From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <development+bounces-428-archive=lists.ipfire.org@lists.ipfire.org>
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZypqZ0k9tz33BP
	for <archive@lists.ipfire.org>; Thu, 15 May 2025 12:07:22 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature RSA-PSS (4096 bits))
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZypqV4Mq6z2yHY
	for <development@lists.ipfire.org>; Thu, 15 May 2025 12:07:18 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4ZypqT4xYcz2Rc;
	Thu, 15 May 2025 12:07:17 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1747310837;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=fxH4F5nlEy/cKsxbswDsWqGlhfgW97IpBixh8nP9wyQ=;
	b=UzZ7o3mXertcoT94dWvgDqTs2tuHz+QIH9rMzqEUdzOXBajDdm1FXMUnv+N203L5GDhAyb
	igxGcnPHuS8wbODA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa;
	t=1747310837;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=fxH4F5nlEy/cKsxbswDsWqGlhfgW97IpBixh8nP9wyQ=;
	b=ivDeqsimJPP+dmmDI8+0vvfz49jkwXJBDU8Br754KW50J+hzWct0PF6eRyQHD0SS4wUcFy
	WikAKTJ2ANDI8QSasNMRQm6LYGTKINvJedUO7gxK9OfewH/iOq8fcIKHK1+BQrm6+ZYU+F
	CR336/U9m2aHeVKuCf8hjQHzHYSwaFqEQS4yzd1KyHWkbErmgFXgGsHF4Ilr7s4v3PAmTv
	BuFVh3q7f22HUhx78G048ZDVtUQagQXUkLtzHasBmY3pN9UwawNyw0ODIJj0lMyxebXs5j
	VSCVve6j0tNCfhLsaS6n6gBKRMANyKxkw+okhsrfu8kIidNqWILSlDtlZjtdng==
Date: Thu, 15 May 2025 13:07:18 +0100
From: Adam Gibbons <adam.gibbons@ipfire.org>
To: development@lists.ipfire.org, Adolf Belka <adolf.belka@ipfire.org>,
 =?ISO-8859-1?Q?Peter_M=FCller?= <peter.mueller@ipfire.org>
CC: "IPFire: Development-List" <development@lists.ipfire.org>
Subject: =?US-ASCII?Q?Re=3A_=5BPATCH_1/2=5D_vpnmain=2Ecgi=3A_Use_ML-?=
 =?US-ASCII?Q?KEM_only_as_a_hybrid_with_Curve_25519?=
In-Reply-To: <3a6eb02b-c613-4d2f-96f2-ff863c32989b@ipfire.org>
References: <8baae50f-cf7b-4af0-81ec-89d898966993@ipfire.org> <3a6eb02b-c613-4d2f-96f2-ff863c32989b@ipfire.org>
Message-ID: <FFA16413-56DE-49B7-A202-3C689CFA9636@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=----UYM7KGJ0XMNUIYAOAOPYWEPBZWG1UX
Content-Transfer-Encoding: 7bit

------UYM7KGJ0XMNUIYAOAOPYWEPBZWG1UX
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Peter and Adolf=2E

I agree, it's very good to see Peter on the list again :)

Adam=2E

On 15 May 2025 09:16:25 BST, Adolf Belka <adolf=2Ebelka@ipfire=2Eorg> wrot=
e:
>Hallo Peter,
>
>Good to see you on the list again :+1:
>
>This patch sounds a good approach to take=2E
>
>Adolf=2E
>
>On 15/05/2025 10:06, Peter M=C3=BCller wrote:
>> In commit 887778e0888d51eb9942ae310a43f6d2813efad3, the post-quantum
>> key exchange algorithm ML-KEM was introduced, due to its support being
>> added in strongSwan 6=2E0=2E However, using PQC key exchanges is common=
ly
>> recommended only in conjunction with a traditional one, to avoid
>> encrypted traffic becoming subject to trivial decryption in case a PQC
>> algorithm proves weak, broken, or backdoored=2E OpenSSH, for instance,
>> combines ML-KEM 768 with Curve 25519 (mlkem768x25519-sha256), rather
>> than using ML-KEM alone=2E
>>=20
>> This patch changes the chipher suites offered for IPsec connections to
