE_ALGORITHM = { 235 'ecdsa_secp256r1_sha256': ['SIGN-ECDSA-SECP256R1-SHA256'], 236 'ecdsa_secp521r1_sha512': ['SIGN-ECDSA-SECP521R1-SHA512'], 237 'ecdsa_secp384r1_sha384': ['SIGN-ECDSA-SECP384R1-SHA384'], 238 'rsa_pss_rsae_sha256': ['SIGN-RSA-PSS-RSAE-SHA256']} 239 240 NAMED_GROUP = { 241 'secp256r1': ['GROUP-SECP256R1'], 242 'secp384r1': ['GROUP-SECP384R1'], 243 'secp521r1': ['GROUP-SECP521R1'], 244 'x25519': ['GROUP-X25519'], 245 'x448': ['GROUP-X448'], 246 'ffdhe2048': ['GROUP-FFDHE2048'], 247 } 248 249 def pre_checks(self): 250 return ["requires_gnutls_tls1_3", 251 "requires_gnutls_next_no_ticket", 252 "requires_gnutls_next_disable_tls13_compat", ] 253 254 def cmd(self): 255 ret = super().cmd() 256 257 priority_string_list = [] 258 259 def update_priority_string_list(items, map_table): 260 for item in items: 261 for i in map_table[item]: 262 if i not in priority_string_list: 263 yield i 264 265 if self._ciphers: 266 priority_string_list.extend(update_priority_string_list( 267 self._ciphers, self.CIPHER_SUITE)) 268 else: 269 priority_string_list.extend(['CIPHER-ALL', 'MAC-ALL']) 270 271 if self._sig_algs: 272 signature_algorithms = set(self._sig_algs + self._cert_sig_algs) 273 priority_string_list.extend(update_priority_string_list( 274 signature_algorithms, self.SIGNATURE_ALGORITHM)) 275 else: 276 priority_string_list.append('SIGN-ALL') 277 278 279 if self._named_groups: 280 priority_string_list.extend(update_priority_string_list( 281 self._named_groups, self.NAMED_GROUP)) 282 else: 283 priority_string_list.append('GROUP-ALL') 284 285 priority_string_list = ['NONE'] + \ 286 priority_string_list + ['VERS-TLS1.3'] 287 288 priority_string = ':+'.join(priority_string_list) 289 priority_string += ':%NO_TICKETS' 290 291 if not self._compat_mode: 292 priority_string += [':%DISABLE_TLS13_COMPAT_MODE'] 293 294 ret += ['--priority={priority_string}'.format( 295 priority_string=priority_string)] 296 return ret 297 298class GnuTLSServ(GnuTLSBase): 299 """ 300 Generate test commands for GnuTLS server. 301 """ 302 303 def pre_cmd(self): 304 ret = ['$G_NEXT_SRV_NO_CERT', '--http', '--disable-client-cert', '--debug=4'] 305 306 for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs): 307 ret += ['--x509certfile {cert} --x509keyfile {key}'.format( 308 cert=cert, key=key)] 309 return ret 310 311 def post_checks(self): 312 return ['-c "HTTP/1.0 200 OK"'] 313 314 315class GnuTLSCli(GnuTLSBase): 316 """ 317 Generate test commands for GnuTLS client. 318 """ 319 320 def pre_cmd(self): 321 return ['$G_NEXT_CLI_NO_CERT', '--debug=4', '--single-key-share', 322 '--x509cafile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)] 323 324 325class MbedTLSBase(TLSProgram): 326 """ 327 Generate base test commands for mbedTLS. 328 """ 329 330 CIPHER_SUITE = { 331 'TLS_AES_256_GCM_SHA384': 'TLS1-3-AES-256-GCM-SHA384', 332 'TLS_AES_128_GCM_SHA256': 'TLS1-3-AES-128-GCM-SHA256', 333 'TLS_CHACHA20_POLY1305_SHA256': 'TLS1-3-CHACHA20-POLY1305-SHA256', 334 'TLS_AES_128_CCM_SHA256': 'TLS1-3-AES-128-CCM-SHA256', 335 'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'} 336 337 def cmd(self): 338 ret = super().cmd() 339 ret += ['debug_level=4'] 340 341 342 if self._ciphers: 343 ciphers = ','.join( 344 map(lambda cipher: self.CIPHER_SUITE[cipher], self._ciphers)) 345 ret += ["force_ciphersuite={ciphers}".format(ciphers=ciphers)] 346 347 if self._sig_algs + self._cert_sig_algs: 348 ret += ['sig_algs={sig_algs}'.format( 349 sig_algs=','.join(set(self._sig_algs + self._cert_sig_algs)))] 350 351 if self._named_groups: 352 named_groups = ','.join(self._named_groups) 353 ret += ["groups={named_groups}".format(named_groups=named_groups)] 354 return ret 355 356 #pylint: disable=missing-function-docstring 357 def add_ffdh_group_requirements(self, requirement_list): 358 if 'ffdhe2048' in self._named_groups: 359 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') 360 if 'ffdhe3072' in self._named_groups: 361 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') 362 if 'ffdhe4096' in self._named_groups: 363 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') 364 if 'ffdhe6144' in self._named_groups: 365 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') 366 if 'ffdhe8192' in self._named_groups: 367 requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048') 368 369 def pre_checks(self): 370 ret = ['requires_config_enabled MBEDTLS_DEBUG_C', 371 'requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED'] 372 373 if self._compat_mode: 374 ret += ['requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE'] 375 376 if 'rsa_pss_rsae_sha256' in self._sig_algs + self._cert_sig_algs: 377 ret.append( 378 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT') 379 380 ec_groups = ['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448'] 381 ffdh_groups = ['ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192'] 382 383 if any(x in ec_groups for x in self._named_groups): 384 ret.append('requires_config_enabled PSA_WANT_ALG_ECDH') 385 386 if any(x in ffdh_groups for x in self._named_groups): 387 ret.append('requires_config_enabled PSA_WANT_ALG_FFDH') 388 self.add_ffdh_group_requirements(ret) 389 390 return ret 391 392 393class MbedTLSServ(MbedTLSBase): 394 """ 395 Generate test commands for mbedTLS server. 396 """ 397 398 def cmd(self): 399 ret = super().cmd() 400 ret += ['tls13_kex_modes=ephemeral cookies=0 tickets=0'] 401 return ret 402 403 def pre_checks(self): 404 return ['requires_config_enabled MBEDTLS_SSL_SRV_C'] + super().pre_checks() 405 406 def post_checks(self): 407 check_strings = ["Protocol is TLSv1.3"] 408 if self._ciphers: 409 check_strings.append( 410 "server hello, chosen ciphersuite: {} ( id={:04d} )".format( 411 self.CIPHER_SUITE[self._ciphers[0]], 412 CIPHER_SUITE_IANA_VALUE[self._ciphers[0]])) 413 if self._sig_algs: 414 check_strings.append( 415 "received signature algorithm: 0x{:x}".format( 416 SIG_ALG_IANA_VALUE[self._sig_algs[0]])) 417 418 for named_group in self._named_groups: 419 check_strings += ['got named group: {named_group}({iana_value:04x})'.format( 420 named_group=named_group, 421 iana_value=NAMED_GROUP_IANA_VALUE[named_group])] 422 423 check_strings.append("Certificate verification was skipped") 424 return ['-s "{}"'.format(i) for i in check_strings] 425 426 def pre_cmd(self): 427 ret = ['$P_SRV'] 428 for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs): 429 ret += ['crt_file={cert} key_file={key}'.format(cert=cert, key=key)] 430 return ret 431 432 def hrr_post_checks(self, named_group): 433 return ['-s "HRR selected_group: {:s}"'.format(named_group)] 434 435 436class MbedTLSCli(MbedTLSBase): 437 """ 438 Generate test commands for mbedTLS client. 439 """ 440 441 def pre_cmd(self): 442 return ['$P_CLI', 443 'ca_file={cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)] 444 445 def pre_checks(self): 446 return ['requires_config_enabled MBEDTLS_SSL_CLI_C'] + super().pre_checks() 447 448 def hrr_post_checks(self, named_group): 449 ret = ['-c "received HelloRetryRequest message"'] 450 ret += ['-c "selected_group ( {:d} )"'.format(NAMED_GROUP_IANA_VALUE[named_group])] 451 return ret 452 453 def post_checks(self): 454 check_strings = ["Protocol is TLSv1.3"] 455 if self._ciphers: 456 check_strings.append( 457 "server hello, chosen ciphersuite: ( {:04x} ) - {}".format( 458 CIPHER_SUITE_IANA_VALUE[self._ciphers[0]], 459 self.CIPHER_SUITE[self._ciphers[0]])) 