Default to PQ TLS for s2n handlers if TLSv1.3 is negotiated (#740)

WillChilds-Klein · DmitriyMusatkin · web-flow · commit 8906a02cb204 · 2025-10-02T11:24:25.000-07:00
Co-authored-by: Dmitriy Musatkin &lt;63878209+DmitriyMusatkin@users.noreply.github.com&gt;
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -232,6 +232,16 @@ else()
    set (TARGET_DIR "static")
 endif()
 
+if(${CMAKE_SYSTEM_NAME} STREQUAL "OpenBSD")
+  # OpenBSD by defaults links with --execute-only, which is problematic because
+  # some AWS assembly sources still have references to static data in the .text section
+  if(NOT BUILD_SHARED_LIBS)
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--no-execute-only")
+  else()
+    set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--no-execute-only")
+  endif()
+endif()
+
 install(EXPORT "${PROJECT_NAME}-targets"
         DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/${PROJECT_NAME}/${TARGET_DIR}"
         NAMESPACE AWS::
diff --git a/include/aws/io/tls_channel_handler.h b/include/aws/io/tls_channel_handler.h
@@ -51,6 +51,9 @@ enum aws_tls_cipher_pref {
      */
     AWS_IO_TLS_CIPHER_PREF_TLSV1_2_2025_07 = 9,
 
+    /* This security policy was the system default before PQ was enabled by default. */
+    AWS_IO_TLS_CIPHER_PREF_TLSV1_0_2023_06 = 10,
+
     AWS_IO_TLS_CIPHER_PREF_END_RANGE = 0xFFFF
 };
 
diff --git a/source/s2n/s2n_tls_channel_handler.c b/source/s2n/s2n_tls_channel_handler.c
@@ -264,16 +264,9 @@ bool aws_tls_is_alpn_available(void) {
 
 bool aws_tls_is_cipher_pref_supported(enum aws_tls_cipher_pref cipher_pref) {
     switch (cipher_pref) {
-        case AWS_IO_TLS_CIPHER_PREF_SYSTEM_DEFAULT:
-            return true;
-            /* PQ Crypto no-ops on android for now */
-#ifndef ANDROID
-        case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
-            return true;
         case AWS_IO_TLS_CIPHER_PREF_PQ_DEFAULT:
-            return true;
-#endif
-
+        case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
+        case AWS_IO_TLS_CIPHER_PREF_SYSTEM_DEFAULT:
         case AWS_IO_TLS_CIPHER_PREF_TLSV1_2_2025_07:
             return true;
         default:
@@ -1519,14 +1512,14 @@ static struct aws_tls_ctx *s_tls_ctx_new(
                 security_policy = "AWS-CRT-SDK-TLSv1.1-2023";
                 break;
             case AWS_IO_TLSv1_2:
-                security_policy = "AWS-CRT-SDK-TLSv1.2-2023";
+                security_policy = "AWS-CRT-SDK-TLSv1.2-2025-PQ";
                 break;
             case AWS_IO_TLSv1_3:
-                security_policy = "AWS-CRT-SDK-TLSv1.3-2023";
+                security_policy = "AWS-CRT-SDK-TLSv1.3-2025-PQ";
                 break;
             case AWS_IO_TLS_VER_SYS_DEFAULTS:
             default:
-                security_policy = "AWS-CRT-SDK-TLSv1.0-2023";
+                security_policy = "AWS-CRT-SDK-TLSv1.0-2025-PQ";
         }
     }
 
@@ -1537,14 +1530,17 @@ static struct aws_tls_ctx *s_tls_ctx_new(
             break;
         case AWS_IO_TLS_CIPHER_PREF_PQ_DEFAULT:
             /* The specific PQ policy used here may change over time. */
-            security_policy = "AWS-CRT-SDK-TLSv1.2-2023-PQ";
+            security_policy = "AWS-CRT-SDK-TLSv1.2-2025-PQ";
             break;
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
             security_policy = "AWS-CRT-SDK-TLSv1.2-2023-PQ";
             break;
         case AWS_IO_TLS_CIPHER_PREF_TLSV1_2_2025_07:
             security_policy = "AWS-CRT-SDK-TLSv1.2-2025";
             break;
+        case AWS_IO_TLS_CIPHER_PREF_TLSV1_0_2023_06:
+            security_policy = "AWS-CRT-SDK-TLSv1.2-2025";
+            break;
         default:
             AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Unrecognized TLS Cipher Preference: %d", options->cipher_pref);
             aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED);
