fix: only initialize default tls 1.3 config in tests (#4302)

tests/fuzz/s2n_certificate_extensions_parse_test.c

@@ -25,6 +25,7 @@
 #include "api/s2n.h"
 #include "stuffer/s2n_stuffer.h"
 #include "tls/extensions/s2n_extension_list.h"
+#include "tls/s2n_config.h"
 #include "tls/s2n_connection.h"
 #include "tls/s2n_tls.h"
 #include "utils/s2n_safety.h"
@@ -50,6 +51,8 @@ static const uint8_t TLS_VERSIONS[] = {S2N_TLS13};
 
 int s2n_fuzz_init(int *argc, char **argv[])
 {
+    /* Initialize the trust store */
+    POSIX_GUARD_RESULT(s2n_config_testing_defaults_init_tls13_certs());
     POSIX_GUARD(s2n_enable_tls13_in_test());
     return S2N_SUCCESS;
 }

tls/s2n_config.c

@@ -241,14 +241,19 @@ int s2n_config_defaults_init(void)
         POSIX_GUARD(s2n_config_load_system_certs(&s2n_default_config));
     }
 
-    /* Set up TLS 1.3 defaults */
+    /* TLS 1.3 default config is only used in tests so avoid initialization costs in applications */
     POSIX_GUARD(s2n_config_init(&s2n_default_tls13_config));
     POSIX_GUARD(s2n_config_setup_tls13(&s2n_default_tls13_config));
-    POSIX_GUARD(s2n_config_load_system_certs(&s2n_default_tls13_config));
 
     return S2N_SUCCESS;
 }
 
+S2N_RESULT s2n_config_testing_defaults_init_tls13_certs(void)
+{
+    RESULT_GUARD_POSIX(s2n_config_load_system_certs(&s2n_default_tls13_config));
+    return S2N_RESULT_OK;
+}
+
 void s2n_wipe_static_configs(void)
 {
     s2n_config_cleanup(&s2n_default_fips_config);

tls/s2n_config.h

@@ -203,6 +203,7 @@ struct s2n_config {
 S2N_CLEANUP_RESULT s2n_config_ptr_free(struct s2n_config **config);
 
 int s2n_config_defaults_init(void);
+S2N_RESULT s2n_config_testing_defaults_init_tls13_certs(void);
 struct s2n_config *s2n_fetch_default_config(void);
 int s2n_config_set_unsafe_for_testing(struct s2n_config *config);