
Add Support for ML-KEM TLS Groups #4738

Open

wants to merge 1 commit into main

Conversation

@geedo0 (Contributor) commented Aug 27, 2024

Resolved issues:

Resolves PQCrypto-99

Description of changes:

NIST recently published FIPS-203 which standardizes the ML-KEM algorithm (formerly known as Kyber in s2n). Final standardization of the hybrid-PQ TLS groups to include the standardized version of ML-KEM is imminent. The draft for the final construction and IANA assignments is available here. The corresponding implementation of ML-KEM is merged and available in AWS-LC with a NID assigned here.

This PR implements draft-kwiatkowski-tls-ecdhe-mlkem with the assumption that it will be ratified as-is by the IETF. The document defines the TLS Groups SecP256r1MLKEM768 and X25519MLKEM768, which succeed the existing "temporary" draft code points for SecP256r1Kyber768Draft00 and X25519Kyber768Draft00. We expose these TLS groups under two new TLS security policies. An "IETF only" policy, which drops support for all prior draft implementations, is intended to be the new default_pq policy. A "mixed" policy is also provided which includes support for all existing drafts; it is intended to be used for interim compatibility for customers that have already deployed draft standards.

Call-outs:

  • Portions of the source which used "kyber" to qualify names have been changed to "evp_kem" to be more generic.
  • A new preprocessor flag S2N_LIBCRYPTO_SUPPORTS_MLKEM was added to conditionally build in support for ML-KEM.
  • Some effort was spent further cleaning up remnants from the removal of the "interned Kyber" code. In particular, the function s2n_pq_is_enabled is simply an alias for s2n_libcrypto_supports_evp_kem and references to this were either removed or renamed.

Testing:

How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?

  • Existing tests around Kyber have been either updated or extended to validate the new ML-KEM support.
  • This was not done exhaustively; there exist some tests that mention Kyber which I have not yet updated. The reviewer should call attention to any tests they believe need to be updated or remark that the testing provided thus far is adequate.
  • The tests were run locally against the current tip of AWS-LC/main which includes support for ML-KEM-768.
  • The current versions of AWS-LC in S2N's CI do not have ML-KEM support, please advise on how we should get those updated.
# Assert that tests succeeded locally using the latest AWS-LC
🍾 ➜  aws-lc git:(main) git show -q
commit 4ec9993058e23bcd5247b44458d9c4b8b603bc15 (HEAD -> main, upstream/main)
Author: dkostic <[email protected]>
Date:   Mon Aug 26 12:52:55 2024 -0700
...

🍾 ➜  cmake-build-debug git:(mlkem) ✗ ninja test
[0/1] Running tests...
Test project /Users/gcr/git-workplace/s2n-tls/cmake-build-debug
        Start   1: s2n_3des_test
  1/268 Test   #1: s2n_3des_test ....................................   Passed    4.78 sec
        Start   2: s2n_aead_aes_test
...
268/268 Test #268: s2n_x509_validator_time_verification_test ........   Passed    1.21 sec

100% tests passed, 0 tests failed out of 268

Label Time Summary:
unit    = 564.69 sec*proc (268 tests)

Total Test time (real) = 565.03 sec
🍾 ➜  cmake-build-debug git:(mlkem) ✗

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
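The two hybrid groups named in the description differ not only in their code points but in the order of the ML-KEM and ECDH components inside the key_share payload and in the order of the two shared secrets fed to the TLS 1.3 key schedule. The following Python is an added example, not s2n-tls or AWS-LC code, that encodes and parses the KeyShareEntry for both groups and applies the exact-length checks a receiver needs. The code points (0x11EC, 0x11EB) and the component order are taken from draft-kwiatkowski-tls-ecdhe-mlkem as the author of this example reads it and should be checked against the draft revision actually implemented; the component sizes follow FIPS 203, RFC 7748 and the uncompressed secp256r1 point encoding. All byte values are constructed placeholders; no ML-KEM or ECDH arithmetic is performed.

```python
"""Wire-layout helpers for the hybrid ML-KEM TLS groups (example code, not s2n's)."""
import struct

# Component sizes in bytes: FIPS 203 (ML-KEM-768), RFC 7748 (X25519) and the
# uncompressed point encoding used for secp256r1 in TLS 1.3.
MLKEM768_EK_LEN = 1184  # encapsulation key sent by the client
MLKEM768_CT_LEN = 1088  # ciphertext sent by the server
MLKEM768_SS_LEN = 32
X25519_PK_LEN = X25519_SS_LEN = 32
P256_PK_LEN = 65        # 0x04 || X || Y
P256_SS_LEN = 32        # X coordinate of the ECDH result

# Group table. Code points and component ORDER are as the author of this example
# reads draft-kwiatkowski-tls-ecdhe-mlkem: X25519MLKEM768 puts the ML-KEM part
# first, SecP256r1MLKEM768 puts the ECDH part first. Verify against your draft.
HYBRID_GROUPS = {
    "X25519MLKEM768": dict(id=0x11EC, mlkem_first=True,
                           ecdh_pk_len=X25519_PK_LEN, ecdh_ss_len=X25519_SS_LEN),
    "SecP256r1MLKEM768": dict(id=0x11EB, mlkem_first=False,
                              ecdh_pk_len=P256_PK_LEN, ecdh_ss_len=P256_SS_LEN),
}
GROUP_NAMES = {g["id"]: name for name, g in HYBRID_GROUPS.items()}


def _require_len(label, value, expected):
    if len(value) != expected:
        raise ValueError(f"{label}: expected {expected} bytes, got {len(value)}")


def _join(group, mlkem_part, ecdh_part):
    """Concatenate the two components in the order the group specifies."""
    return mlkem_part + ecdh_part if group["mlkem_first"] else ecdh_part + mlkem_part


def _split(group, data, mlkem_len, ecdh_len):
    """Inverse of _join; returns (mlkem_part, ecdh_part), exact length required."""
    _require_len("hybrid key_exchange", data, mlkem_len + ecdh_len)
    if group["mlkem_first"]:
        return data[:mlkem_len], data[mlkem_len:]
    return data[ecdh_len:], data[:ecdh_len]


def build_client_key_share(name, mlkem_ek, ecdh_pk):
    """Client side: a KeyShareEntry (group || length || key_exchange)."""
    group = HYBRID_GROUPS[name]
    _require_len("ML-KEM-768 encapsulation key", mlkem_ek, MLKEM768_EK_LEN)
    _require_len("ECDH public share", ecdh_pk, group["ecdh_pk_len"])
    body = _join(group, mlkem_ek, ecdh_pk)
    return struct.pack("!HH", group["id"], len(body)) + body


def build_server_key_share(name, mlkem_ct, ecdh_pk):
    """Server side: ciphertext replaces the encapsulation key, same order."""
    group = HYBRID_GROUPS[name]
    _require_len("ML-KEM-768 ciphertext", mlkem_ct, MLKEM768_CT_LEN)
    _require_len("ECDH public share", ecdh_pk, group["ecdh_pk_len"])
    body = _join(group, mlkem_ct, ecdh_pk)
    return struct.pack("!HH", group["id"], len(body)) + body


def parse_key_share_entry(data):
    """Split a KeyShareEntry into (group name, key_exchange bytes)."""
    if len(data) < 4:
        raise ValueError("truncated KeyShareEntry")
    group_id, length = struct.unpack("!HH", data[:4])
    if len(data) != 4 + length:
        raise ValueError("KeyShareEntry length field does not match payload")
    if group_id not in GROUP_NAMES:
        raise ValueError(f"unsupported group 0x{group_id:04x}")
    return GROUP_NAMES[group_id], data[4:]


def parse_client_share(name, body):
    """Server side: recover (mlkem_ek, ecdh_pk) from the client's key_exchange."""
    group = HYBRID_GROUPS[name]
    return _split(group, body, MLKEM768_EK_LEN, group["ecdh_pk_len"])


def parse_server_share(name, body):
    """Client side: recover (mlkem_ct, ecdh_pk) from the server's key_exchange."""
    group = HYBRID_GROUPS[name]
    return _split(group, body, MLKEM768_CT_LEN, group["ecdh_pk_len"])


def combine_shared_secret(name, mlkem_ss, ecdh_ss):
    """The 64-byte (EC)DHE input to the TLS 1.3 key schedule, in group order."""
    group = HYBRID_GROUPS[name]
    _require_len("ML-KEM shared secret", mlkem_ss, MLKEM768_SS_LEN)
    _require_len("ECDH shared secret", ecdh_ss, group["ecdh_ss_len"])
    return _join(group, mlkem_ss, ecdh_ss)


if __name__ == "__main__":
    # Constructed placeholder bytes; real values come from ML-KEM.KeyGen/Encaps
    # and X25519 in the libcrypto.
    ek, xpk = b"\xaa" * MLKEM768_EK_LEN, b"\xbb" * X25519_PK_LEN
    name, body = parse_key_share_entry(build_client_key_share("X25519MLKEM768", ek, xpk))
    print(name, parse_client_share(name, body) == (ek, xpk))
    ct, spk = b"\xcc" * MLKEM768_CT_LEN, b"\xdd" * X25519_PK_LEN
    reply = build_server_key_share(name, ct, spk)
    print(parse_server_share(name, parse_key_share_entry(reply)[1]) == (ct, spk))
```

Note what the length check does and does not catch: a truncated or padded share is rejected, but a peer that sends the ECDH share first under the X25519MLKEM768 code point (the X25519Kyber768Draft00 order) still has the right total length and only fails at decapsulation. That is one reason the standardized groups get fresh code points rather than reusing the draft ones, and why a "mixed" policy must keep the draft and final code points as distinct groups.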

@lrstewart lrstewart self-requested a review August 29, 2024 18:22
@geedo0 geedo0 changed the title Adds support for ML-KEM Adds support for ML-KEM TLS Groups Aug 29, 2024
@geedo0 geedo0 changed the title Adds support for ML-KEM TLS Groups Add Support for ML-KEM TLS Groups Aug 29, 2024
@geedo0 geedo0 marked this pull request as ready for review August 30, 2024 14:51
@geedo0 (Contributor, Author) commented Aug 30, 2024

After today, I'll be going on vacation and @alexw91 will be taking over the PR. To support this, I cleaned up the code, flipped the PR status to ready for review, and granted him permissions to push to my branch. Since the IETF document and AWS-LC's ML-KEM source are still in flux, I've advised the PQ team to hold off on merging this PR until those two items are settled. Beyond what's in the PR already, I also anticipate that we need to update the PQ integration test and also the version of AWS-LC inside the docker container.
