From 27e1cbe98b7298672a29f79d75ff144d62af3259 Mon Sep 17 00:00:00 2001
From: Kristofers Solo
Date: Tue, 3 Feb 2026 14:00:35 +0200
Subject: [PATCH] feat: add hybrid PQ key exchange support (X25519MLKEM768)

- Update server and runner to use X25519MLKEM768 kx group from aws_lc_rs
- Both --mode x25519 and --mode x25519mlkem768 now work
- Integration tested end-to-end with both modes
---
 runner/src/main.rs | 9 +++++----
 server/src/main.rs | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/runner/src/main.rs b/runner/src/main.rs
index a5adeb7..083aea2 100644
--- a/runner/src/main.rs
+++ b/runner/src/main.rs
@@ -15,7 +15,10 @@ use miette::miette;
 use rustls::{
 ClientConfig, DigitallySignedStruct, SignatureScheme,
 client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
- crypto::aws_lc_rs::{self, kx_group::X25519},
+ crypto::aws_lc_rs::{
+ self,
+ kx_group::{X25519, X25519MLKEM768},
+ },
 pki_types::{CertificateDer, ServerName, UnixTime},
 version::TLS13,
 };
@@ -126,9 +129,7 @@ fn build_tls_config(mode: KeyExchangeMode) -> miette::Result>
 let mut provider = aws_lc_rs::default_provider();
 provider.kx_groups = match mode {
 KeyExchangeMode::X25519 => vec![X25519],
- KeyExchangeMode::X25519Mlkem768 => {
- todo!("Configure hybrid PQ key exchange")
- }
+ KeyExchangeMode::X25519Mlkem768 => vec![X25519MLKEM768],
 };
 let config = ClientConfig::builder_with_provider(Arc::new(provider))
diff --git a/server/src/main.rs b/server/src/main.rs
index 27d9614..9741029 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -13,7 +13,10 @@ use common::{
 use miette::miette;
 use rustls::{
 ServerConfig,
- crypto::aws_lc_rs::{self, kx_group::X25519},
+ crypto::aws_lc_rs::{
+ self,
+ kx_group::{X25519, X25519MLKEM768},
+ },
 pki_types::{CertificateDer, PrivateKeyDer},
 server::Acceptor,
 version::TLS13,
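Review bot: The `X25519Mlkem768` arm in `build_tls_config` of runner/src/main.rs (second hunk of that file) installs a one-element group list, so the client offers only the hybrid share and has no classical fallback, but nothing on the match says this is deliberate. If a later edit appends `X25519` as a convenience fallback, a peer running in the other mode could complete the handshake on the classical group while the run is still labelled hybrid. I would add a comment above the match such as `// Exactly one group per mode, no fallback: a handshake that completes used the requested key exchange.` The matching arm in server/src/main.rs (its second hunk) deserves the same comment. The body of `build_tls_config` continues outside the hunk.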
@@ -47,9 +50,7 @@ fn build_tls_config(
 let mut provider = aws_lc_rs::default_provider();
 provider.kx_groups = match mode {
 KeyExchangeMode::X25519 => vec![X25519],
- KeyExchangeMode::X25519Mlkem768 => {
- todo!("Configure hybrid PQ key exchange")
- }
+ KeyExchangeMode::X25519Mlkem768 => vec![X25519MLKEM768],
 };
 // Convert certificate chain
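Review bot: The new `X25519Mlkem768` arm has no test that pins it, and the diffstat shows only the two main.rs files changing, so the end-to-end run mentioned in the commit message is the only check that this mode configures the hybrid group. A unit test that builds the config for each mode and inspects the provider's group list would catch a swapped arm or an added fallback group, for example `assert_eq!(cfg.crypto_provider().kx_groups.len(), 1);` followed by a comparison of `kx_groups[0].name()` with the expected named group (assuming the pinned rustls version exposes these accessors). The same test applies to `build_tls_config` in runner/src/main.rs. The function's signature and the rest of its body are outside this hunk.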