>> always use ML-KEM as a hybrid with Curve 25519=2E This is possible due =
to
>> strongSwan 6=2E0 having added support for IKE intermediary key exchange=
s
>> (RFC 9370); see https://docs=2Estrongswan=2Eorg/docs/latest/config/prop=
osals=2Ehtml#_key_exchange_methods
>> for additional information=2E
>>=20
>> We can reasonably assume an IPsec peer supporting ML-KEM will also
>> support Curve 25519, as this has been around for much longer, and is
>> used quite commonly=2E Even if this is not the case, or if the IPsec pe=
er
>> does not implement RFC 9370, any IPsec connection using our default
>> cipher selection will fall back to Curve 448, Curve 25519, or other,
>> hence continue working=2E
>>=20
>> IPsec connections already created will need their ciphers to be changed
>> once during the Core Update routine where this patch will be
>> incorporated=2E
>>=20
>> Tested-by: Peter M=C3=BCller <peter=2Emueller@ipfire=2Eorg>
>> Signed-off-by: Peter M=C3=BCller <peter=2Emueller@ipfire=2Eorg>
>> ---
>>   html/cgi-bin/vpnmain=2Ecgi | 36 ++++++++++++++++++------------------
>>   1 file changed, 18 insertions(+), 18 deletions(-)
>>=20
>> diff --git a/html/cgi-bin/vpnmain=2Ecgi b/html/cgi-bin/vpnmain=2Ecgi
>> index 4f81fecdf=2E=2E154b94033 100644
>> --- a/html/cgi-bin/vpnmain=2Ecgi
>> +++ b/html/cgi-bin/vpnmain=2Ecgi
>> @@ -2374,11 +2374,11 @@ END
>>   	#use default advanced value
>>   	$cgiparams{'IKE_ENCRYPTION'}		=3D 'chacha20poly1305|aes256gcm128|aes=
256'; #[18];
>>   	$cgiparams{'IKE_INTEGRITY'}		=3D 'sha2_512|sha2_256'; #[19];
>> -	$cgiparams{'IKE_GROUPTYPE'}             =3D 'mlkem1024|mlkem768|mlkem=
512|curve448|curve25519|e521|e384|4096|3072'; #[20];
>> +	$cgiparams{'IKE_GROUPTYPE'}             =3D 'x25519-ke1_mlkem1024|x25=
519-ke1_mlkem768|x25519-ke1_mlkem512|curve448|curve25519|e521|e384|4096|307=
2'; #[20];
>>   	$cgiparams{'IKE_LIFETIME'}		=3D '3'; #[16];
>>   	$cgiparams{'ESP_ENCRYPTION'}		=3D 'chacha20poly1305|aes256gcm128|aes=
256'; #[21];
>>   	$cgiparams{'ESP_INTEGRITY'}		=3D 'sha2_512|sha2_256'; #[22];
>> -	$cgiparams{'ESP_GROUPTYPE'}             =3D 'mlkem1024|mlkem768|mlkem=
512|curve448|curve25519|e521|e384|4096|3072'; #[23];
>> +	$cgiparams{'ESP_GROUPTYPE'}             =3D 'x25519-ke1_mlkem1024|x25=
519-ke1_mlkem768|x25519-ke1_mlkem512|curve448|curve25519|e521|e384|4096|307=
2'; #[23];
>>   	$cgiparams{'ESP_KEYLIFE'}		=3D '1'; #[17];
>>   	$cgiparams{'COMPRESSION'}		=3D 'off'; #[13];
>>   	$cgiparams{'ONLY_PROPOSED'}		=3D 'on'; #[24];
>> @@ -2759,7 +2759,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}=
) ||
>>   			goto ADVANCED_ERROR;
>>   		}
>>   		foreach my $val (@temp) {
>> -			if ($val !~ /^(mlkem(1024|768|512)|curve448|curve25519|e521|e384|e2=
56|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|=
8192)$/) {
>> +			if ($val !~ /^(x25519-ke1_mlkem(1024|768|512)|curve448|curve25519|e=
521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072=
|4096|6144|8192)$/) {
>>   				$errormessage =3D $Lang::tr{'invalid input'};
>>   				goto ADVANCED_ERROR;
>>   			}
>> @@ -2800,7 +2800,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}=
