feat: add hybrid PQ key exchange support (X25519MLKEM768)

- Update server and runner to use X25519MLKEM768 kx group from aws_lc_rs - Both --mode x25519 and --mode x25519mlkem768 now work - Integration tested end-to-end with both modes
2026-03-22 00:36:21 +00:00 · 2026-02-03 14:00:35 +02:00
parent b03cc2a386
commit 27e1cbe98b
2 changed files with 10 additions and 8 deletions
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -13,7 +13,10 @@ use common::{
 use miette::miette;
 use rustls::{
    ServerConfig,
-    crypto::aws_lc_rs::{self, kx_group::X25519},
+    crypto::aws_lc_rs::{
+        self,
+        kx_group::{X25519, X25519MLKEM768},
+    },
    pki_types::{CertificateDer, PrivateKeyDer},
    server::Acceptor,
    version::TLS13,
@@ -47,9 +50,7 @@ fn build_tls_config(
    let mut provider = aws_lc_rs::default_provider();
    provider.kx_groups = match mode {
        KeyExchangeMode::X25519 => vec![X25519],
-        KeyExchangeMode::X25519Mlkem768 => {
-            todo!("Configure hybrid PQ key exchange")
-        }
+        KeyExchangeMode::X25519Mlkem768 => vec![X25519MLKEM768],
    };

    // Convert certificate chain