feat: add hybrid PQ key exchange support (X25519MLKEM768)

- Update server and runner to use X25519MLKEM768 kx group from aws_lc_rs
- Both --mode x25519 and --mode x25519mlkem768 now work
- Integration tested end-to-end with both modes

runner/src/main.rs

@@ -15,7 +15,10 @@ use miette::miette;
 use rustls::{
     ClientConfig, DigitallySignedStruct, SignatureScheme,
     client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-    crypto::aws_lc_rs::{self, kx_group::X25519},
+    crypto::aws_lc_rs::{
+        self,
+        kx_group::{X25519, X25519MLKEM768},
+    },
     pki_types::{CertificateDer, ServerName, UnixTime},
     version::TLS13,
 };
@@ -126,9 +129,7 @@ fn build_tls_config(mode: KeyExchangeMode) -> miette::Result<Arc<ClientConfig>>
     let mut provider = aws_lc_rs::default_provider();
     provider.kx_groups = match mode {
         KeyExchangeMode::X25519 => vec![X25519],
-        KeyExchangeMode::X25519Mlkem768 => {
+        KeyExchangeMode::X25519Mlkem768 => vec![X25519MLKEM768],
-            todo!("Configure hybrid PQ key exchange")
-        }
     };
 
     let config = ClientConfig::builder_with_provider(Arc::new(provider))

server/src/main.rs

@@ -13,7 +13,10 @@ use common::{
 use miette::miette;
 use rustls::{
     ServerConfig,
-    crypto::aws_lc_rs::{self, kx_group::X25519},
+    crypto::aws_lc_rs::{
+        self,
+        kx_group::{X25519, X25519MLKEM768},
+    },
     pki_types::{CertificateDer, PrivateKeyDer},
     server::Acceptor,
     version::TLS13,
@@ -47,9 +50,7 @@ fn build_tls_config(
     let mut provider = aws_lc_rs::default_provider();
     provider.kx_groups = match mode {
         KeyExchangeMode::X25519 => vec![X25519],
-        KeyExchangeMode::X25519Mlkem768 => {
+        KeyExchangeMode::X25519Mlkem768 => vec![X25519MLKEM768],
-            todo!("Configure hybrid PQ key exchange")
-        }
     };
 
     // Convert certificate chain