) ||
>>   			goto ADVANCED_ERROR;
>>   		}
>>   		foreach my $val (@temp) {
>> -			if ($val !~ /^(mlkem(1024|768|512)|curve448|curve25519|e521|e384|e2=
56|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|=
8192|none)$/) {
>> +			if ($val !~ /^(x25519-ke1_mlkem(1024|768|512)|curve448|curve25519|e=
521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072=
|4096|6144|8192|none)$/) {
>>   				$errormessage =3D $Lang::tr{'invalid input'};
>>   				goto ADVANCED_ERROR;
>>   			}
>> @@ -2940,9 +2940,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}=
) ||
>>   	$checked{'IKE_INTEGRITY'}{'aesxcbc'} =3D '';
>>   	@temp =3D split('\|', $cgiparams{'IKE_INTEGRITY'});
>>   	foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} =3D "select=
ed=3D'selected'"; }
>> -	$checked{'IKE_GROUPTYPE'}{'mlkem1024'} =3D '';
>> -	$checked{'IKE_GROUPTYPE'}{'mlkem768'} =3D '';
>> -	$checked{'IKE_GROUPTYPE'}{'mlkem512'} =3D '';
>> +	$checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem1024'} =3D '';
>> +	$checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem768'} =3D '';
>> +	$checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem512'} =3D '';
>>   	$checked{'IKE_GROUPTYPE'}{'curve448'} =3D '';
>>   	$checked{'IKE_GROUPTYPE'}{'curve25519'} =3D '';
>>   	$checked{'IKE_GROUPTYPE'}{'768'} =3D '';
>> @@ -2983,9 +2983,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}=
) ||
>>   	$checked{'ESP_INTEGRITY'}{'aesxcbc'} =3D '';
>>   	@temp =3D split('\|', $cgiparams{'ESP_INTEGRITY'});
>>   	foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} =3D "select=
ed=3D'selected'"; }
>> -	$checked{'ESP_GROUPTYPE'}{'mlkem1024'} =3D '';
>> -	$checked{'ESP_GROUPTYPE'}{'mlkem768'} =3D '';
>> -	$checked{'ESP_GROUPTYPE'}{'mlkem512'} =3D '';
>> +	$checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem1024'} =3D '';
>> +	$checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem768'} =3D '';
>> +	$checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem512'} =3D '';
>>   	$checked{'ESP_GROUPTYPE'}{'curve448'} =3D '';
>>   	$checked{'ESP_GROUPTYPE'}{'curve25519'} =3D '';
>>   	$checked{'ESP_GROUPTYPE'}{'768'} =3D '';
>> @@ -3151,9 +3151,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}=
) ||
>>   			<td class=3D'boldbase' width=3D"15%">$Lang::tr{'grouptype'}</td>
>>   			<td class=3D'boldbase'>
>>   				<select name=3D'IKE_GROUPTYPE' multiple=3D'multiple' size=3D'6' s=
tyle=3D'width: 100%'>
>> -					<option value=3D'mlkem1024' $checked{'IKE_GROUPTYPE'}{'mlkem1024'=
}>ML-KEM 1024 (256 bit)</option>
>> -					<option value=3D'mlkem768' $checked{'IKE_GROUPTYPE'}{'mlkem768'}>=
ML-KEM 768 (192 bit)</option>
>> -					<option value=3D'mlkem512' $checked{'IKE_GROUPTYPE'}{'mlkem512'}>=
ML-KEM 512 (128 bit)</option>
>> +					<option value=3D'x25519-ke1_mlkem1024' $checked{'IKE_GROUPTYPE'}{=
'x25519-ke1_mlkem1024'}>Curve 25519 x ML-KEM 1024 (256 bit)</option>
>> +					<option value=3D'x25519-ke1_mlkem768' $checked{'IKE_GROUPTYPE'}{'=
x25519-ke1_mlkem768'}>Curve 25519 x ML-KEM 768 (192 bit)</option>
>> +					<option value=3D'x25519-ke1_mlkem512' $checked{'IKE_GROUPTYPE'}{'=
x25519-ke1_mlkem512'}>Curve 25519 x ML-KEM 512 (128 bit)</option>
>>   					<option value=3D'curve448' $checked{'IKE_GROUPTYPE'}{'curve448'}=
>Curve 448 (224 bit)</option>
>>   					<option value=3D'curve25519' $checked{'IKE_GROUPTYPE'}{'curve255=
19'}>Curve 25519 (128 bit)</option>
>>   					<option value=3D'e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521=
 (NIST)</option>
>> @@ -3177,9 +3177,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}=
) ||
>>   			</td>
>>   			<td class=3D'boldbase'>
>>   				<select name=3D'ESP_GROUPTYPE' multiple=3D'multiple' size=3D'6' s=
tyle=3D'width: 100%'>
>> -					<option value=3D'mlkem1024' $checked{'ESP_GROUPTYPE'}{'mlkem1024'=
}>ML-KEM 1024 (256 bit)</option>
>> -					<option value=3D'mlkem768' $checked{'ESP_GROUPTYPE'}{'mlkem768'}>=
ML-KEM 768 (192 bit)</option>
>> -					<option value=3D'mlkem512' $checked{'ESP_GROUPTYPE'}{'mlkem512'}>=
ML-KEM 512 (128 bit)</option>
>> +					<option value=3D'x25519-ke1_mlkem1024' $checked{'ESP_GROUPTYPE'}{=
'x25519-ke1_mlkem1024'}>Curve 25519 x ML-KEM 1024 (256 bit)</option>
>> +					<option value=3D'x25519-ke1_mlkem768' $checked{'ESP_GROUPTYPE'}{'=
x25519-ke1_mlkem768'}>Curve 25519 x ML-KEM 768 (192 bit)</option>
>> +					<option value=3D'x25519-ke1_mlkem512' $checked{'ESP_GROUPTYPE'}{'=
x25519-ke1_mlkem512'}>Curve 25519 x ML-KEM 512 (128 bit)</option>
>>   					<option value=3D'curve448' $checked{'ESP_GROUPTYPE'}{'curve448'}=
>Curve 448 (224 bit)</option>
>>   					<option value=3D'curve25519' $checked{'ESP_GROUPTYPE'}{'curve255=
19'}>Curve 25519 (128 bit)</option>
>>   					<option value=3D'e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521=
 (NIST)</option>
>> @@ -3757,7 +3757,7 @@ sub make_algos($$$$$) {
>>   				if ($mode eq "ike") {
>>   					push(@algo, $int);
>>   -					if ($grp =3D~ m/^mlkem(\d+)$/) {
>> +					if ($grp =3D~ m/^x25519-ke1_mlkem(\d+)$/) {
>>   						push(@algo, "$grp");
>>   					} elsif ($grp =3D~ m/^e(=2E*)$/) {
>>   						push(@algo, "ecp$1");
>> @@ -3776,7 +3776,7 @@ sub make_algos($$$$$) {
>>     					if (!$pfs || $grp eq "none") {
>>   						# noop
>> -					} elsif ($grp =3D~ m/^mlkem(\d+)$/) {
>> +					} elsif ($grp =3D~ m/^x25519-ke1_mlkem(\d+)$/) {
>>   						push(@algo, "$grp");
>>   					} elsif ($grp =3D~ m/^e(=2E*)$/) {
>>   						push(@algo, "ecp$1");
>
>

------UYM7KGJ0XMNUIYAOAOPYWEPBZWG1UX
Content-Type: text/html;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head></head><body><div dir=3D"auto">Hi Peter and Adolf=2E<br><br>I a=
gree, it's very good to see Peter on the list again :)<br><br>Adam=2E</div>=
<br><br><div class=3D"gmail_quote"><div dir=3D"auto">On 15 May 2025 09:16:2=
5 BST, Adolf Belka &lt;adolf=2Ebelka@ipfire=2Eorg&gt; wrote:</div><blockquo=
te class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0=2E8ex; border-left:=
 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class=3D"k9mail"><div dir=3D"auto">Hallo Peter,<br><br>Good to see yo=
u on the list again :+1:<br><br>This patch sounds a good approach to take=
=2E<br><br>Adolf=2E<br><br>On 15/05/2025 10:06, Peter M=C3=BCller wrote:<br=
></div><blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 1ex 0=2E8=
ex; border-left: 1px solid #729fcf; padding-left: 1ex;"><div dir=3D"auto">I=
n commit 887778e0888d51eb9942ae310a43f6d2813efad3, the post-quantum<br>key =
exchange algorithm ML-KEM was introduced, due to its support being<br>added=
 in strongSwan 6=2E0=2E However, using PQC key exchanges is commonly<br>rec=
ommended only in conjunction with a traditional one, to avoid<br>encrypted =
traffic becoming subject to trivial decryption in case a PQC<br>algorithm p=
roves weak, broken, or backdoored=2E OpenSSH, for instance,<br>combines ML-=
KEM 768 with Curve 25519 (mlkem768x25519-sha256), rather<br>than using ML-K=
EM alone=2E<br><br>This patch changes the chipher suites offered for IPsec =
connections to<br>always use ML-KEM as a hybrid with Curve 25519=2E This is=
 possible due to<br>strongSwan 6=2E0 having added support for IKE intermedi=
ary key exchanges<br>(RFC 9370); see <a href=3D"https://docs=2Estrongswan=
=2Eorg/docs/latest/config/proposals=2Ehtml#_key_exchange_methods">https://d=
ocs=2Estrongswan=2Eorg/docs/latest/config/proposals=2Ehtml#_key_exchange_me=
thods</a><br>for additional information=2E<br><br>We can reasonably assume =
an IPsec peer supporting ML-KEM will also<br>support Curve 25519, as this h=
as been around for much longer, and is<br>used quite commonly=2E Even if th=
is is not the case, or if the IPsec peer<br>does not implement RFC 9370, an=
y IPsec connection using our default<br>cipher selection will fall back to =
Curve 448, Curve 25519, or other,<br>hence continue working=2E<br><br>IPsec=
 connections already created will need their ciphers to be changed<br>once =
during the Core Update routine where this patch will be<br>incorporated=2E<=
br><br>Tested-by: Peter M=C3=BCller &lt;peter=2Emueller@ipfire=2Eorg&gt;<br=
>Signed-off-by: Peter M=C3=BCller &lt;peter=2Emueller@ipfire=2Eorg&gt;<hr> =
 html/cgi-bin/vpnmain=2Ecgi | 36 ++++++++++++++++++------------------<br>  =
1 file changed, 18 insertions(+), 18 deletions(-)<br><br>diff --git a/html/=
cgi-bin/vpnmain=2Ecgi b/html/cgi-bin/vpnmain=2Ecgi<br>index 4f81fecdf=2E=2E=
154b94033 100644<br>--- a/html/cgi-bin/vpnmain=2Ecgi<br>+++ b/html/cgi-bin/=
vpnmain=2Ecgi<br>@@ -2374,11 +2374,11 @@ END<br>  	#use default advanced va=
lue<br>  	$cgiparams{'IKE_ENCRYPTION'}		=3D 'chacha20poly1305|aes256gcm128|=
aes256'; #[18];<br>  	$cgiparams{'IKE_INTEGRITY'}		=3D 'sha2_512|sha2_256';=
 #[19];<br>-	$cgiparams{'IKE_GROUPTYPE'}             =3D 'mlkem1024|mlkem76=
8|mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[20];<br>+	$cgiparams=
{'IKE_GROUPTYPE'}             =3D 'x25519-ke1_mlkem1024|x25519-ke1_mlkem768=
|x25519-ke1_mlkem512|curve448|curve25519|e521|e384|4096|3072'; #[20];<br>  =
	$cgiparams{'IKE_LIFETIME'}		=3D '3'; #[16];<br>  	$cgiparams{'ESP_ENCRYPTI=
ON'}		=3D 'chacha20poly1305|aes256gcm128|aes256'; #[21];<br>  	$cgiparams{'=
ESP_INTEGRITY'}		=3D 'sha2_512|sha2_256'; #[22];<br>-	$cgiparams{'ESP_GROUP=
TYPE'}             =3D 'mlkem1024|mlkem768|mlkem512|curve448|curve25519|e52=
1|e384|4096|3072'; #[23];<br>+	$cgiparams{'ESP_GROUPTYPE'}             =3D =
'x25519-ke1_mlkem1024|x25519-ke1_mlkem768|x25519-ke1_mlkem512|curve448|curv=
e25519|e521|e384|4096|3072'; #[23];<br>  	$cgiparams{'ESP_KEYLIFE'}		=3D '1=
'; #[17];<br>  	$cgiparams{'COMPRESSION'}		=3D 'off'; #[13];<br>  	$cgipara=
ms{'ONLY_PROPOSED'}		=3D 'on'; #[24];<br>@@ -2759,7 +2759,7 @@ if(($cgipara=
ms{'ACTION'} eq $Lang::tr{'advanced'}) ||<br>  			goto ADVANCED_ERROR;<br> =
 		}<br>  		foreach my $val (@temp) {<br>-			if ($val !~ /^(mlkem(1024|768|=
512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224=
bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {<br>+			if ($val !~ /^(x2551=
9-ke1_mlkem(1024|768|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512=
bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {<br>  	=
			$errormessage =3D $Lang::tr{'invalid input'};<br>  				goto ADVANCED_ERR=
OR;<br>  			}<br>@@ -2800,7 +2800,7 @@ if(($cgiparams{'ACTION'} eq $Lang::t=
r{'advanced'}) ||<br>  			goto ADVANCED_ERROR;<br>  		}<br>  		foreach my $=
val (@temp) {<br>-			if ($val !~ /^(mlkem(1024|768|512)|curve448|curve25519=
|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|30=
72|4096|6144|8192|none)$/) {<br>+			if ($val !~ /^(x25519-ke1_mlkem(1024|76=
8|512)|curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e2=
24bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {<br>  				$errormessa=
ge =3D $Lang::tr{'invalid input'};<br>  				goto ADVANCED_ERROR;<br>  			}<=
br>@@ -2940,9 +2940,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'})=
 ||<br>  	$checked{'IKE_INTEGRITY'}{'aesxcbc'} =3D '';<br>  	@temp =3D spli=
t('\|', $cgiparams{'IKE_INTEGRITY'});<br>  	foreach my $key (@temp) {$check=
ed{'IKE_INTEGRITY'}{$key} =3D "selected=3D'selected'"; }<br>-	$checked{'IKE=
_GROUPTYPE'}{'mlkem1024'} =3D '';<br>-	$checked{'IKE_GROUPTYPE'}{'mlkem768'=
} =3D '';<br>-	$checked{'IKE_GROUPTYPE'}{'mlkem512'} =3D '';<br>+	$checked{=
'IKE_GROUPTYPE'}{'x25519-ke1_mlkem1024'} =3D '';<br>+	$checked{'IKE_GROUPTY=
PE'}{'x25519-ke1_mlkem768'} =3D '';<br>+	$checked{'IKE_GROUPTYPE'}{'x25519-=
ke1_mlkem512'} =3D '';<br>  	$checked{'IKE_GROUPTYPE'}{'curve448'} =3D '';<=
br>  	$checked{'IKE_GROUPTYPE'}{'curve25519'} =3D '';<br>  	$checked{'IKE_G=
ROUPTYPE'}{'768'} =3D '';<br>@@ -2983,9 +2983,9 @@ if(($cgiparams{'ACTION'}=
 eq $Lang::tr{'advanced'}) ||<br>  	$checked{'ESP_INTEGRITY'}{'aesxcbc'} =
=3D '';<br>  	@temp =3D split('\|', $cgiparams{'ESP_INTEGRITY'});<br>  	for=
each my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} =3D "selected=3D'sele=
cted'"; }<br>-	$checked{'ESP_GROUPTYPE'}{'mlkem1024'} =3D '';<br>-	$checked=
{'ESP_GROUPTYPE'}{'mlkem768'} =3D '';<br>-	$checked{'ESP_GROUPTYPE'}{'mlkem=
512'} =3D '';<br>+	$checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem1024'} =3D ''=
;<br>+	$checked{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem768'} =3D '';<br>+	$check=
ed{'ESP_GROUPTYPE'}{'x25519-ke1_mlkem512'} =3D '';<br>  	$checked{'ESP_GROU=
PTYPE'}{'curve448'} =3D '';<br>  	$checked{'ESP_GROUPTYPE'}{'curve25519'} =
=3D '';<br>  	$checked{'ESP_GROUPTYPE'}{'768'} =3D '';<br>@@ -3151,9 +3151,=