460 if self._sig_algs: 461 check_strings.append( 462 "Certificate Verify: Signature algorithm ( {:04x} )".format( 463 SIG_ALG_IANA_VALUE[self._sig_algs[0]])) 464 465 for named_group in self._named_groups: 466 check_strings += ['NamedGroup: {named_group} ( {iana_value:x} )'.format( 467 named_group=named_group, 468 iana_value=NAMED_GROUP_IANA_VALUE[named_group])] 469 470 check_strings.append("Verifying peer X.509 certificate... ok") 471 return ['-c "{}"'.format(i) for i in check_strings] 472 473 474SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ, 'mbedTLS': MbedTLSServ} 475CLIENT_CLASSES = {'OpenSSL': OpenSSLCli, 'GnuTLS': GnuTLSCli, 'mbedTLS': MbedTLSCli} 476 477 478def generate_compat_test(client=None, server=None, cipher=None, named_group=None, sig_alg=None): 479 """ 480 Generate test case with `ssl-opt.sh` format. 481 """ 482 name = 'TLS 1.3 {client[0]}->{server[0]}: {cipher},{named_group},{sig_alg}'.format( 483 client=client, server=server, cipher=cipher[4:], sig_alg=sig_alg, named_group=named_group) 484 485 server_object = SERVER_CLASSES[server](ciphersuite=cipher, 486 named_group=named_group, 487 signature_algorithm=sig_alg, 488 cert_sig_alg=sig_alg) 489 client_object = CLIENT_CLASSES[client](ciphersuite=cipher, 490 named_group=named_group, 491 signature_algorithm=sig_alg, 492 cert_sig_alg=sig_alg) 493 494 cmd = ['run_test "{}"'.format(name), 495 '"{}"'.format(' '.join(server_object.cmd())), 496 '"{}"'.format(' '.join(client_object.cmd())), 497 '0'] 498 cmd += server_object.post_checks() 499 cmd += client_object.post_checks() 500 cmd += ['-C "received HelloRetryRequest message"'] 501 prefix = ' \\\n' + (' '*9) 502 cmd = prefix.join(cmd) 503 return '\n'.join(server_object.pre_checks() + client_object.pre_checks() + [cmd]) 504 505 506def generate_hrr_compat_test(client=None, server=None, 507 client_named_group=None, server_named_group=None, 508 cert_sig_alg=None): 509 """ 510 Generate Hello Retry Request test case with `ssl-opt.sh` format. 511 """ 512 name = 'TLS 1.3 {client[0]}->{server[0]}: HRR {c_named_group} -> {s_named_group}'.format( 513 client=client, server=server, c_named_group=client_named_group, 514 s_named_group=server_named_group) 515 server_object = SERVER_CLASSES[server](named_group=server_named_group, 516 cert_sig_alg=cert_sig_alg) 517 518 client_object = CLIENT_CLASSES[client](named_group=client_named_group, 519 cert_sig_alg=cert_sig_alg) 520 client_object.add_named_groups(server_named_group) 521 522 cmd = ['run_test "{}"'.format(name), 523 '"{}"'.format(' '.join(server_object.cmd())), 524 '"{}"'.format(' '.join(client_object.cmd())), 525 '0'] 526 cmd += server_object.post_checks() 527 cmd += client_object.post_checks() 528 cmd += server_object.hrr_post_checks(server_named_group) 529 cmd += client_object.hrr_post_checks(server_named_group) 530 prefix = ' \\\n' + (' '*9) 531 cmd = prefix.join(cmd) 532 return '\n'.join(server_object.pre_checks() + 533 client_object.pre_checks() + 534 [cmd]) 535 536SSL_OUTPUT_HEADER = '''#!/bin/sh 537 538# {filename} 539# 540# Copyright The Mbed TLS Contributors 541# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 542# 543# Purpose 544# 545# List TLS1.3 compat test cases. They are generated by 546# `{cmd}`. 