Add ML-KEM Support (#693)

alexw91 · web-flow · commit 11c9be9a03f1 · 2024-11-12T10:30:58.000-08:00
diff --git a/include/aws/io/tls_channel_handler.h b/include/aws/io/tls_channel_handler.h
@@ -34,14 +34,14 @@ enum aws_tls_cipher_pref {
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_02 = 3,
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2020_02 = 4,
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07 = 5,
+    /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 = 6,
 
     /*
-     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been submitted to NIST
-     * for potential future standardization. Support for this preference list, or PQ algorithms present in it, may be
-     * removed at any time in the future. PQ algorithms in this preference list will be used in hybrid mode, and always
-     * combined with a classical ECDHE key exchange.
+     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been standardized by
+     * NIST. PQ algorithms in this preference list will be used in hybrid mode, and always combined with a classical
+     * ECDHE key exchange.
      */
-    AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 = 6,
+    AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10 = 7,
 
     AWS_IO_TLS_CIPHER_PREF_END_RANGE = 0xFFFF
 };
diff --git a/source/s2n/s2n_tls_channel_handler.c b/source/s2n/s2n_tls_channel_handler.c
@@ -270,6 +270,8 @@ bool aws_tls_is_cipher_pref_supported(enum aws_tls_cipher_pref cipher_pref) {
 #ifndef ANDROID
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05:
             return true;
+        case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
+            return true;
 #endif
 
         default:
@@ -1536,6 +1538,9 @@ static struct aws_tls_ctx *s_tls_ctx_new(
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05:
             security_policy = "PQ-TLS-1-0-2021-05-26";
             break;
+        case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
+            security_policy = "AWS-CRT-SDK-TLSv1.2-2023-PQ";
+            break;
         default:
             AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Unrecognized TLS Cipher Preference: %d", options->cipher_pref);
             aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED);
