From 88f7125cf80f7f1e3d364247405af2b70d63af40 Mon Sep 17 00:00:00 2001
From: Alex Weibel <aweibel@amazon.com>
Date: Wed, 30 Oct 2024 16:37:37 -0700
Subject: [PATCH] Add ML-KEM Support

---
 include/aws/io/tls_channel_handler.h | 10 +++++-----
 source/s2n/s2n_tls_channel_handler.c |  5 +++++
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/include/aws/io/tls_channel_handler.h b/include/aws/io/tls_channel_handler.h
index f44335b12..087b333a3 100644
--- a/include/aws/io/tls_channel_handler.h
+++ b/include/aws/io/tls_channel_handler.h
@@ -34,14 +34,14 @@ enum aws_tls_cipher_pref {
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_02 = 3,
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2020_02 = 4,
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07 = 5,
+    /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 = 6,
 
     /*
-     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been submitted to NIST
-     * for potential future standardization. Support for this preference list, or PQ algorithms present in it, may be
-     * removed at any time in the future. PQ algorithms in this preference list will be used in hybrid mode, and always
-     * combined with a classical ECDHE key exchange.
+     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been standardized by
+     * NIST. PQ algorithms in this preference list will be used in hybrid mode, and always combined with a classical
+     * ECDHE key exchange.
      */
-    AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 = 6,
+    AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10 = 7,
 
     AWS_IO_TLS_CIPHER_PREF_END_RANGE = 0xFFFF
 };
diff --git a/source/s2n/s2n_tls_channel_handler.c b/source/s2n/s2n_tls_channel_handler.c
index e9560608e..db605f026 100644
--- a/source/s2n/s2n_tls_channel_handler.c
+++ b/source/s2n/s2n_tls_channel_handler.c
@@ -271,6 +271,8 @@ bool aws_tls_is_cipher_pref_supported(enum aws_tls_cipher_pref cipher_pref) {
 #ifndef ANDROID
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05:
             return true;
+        case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
+            return true;
 #endif
 
         default:
@@ -1537,6 +1539,9 @@ static struct aws_tls_ctx *s_tls_ctx_new(
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05:
             security_policy = "PQ-TLS-1-0-2021-05-26";
             break;
+        case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
+            security_policy = "AWS-CRT-SDK-TLSv1.2-2023-PQ";
+            break;
         default:
             AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Unrecognized TLS Cipher Preference: %d", options->cipher_pref);
             aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED);