Add BearSSL device test using stack stress

Run a series of SSL connection and transmission tests that stress BearSSL and its stack usage to the device tests. Modify device tests to include a possible SPIFFS generation and upload when a make_spiffs.py file is present in a test directory.
esp8266 · devyte · Nov 15, 2018 · Sep 25, 2018 · Sep 25, 2018 · Sep 25, 2018
commit 65962f48129f5e670c48afb6de5d2b14734718a8
diff --git a/tests/README.md b/tests/README.md
@@ -114,6 +114,7 @@ Some tests need to connect to WiFi AP or to the PC running the tests. In the tes
 
 Environment variables can also be used to pass some information from the test code to the host side helper. To do that, test code can set an environment variable using `setenv` C function. Then the `teardown` host side helper can obtain the value of that variable using `request_env` function defined in `mock_decorators`.
 
+A SPIFFS filesystem may be generated on the host and uploade before a test by including a file called `make_spiffs.py` in the individual test directory.
 
 ### Building and running the tests
 

diff --git a/tests/device/Makefile b/tests/device/Makefile
@@ -5,6 +5,7 @@ ESP8266_CORE_PATH ?= ../..
 BUILD_DIR ?= $(PWD)/.build
 HARDWARE_DIR ?= $(PWD)/.hardware
 ESPTOOL ?= $(ESP8266_CORE_PATH)/tools/esptool/esptool
+MKSPIFFS ?= $(ESP8266_CORE_PATH)/tools/mkspiffs/mkspiffs
 UPLOAD_PORT ?= $(shell ls /dev/tty* | grep -m 1 -i USB)
 UPLOAD_BAUD ?= 921600
 UPLOAD_BOARD ?= nodemcu
@@ -55,6 +56,16 @@ ifneq ("$(NO_BUILD)","1")
 endif
 ifneq ("$(NO_UPLOAD)","1")
 	@test -n "$(UPLOAD_PORT)" || (echo "Failed to detect upload port, please export UPLOAD_PORT manually" && exit 1)
+	@test -e $(dir $@)/make_spiffs.py && (echo "Generating and uploading SPIFFS" && \
+		(cd $(dir $@) && python ./make_spiffs.py) && \
+		$(MKSPIFFS) --create $(dir $@)data/ --size 0xFB000 \
+			--block 8192 --page 256 $(LOCAL_BUILD_DIR)/spiffs.img && \
+		$(ESPTOOL) $(UPLOAD_VERBOSE_FLAG) \
+			-cp $(UPLOAD_PORT) \
+			-cb $(UPLOAD_BAUD) \
+			-cd $(UPLOAD_BOARD) \
+			-ca 0x300000 \
+			-cf $(LOCAL_BUILD_DIR)/spiffs.img ) || (echo "No SPIFFS to upload")
 	@echo Uploading binary
 	$(SILENT)$(ESPTOOL) $(UPLOAD_VERBOSE_FLAG)  \
 		-cp $(UPLOAD_PORT) \

diff --git a/tests/device/libraries/BSTest/runner.py b/tests/device/libraries/BSTest/runner.py
@@ -132,7 +132,7 @@ def run_tests(self):
 
     def run_test(self, index):
         self.sp.sendline('{}'.format(index))
-        timeout = 10
+        timeout = 20 # 10
         while timeout > 0:
             res = self.sp.expect(['>>>>>bs_test_start', EOF, TIMEOUT])
             if res == 0:

diff --git a/tests/device/test_BearSSL/make_spiffs.py b/tests/device/test_BearSSL/make_spiffs.py
@@ -0,0 +1,66 @@
+#!/usr/bin/python
+
+# This script pulls the list of Mozilla trusted certificate authorities
+# from the web at the "mozurl" below, parses the file to grab the PEM
+# for each cert, and then generates DER files in a new ./data directory
+# Upload these to a SPIFFS filesystem and use the CertManager to parse
+# and use them for your outgoing SSL connections.
+#
+# Script by Earle F. Philhower, III.  Released to the public domain.
+
+import csv
+import os
+from subprocess import Popen, PIPE, call
+import urllib2
+try:
+    # for Python 2.x
+    from StringIO import StringIO
+except ImportError:
+    # for Python 3.x
+    from io import StringIO
+
+# Mozilla's URL for the CSV file with included PEM certs
+mozurl = "https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV"
+
+# Load the manes[] and pems[] array from the URL
+names = []
+pems = []
+response = urllib2.urlopen(mozurl)
+csvData = response.read()
+csvReader = csv.reader(StringIO(csvData))
+for row in csvReader:
+    names.append(row[0]+":"+row[1]+":"+row[2])
+    pems.append(row[28])
+del names[0] # Remove headers
+del pems[0] # Remove headers
+
+# Try and make ./data, skip if present
+try:
+    os.mkdir("data")
+except:
+    pass
+
+derFiles = []
+idx = 0
+# Process the text PEM using openssl into DER files
+for i in range(0, len(pems)):
+    certName = "data/ca_%03d.der" % (idx);
+    thisPem = pems[i].replace("'", "")
+    print names[i] + " -> " + certName
+    ssl = Popen(['openssl','x509','-inform','PEM','-outform','DER','-out', certName], shell = False, stdin = PIPE)
+    pipe = ssl.stdin
+    pipe.write(thisPem)
+    pipe.close()
+    ssl.wait()
+    if os.path.exists(certName):
+        derFiles.append(certName)
+        idx = idx + 1
+
+if os.path.exists("data/certs.ar"):
+    os.unlink("data/certs.ar");
+
+arCmd = ['ar', 'q', 'data/certs.ar'] + derFiles;
+call( arCmd )
+
+for der in derFiles:
+    os.unlink(der)
diff --git a/tests/stress/bearssl/bssl_stack_usage.ino → tests/device/test_BearSSL/test_BearSSL.ino b/tests/stress/bearssl/bssl_stack_usage.ino → tests/device/test_BearSSL/test_BearSSL.ino
@@ -8,13 +8,21 @@
 // November 2018 by Earle F. Philhower, III
 // Released to the public domain
 
+#include <Arduino.h>
+#include <BSTest.h>
 #include <ESP8266WiFi.h>
 #include <CertStoreBearSSL.h>
+#include <FS.h>
 #include <time.h>
 #include <StackThunk.h>
 
-const char *ssid = "....";
-const char *pass = "....";
+extern "C" {
+#include "user_interface.h"
+}
+
+BS_ENV_DECLARE();
+
+void setClock();
 
 // A single, global CertStore which can be used by all
 // connections.  Needs to stay live the entire time any of
@@ -25,7 +33,6 @@ BearSSL::CertStore certStore;
 // model in a future release. Expect some changes to the interface,
 // no matter what, as the SD and SPIFFS filesystem get unified.
 
-#include <FS.h>
 class SPIFFSCertStoreFile : public BearSSL::CertStoreFile {
   public:
     SPIFFSCertStoreFile(const char *name) {
@@ -59,6 +66,39 @@ class SPIFFSCertStoreFile : public BearSSL::CertStoreFile {
 SPIFFSCertStoreFile certs_idx("/certs.idx"); // Generated by the ESP8266
 SPIFFSCertStoreFile certs_ar("/certs.ar"); // Uploaded by the user
 
+
+void setup()
+{
+    Serial.begin(115200);
+    Serial.setDebugOutput(true);
+    WiFi.persistent(false);
+    WiFi.mode(WIFI_STA);
+    WiFi.begin(getenv("STA_SSID"), getenv("STA_PASS"));
+    while (WiFi.status() != WL_CONNECTED) {
+        delay(500);
+    }
+    setClock();
+    SPIFFS.begin();
+    int numCerts = certStore.initCertStore(&certs_idx, &certs_ar);
+    Serial.printf("Number of CA certs read: %d\n", numCerts);
+    if (numCerts == 0) {
+        Serial.printf("No certs found. Did you run certs-from-mozill.py and upload the SPIFFS directory before running?\n");
+        REQUIRE(1==0);
+    }
+    BS_RUN(Serial);
+}
+
+static void stopAll()
+{
+    WiFiClient::stopAll();
+}
+
+static void disconnectWiFI()
+{
+    wifi_station_disconnect();
+}
+
+
 // Set time via NTP, as required for x.509 validation
 void setClock() {
   configTime(3 * 3600, 0, "pool.ntp.org", "time.nist.gov");
@@ -120,75 +160,61 @@ void fetchURL(BearSSL::WiFiClientSecure *client, const char *host, const uint16_
   Serial.printf("\n-------\n");
 }
 
-void setup() {
-  Serial.begin(115200);
-  SPIFFS.begin();
-  Serial.println();
-  Serial.println();
-
-  // We start by connecting to a WiFi network
-  Serial.print("Connecting to ");
-  Serial.println(ssid);
-  WiFi.mode(WIFI_STA);
-  WiFi.begin(ssid, pass);
-
-  while (WiFi.status() != WL_CONNECTED) {
-    delay(500);
-    Serial.print(".");
-  }
-  Serial.println("");
 
-  Serial.println("WiFi connected");
-  Serial.println("IP address: ");
-  Serial.println(WiFi.localIP());
-
-  setClock(); // Required for X.509 validation
-
-  int numCerts = certStore.initCertStore(&certs_idx, &certs_ar);
-  Serial.printf("Number of CA certs read: %d\n", numCerts);
-  if (numCerts == 0) {
-    Serial.printf("No certs found. Did you run certs-from-mozill.py and upload the SPIFFS directory before running?\n");
-    return; // Can't connect to anything w/o certs!
-  }
+int run(const char *str)
+{
+    BearSSL::WiFiClientSecure *bear = new BearSSL::WiFiClientSecure();
+    // Integrate the cert store with this connection
+    bear->setCertStore(&certStore);
 
-  BearSSL::WiFiClientSecure *bear = new BearSSL::WiFiClientSecure();
-  // Integrate the cert store with this connection
-  bear->setCertStore(&certStore);
-  const char *badssl[] = { "ecc384", "expired", "wrong.host", "self-signed", "untrusted-root", "revoked",
-                           "pinning-test", "no-common-name", "no-subject", "incomplete-chain", "sha1-intermediate",
-                           "sha256", "sha384", "sha512", "1000-sans", "10000-sans", "ecc256", "ecc384", "rsa2048",
-                           "rsa4096", "extended-validataion", "dh480", "dh512", "dh1024", "dh2048",
-                           "dh-small-subgroup", "dh-composite", "static-rsa", "tls-v1-0", "tls-v1-1",
-                           "tls-v1-2", "invalid-expected-sct"};
-  char buff[100];
-  uint32_t maxUsage = 0;
-  for (size_t i=0; i<sizeof(badssl)/sizeof(badssl[0]); i++) {
+    char buff[100];
+    uint32_t maxUsage = 0;
     stack_thunk_repaint();
-    sprintf(buff, "%s.badssl.com", badssl[i]);
+    sprintf(buff, "%s.badssl.com", str);
     Serial.printf("%s: ", buff);
     fetchURL(bear, buff, 443, "/");
     Serial.printf("Stack: %d\n", stack_thunk_get_max_usage());
     maxUsage = std::max(maxUsage, stack_thunk_get_max_usage());
-  }
-  delete bear;
+    delete bear;
 
-  printf("\n\n\nMAX THUNK STACK USAGE: %d\n", maxUsage);
+    printf("\n\n\nMAX THUNK STACK USAGE: %d\n", maxUsage);
+    return maxUsage;
 }
 
+#define TC(x) TEST_CASE("BearSSL - Maximum stack usage < 5600 bytes @ "x".badssl.org", "[bearssl]") { REQUIRE(run(x) < 5600); }
+
+TC("expired")
+TC("wrong.host")
+TC("self-signed")
+TC("untrusted-root")
+TC("revoked")
+TC("pinning-test")
+TC("no-common-name")
+TC("no-subject")
+TC("incomplete-chain")
+TC("sha1-intermediate")
+TC("sha256")
+TC("sha384")
+TC("sha512")
+TC("1000-sans")
+// TC("10000-sans") // Runs for >10 seconds, so causes false failure.  Covered by the 1000 SAN anyway
+TC("ecc256")
+TC("ecc384")
+TC("rsa2048")
+TC("rsa4096")
+TC("extended-validation")
+TC("dh480")
+TC("dh512")
+TC("dh1024")
+TC("dh2048")
+TC("dh-small-subgroup")
+TC("dh-composite")
+TC("static-rsa")
+TC("tls-v1-0")
+TC("tls-v1-1")
+TC("tls-v1-2")
+TC("invalid-expected-sct")
+
 void loop() {
-  Serial.printf("\nPlease enter a website address (www.blah.com) to connect to: ");
-  String site;
-  do {
-    site = Serial.readString();
-  } while (site == "");
-  Serial.printf("https://%s/\n", site.c_str());
-
-  BearSSL::WiFiClientSecure *bear = new BearSSL::WiFiClientSecure();
-  // Integrate the cert store with this connection
-  bear->setCertStore(&certStore);
-  stack_thunk_repaint();
-  fetchURL(bear, site.c_str(), 443, "/");
-  Serial.printf("Stack: %d\n", stack_thunk_get_max_usage());
-  delete bear;
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -114,6 +114,7 @@ Some tests need to connect to WiFi AP or to the PC running the tests. In the tes

		Environment variables can also be used to pass some information from the test code to the host side helper. To do that, test code can set an environment variable using `setenv` C function. Then the `teardown` host side helper can obtain the value of that variable using `request_env` function defined in `mock_decorators`.

		A SPIFFS filesystem may be generated on the host and uploade before a test by including a file called `make_spiffs.py` in the individual test directory.

		### Building and running the tests

Expand Down