diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c
index e43930bb188..8150e54a8c2 100644
--- a/tests/unit/s2n_config_test.c
+++ b/tests/unit/s2n_config_test.c
@@ -27,6 +27,7 @@
 #include "tls/s2n_internal.h"
 #include "tls/s2n_record.h"
 #include "tls/s2n_security_policies.h"
+#include "tls/s2n_tls.h"
 #include "tls/s2n_tls13.h"
 #include "unstable/npn.h"
 #include "utils/s2n_map.h"
@@ -69,8 +70,7 @@ int main(int argc, char **argv)
 const s2n_mode modes[] = { S2N_CLIENT, S2N_SERVER };
- const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
- EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
+ const struct s2n_security_policy *default_security_policy = NULL, *fips_security_policy = NULL;
 EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
 EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
@@ -94,9 +94,13 @@ int main(int argc, char **argv)
 /* Calling s2n_fetch_default_config() repeatedly returns the same object */
 EXPECT_EQUAL(default_config, s2n_fetch_default_config());
- /* TLS1.3 default does not match non-TLS1.3 default */
+ /* TLS1.3 default matches non-TLS1.3 default
+ *
+ * `s2n_enable_tls13_in_test` and `s2n_disable_tls13_in_test` control protocol via the use
+ * of `s2n_highest_protocol_version`.
+ */
 EXPECT_SUCCESS(s2n_enable_tls13_in_test());
- EXPECT_NOT_EQUAL(default_config, s2n_fetch_default_config());
+ EXPECT_EQUAL(default_config, s2n_fetch_default_config());
 EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 EXPECT_SUCCESS(s2n_config_free(config));
@@ -114,6 +118,7 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
 EXPECT_EQUAL(security_policy, default_security_policy);
+ EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12);
 EXPECT_SUCCESS(s2n_connection_free(conn));
 }
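Review bot: The added `EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12);` in the -114 hunk (and its `S2N_TLS13` twin in the -128 hunk) checks a process-wide global, so it verifies the test helper rather than anything about `conn`. It also relies on an earlier `s2n_disable_tls13_in_test()` call that lies outside the hunk. Now that the security policy is the same in both cases, consider asserting the version on the connection itself, or add a comment such as `/* policy is identical in both modes; only the global protocol ceiling differs */` so the purpose of the global check is clear.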
@@ -128,7 +133,8 @@ int main(int argc, char **argv)
 EXPECT_EQUAL(conn->config, s2n_fetch_default_config());
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_EQUAL(security_policy, tls13_security_policy);
+ EXPECT_EQUAL(security_policy, default_security_policy);
+ EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13);
 EXPECT_SUCCESS(s2n_connection_free(conn));
 EXPECT_SUCCESS(s2n_disable_tls13_in_test());
@@ -160,7 +166,7 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_enable_tls13_in_test());
 EXPECT_NOT_NULL(config = s2n_config_new());
- EXPECT_EQUAL(config->security_policy, tls13_security_policy);
+ EXPECT_EQUAL(config->security_policy, default_security_policy);
 EXPECT_SUCCESS(s2n_config_free(config));
 EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 }
diff --git a/tests/unit/s2n_connection_preferences_test.c b/tests/unit/s2n_connection_preferences_test.c
index b5db6d7b4e5..bed3add41b8 100644
--- a/tests/unit/s2n_connection_preferences_test.c
+++ b/tests/unit/s2n_connection_preferences_test.c
@@ -28,12 +28,11 @@ int main(int argc, char **argv)
 BEGIN_TEST();
 EXPECT_SUCCESS(s2n_disable_tls13_in_test());
- const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
- EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
+ const struct s2n_security_policy *default_security_policy = NULL, *fips_security_policy = NULL;
 EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
 EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
- /* Test default TLS1.2 */
+ /* Test default TLS 1.3 */
 if (!s2n_is_in_fips_mode()) {
 struct s2n_connection *conn = NULL;
 const struct s2n_cipher_preferences *cipher_preferences = NULL;
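Review bot: The renamed comment `/* Test default TLS 1.3 */` in the s2n_connection_preferences_test.c hunk sits a few lines below `EXPECT_SUCCESS(s2n_disable_tls13_in_test());`, so the block it labels appears to run with the protocol ceiling at TLS 1.2 even though the default policy now supports TLS 1.3. Wording such as `/* Test default policy (supports TLS 1.3) while TLS 1.3 is disabled via s2n_disable_tls13_in_test */` would avoid implying that TLS 1.3 is exercised here. The body of the block continues outside the hunk, so this reading is based on the visible lines only.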
@@ -86,7 +85,7 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_connection_free(conn));
 }
- /* Test TLS1.3 */
+ /* Test TLS1.3 and s2n_enable_tls13_in_test behavior */
 {
 EXPECT_SUCCESS(s2n_enable_tls13_in_test());
 struct s2n_connection *conn = NULL;
@@ -100,19 +99,19 @@ int main(int argc, char **argv)
 EXPECT_NULL(conn->security_policy_override);
 EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
- EXPECT_EQUAL(cipher_preferences, tls13_security_policy->cipher_preferences);
+ EXPECT_EQUAL(cipher_preferences, default_security_policy->cipher_preferences);
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_EQUAL(security_policy, tls13_security_policy);
+ EXPECT_EQUAL(security_policy, default_security_policy);
 EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
- EXPECT_EQUAL(kem_preferences, tls13_security_policy->kem_preferences);
+ EXPECT_EQUAL(kem_preferences, default_security_policy->kem_preferences);
 EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
- EXPECT_EQUAL(signature_preferences, tls13_security_policy->signature_preferences);
+ EXPECT_EQUAL(signature_preferences, default_security_policy->signature_preferences);
 EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
- EXPECT_EQUAL(ecc_preferences, tls13_security_policy->ecc_preferences);
+ EXPECT_EQUAL(ecc_preferences, default_security_policy->ecc_preferences);
 EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "test_all_tls13"));
 EXPECT_NOT_NULL(conn->security_policy_override);
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
index efaf6901642..771226fef45 100644
--- a/tests/unit/s2n_security_policies_test.c
+++ b/tests/unit/s2n_security_policies_test.c
@@ -178,7 +178,7 @@ int main(int argc, char **argv)
 EXPECT_EQUAL(0, security_policy->kem_preferences->kem_count);
 EXPECT_NULL(security_policy->kem_preferences->tls13_kem_groups);
 EXPECT_EQUAL(0, security_policy->kem_preferences->tls13_kem_group_count);
- EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
+ EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
 security_policy = NULL;
 EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &security_policy));
@@ -452,8 +452,6 @@ int main(int argc, char **argv)
 {
 char tls12_only_security_policy_strings[][255] = {
- "default",
- "default_fips",
 "ELBSecurityPolicy-TLS-1-0-2015-04",
 "ELBSecurityPolicy-TLS-1-0-2015-05",
 "ELBSecurityPolicy-2016-08",
@@ -512,6 +510,8 @@ int main(int argc, char **argv)
 }
 char tls13_security_policy_strings[][255] = {
+ "default",
+ "default_fips",
 "default_tls13",
 "test_all",
 "test_all_tls13",
@@ -1042,6 +1042,7 @@ int main(int argc, char **argv)
 const struct s2n_security_policy *versioned_policies[] = {
 &security_policy_20170210,
 &security_policy_20240501,
+ &security_policy_20240701,
 };
 const struct s2n_supported_cert supported_certs[] = {
@@ -1077,6 +1078,7 @@ int main(int argc, char **argv)
 const struct s2n_security_policy *versioned_policies[] = {
 &security_policy_20240416,
 &security_policy_20240502,
+ &security_policy_20240702,
 };
 const struct s2n_supported_cert supported_certs[] = {
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 867bb278c47..4e69997aa9d 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -28,14 +28,18 @@ int main(int argc, char **argv) { BEGIN_TEST(); + + /* TLS 1.3 is used by default */ + EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13); + EXPECT_SUCCESS(s2n_disable_tls13_in_test()); - /* TLS 1.3 is not used by default */ - EXPECT_FALSE(s2n_use_default_tls13_config()); + /* `s2n_disable_tls13_in_test` disables TLS 1.3 */ + EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12); - /* TLS1.3 is not supported or configured by default */ + /* TLS1.3 is supported and configured by default */ { - /* Client does not support or configure TLS 1.3 */ + /* Client does support and configure TLS 1.3 */ { struct s2n_connection *conn = NULL; EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT)); @@ -44,12 +48,12 @@ int main(int argc, char **argv) const struct s2n_security_policy *security_policy = NULL; EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy)); - EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy)); + EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy)); EXPECT_SUCCESS(s2n_connection_free(conn)); }; - /* Server does not support or configure TLS 1.3 */ + /* Server does support and configure TLS 1.3 */ { struct s2n_connection *conn = NULL; EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER)); 
@@ -58,18 +62,18 @@ int main(int argc, char **argv)
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
+ EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
 EXPECT_SUCCESS(s2n_connection_free(conn));
 };
 };
 EXPECT_SUCCESS(s2n_enable_tls13_in_test());
- EXPECT_TRUE(s2n_use_default_tls13_config());
+ EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13);
 /* Re-enabling has no effect */
 EXPECT_SUCCESS(s2n_enable_tls13_in_test());
- EXPECT_TRUE(s2n_use_default_tls13_config());
+ EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13);
 /* If "enabled", TLS1.3 is supported and configured */
 {
@@ -103,11 +107,11 @@ int main(int argc, char **argv)
 };
 EXPECT_SUCCESS(s2n_disable_tls13_in_test());
- EXPECT_FALSE(s2n_use_default_tls13_config());
+ EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12);
 /* Re-disabling has no effect */
 EXPECT_SUCCESS(s2n_disable_tls13_in_test());
- EXPECT_FALSE(s2n_use_default_tls13_config());
+ EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12);
 /* Test s2n_is_valid_tls13_cipher() */
 {
diff --git a/tls/s2n_cipher_preferences.c b/tls/s2n_cipher_preferences.c
index 5615b02d993..d4c3a5ba4ed 100644
--- a/tls/s2n_cipher_preferences.c
+++ b/tls/s2n_cipher_preferences.c
@@ -327,6 +327,32 @@ const struct s2n_cipher_preferences cipher_preferences_20240331 = {
 .allow_chacha20_boosting = false,
 };
+/*
+ * TLS1.3 support.
+ * FIPS compliant.
+ * No DHE (would require extra setup with s2n_config_add_dhparams)
+ */
+struct s2n_cipher_suite *cipher_suites_20240701[] = {
+ &s2n_tls13_aes_256_gcm_sha384,
+ &s2n_tls13_aes_128_gcm_sha256,
+ /* TLS1.2 with ECDSA */
+ &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
+ &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
+ &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256,
+ &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384,
+ /* TLS1.2 with RSA */
+ &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+ &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+ &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
+ &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
+};
+
+const struct s2n_cipher_preferences cipher_preferences_20240701 = {
+ .count = s2n_array_len(cipher_suites_20240701),
+ .suites = cipher_suites_20240701,
+ .allow_chacha20_boosting = false,
+};
+
 /* Same as 20160411, but with ChaCha20 added as 1st in Preference List */
 struct s2n_cipher_suite *cipher_suites_20190122[] = {
 &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
diff --git a/tls/s2n_cipher_preferences.h b/tls/s2n_cipher_preferences.h
index 37c86f3fd84..a9e6fabbf0e 100644
--- a/tls/s2n_cipher_preferences.h
+++ b/tls/s2n_cipher_preferences.h
@@ -27,6 +27,7 @@ struct s2n_cipher_preferences {
 bool allow_chacha20_boosting;
 };
+extern const struct s2n_cipher_preferences cipher_preferences_20240701;
 extern const struct s2n_cipher_preferences cipher_preferences_20230317;
 extern const struct s2n_cipher_preferences cipher_preferences_20240331;
 extern const struct s2n_cipher_preferences cipher_preferences_20140601;
diff --git a/tls/s2n_config.c b/tls/s2n_config.c
index f0bbb623266..de47245ab14 100644
--- a/tls/s2n_config.c
+++ b/tls/s2n_config.c
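Review bot: `cipher_suites_20240701` lists the TLS 1.3 suites with AES-256 ahead of AES-128, while both TLS 1.2 groups put AES-128 ahead of AES-256, and the header comment does not say whether that difference is intended. Because this list becomes the preference order behind both `default` and `default_fips`, the comment should state the ordering rationale and also that CBC-mode suites are retained and no ChaCha20-Poly1305 suite is offered for either protocol version. Something like `* TLS1.3: AES-256-GCM preferred; TLS1.2: GCM before CBC; no ChaCha20 (list is shared with the FIPS default).` would do, adjusted to the actual reasoning.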
@@ -70,7 +70,6 @@ static int wall_clock(void *data, uint64_t *nanoseconds)
 static struct s2n_config s2n_default_config = { 0 };
 static struct s2n_config s2n_default_fips_config = { 0 };
-static struct s2n_config s2n_default_tls13_config = { 0 };
 static int s2n_config_setup_default(struct s2n_config *config)
 {
@@ -78,12 +77,6 @@ static int s2n_config_setup_default(struct s2n_config *config)
 return S2N_SUCCESS;
 }
-static int s2n_config_setup_tls13(struct s2n_config *config)
-{
- POSIX_GUARD(s2n_config_set_cipher_preferences(config, "default_tls13"));
- return S2N_SUCCESS;
-}
-
 static int s2n_config_setup_fips(struct s2n_config *config)
 {
 POSIX_GUARD(s2n_config_set_cipher_preferences(config, "default_fips"));
@@ -105,11 +98,10 @@ static int s2n_config_init(struct s2n_config *config)
 config->client_hello_cb_mode = S2N_CLIENT_HELLO_CB_BLOCKING;
- POSIX_GUARD(s2n_config_setup_default(config));
- if (s2n_use_default_tls13_config()) {
- POSIX_GUARD(s2n_config_setup_tls13(config));
- } else if (s2n_is_in_fips_mode()) {
+ if (s2n_is_in_fips_mode()) {
 POSIX_GUARD(s2n_config_setup_fips(config));
+ } else {
+ POSIX_GUARD(s2n_config_setup_default(config));
 }
 POSIX_GUARD_PTR(config->domain_name_to_cert_map = s2n_map_new_with_initial_capacity(1));
@@ -212,9 +204,6 @@ int s2n_config_build_domain_name_to_cert_map(struct s2n_config *config, struct s
 struct s2n_config *s2n_fetch_default_config(void)
 {
- if (s2n_use_default_tls13_config()) {
- return &s2n_default_tls13_config;
- }
 if (s2n_is_in_fips_mode()) {
 return &s2n_default_fips_config;
 }
@@ -244,10 +233,6 @@ int s2n_config_defaults_init(void)
 POSIX_GUARD(s2n_config_load_system_certs(&s2n_default_config));
 }
- /* TLS 1.3 default config is only used in tests so avoid initialization costs in applications */
- POSIX_GUARD(s2n_config_init(&s2n_default_tls13_config));
- POSIX_GUARD(s2n_config_setup_tls13(&s2n_default_tls13_config));
-
 return S2N_SUCCESS;
 }
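Review bot: In the `s2n_config_init` hunk the FIPS branch no longer runs `s2n_config_setup_default` first; before this change it always ran and the FIPS setup was applied on top of it. The body of `s2n_config_setup_default` is only partly visible in this diff, so please confirm it does nothing beyond selecting the `default` policy, since otherwise FIPS configs silently lose that setup. A one-line comment above the branch, e.g. `/* exactly one default policy is applied: FIPS or standard */`, would record the intent.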
@@ -255,7 +240,6 @@ void s2n_wipe_static_configs(void)
 {
 s2n_config_cleanup(&s2n_default_fips_config);
 s2n_config_cleanup(&s2n_default_config);
- s2n_config_cleanup(&s2n_default_tls13_config);
 }
 int s2n_config_load_system_certs(struct s2n_config *config)
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
index 54bfc431762..2597766cbc8 100644
--- a/tls/s2n_security_policies.c
+++ b/tls/s2n_security_policies.c
@@ -20,10 +20,11 @@
 #include "tls/s2n_connection.h"
 #include "utils/s2n_safety.h"
-/* TLS1.2 default as of 05/24 */
-const struct s2n_security_policy security_policy_20240501 = {
+/* TODO update the date before merge */
+/* default as of 07/01. Supports TLS 1.3 */
+const struct s2n_security_policy security_policy_20240701 = {
 .minimum_protocol_version = S2N_TLS12,
- .cipher_preferences = &cipher_preferences_20240331,
+ .cipher_preferences = &cipher_preferences_20240701,
 .kem_preferences = &kem_preferences_null,
 .signature_preferences = &s2n_signature_preferences_20240501,
 .ecc_preferences = &s2n_ecc_preferences_20240501,
@@ -32,10 +33,11 @@ const struct s2n_security_policy security_policy_20240501 = {
 },
 };
-/* FIPS default as of 05/24 */
-const struct s2n_security_policy security_policy_20240502 = {
+/* TODO update the date before merge */
+/* FIPS default as of 07/01. Supports TLS 1.3 */
+const struct s2n_security_policy security_policy_20240702 = {
 .minimum_protocol_version = S2N_TLS12,
- .cipher_preferences = &cipher_preferences_20240331,
+ .cipher_preferences = &cipher_preferences_20240701,
 .kem_preferences = &kem_preferences_null,
 .signature_preferences = &s2n_signature_preferences_20240501,
 .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
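Review bot: The two `/* TODO update the date before merge */` comments added above `security_policy_20240701` and `security_policy_20240702` are unresolved merge notes, and `default as of 07/01` omits the year. The tls/s2n_security_policies.h hunk has the same problem: it keeps `Defaults as of 05/24` above the new 20240701/20240702 externs and adds `TODO updated date`. Settle these before merging, e.g. `/* Default as of <MM/YY>. Supports TLS 1.3 */`. The relocated `security_policy_20240501` and `security_policy_20240502` definitions in the -72 hunk also lost their comments and should get one saying they are the previous TLS 1.2 defaults.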
@@ -72,6 +74,30 @@ const struct s2n_security_policy security_policy_20240730 = {
 },
 };
+const struct s2n_security_policy security_policy_20240501 = {
+ .minimum_protocol_version = S2N_TLS12,
+ .cipher_preferences = &cipher_preferences_20240331,
+ .kem_preferences = &kem_preferences_null,
+ .signature_preferences = &s2n_signature_preferences_20240501,
+ .ecc_preferences = &s2n_ecc_preferences_20240501,
+ .rules = {
+ [S2N_PERFECT_FORWARD_SECRECY] = true,
+ },
+};
+
+const struct s2n_security_policy security_policy_20240502 = {
+ .minimum_protocol_version = S2N_TLS12,
+ .cipher_preferences = &cipher_preferences_20240331,
+ .kem_preferences = &kem_preferences_null,
+ .signature_preferences = &s2n_signature_preferences_20240501,
+ .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
+ .ecc_preferences = &s2n_ecc_preferences_20201021,
+ .rules = {
+ [S2N_PERFECT_FORWARD_SECRECY] = true,
+ [S2N_FIPS_140_3] = true,
+ },
+};
+
 const struct s2n_security_policy security_policy_20241001 = {
 .minimum_protocol_version = S2N_TLS12,
 .cipher_preferences = &cipher_preferences_cloudfront_tls_1_2_2019,
@@ -1227,10 +1253,12 @@ const struct s2n_security_policy security_policy_null = {
 };
 struct s2n_security_policy_selection security_policy_selection[] = {
- { .version = "default", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "default", .security_policy = &security_policy_20240701, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
- { .version = "default_fips", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "default_fips", .security_policy = &security_policy_20240702, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "default_pq", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "20240701", .security_policy = &security_policy_20240701, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "20240702", .security_policy = &security_policy_20240702, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20240502", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
diff --git a/tls/s2n_security_policies.h b/tls/s2n_security_policies.h
index 8387831449e..f539f2f928f 100644
--- a/tls/s2n_security_policies.h
+++ b/tls/s2n_security_policies.h
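Review bot: Repointing the `default` and `default_fips` rows to `security_policy_20240701` and `security_policy_20240702` changes what every caller relying on those aliases will negotiate, and nothing in the table says the aliases move over time. The context comment in tls/s2n_tls13.c notes that older OpenSSL builds lack RSA-PSS, which TLS 1.3 requires; no test visible in this change exercises the new defaults on such a libcrypto, so that path looks untested from here. Consider a comment on the alias rows such as `/* "default*" aliases may change between releases; pin a numbered version for stable behavior */` and a test case gated on `s2n_is_tls13_fully_supported()`.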
@@ -94,11 +94,14 @@ struct s2n_security_policy_selection {
 extern struct s2n_security_policy_selection security_policy_selection[];
-/* Defaults as of 05/24 */
-extern const struct s2n_security_policy security_policy_20240501;
-extern const struct s2n_security_policy security_policy_20240502;
+/* Defaults as of 05/24
+ * TODO updated date*/
+extern const struct s2n_security_policy security_policy_20240701;
+extern const struct s2n_security_policy security_policy_20240702;
 extern const struct s2n_security_policy security_policy_20240503;
+extern const struct s2n_security_policy security_policy_20240501;
+extern const struct s2n_security_policy security_policy_20240502;
 extern const struct s2n_security_policy security_policy_20241106;
 extern const struct s2n_security_policy security_policy_20140601;
 extern const struct s2n_security_policy security_policy_20141001;
diff --git a/tls/s2n_tls13.c b/tls/s2n_tls13.c
index 1ff247e2f97..8e70fb9288a 100644
--- a/tls/s2n_tls13.c
+++ b/tls/s2n_tls13.c
@@ -20,13 +20,6 @@
 #include "crypto/s2n_rsa_signing.h"
 #include "tls/s2n_tls.h"
-bool s2n_use_default_tls13_config_flag = false;
-
-bool s2n_use_default_tls13_config()
-{
- return s2n_use_default_tls13_config_flag;
-}
-
 bool s2n_is_tls13_fully_supported()
 {
 /* Older versions of Openssl (eg 1.0.2) do not support RSA PSS, which is required for TLS 1.3. */
@@ -58,7 +51,6 @@ int s2n_enable_tls13()
 int s2n_enable_tls13_in_test()
 {
 s2n_highest_protocol_version = S2N_TLS13;
- s2n_use_default_tls13_config_flag = true;
 return S2N_SUCCESS;
 }
@@ -72,7 +64,6 @@ int s2n_disable_tls13_in_test()
 {
 POSIX_ENSURE(s2n_in_unit_test(), S2N_ERR_NOT_IN_UNIT_TEST);
 s2n_highest_protocol_version = S2N_TLS12;
- s2n_use_default_tls13_config_flag = false;
 return S2N_SUCCESS;
 }
@@ -85,7 +76,6 @@ int s2n_reset_tls13_in_test()
 {
 POSIX_ENSURE(s2n_in_unit_test(), S2N_ERR_NOT_IN_UNIT_TEST);
 s2n_highest_protocol_version = S2N_TLS13;
- s2n_use_default_tls13_config_flag = false;
 return S2N_SUCCESS;
 }
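Review bot: With `s2n_use_default_tls13_config_flag` gone, `s2n_enable_tls13_in_test` and `s2n_reset_tls13_in_test` in tls/s2n_tls13.c both reduce to `s2n_highest_protocol_version = S2N_TLS13;`, so the two helpers now differ only in the unit-test guard. `s2n_enable_tls13_in_test` still writes the global without the `POSIX_ENSURE(s2n_in_unit_test(), S2N_ERR_NOT_IN_UNIT_TEST);` check that the disable and reset variants carry. Either add the guard or document why the enable helper is exempt (for example, if a non-test entry point calls it), and add a short comment on each helper stating what distinguishes it now that the flag is removed.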
diff --git a/tls/s2n_tls13.h b/tls/s2n_tls13.h
index d13fe3a355a..3543ccc8cc2 100644
--- a/tls/s2n_tls13.h
+++ b/tls/s2n_tls13.h
@@ -36,7 +36,6 @@ S2N_API __attribute__((deprecated)) int s2n_enable_tls13();
 /* from RFC: https://tools.ietf.org/html/rfc8446#section-4.1.3*/
 extern uint8_t hello_retry_req_random[S2N_TLS_RANDOM_DATA_LEN];
-bool s2n_use_default_tls13_config();
 bool s2n_is_tls13_fully_supported();
 int s2n_get_highest_fully_supported_tls_version();
 int s2n_enable_tls13_in_test();