in tls/s2n_security_policies.c [1540:1568]
/*
 * Reports whether `security_policy` requires the TLS 1.2 PQ KEM extension.
 *
 * Resolution order:
 *   1. A NULL policy never requires the extension.
 *   2. A policy found in security_policy_selection (matched by pointer identity,
 *      not by content) uses that entry's pq_kem_extension_required flag.
 *      Only the value 1 counts as "required".
 *   3. Any other policy is evaluated from its own KEM and cipher preferences.
 *
 * Because step 2 compares addresses, a caller-built copy of a listed policy
 * does not match the table and falls through to step 3.
 */
bool s2n_pq_kem_is_extension_required(const struct s2n_security_policy *security_policy)
{
    if (!security_policy) {
        return false;
    }

    /* The selection table is terminated by an entry whose version is NULL. */
    int entry = 0;
    while (security_policy_selection[entry].version != NULL) {
        if (security_policy == security_policy_selection[entry].security_policy) {
            return security_policy_selection[entry].pq_kem_extension_required == 1;
        }
        entry++;
    }

    /* KEM preferences that are present but list no KEMs do not require the extension. */
    if (security_policy->kem_preferences != NULL && security_policy->kem_preferences->kem_count == 0) {
        return false;
    }

    /* Not an official policy: derive the answer from its cipher suites. */
    const struct s2n_cipher_preferences *suite_prefs = security_policy->cipher_preferences;
    if (!suite_prefs) {
        return false;
    }

    /* Stop at the first suite that needs the PQ extension. */
    bool extension_needed = false;
    for (size_t suite_idx = 0; suite_idx < suite_prefs->count && !extension_needed; suite_idx++) {
        extension_needed = s2n_cipher_suite_requires_pq_extension(suite_prefs->suites[suite_idx]);
    }
    return extension_needed;
}