The big diff is misleading. Applying each patch to the base 478b28ab12f
and comparing them, we see:
git range-diff 478b28ab12f2001a03261624261fd041f5439706..adcd4022f75953605a9bf9f6a4a45c0b4fd8ed94 478b28ab12f2001a03261624261fd041f5439706..6f1b1e1f451e61cd2bda0922eecaa8387397ac5a
1: adcd4022f ! 1: 6f1b1e1f4 Add additional post-quantum key agreements
@@ Commit message
This patch adds:
- 1. Support for MLKEM768X25519 under the codepoint 0x11ec. The version
- of BoringSSL we patch against did not support it yet.
+ 1. Support for X25519MLKEM768 under the codepoint 0x11ec. The version
+ of BoringSSL we patch against did not support it yet. Like recent
+ upstream, enable by default.
2. Supports for P256Kyber768Draft00 under 0xfe32, which we temporarily
need for compliance reasons. (Note that this is not the codepoint
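Review bot: while this hunk rewrites item 1 of the message, item 2 directly below it still reads "Supports for P256Kyber768Draft00" and should be "Support for" in the same edit. The added sentence "Like recent upstream, enable by default" would also be easier to verify if it named the upstream BoringSSL change it follows, since the message otherwise says the pinned BoringSSL version does not support the group at all.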
@@ ssl/extensions.cc: static bool tls1_check_duplicate_extensions(const CBS *cbs) {
return true;
default:
return false;
+@@ ssl/extensions.cc: bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
+ }
+
+ static const uint16_t kDefaultGroups[] = {
++ SSL_GROUP_X25519_MLKEM768,
+ SSL_GROUP_X25519,
+ SSL_GROUP_SECP256R1,
+ SSL_GROUP_SECP384R1,
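Review bot: SSL_GROUP_X25519_MLKEM768 is inserted at the head of kDefaultGroups, ahead of SSL_GROUP_X25519, so this does more than "enable by default": a client built with no explicit group list will now prefer the hybrid and generate its key share first, which makes the default ClientHello key_share substantially larger than an X25519-only share. Please confirm the key_share generation in this BoringSSL version only produces a share for the first group (not one per listed group), and that the test suite covers a peer that lacks the hybrid group falling back to SSL_GROUP_X25519 via HelloRetryRequest; the commit message should state the ordering change explicitly.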
## ssl/ssl_key_share.cc ##
@@
Per BoringSSL's FIPS policy, its `main` branch is the "update branch"
for FedRAMP compliance's purposes.
This means that we can stop using a specific BoringSSL branch when
enabling FIPS, as well as a number of hacks that allowed us to build
more recent BoringSSL versions with older pre-compiled FIPS modules.
This also required slightly updating the main BoringSSL submodule, as
the previous version had an issue when building with the FIPS option
enabled. This in turn required some changes to the PQ patch as well as
some APIs that don't seem to be exposed publicly, as well as changing
some paths in the other patches.
In order to allow a smooth upgrade of internal projects, the `fips-compat`
feature is reduced in scope and renamed to `legacy-compat-deprecated` so
that we can incrementally upgrade internal BoringSSL forks. In practice
this shouldn't really be something anyone else would need, since in
order to work it requires a specific mix of BoringSSL version and
backported patches.
Fix three potential timing side channels. These don't affect ephemeral
usage of Kyber as in TLS, but it's good practice to get rid of them anyway.
Also adds IPDWing, a preliminary version of X-Wing using the initial public
draft (IPD) of ML-KEM. Don't use it.