
TLS 1.3 can be enabled without any cipher suite

Open gilles-peskine-arm opened this issue 8 months ago • 3 comments

It is possible to enable TLS 1.3 (MBEDTLS_SSL_PROTO_TLS1_3), but make it effectively impossible by not enabling any cipher suite. All TLS 1.3 cipher suites require one of AES+GCM or AES+CCM or ChachaPoly, as well as the matching hash among SHA-256 and SHA-384. For example, depends.py PSA_WANT_KEY_TYPE_ARIA (depends.py MBEDTLS_ARIA_C in 3.6) makes TLS 1.3 impossible since neither AES nor ChachaPoly is enabled, but TLS 1.3 is still offered in the protocol negotiation.

(In contrast, check_config.h has clauses about MBEDTLS_SSL_PROTO_TLS1_3 needing handshake features, although I'm not sure they're complete.)

I'm not sure what the resolution is: a stricter check_config.h (might be dangerous in 3.6 LTS)?

gilles-peskine-arm avatar Mar 19 '25 15:03 gilles-peskine-arm
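The dependency described in the issue, written out as an added example (this is not Mbed TLS code and has not been tested against the library). It assumes the PSA_WANT_* configuration symbol names for the preprocessor sketch; the runtime function is a stand-alone restatement of the same rule so it can be exercised without a library build. The suite list follows RFC 8446 appendix B.4, which is where the "matching hash" requirement comes from: AES-GCM pairs with SHA-256 (128-bit key) or SHA-384 (256-bit key), while ChaCha20-Poly1305 and both AES-CCM suites pair only with SHA-256.

```c
/* Added example, not Mbed TLS code: the TLS 1.3 cipher-suite dependency
 * from the issue, written two ways.
 *
 * 1. A check_config.h-style preprocessor clause, sketched against the
 *    PSA_WANT_* symbols (assumed names; the real check_config.h has its
 *    own helper macros and this clause is untested against the library).
 * 2. The same rule as a plain C function over a struct of flags, so the
 *    rule can be unit-tested without rebuilding anything.
 */
#include <stdio.h>

/* --- 1. preprocessor form (only fires when MBEDTLS_SSL_PROTO_TLS1_3 is set) */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if !( (defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM) &&          \
        (defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384))) ||    \
       (defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM) &&          \
        defined(PSA_WANT_ALG_SHA_256)) ||                                       \
       (defined(PSA_WANT_KEY_TYPE_CHACHA20) &&                                  \
        defined(PSA_WANT_ALG_CHACHA20_POLY1305) && defined(PSA_WANT_ALG_SHA_256)) )
#error "MBEDTLS_SSL_PROTO_TLS1_3 is enabled but no TLS 1.3 cipher suite can be built"
#endif
#endif

/* --- 2. runtime form ------------------------------------------------------ */
typedef struct {
    int aes, gcm, ccm, chachapoly, sha256, sha384;   /* 1 = enabled */
} crypto_config;

/* The five TLS 1.3 suites of RFC 8446 appendix B.4, as bit flags. */
enum {
    SUITE_AES_128_GCM_SHA256       = 1 << 0,
    SUITE_AES_256_GCM_SHA384       = 1 << 1,
    SUITE_CHACHA20_POLY1305_SHA256 = 1 << 2,
    SUITE_AES_128_CCM_SHA256       = 1 << 3,
    SUITE_AES_128_CCM_8_SHA256     = 1 << 4,
};

/* Bitmask of TLS 1.3 suites whose AEAD *and* matching hash are both enabled. */
unsigned tls13_available_suites(const crypto_config *c)
{
    unsigned s = 0;
    if (c->aes && c->gcm && c->sha256) s |= SUITE_AES_128_GCM_SHA256;
    if (c->aes && c->gcm && c->sha384) s |= SUITE_AES_256_GCM_SHA384;
    if (c->chachapoly && c->sha256)    s |= SUITE_CHACHA20_POLY1305_SHA256;
    if (c->aes && c->ccm && c->sha256)
        s |= SUITE_AES_128_CCM_SHA256 | SUITE_AES_128_CCM_8_SHA256;
    return s;
}

/* What a check_config.h clause would be deciding: can TLS 1.3 work at all? */
int tls13_usable(const crypto_config *c)
{
    return tls13_available_suites(c) != 0;
}

int main(void)
{
    /* Constructed configs. The first mirrors the issue's example: an
     * ARIA-only build keeps GCM/CCM and both hashes but has no AES and no
     * ChaChaPoly, so no TLS 1.3 suite exists even though the protocol is on. */
    const crypto_config aria_only = { 0, 1, 1, 0, 1, 1 };
    const crypto_config full      = { 1, 1, 1, 1, 1, 1 };

    printf("ARIA-only: TLS 1.3 usable = %d (suites 0x%02x)\n",
           tls13_usable(&aria_only), tls13_available_suites(&aria_only));
    printf("full:      TLS 1.3 usable = %d (suites 0x%02x)\n",
           tls13_usable(&full), tls13_available_suites(&full));
    return 0;
}
```

The fourth check in the test below is the one that a naive "any AEAD plus any hash" rule gets wrong: ChaCha20-Poly1305 with only SHA-384 enabled yields no usable suite, because TLS_CHACHA20_POLY1305_SHA256 is the only ChaCha suite in TLS 1.3.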

I re-discovered this semi-independently (that is, working on the same thing), and my first reaction is we should have a check in check_config.h. After a bit more thinking, that's still my opinion. As you noted, we have checks for HKDF and handshake hashes already. I'll point out that since most of the handshake is encrypted in 1.3, we can't even complete a handshake without a cipher suite available. So ciphersuites are handshake dependencies just as much as HKDF and hashes.

I have trouble making up my mind about 3.6 though.

mpg avatar Mar 28 '25 08:03 mpg

Well actually I think I've made up my mind about 3.6: we already have dependencies for HKDF and hashes there, and as I was saying above, ciphersuites are just as necessary as those to complete a handshake (ie even if you only do a handshake and are not interested in exchanging ApplicationData afterwards), so having dependencies for one but not the other is fully inconsistent.

mpg avatar Mar 28 '25 10:03 mpg

In a minor release, and especially in an LTS, I'm very wary of adding things to check_config.h unless there's already a compilation error. This can break applications that were working perfectly fine and just happened to include a feature they didn't use. This is especially a concern for applications that use the default mbedtls_config.h and then add or remove selected things in MBEDTLS_USER_CONFIG_FILE.

By the way, this can also happen in our test scripts. In fact that was part of the problem in https://github.com/Mbed-TLS/mbedtls/pull/10072 — we have configurations in all.sh where TLS 1.3 doesn't work, but it's ok because we weren't running ssl-opt.sh and the only test cases in test_suite_ssl that use 1.3 are guarded by some crypto mechanism that's disabled in that configuration. So the CI would complain that just adding something in check_config.h isn't enough, we also need to work on components-configuration-crypto.sh.

gilles-peskine-arm avatar Apr 07 '25 12:04 gilles-peskine-arm