547# 548# PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py` 549# AND REGENERATE THIS FILE. 550# 551''' 552 553def main(): 554 """ 555 Main function of this program 556 """ 557 parser = argparse.ArgumentParser() 558 559 parser.add_argument('-o', '--output', nargs='?', 560 default=None, help='Output file path if `-a` was set') 561 562 parser.add_argument('-a', '--generate-all-tls13-compat-tests', action='store_true', 563 default=False, help='Generate all available tls13 compat tests') 564 565 parser.add_argument('--list-ciphers', action='store_true', 566 default=False, help='List supported ciphersuites') 567 568 parser.add_argument('--list-sig-algs', action='store_true', 569 default=False, help='List supported signature algorithms') 570 571 parser.add_argument('--list-named-groups', action='store_true', 572 default=False, help='List supported named groups') 573 574 parser.add_argument('--list-servers', action='store_true', 575 default=False, help='List supported TLS servers') 576 577 parser.add_argument('--list-clients', action='store_true', 578 default=False, help='List supported TLS Clients') 579 580 parser.add_argument('server', choices=SERVER_CLASSES.keys(), nargs='?', 581 default=list(SERVER_CLASSES.keys())[0], 582 help='Choose TLS server program for test') 583 parser.add_argument('client', choices=CLIENT_CLASSES.keys(), nargs='?', 584 default=list(CLIENT_CLASSES.keys())[0], 585 help='Choose TLS client program for test') 586 parser.add_argument('cipher', choices=CIPHER_SUITE_IANA_VALUE.keys(), nargs='?', 587 default=list(CIPHER_SUITE_IANA_VALUE.keys())[0], 588 help='Choose cipher suite for test') 589 parser.add_argument('sig_alg', choices=SIG_ALG_IANA_VALUE.keys(), nargs='?', 590 default=list(SIG_ALG_IANA_VALUE.keys())[0], 591 help='Choose cipher suite for test') 592 parser.add_argument('named_group', choices=NAMED_GROUP_IANA_VALUE.keys(), nargs='?', 593 default=list(NAMED_GROUP_IANA_VALUE.keys())[0], 594 help='Choose cipher suite for test') 595 596 args = parser.parse_args() 597 598 def get_all_test_cases(): 599 # Generate normal compat test cases 600 for client, server, cipher, named_group, sig_alg in \ 601 itertools.product(CLIENT_CLASSES.keys(), 602 SERVER_CLASSES.keys(), 603 CIPHER_SUITE_IANA_VALUE.keys(), 604 NAMED_GROUP_IANA_VALUE.keys(), 605 SIG_ALG_IANA_VALUE.keys()): 606 if server == 'mbedTLS' or client == 'mbedTLS': 607 yield generate_compat_test(client=client, server=server, 608 cipher=cipher, named_group=named_group, 609 sig_alg=sig_alg) 610 611 612 # Generate Hello Retry Request compat test cases 613 for client, server, client_named_group, server_named_group in \ 614 itertools.product(CLIENT_CLASSES.keys(), 615 SERVER_CLASSES.keys(), 616 NAMED_GROUP_IANA_VALUE.keys(), 617 NAMED_GROUP_IANA_VALUE.keys()): 618 619 if (client == 'mbedTLS' or server == 'mbedTLS') and \ 620 client_named_group != server_named_group: 621 yield generate_hrr_compat_test(client=client, server=server, 622 client_named_group=client_named_group, 623 server_named_group=server_named_group, 624 cert_sig_alg="ecdsa_secp256r1_sha256") 625 626 if args.generate_all_tls13_compat_tests: 627 if args.output: 628 with open(args.output, 'w', encoding="utf-8") as f: 629 f.write(SSL_OUTPUT_HEADER.format( 630 filename=os.path.basename(args.output), cmd=' '.join(sys.argv))) 631 f.write('\n\n'.join(get_all_test_cases())) 632 f.write('\n') 633 else: 634 print('\n\n'.join(get_all_test_cases())) 635 return 0 636 637 if args.list_ciphers or args.list_sig_algs or args.list_named_groups \ 638 or args.list_servers or args.list_clients: 639 if args.list_ciphers: 640 print(*CIPHER_SUITE_IANA_VALUE.keys()) 641 if args.list_sig_algs: 642 print(*SIG_ALG_IANA_VALUE.keys()) 643 if args.list_named_groups: 644 print(*NAMED_GROUP_IANA_VALUE.keys()) 645 if args.list_servers: 646 print(*SERVER_CLASSES.keys()) 647 if args.list_clients: 648 print(*CLIENT_CLASSES.keys()) 649 return 0 650 651 print(generate_compat_test(server=args.server, client=args.client, sig_alg=args.sig_alg, 652 cipher=args.cipher, named_group=args.named_group)) 653 return 0 654 655 656if __name__ == "__main__": 657 sys.exit(main()) 658