Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ML-KEM PQ TLS Policy Support #862

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add ML-KEM PQ TLS Policy Support #862

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7e3db92
Update AWS-LC and S2N to versions with ML-KEM support
alexw91 Jan 23, 2025
acaf3d3
Add ML-KEM TLS Security Policy
alexw91 Jan 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions codebuild/cd/test-fips-branch.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,12 @@ cd ./crt/aws-lc || exit 1
# Get the current commit hash
current_commit=$(git rev-parse HEAD)

# Check if the current commit is from the "fips-2022-11-02" branch
if git merge-base --is-ancestor "$current_commit" "origin/fips-2022-11-02"; then
echo "Current aws-lc commit is from the 'fips-2022-11-02' branch"
# Check if the current commit is from the "AWS-LC-FIPS-3.0.0" branch
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is AWS-LC-FIPS-3.0.0 approved yet?

if git merge-base --is-ancestor "$current_commit" "AWS-LC-FIPS-3.0.0"; then
echo "Current aws-lc commit is from the 'AWS-LC-FIPS-3.0.0' branch"
status=0
else
echo "Error: Current aws-lc commit is not from the 'fips-2022-11-02' branch"
echo "Error: Current aws-lc commit is not from the 'AWS-LC-FIPS-3.0.0' branch"
status=1
fi

Expand Down
2 changes: 1 addition & 1 deletion crt/aws-lc
Open in desktop
Submodule aws-lc updated from 634f19 to dd5948
2 changes: 1 addition & 1 deletion crt/s2n
Open in desktop
Submodule s2n updated from 2e79e7 to 6cc9f5
36 changes: 15 additions & 21 deletions src/main/java/software/amazon/awssdk/crt/io/TlsCipherPreference.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,54 +18,48 @@ public enum TlsCipherPreference {
TLS_CIPHER_SYSTEM_DEFAULT(0),

/**
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_2_2023 instead.
*/
@Deprecated
TLS_CIPHER_KMS_PQ_TLSv1_0_2019_06(1),

/**
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_2_2023 instead.
*/
@Deprecated
TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2019_11(2),

/**
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_2_2023 instead.
*/
@Deprecated
TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_02(3),

/**
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_2_2023 instead.
*/
@Deprecated
TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2020_02(4),

/**
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 instead.
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_2_2023 instead.
*/
@Deprecated
TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07(5),

/**
* This TlsCipherPreference supports TLS 1.0 through TLS 1.3, and contains Kyber Round 3 as its highest priority
* PQ algorithm. PQ algorithms in this preference list will be used in hybrid mode, and will be combined with a
* classical ECDHE key exchange.
*
* NIST has announced that Kyber will be first post-quantum key-agreement algorithm that it will standardize.
* However, the NIST standardization process might introduce minor changes that may cause the final Kyber standard
* to differ from the Kyber Round 3 implementation available in this preference list.
*
* Since this TlsCipherPreference contains algorithms that have not yet been officially standardized by NIST, this
* preference list, and any of the PQ algorithms in it, may stop being supported at any time.
* @deprecated This TlsCipherPreference is no longer supported. Use TLS_CIPHER_PREF_PQ_TLSv1_2_2023 instead.
*/
@Deprecated
TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05(6),

/**
* This TlsCipherPreference is a clone of the "AWS-CRT-SDK-TLSv1.2-2023" s2n TLS Policy, but with the following PQ SupportedGroups added:
* - X25519MLKEM768, P256MLKEM768, SecP256r1Kyber768Draft00, X25519Kyber768Draft00, secp384r1_kyber-768-r3, secp521r1_kyber-1024-r3, secp256r1_kyber-512-r3, x25519_kyber-512-r3
*
* For more info see:
* - https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
* - https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design
* - https://aws.amazon.com/blogs/security/how-to-tune-tls-for-hybrid-post-quantum-cryptography-with-kyber/
* - https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
* Both X25519MLKEM768 and P256MLKEM768 will be standardized by the IETF soon. Hybrid Groups that contain Kyber may be removed in the future.
*/
TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05(6);
TLS_CIPHER_PREF_PQ_TLSv1_2_2023(7);

private int val;

Expand Down
Loading