check_config: add missing check for TLS 1.3 key exchanges by valeriosetti · Pull Request #10650 · Mbed-TLS/mbedtls

valeriosetti · 2026-03-23T16:35:45Z

Description

Add a check to ensure that at least 1 key exchange is selected when TLS 1.3 is also enabled.

PR checklist

changelog not required because: minor, just adding a guard to a function
development PR not required because: this one
Mbed TLS 4.1 backport TODO!
TF-PSA-Crypto PR not required because: no change there
framework PR not required
3.6 PR not required because: not backported
tests not required because: no code change

ronald-cron-arm

This seems to be for a configuration where MBEDTLS_SSL_PROTO_TLS1_3 and MBEDTLS_SSL_SRV_C are defined but none of MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED and MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED.

In that case, I'd say that we rather miss in mbedtls_check_config.h for TLS 1.3 a check similar to the TLS 1.2 one:

mbedtls/library/mbedtls_check_config.h

Lines 135 to 143 in 8426c9b

    
           #if defined(MBEDTLS_SSL_PROTO_TLS1_2) &&                                    \ 
        
               !(defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                    \ 
        
                 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                  \ 
        
                 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                          \ 
        
                 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                    \ 
        
                 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ) 
        
           #error "One or more versions of the TLS protocol are enabled " \ 
        
                   "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx" 
        
           #endif

.

valeriosetti · 2026-04-21T10:16:02Z

In that case, I'd say that we rather miss in mbedtls_check_config.h for TLS 1.3 a check similar to the TLS 1.2 one:

I just reshaped the PR to implement what you proposed here ;)
I split changes into 2 commits:

the 1st one should not be ported because it changes check_config and that might not be OK for an LTS branch;
the 2nd one can be ported IMO because it's simply updating the error message.

Wdyt?

ronald-cron-arm

LGTM apart from the pre-processor error.

ronald-cron-arm · 2026-04-22T09:20:11Z

+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) &&                                    \
+    !(defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) ||    \
+      defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) ||          \
+      defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) \


Suggested change

defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) \

defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) )

When MBEDTLS_SSL_PROTO_TLS1_3 is enabled ensure that at least one of the related key exchanges is also enabled. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

Align the error message to the one used for the same check in TLS 1.3. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

valeriosetti · 2026-04-22T13:17:18Z

Since the goal of the PR changed recently, I updated the title to make it more accurate of the content of the PR

github-project-automation Bot added this to Roadmap pull requests (new board) Mar 23, 2026

github-project-automation Bot moved this to In Development in Roadmap pull requests (new board) Mar 23, 2026

valeriosetti removed this from Roadmap pull requests (new board) Mar 23, 2026

valeriosetti added this to Community Mar 23, 2026

valeriosetti moved this to Triage in in Community Mar 23, 2026

valeriosetti mentioned this pull request Mar 23, 2026

[zep fromlist] library: tls13: add guard for ssl_tls13_client_hello_has_exts() zephyrproject-rtos/mbedtls#86

Closed

valeriosetti removed the needs-ci Needs to pass CI tests label Mar 23, 2026

github-project-automation Bot added this to Roadmap pull requests (new board) Mar 23, 2026

github-project-automation Bot moved this to In Development in Roadmap pull requests (new board) Mar 23, 2026

bjwtaylor previously approved these changes Mar 26, 2026

View reviewed changes

ronald-cron-arm self-requested a review April 15, 2026 12:56

ronald-cron-arm removed the needs-reviewer This PR needs someone to pick it up for review label Apr 15, 2026

valeriosetti mentioned this pull request Apr 17, 2026

ssl_tls13_server: suppress unused function warning #10697

Closed

7 tasks

ronald-cron-arm requested changes Apr 20, 2026

View reviewed changes

valeriosetti dismissed bjwtaylor’s stale review via 319bf4d April 21, 2026 10:14

valeriosetti force-pushed the fix-tls13-guard branch from fdd3316 to 319bf4d Compare April 21, 2026 10:14

valeriosetti requested review from bjwtaylor and ronald-cron-arm April 21, 2026 10:15

ronald-cron-arm requested changes Apr 22, 2026

View reviewed changes

valeriosetti added 2 commits April 22, 2026 15:00

check_config: add check for TLS 1.3 key exchanges

5ea7720

When MBEDTLS_SSL_PROTO_TLS1_3 is enabled ensure that at least one of the related key exchanges is also enabled. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

check_config: fix error message for missing TLS 1.2 key exchanges

c3d52b9

Align the error message to the one used for the same check in TLS 1.3. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

valeriosetti force-pushed the fix-tls13-guard branch from 319bf4d to c3d52b9 Compare April 22, 2026 13:01

valeriosetti requested a review from ronald-cron-arm April 22, 2026 13:02

valeriosetti changed the title ~~library: tls13: add guard for ssl_tls13_client_hello_has_exts()~~ check_config: add missing check for TLS 1.3 key exchanges Apr 22, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

check_config: add missing check for TLS 1.3 key exchanges#10650

check_config: add missing check for TLS 1.3 key exchanges#10650
valeriosetti wants to merge 2 commits intoMbed-TLS:developmentfrom
valeriosetti:fix-tls13-guard

valeriosetti commented Mar 23, 2026 •

edited

Loading

Uh oh!

ronald-cron-arm left a comment

Uh oh!

valeriosetti commented Apr 21, 2026 •

edited

Loading

Uh oh!

ronald-cron-arm left a comment

Uh oh!

ronald-cron-arm Apr 22, 2026

Uh oh!

valeriosetti commented Apr 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
	!(defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
	defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) \|\| \
	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) \|\| \
	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
	#error "One or more versions of the TLS protocol are enabled " \
	"but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
	#endif

	defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) \
	defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) )

Conversation

valeriosetti commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

PR checklist

Uh oh!

ronald-cron-arm left a comment

Choose a reason for hiding this comment

Uh oh!

valeriosetti commented Apr 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ronald-cron-arm left a comment

Choose a reason for hiding this comment

Uh oh!

ronald-cron-arm Apr 22, 2026

Choose a reason for hiding this comment

Uh oh!

valeriosetti commented Apr 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

valeriosetti commented Mar 23, 2026 •

edited

Loading

valeriosetti commented Apr 21, 2026 •

edited

Loading