Merge branch 'main' into no-retry

awslabs · Nov 12, 2024 · 2195a32 · 2195a32
2 parents d0afc37 + c15417b
commit 2195a32
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/.github/workflows/proof-alarm.yml b/.github/workflows/proof-alarm.yml
@@ -16,7 +16,7 @@ jobs:
     - name: Check
       run: |
         TMPFILE=$(mktemp)
-        echo "c624a28de5af7f851a240a1e65a26c01  source/linux/epoll_event_loop.c" > $TMPFILE
+        echo "1fdf8e7a914412cc7242b8d64732fa89  source/linux/epoll_event_loop.c" > $TMPFILE
         md5sum --check $TMPFILE
 
     # No further steps if successful

diff --git a/include/aws/io/tls_channel_handler.h b/include/aws/io/tls_channel_handler.h
@@ -34,14 +34,14 @@ enum aws_tls_cipher_pref {
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_02 = 3,
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2020_02 = 4,
     /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07 = 5,
+    /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 = 6,
 
     /*
-     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been submitted to NIST
-     * for potential future standardization. Support for this preference list, or PQ algorithms present in it, may be
-     * removed at any time in the future. PQ algorithms in this preference list will be used in hybrid mode, and always
-     * combined with a classical ECDHE key exchange.
+     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been standardized by
+     * NIST. PQ algorithms in this preference list will be used in hybrid mode, and always combined with a classical
+     * ECDHE key exchange.
      */
-    AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 = 6,
+    AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10 = 7,
 
     AWS_IO_TLS_CIPHER_PREF_END_RANGE = 0xFFFF
 };

diff --git a/source/s2n/s2n_tls_channel_handler.c b/source/s2n/s2n_tls_channel_handler.c
@@ -270,6 +270,8 @@ bool aws_tls_is_cipher_pref_supported(enum aws_tls_cipher_pref cipher_pref) {
 #ifndef ANDROID
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05:
             return true;
+        case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
+            return true;
 #endif
 
         default:
@@ -1536,6 +1538,9 @@ static struct aws_tls_ctx *s_tls_ctx_new(
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05:
             security_policy = "PQ-TLS-1-0-2021-05-26";
             break;
+        case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
+            security_policy = "AWS-CRT-SDK-TLSv1.2-2023-PQ";
+            break;
         default:
             AWS_LOGF_ERROR(AWS_LS_IO_TLS, "Unrecognized TLS Cipher Preference: %d", options->cipher_pref);
             aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED);