Package: strongswan
Tags: patch
thanks

I've been slowly working to replace algorithms I rely on with PQC resistant algorithms. strongSwan 6.0.0 contained optional ML-KEM support, which we didn't enable (likely because it's an obscure looking flag).
I've patched strongSwan to build the ml plugin, which I added to libstrongswan-extra-plugins, as is our convention. Attached is a debdiff.
I've built this on trixie and sid, and have tested[1] this for my personal site-to-site VPN configuration. It looks good so far - from -list-sas:
```
AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384/KE1_ML_KEM_1024
established 296s ago, rekeying in 12729s
```
And the output of list-algs:
```
$ swanctl --list-algs | grep -i KEM
ML_KEM_512[openssl]
ML_KEM_768[openssl]
ML_KEM_1024[openssl]
```
Thanks for maintaining strongSwan
[1]: specifically, I'm using
proposals = aes256gcm16-prfsha384-prfsha512-ecp384-ke1_mlkem1024
with success.
--
⢀⣴⠾⠻⢶⣦⠀ Paul Tagliamonte <paultag>
⣾⠁⢠⠒⠀⣿⡁ https://people.debian.org/~paultag | https://pault.ag/
⢿⡄⠘⠷⠚⠋ Debian, the universal operating system.
⠈⠳⣄⠀⠀ 4096R / FEF2 EB20 16E6 A856 B98C E820 2DCD 6B5D E858 ADF3
diff -Nru strongswan-6.0.5/debian/changelog strongswan-6.0.5/debian/changelog --- strongswan-6.0.5/debian/changelog 2026-03-24 05:28:49.000000000 -0400 +++ strongswan-6.0.5/debian/changelog 2026-04-06 12:16:55.000000000 -0400 @@ -1,3 +1,9 @@ +strongswan (6.0.5-2) UNRELEASED; urgency=medium + + * enable ML-KEM algorithms (mlkem512, mlkem768 and mlkem1024). + + -- Paul Tagliamonte <[email protected]> Mon, 06 Apr 2026 12:16:55 -0400 + strongswan (6.0.5-1) unstable; urgency=medium * d/usr.sbin.swanctl: add setuid/setgid caps to swanctl apparmor profile diff -Nru strongswan-6.0.5/debian/libstrongswan-extra-plugins.install strongswan-6.0.5/debian/libstrongswan-extra-plugins.install --- strongswan-6.0.5/debian/libstrongswan-extra-plugins.install 2026-03-24 05:28:49.000000000 -0400 +++ strongswan-6.0.5/debian/libstrongswan-extra-plugins.install 2026-04-06 12:16:55.000000000 -0400 @@ -16,6 +16,7 @@ usr/lib/ipsec/plugins/libstrongswan-ldap.so usr/lib/ipsec/plugins/libstrongswan-md5.so usr/lib/ipsec/plugins/libstrongswan-mgf1.so +usr/lib/ipsec/plugins/libstrongswan-ml.so usr/lib/ipsec/plugins/libstrongswan-pgp.so usr/lib/ipsec/plugins/libstrongswan-pkcs11.so usr/lib/ipsec/plugins/libstrongswan-pkcs12.so @@ -41,6 +42,7 @@ usr/share/strongswan/templates/config/plugins/ldap.conf usr/share/strongswan/templates/config/plugins/md5.conf usr/share/strongswan/templates/config/plugins/mgf1.conf +usr/share/strongswan/templates/config/plugins/ml.conf usr/share/strongswan/templates/config/plugins/pgp.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf usr/share/strongswan/templates/config/plugins/pkcs12.conf @@ -66,6 +68,7 @@ etc/strongswan.d/charon/ldap.conf etc/strongswan.d/charon/md5.conf etc/strongswan.d/charon/mgf1.conf +etc/strongswan.d/charon/ml.conf etc/strongswan.d/charon/pgp.conf etc/strongswan.d/charon/pkcs11.conf etc/strongswan.d/charon/pkcs12.conf 
@@ -91,6 +94,7 @@ etc/strongswan.d/charon-cmd/ldap.conf etc/strongswan.d/charon-cmd/md5.conf etc/strongswan.d/charon-cmd/mgf1.conf +etc/strongswan.d/charon-cmd/ml.conf etc/strongswan.d/charon-cmd/pkcs11.conf etc/strongswan.d/charon-cmd/pkcs12.conf etc/strongswan.d/charon-cmd/rc2.conf @@ -114,6 +118,7 @@ etc/strongswan.d/charon-nm/ldap.conf etc/strongswan.d/charon-nm/md5.conf etc/strongswan.d/charon-nm/mgf1.conf +etc/strongswan.d/charon-nm/ml.conf etc/strongswan.d/charon-nm/pkcs11.conf etc/strongswan.d/charon-nm/rc2.conf etc/strongswan.d/charon-nm/sha1.conf diff -Nru strongswan-6.0.5/debian/rules strongswan-6.0.5/debian/rules --- strongswan-6.0.5/debian/rules 2026-03-24 05:28:49.000000000 -0400 +++ strongswan-6.0.5/debian/rules 2026-04-06 12:15:06.000000000 -0400 @@ -38,6 +38,7 @@ --enable-mediation \ --enable-md5 \ --enable-mgf1 \ + --enable-ml \ --enable-openssl \ --enable-pkcs11 \ --enable-pkcs12 \
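Review bot: in the debian/changelog hunk, the new 6.0.5-2 entry names only the algorithms and not the files changed, while the 6.0.5-1 entry below it uses the "d/<file>:" prefix style ("d/usr.sbin.swanctl: add setuid/setgid caps ..."). Consider one bullet per change, for example "d/rules: build the ml plugin (--enable-ml)" and "d/libstrongswan-extra-plugins.install: ship the ml plugin and its config files", so that the plugin's placement in libstrongswan-extra-plugins is recorded, and add a Closes: reference to this bug once its number is known.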
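Review bot: in debian/libstrongswan-extra-plugins.install, the charon-cmd and charon-nm hunks add ml.conf to lists that do not mirror the charon/ list (the context lines show pgp.conf under charon/ but not under charon-cmd or charon-nm, and no pkcs12.conf under charon-nm), so it is worth confirming that the build really generates etc/strongswan.d/charon-cmd/ml.conf and etc/strongswan.d/charon-nm/ml.conf. If either file is not produced for that daemon, drop the corresponding line rather than listing a path the build does not install.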
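Review bot: in the debian/rules hunk, --enable-ml is added next to an already present --enable-openssl, and the --list-algs output quoted in the report attributes all three ML_KEM entries to [openssl], so the testing shown does not demonstrate that the newly built ml plugin is loaded or used. Please state which plugin is expected to provide ML-KEM in the Debian package, and include output in which the algorithms are registered by the ml plugin (for example from a run with the openssl plugin not loaded).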

