PQ: fix timing side channels and add IPDWing

Fix three potential timing side channels. These don't affect ephemeral
usage of Kyber as in TLS, but it's good practice to get rid of them anyway.

Also adds IPDWing, a preliminary version of X-Wing using the initial public
draft (IPD) of ML-KEM. Don't use it.
Bas Westerbaan 2024-06-24 21:42:20 +02:00 committed by Ivan Nikulin
parent 6ca7b34fd0
commit 4725a930d5
3 changed files with 1412 additions and 883 deletions

File diff suppressed because it is too large.


@ -83,6 +83,10 @@
//! boxes.
//! - `P256Kyber768Draft00`. Similar again to `X25519Kyber768Draft00`, but uses P256 as classical
//! part. It uses a non-standard codepoint. Not recommended.
//! - `IPDWing`. A preliminary version of
//! [X-Wing](https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/02/).
//! Similar to `X25519Kyber768Draft00Old`, but uses a newer (but not yet final) version of Kyber
//! called ML-KEM-ipd. Not recommended.
//!
//! Presently all these key agreements are deployed by Cloudflare, but we do not guarantee continued
//! support for them.
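Review bot: the new `IPDWing` bullet (the four added `//!` lines) is looser than the `P256Kyber768Draft00` bullet right above it: it does not say that the codepoint is non-standard, and "a newer (but not yet final) version of Kyber" does not tell the reader which X-Wing revision is implemented, even though the link pins draft-connolly-cfrg-xwing-kem-02. Since the commit message says "Don't use it", say that here in the same terms and name the draft, so nobody assumes interoperability with later X-Wing drafts or with final ML-KEM, e.g. `//! - \`IPDWing\`. A preliminary version of X-Wing (draft-connolly-cfrg-xwing-kem-02) built on ML-KEM-ipd, the initial public draft of ML-KEM. Non-standard codepoint; will not interoperate with final X-Wing. Do not use.`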


@ -703,6 +703,9 @@ impl SslCurve {
#[cfg(feature = "pq-experimental")]
pub const P256_KYBER768_DRAFT00: SslCurve = SslCurve(ffi::NID_P256Kyber768Draft00);
#[cfg(feature = "pq-experimental")]
pub const IPD_WING: SslCurve = SslCurve(ffi::NID_IPDWing);
/// Returns the curve name
///
/// This corresponds to [`SSL_get_curve_name`]
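Review bot: `IPD_WING` is added with no doc comment, while the very next item carries `/// Returns the curve name`; given the module docs mark it "Not recommended", put a `///` line on the constant saying so (and that it requires `ffi::NID_IPDWing` from the bindings change in the suppressed diff) so the warning is visible at the use site and not only in the crate overview. Also, since `name()` goes through `SSL_get_curve_name`, check that any Rust-side NID-to-curve lookup on `SslCurve` (a `from_nid`-style match, if one exists) gains an arm for `NID_IPDWing` as well, otherwise the new constant is reachable from Rust but the reverse mapping will not recognise it.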