">= S2N_TLSX" vs "== S2N_TLSX"

[lrstewart]

Problem:

Our code currently uses a mix of ">= S2N_TLS13" and "== S2N_TLS13" checks. I would like to argue for switching all of the "=="s over to ">=": I believe "==" is shortsighted and will inevitably cause future developers pain.

When implementing TLS1.3, we have repeatedly run into problems because of "== S2N_TLS12" checks. We expect TLS1.3 code to behave like TLS1.2 code unless we specify otherwise, not like TLS1.1 code. Code regressing to pre-TLS1.2 because we raise the protocol version causes unexpected and sometimes difficult to diagnose issues (and could unexpectedly re-introduce vulnerabilities). It is unintuitive for code to default to the oldest implementation instead of the newest implementation. When we add a hypothetical TLS1.4, it is FAR more likely to build off of TLS1.3 than off of TLS1.1 or TLS1.0.

Examples of pain with "== S2N_TLS12":

• We had a fun bug with transcript hashes caused by a "== S2N_TLS12" check: https://github.com/awslabs/s2n/issues/1545
• Nicole had to correct MANY "== S2N_TLS12" checks when working on Client Auth because the cert code was updated between 1.1 and 1.2.

Proposed Solution:

• Find all "== S2N_TLS13" references and update them to ">= S2N_TLS13".
• Preemptively update any remaining "== S2N_TLS12" (I checked-- most of them look like they're in files that TLS1.3 no longer uses, but updating them won't hurt).
• Possibly add some code to our simple mistakes grepping script to check for "== S2N_TLS[0-9]+".

[lrstewart]

Note: we should also check for "!= S2N_TLSX".