ssl-opt needs debug messages

Many test cases in ssl-opt.sh need error messages (MBEDTLS_ERROR_C) or SSL
traces (MBEDTLS_DEBUG_C). Some sample configurations don't include these
options. When running ssl-opt.sh on those configurations, enable the
required options. They must be listed in the config*.h file, commented out.

Run ssl-opt in the following configurations with debug options:
ccm-psk-tls1_2, ccm-psk-dtls1_2, suite-b. Skip mini-tls1_1 for now because
it requires significant improvements to ssl-opt.sh (lots of missing
requires_xxx).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

configs/config-ccm-psk-dtls1_2.h

@@ -99,6 +99,11 @@
 //#define MBEDTLS_USE_PSA_CRYPTO
 //#define MBEDTLS_PSA_CRYPTO_C
 
+/* Error messages and TLS debugging traces
+ * (huge code size increase, needed for tests/ssl-opt.sh) */
+//#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_ERROR_C
+
 #include "mbedtls/check_config.h"
 
 #endif /* MBEDTLS_CONFIG_H */

configs/config-ccm-psk-tls1_2.h

@@ -90,6 +90,11 @@
 //#define MBEDTLS_USE_PSA_CRYPTO
 //#define MBEDTLS_PSA_CRYPTO_C
 
+/* Error messages and TLS debugging traces
+ * (huge code size increase, needed for tests/ssl-opt.sh) */
+//#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_ERROR_C
+
 #include "mbedtls/check_config.h"
 
 #endif /* MBEDTLS_CONFIG_H */

configs/config-mini-tls1_1.h

@@ -82,4 +82,9 @@
 #endif
 #include "mbedtls/check_config.h"
 
+/* Error messages and TLS debugging traces
+ * (huge code size increase, needed for tests/ssl-opt.sh) */
+//#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_ERROR_C
+
 #endif /* MBEDTLS_CONFIG_H */

configs/config-suite-b.h

@@ -119,6 +119,11 @@
 #define MBEDTLS_PK_WRITE_C
 #endif
 
+/* Error messages and TLS debugging traces
+ * (huge code size increase, needed for tests/ssl-opt.sh) */
+//#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_ERROR_C
+
 #include "mbedtls/check_config.h"
 
 #endif /* MBEDTLS_CONFIG_H */

tests/scripts/test-ref-configs.pl

@@ -34,10 +34,16 @@ my %configs = (
     },
     'config-ccm-psk-dtls1_2.h' => {
         'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+        'opt' => ' ',
+        'opt_needs_debug' => 1,
         'test_again_with_use_psa' => 1
     },
     'config-mini-tls1_1.h' => {
         'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #',
+        ## Skip ssl-opt testing for now because ssl-opt.sh is missing a lot
+        ## of requires_xxx so it would try to run tests that don't apply.
+        # 'opt' => ' ',
+        # 'opt_needs_debug' => 1,
         'test_again_with_use_psa' => 1
     },
     'config-no-entropy.h' => {
@@ -45,6 +51,8 @@ my %configs = (
     'config-suite-b.h' => {
         'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
         'test_again_with_use_psa' => 1,
+        'opt' => ' ',
+        'opt_needs_debug' => 1,
     },
     'config-symmetric-only.h' => {
         'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
@@ -136,6 +144,15 @@ sub perform_test {
     my $opt = $data->{'opt'};
     if( $opt )
     {
+        if( $data->{'opt_needs_debug'} )
+        {
+            print "\nrebuilding with debug traces for ssl-opt\n";
+            system( "make clean" );
+            system( "scripts/config.py set MBEDTLS_DEBUG_C" );
+            system( "scripts/config.py set MBEDTLS_ERROR_C" );
+            system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf +debug\n";
+        }
+
         print "\nrunning ssl-opt.sh $opt\n";
         system( "tests/ssl-opt.sh $opt" )
             and abort "Failed ssl-opt.sh: $conf\n";