Add deprecated PQ key agreements and SSL(CTX_)use_second_keyshare

BoringSSL upstream supports X25519Kyber768Draft00 already under
codepoint 0x6399, which is the recommended post-quantum key
agreement to use

This patch adds:

1. Support for X25519Kyber768Draft00 under the old codepoint 0xfe31.

2. Support for X25519Kyber512Draft00 under the codepoint 0xfe30. This
   key agreement should only be used for testing: to see if the smaller
   keyshare makes a difference.

3. SSL(_CTX)_use_second_keyshare

   By default as a a client BoringSSL will send a non post-quantum and a
   post-quantum keyshare if available. These functions allow one to change
   the behaviour to only send a single keyshare.

   Also add -disable-second-keyshare as a flag to `bssl client'

The patch also replaces Google's implementation of Kyber, by the
portable reference implementation, so as to support Kyber512.

Author: bwesterb

README.md

@@ -1,3 +1,9 @@
+**WARNING** [Upstream BoringSSL](https://boringssl.googlesource.com/boringssl/)
+now supports `X25519Kyber768Draft00` under the new codepoint `0x6399`.
+This fork is **deprecated**. It supports the old codepoints `0xfe30`
+and `0xfe31` for `X25519Kyber512Draft00` and `X25519Kyber768Draft00`
+respectively.
+
 # BoringSSL
 
 BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

crypto/CMakeLists.txt

@@ -173,8 +173,8 @@ add_library(
   ex_data.c
   hpke/hpke.c
   hrss/hrss.c
-  kyber/keccak.c
-  kyber/kyber.c
+  kyber/kyber512.c
+  kyber/kyber768.c
   lhash/lhash.c
   mem.c
   obj/obj.c