ssl-opt needs debug messages
Many test cases in ssl-opt.sh need error messages (MBEDTLS_ERROR_C) or SSL
traces (MBEDTLS_DEBUG_C). Some sample configurations don't include these
options. When running ssl-opt.sh on those configurations, enable the
required options. They must be listed in the config*.h file, commented out.
Run ssl-opt in the following configurations with debug options:
ccm-psk-tls1_2, ccm-psk-dtls1_2, suite-b. Skip mini-tls1_1 for now because
it requires significant improvements to ssl-opt.sh (lots of missing
requires_xxx).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h
index 9150e05..0be4f05 100644
--- a/configs/config-ccm-psk-dtls1_2.h
+++ b/configs/config-ccm-psk-dtls1_2.h
@@ -99,6 +99,11 @@
//#define MBEDTLS_USE_PSA_CRYPTO
//#define MBEDTLS_PSA_CRYPTO_C
+/* Error messages and TLS debugging traces
+ * (huge code size increase, needed for tests/ssl-opt.sh) */
+//#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_ERROR_C
+
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_CONFIG_H */
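Review bot: The added comment warns only about code size, but these sample configurations get copied into products, and MBEDTLS_DEBUG_C also compiles in the SSL trace calls. As far as I know, those traces can include handshake internals such as key material once an application installs a debug callback with a high threshold. I would extend the comment to say so, for example `* (huge code size increase, needed for tests/ssl-opt.sh; for test builds only, traces can expose handshake secrets) */`. The same comment text is added in config-ccm-psk-tls1_2.h, config-mini-tls1_1.h and config-suite-b.h.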
diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index 0e8f570..ca1e6c9 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -90,6 +90,11 @@
//#define MBEDTLS_USE_PSA_CRYPTO
//#define MBEDTLS_PSA_CRYPTO_C
+/* Error messages and TLS debugging traces
+ * (huge code size increase, needed for tests/ssl-opt.sh) */
+//#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_ERROR_C
+
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_CONFIG_H */
diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h
index 9092829..78e31d5 100644
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@@ -82,4 +82,9 @@
#endif
#include "mbedtls/check_config.h"
+/* Error messages and TLS debugging traces
+ * (huge code size increase, needed for tests/ssl-opt.sh) */
+//#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_ERROR_C
+
#endif /* MBEDTLS_CONFIG_H */
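Review bot: In this file the commented-out `MBEDTLS_DEBUG_C` / `MBEDTLS_ERROR_C` lines are added after `#include "mbedtls/check_config.h"`, whereas the other three configurations place them before it. If the options are later uncommented here (by hand or by scripts/config.py), check_config.h has already been processed, so its consistency checks would not see them. Moving the block above the include would keep this file in line with the others. The ssl-opt run for this configuration is still disabled in test-ref-configs.pl, so nothing exercises this ordering yet.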
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index 05f14c8..3923ec0 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -119,6 +119,11 @@
#define MBEDTLS_PK_WRITE_C
#endif
+/* Error messages and TLS debugging traces
+ * (huge code size increase, needed for tests/ssl-opt.sh) */
+//#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_ERROR_C
+
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_CONFIG_H */
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index 339a8ea..53833b1 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -34,10 +34,16 @@
},
'config-ccm-psk-dtls1_2.h' => {
'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+ 'opt' => ' ',
+ 'opt_needs_debug' => 1,
'test_again_with_use_psa' => 1
},
'config-mini-tls1_1.h' => {
'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #',
+ ## Skip ssl-opt testing for now because ssl-opt.sh is missing a lot
+ ## of requires_xxx so it would try to run tests that don't apply.
+ # 'opt' => ' ',
+ # 'opt_needs_debug' => 1,
'test_again_with_use_psa' => 1
},
'config-no-entropy.h' => {
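Review bot: `'opt' => ' '` relies on a single space being a true string, so that the `if( $opt )` test in the run loop fires while ssl-opt.sh receives no extra arguments. Someone tidying this to `''` would silently switch the ssl-opt run off for that configuration. A comment at the first use would make the intent explicit, for example `# ' ' (true but empty): run ssl-opt.sh with no extra arguments`. The same value is used for config-suite-b.h in the next hunk. The new `opt_needs_debug` key also deserves a line of description wherever the per-config keys are documented; the hash definition starts and ends outside this hunk.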
@@ -45,6 +51,8 @@
'config-suite-b.h' => {
'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
'test_again_with_use_psa' => 1,
+ 'opt' => ' ',
+ 'opt_needs_debug' => 1,
},
'config-symmetric-only.h' => {
'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
@@ -136,6 +144,15 @@
my $opt = $data->{'opt'};
if( $opt )
{
+ if( $data->{'opt_needs_debug'} )
+ {
+ print "\nrebuilding with debug traces for ssl-opt\n";
+ system( "make clean" );
+ system( "scripts/config.py set MBEDTLS_DEBUG_C" );
+ system( "scripts/config.py set MBEDTLS_ERROR_C" );
+ system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf +debug\n";
+ }
+
print "\nrunning ssl-opt.sh $opt\n";
system( "tests/ssl-opt.sh $opt" )
and abort "Failed ssl-opt.sh: $conf\n";
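Review bot: The three preparatory `system()` calls in the new `opt_needs_debug` branch (`make clean` and both `scripts/config.py set ...`) ignore their exit status, so a failed config.py call leaves a build without traces. ssl-opt.sh would then fail or skip cases for a reason the log does not point to. I would give them the same treatment as the build line, for example `system( "scripts/config.py set MBEDTLS_DEBUG_C" ) and abort "Failed to enable MBEDTLS_DEBUG_C: $conf\n";`, and likewise for MBEDTLS_ERROR_C. It is also worth confirming that the configuration file is restored before any later pass over the same config (the `test_again_with_use_psa` run is not visible in this hunk), since otherwise that pass would build with the debug options still set. The enclosing loop body starts and ends outside the hunk.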