Add PQ_DEFAULT enum to aws_tls_cipher_pref (#707)

awslabs · Feb 11, 2025 · b1774b6 · b1774b6
1 parent 3041dab
commit b1774b6
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/include/aws/io/tls_channel_handler.h b/include/aws/io/tls_channel_handler.h
@@ -43,6 +43,9 @@ enum aws_tls_cipher_pref {
      */
     AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10 = 7,
 
+    /* Recommended default policy with post-quantum algorithm support. This policy may change over time. */
+    AWS_IO_TLS_CIPHER_PREF_PQ_DEFAULT = 8,
+
     AWS_IO_TLS_CIPHER_PREF_END_RANGE = 0xFFFF
 };
 

diff --git a/source/s2n/s2n_tls_channel_handler.c b/source/s2n/s2n_tls_channel_handler.c
@@ -272,6 +272,8 @@ bool aws_tls_is_cipher_pref_supported(enum aws_tls_cipher_pref cipher_pref) {
             return true;
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSV1_2_2024_10:
             return true;
+        case AWS_IO_TLS_CIPHER_PREF_PQ_DEFAULT:
+            return true;
 #endif
 
         default:
@@ -1535,6 +1537,10 @@ static struct aws_tls_ctx *s_tls_ctx_new(
             /* No-Op, if the user configured a minimum_tls_version then a version-specific Cipher Preference was set
              */
             break;
+        case AWS_IO_TLS_CIPHER_PREF_PQ_DEFAULT:
+            /* The specific PQ policy used here may change over time. */
+            security_policy = "AWS-CRT-SDK-TLSv1.2-2023-PQ";
+            break;
         case AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05:
             security_policy = "PQ-TLS-1-0-2021-05-26";
             break;