Improve debug log enablement in unit tests

programs/Makefile

@@ -62,6 +62,7 @@ APPS = \
 	test/query_compile_time_config \
 	test/query_included_headers \
 	test/selftest \
+	test/ssl_unit_test_debug \
 	test/udp_proxy \
 	test/zeroize \
 	util/pem2der \
@@ -272,6 +273,10 @@ test/selftest$(EXEXT): test/selftest.c $(DEP)
 	echo "  CC    test/selftest.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/selftest.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
+test/ssl_unit_test_debug$(EXEXT): test/ssl_unit_test_debug.c $(DEP)
+	echo "  CC    test/selftest.c"
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I../library -I../tf-psa-crypto/core -I../tf-psa-crypto/drivers/builtin/src test/ssl_unit_test_debug.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
 test/udp_proxy$(EXEXT): test/udp_proxy.c $(DEP)
 	echo "  CC    test/udp_proxy.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/udp_proxy.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@

programs/test/CMakeLists.txt

@@ -7,6 +7,7 @@ set(executables
     query_compile_time_config
     query_included_headers
     selftest
+    ssl_unit_test_debug
     udp_proxy
     zeroize
 )
@@ -83,6 +84,9 @@ foreach(exe IN LISTS executables)
             ${MBEDTLS_FRAMEWORK_DIR}/tests/programs/query_config.h
             ${CMAKE_CURRENT_BINARY_DIR}/query_config.c)
     endif()
+    if(exe STREQUAL "ssl_unit_test_debug")
+        list(APPEND extra_sources $<TARGET_OBJECTS:mbedtls_test_helpers>)
+    endif()
     add_executable(${exe} ${source} $<TARGET_OBJECTS:mbedtls_test>
         ${extra_sources})
     set_base_compile_options(${exe})
@@ -101,6 +105,12 @@ foreach(exe IN LISTS executables)
     target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
 endforeach()
 
+target_include_directories(ssl_unit_test_debug
+    PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include
+    PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include
+    PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include
+    PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/drivers/builtin/include)
+
 install(TARGETS ${executables}
         DESTINATION "bin"
         PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

programs/test/ssl_unit_test_debug.c

@@ -0,0 +1,60 @@
+/*
+ *  Test the debug facility in SSL unit tests.
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/* Not needed directly by this program, but needed by internal headers
+ * included by test helper headers. */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include <mbedtls/build_info.h>
+#include <mbedtls/platform.h>
+
+#if !defined(MBEDTLS_DEBUG_C) ||                         \
+    !defined(MBEDTLS_SSL_CLI_C) ||                       \
+    !defined(MBEDTLS_SSL_SRV_C) ||                       \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2) ||                \
+    !defined(PSA_WANT_ALG_ECDSA) ||                      \
+    !defined(PSA_WANT_ALG_ECDH) ||                       \
+    !defined(PSA_WANT_ECC_SECP_R1_256) ||                \
+    !defined(PSA_WANT_ALG_SHA_256) ||                    \
+    !defined(PSA_WANT_ALG_CHACHA20_POLY1305) ||          \
+    !defined(MBEDTLS_PSA_CRYPTO_C)
+int main(void)
+{
+    mbedtls_printf("This program is unusable in this configuration.\n");
+    mbedtls_exit(0);
+}
+#else
+
+#include <stdlib.h>
+#include <mbedtls/debug.h>
+#include <test/ssl_helpers.h>
+
+int main(int argc, char *argv[])
+{
+    if (argc < 2) {
+        mbedtls_printf("Usage: ssl_unit_test_debug THRESHOLD\n");
+        mbedtls_exit(2);
+    }
+    int threshold = atoi(argv[1]);
+
+    mbedtls_test_handshake_test_options options;
+    mbedtls_test_init_handshake_options(&options);
+    options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
+    options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
+    options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
+
+    if (threshold >= 0) {
+        mbedtls_test_ssl_debug_stdout_threshold = threshold;
+    }
+
+    mbedtls_test_ssl_perform_handshake(&options);
+
+    mbedtls_test_free_handshake_options(&options);
+    mbedtls_exit(0);
+}
+
+#endif /* configuration allows running this program */

