From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <development+bounces-420-archive=lists.ipfire.org@lists.ipfire.org>
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZyjjG04LHz33BZ
	for <archive@lists.ipfire.org>; Thu, 15 May 2025 08:16:34 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZyjjB3cTLz2yTm
	for <development@lists.ipfire.org>; Thu, 15 May 2025 08:16:30 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4Zyjj96b7mzkc;
	Thu, 15 May 2025 08:16:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa;
	t=1747296990;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=e0o1dm1JLFV2XK69oz6MthGR/rJNaCUCtPt5MVlRNc8=;
	b=ShYo58feQ3U6vTEmNLxKlPvcfC9cHYpIhfELTo8rqz/vdfggA1bd36Q+EOd0n9TcbkoMxU
	Y2uQNy4XHLFjAn4nNZcJB+7pDpP6gazK0FULtuwAbJvabekce73wVoIqBc7QrpcHIvPWu9
	hSyjrF2b8iRds/ekL9k1VBo0ho/rrnZ++wfl8RJBghp2dyt4GgVYOXoFX0xvJvJbQcK8Mi
	JQdF2e/V/90554q87Ke0DNnFJmKwFQTER/kZt53QyJXVXDBufWWOtcl4GB+yyXbviZPSWC
	tCFz+TRzstON0h99Gqfk0+jjOvc4woZLI7YBbNU3Nh/ugoDowEwAvEDDcFlfCQ==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1747296990;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=e0o1dm1JLFV2XK69oz6MthGR/rJNaCUCtPt5MVlRNc8=;
	b=T7GwVbsVIMseOwB96ETTaVIHcf3WwtxxgpcVHVIyOINGoljFgvere7QXLtCVhg3Vc2lLOw
	l91rxsw3pebg0UDQ==
Message-ID: <3a6eb02b-c613-4d2f-96f2-ff863c32989b@ipfire.org>
Date: Thu, 15 May 2025 10:16:25 +0200
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
Subject: Re: [PATCH 1/2] vpnmain.cgi: Use ML-KEM only as a hybrid with Curve
 25519
To: =?UTF-8?Q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
References: <8baae50f-cf7b-4af0-81ec-89d898966993@ipfire.org>
Content-Language: en-GB
Cc: "IPFire: Development-List" <development@lists.ipfire.org>
From: Adolf Belka <adolf.belka@ipfire.org>
In-Reply-To: <8baae50f-cf7b-4af0-81ec-89d898966993@ipfire.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hallo Peter,

Good to see you on the list again :+1:

This patch sounds a good approach to take.

Adolf.

On 15/05/2025 10:06, Peter Müller wrote:
> In commit 887778e0888d51eb9942ae310a43f6d2813efad3, the post-quantum
> key exchange algorithm ML-KEM was introduced, due to its support being
> added in strongSwan 6.0. However, using PQC key exchanges is commonly
> recommended only in conjunction with a traditional one, to avoid
> encrypted traffic becoming subject to trivial decryption in case a PQC
> algorithm proves weak, broken, or backdoored. OpenSSH, for instance,
> combines ML-KEM 768 with Curve 25519 (mlkem768x25519-sha256), rather
> than using ML-KEM alone.
> 
> This patch changes the chipher suites offered for IPsec connections to
> always use ML-KEM as a hybrid with Curve 25519. This is possible due to
> strongSwan 6.0 having added support for IKE intermediary key exchanges
> (RFC 9370); see https://docs.strongswan.org/docs/latest/config/proposals.html#_key_exchange_methods
> for additional information.
> 
> We can reasonably assume an IPsec peer supporting ML-KEM will also
> support Curve 25519, as this has been around for much longer, and is
> used quite commonly. Even if this is not the case, or if the IPsec peer
> does not implement RFC 9370, any IPsec connection using our default
> cipher selection will fall back to Curve 448, Curve 25519, or other,
> hence continue working.
> 
> IPsec connections already created will need their ciphers to be changed
> once during the Core Update routine where this patch will be
> incorporated.
> 
> Tested-by: Peter Müller <peter.mueller@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
>   html/cgi-bin/vpnmain.cgi | 36 ++++++++++++++++++------------------
>   1 file changed, 18 insertions(+), 18 deletions(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 4f81fecdf..154b94033 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -2374,11 +2374,11 @@ END
>   	#use default advanced value
>   	$cgiparams{'IKE_ENCRYPTION'}		= 'chacha20poly1305|aes256gcm128|aes256'; #[18];
>   	$cgiparams{'IKE_INTEGRITY'}		= 'sha2_512|sha2_256'; #[19];
> -	$cgiparams{'IKE_GROUPTYPE'}             = 'mlkem1024|mlkem768|mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[20];
> +	$cgiparams{'IKE_GROUPTYPE'}             = 'x25519-ke1_mlkem1024|x25519-ke1_mlkem768|x25519-ke1_mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[20];
>   	$cgiparams{'IKE_LIFETIME'}		= '3'; #[16];
>   	$cgiparams{'ESP_ENCRYPTION'}		= 'chacha20poly1305|aes256gcm128|aes256'; #[21];
>   	$cgiparams{'ESP_INTEGRITY'}		= 'sha2_512|sha2_256'; #[22];
> -	$cgiparams{'ESP_GROUPTYPE'}             = 'mlkem1024|mlkem768|mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[23];
> +	$cgiparams{'ESP_GROUPTYPE'}             = 'x25519-ke1_mlkem1024|x25519-ke1_mlkem768|x25519-ke1_mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[23];
>   	$cgiparams{'ESP_KEYLIFE'}		= '1'; #[17];
>   	$cgiparams{'COMPRESSION'}		= 'off'; #[13];
>   	$cgiparams{'ONLY_PROPOSED'}		= 'on'; #[24];
> @@ -2759,7 +2759,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
>   			goto ADVANCED_ERROR;
>   		}
>   		foreach my $val (@temp) {
> -			if ($val !~ /^(mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
> +			if ($val !~ /^(x25519-ke1_mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
>   				$errormessage = $Lang::tr{'invalid input'};
>   				goto ADVANCED_ERROR;
>   			}
> @@ -2800,7 +2800,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
>   			goto ADVANCED_ERROR;
>   		}
>   		foreach my $val (@temp) {
> -			if ($val !~ /^(mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
> +			if ($val !~ /^(x25519-ke1_mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
>   				$errormessage = $Lang::tr{'invalid input'};
>   				goto ADVANCED_ERROR;
>   			}
> @@ -2940,9 +2940,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
>   	$checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
>   	@temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
>   	foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
> -	$checked{'IKE_GROUPTYPE'}{'mlkem1024'} = '';
> -	$checked{'IKE_GROUPTYPE'}{'mlkem768'} = '';
> -	$checked{'IKE_GROUPTYPE'}{'mlkem512'} = '';
> +	$checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem1024'} = '';
> +	$checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem768'} = '';
> +	$checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem512'} = '';
>   	$checked{'IKE_GROUPTYPE'}{'curve448'} = '';
>   	$checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
>   	$checked{'IKE_GROUPTYPE'}{'768'} = '';
> @@ -2983,9 +2983,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
>   	$checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
>   	@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
>   	foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
> -	$checked{'ESP_GROUPTYPE'}{'mlkem1024'} = '';
> -	$checked{'ESP_GROUPTYPE'}{'mlkem768'} = '';
> -	$checked{'ESP_GROUPTYPE'}{'mlkem512'} = '';
> +	$checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem1024'} = '';
> +	$checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem768'} = '';
> +	$checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem512'} = '';
>   	$checked{'ESP_GROUPTYPE'}{'curve448'} = '';
>   	$checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
>   	$checked{'ESP_GROUPTYPE'}{'768'} = '';
> @@ -3151,9 +3151,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
>   			<td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td>
>   			<td class='boldbase'>
>   				<select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
> -					<option value='mlkem1024' $checked{'IKE_GROUPTYPE'}{'mlkem1024'}>ML-KEM 1024 (256 bit)</option>
> -					<option value='mlkem768' $checked{'IKE_GROUPTYPE'}{'mlkem768'}>ML-KEM 768 (192 bit)</option>
> -					<option value='mlkem512' $checked{'IKE_GROUPTYPE'}{'mlkem512'}>ML-KEM 512 (128 bit)</option>
> +					<option value='x25519-ke1_mlkem1024' $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem1024'}>Curve 25519 x ML-KEM 1024 (256 bit)</option>
> +					<option value='x25519-ke1_mlkem768' $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem768'}>Curve 25519 x ML-KEM 768 (192 bit)</option>
> +					<option value='x25519-ke1_mlkem512' $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem512'}>Curve 25519 x ML-KEM 512 (128 bit)</option>
>   					<option value='curve448' $checked{'IKE_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
>   					<option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (128 bit)</option>
>   					<option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
> @@ -3177,9 +3177,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
>   			</td>
>   			<td class='boldbase'>
>   				<select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
> -					<option value='mlkem1024' $checked{'ESP_GROUPTYPE'}{'mlkem1024'}>ML-KEM 1024 (256 bit)</option>
> -					<option value='mlkem768' $checked{'ESP_GROUPTYPE'}{'mlkem768'}>ML-KEM 768 (192 bit)</option>
> -					<option value='mlkem512' $checked{'ESP_GROUPTYPE'}{'mlkem512'}>ML-KEM 512 (128 bit)</option>
> +					<option value='x25519-ke1_mlkem1024' $checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem1024'}>Curve 25519 x ML-KEM 1024 (256 bit)</option>
> +					<option value='x25519-ke1_mlkem768' $checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem768'}>Curve 25519 x ML-KEM 768 (192 bit)</option>
> +					<option value='x25519-ke1_mlkem512' $checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem512'}>Curve 25519 x ML-KEM 512 (128 bit)</option>
>   					<option value='curve448' $checked{'ESP_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
>   					<option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (128 bit)</option>
>   					<option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
> @@ -3757,7 +3757,7 @@ sub make_algos($$$$$) {
>   				if ($mode eq "ike") {
>   					push(@algo, $int);
>   
> -					if ($grp =~ m/^mlkem(\d+)$/) {
> +					if ($grp =~ m/^x25519-ke1_mlkem(\d+)$/) {
>   						push(@algo, "$grp");
>   					} elsif ($grp =~ m/^e(.*)$/) {
>   						push(@algo, "ecp$1");
> @@ -3776,7 +3776,7 @@ sub make_algos($$$$$) {
>   
>   					if (!$pfs || $grp eq "none") {
>   						# noop
> -					} elsif ($grp =~ m/^mlkem(\d+)$/) {
> +					} elsif ($grp =~ m/^x25519-ke1_mlkem(\d+)$/) {
>   						push(@algo, "$grp");
>   					} elsif ($grp =~ m/^e(.*)$/) {
>   						push(@algo, "ecp$1");