programs/test/ssl_unit_test_debug_demo.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+. "${0%/*}/../../framework/scripts/demo_common.sh"
+
+msg <<'EOF'
+This script tests that SSL debugging logs are working in unit tests.
+EOF
+
+# Expected dependencies
+depends_on MBEDTLS_DEBUG_C MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
+# Dependencies due to test helper limitations (could be partly relaxed with
+# some work)
+depends_on PSA_WANT_ALG_ECDSA PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_256
+depends_on PSA_WANT_ALG_SHA_256 PSA_WANT_ALG_CHACHA20_POLY1305
+
+program="${0%/*}"/ssl_unit_test_debug
+tmp_out="$program.out"
+files_to_clean="$tmp_out"
+
+go () {
+    "$program" "$@" >"$tmp_out"
+}
+
+check_log () {
+    run "Check for a level $1 $2 log" \
+        grep -q -E "^$2: [^ ]+: \\|$1\\| " "$tmp_out"
+}
+
+check_no_log () {
+    run "Check the absence of a level $1 log" \
+        grep -L ": \\|$1\\| " "$tmp_out"
+}
+
+run "Run with the default settings" go -1
+run "Check that stdout is empty" test ! -s "$tmp_out"
+
+run "Run with threshold=0" go 0
+run "Check that stdout is empty" test ! -s "$tmp_out"
+
+run "Run with threshold=1" go 1
+check_log 1 Client
+check_log 1 Server
+check_no_log 2
+
+run "Run with threshold=4" go 4
+check_log 1 Client
+check_log 4 Client
+check_log 1 Server
+check_log 4 Server
+
+cleanup

tests/include/test/ssl_helpers.h

@@ -117,10 +117,11 @@ typedef struct mbedtls_test_handshake_test_options {
     int expected_srv_fragments;
     int renegotiate;
     int legacy_renegotiation;
-    void *srv_log_obj;
-    void *cli_log_obj;
-    void (*srv_log_fun)(void *, int, const char *, int, const char *);
-    void (*cli_log_fun)(void *, int, const char *, int, const char *);
+#if defined(MBEDTLS_DEBUG_C)
+    int debug_threshold;
+    const char *srv_log_pattern;
+    const char *cli_log_pattern;
+#endif
     int resize_buffers;
     int early_data;
     int max_early_data_size;
@@ -195,6 +196,10 @@ typedef struct mbedtls_test_ssl_endpoint {
     mbedtls_ssl_config conf;
     mbedtls_test_mock_socket socket;
     uintptr_t user_data_cookie; /* A unique value associated with this endpoint */
+#if defined(MBEDTLS_DEBUG_C)
+    mbedtls_test_ssl_log_pattern log_pattern;
+    int debug_threshold;
+#endif /* MBEDTLS_DEBUG_C */
 
     /* Objects only used by DTLS.
      * They should be guarded by MBEDTLS_SSL_PROTO_DTLS, but
@@ -221,14 +226,29 @@ typedef struct mbedtls_test_ssl_endpoint {
  */
 int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len);
 
-/*
- * This function can be passed to mbedtls to receive output logs from it. In
- * this case, it will count the instances of a mbedtls_test_ssl_log_pattern
- * in the received logged messages.
+#if defined(MBEDTLS_DEBUG_C)
+/** Debug handler passed to mbedtls_ssl_conf_dbg().
+ *
+ * \p ctx is the #mbedtls_test_ssl_endpoint structure.
+ *
+ * \note This function is meant to be called unconditionally
+ *       (in particular, regardless of the log level).
+ *       It can optionally make logs available for debugging.
+ *       Inspection, e.g. through log patterns, is conditional on the
+ *       level being at least the `debug_threshold` configured in the
+ *       endpoint.
+ */
+void mbedtls_test_ssl_debug_handler(void *ctx, int level,
+                                    const char *file, int line,
+                                    const char *msg);
+
+/** Debug messages up to this level are printed to stdout.
+ *
+ * \note In unit tests, you need to run the test suite with `-v`,
+ *       otherwise stdout is suppressed.
  */
-void mbedtls_test_ssl_log_analyzer(void *ctx, int level,
-                                   const char *file, int line,
-                                   const char *str);
+extern int mbedtls_test_ssl_debug_stdout_threshold;
+#endif /* MBEDTLS_DEBUG_C */
 
 void mbedtls_test_init_handshake_options(
     mbedtls_test_handshake_test_options *opts);