9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||<br>  			&lt;td c=
lass=3D'boldbase' width=3D"15%"&gt;$Lang::tr{'grouptype'}&lt;/td&gt;<br>  	=
		&lt;td class=3D'boldbase'&gt;<br>  				&lt;select name=3D'IKE_GROUPTYPE' =
multiple=3D'multiple' size=3D'6' style=3D'width: 100%'&gt;<br>-					&lt;opt=
ion value=3D'mlkem1024' $checked{'IKE_GROUPTYPE'}{'mlkem1024'}&gt;ML-KEM 10=
24 (256 bit)&lt;/option&gt;<br>-					&lt;option value=3D'mlkem768' $checked=
{'IKE_GROUPTYPE'}{'mlkem768'}&gt;ML-KEM 768 (192 bit)&lt;/option&gt;<br>-		=
			&lt;option value=3D'mlkem512' $checked{'IKE_GROUPTYPE'}{'mlkem512'}&gt;M=
L-KEM 512 (128 bit)&lt;/option&gt;<br>+					&lt;option value=3D'x25519-ke1_=
mlkem1024' $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem1024'}&gt;Curve 25519=
 x ML-KEM 1024 (256 bit)&lt;/option&gt;<br>+					&lt;option value=3D'x25519=
-ke1_mlkem768' $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem768'}&gt;Curve 25=
519 x ML-KEM 768 (192 bit)&lt;/option&gt;<br>+					&lt;option value=3D'x255=
19-ke1_mlkem512' $checked{'IKE_GROUPTYPE'}{'x25519-ke1_mlkem512'}&gt;Curve =
25519 x ML-KEM 512 (128 bit)&lt;/option&gt;<br>  					&lt;option value=3D'c=
urve448' $checked{'IKE_GROUPTYPE'}{'curve448'}&gt;Curve 448 (224 bit)&lt;/o=
ption&gt;<br>  					&lt;option value=3D'curve25519' $checked{'IKE_GROUPTYPE=
'}{'curve25519'}&gt;Curve 25519 (128 bit)&lt;/option&gt;<br>  					&lt;opti=
on value=3D'e521' $checked{'IKE_GROUPTYPE'}{'e521'}&gt;ECP-521 (NIST)&lt;/o=
ption&gt;<br>@@ -3177,9 +3177,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'a=
dvanced'}) ||<br>  			&lt;/td&gt;<br>  			&lt;td class=3D'boldbase'&gt;<br>=
  				&lt;select name=3D'ESP_GROUPTYPE' multiple=3D'multiple' size=3D'6' st=
yle=3D'width: 100%'&gt;<br>-					&lt;option value=3D'mlkem1024' $checked{'E=
SP_GROUPTYPE'}{'mlkem1024'}&gt;ML-KEM 1024 (256 bit)&lt;/option&gt;<br>-			=
		&lt;option value=3D'mlkem768' $checked{'ESP_GROUPTYPE'}{'mlkem768'}&gt;ML=
-KEM 768 (192 bit)&lt;/option&gt;<br>-					&lt;option value=3D'mlkem512' $c=
hecked{'ESP_GROUPTYPE'}{'mlkem512'}&gt;ML-KEM 512 (128 bit)&lt;/option&gt;<=
br>+					&lt;option value=3D'x25519-ke1_mlkem1024' $checked{'ESP_GROUPTYPE'=
}{'x25519-ke1_mlkem1024'}&gt;Curve 25519 x ML-KEM 1024 (256 bit)&lt;/option=
&gt;<br>+					&lt;option value=3D'x25519-ke1_mlkem768' $checked{'ESP_GROUPT=
YPE'}{'x25519-ke1_mlkem768'}&gt;Curve 25519 x ML-KEM 768 (192 bit)&lt;/opti=
on&gt;<br>+					&lt;option value=3D'x25519-ke1_mlkem512' $checked{'ESP_GROU=
PTYPE'}{'x25519-ke1_mlkem512'}&gt;Curve 25519 x ML-KEM 512 (128 bit)&lt;/op=
tion&gt;<br>  					&lt;option value=3D'curve448' $checked{'ESP_GROUPTYPE'}{=
'curve448'}&gt;Curve 448 (224 bit)&lt;/option&gt;<br>  					&lt;option valu=
e=3D'curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}&gt;Curve 25519 (12=
8 bit)&lt;/option&gt;<br>  					&lt;option value=3D'e521' $checked{'ESP_GRO=
UPTYPE'}{'e521'}&gt;ECP-521 (NIST)&lt;/option&gt;<br>@@ -3757,7 +3757,7 @@ =
sub make_algos($$$$$) {<br>  				if ($mode eq "ike") {<br>  					push(@algo=
, $int);<br>  -					if ($grp =3D~ m/^mlkem(\d+)$/) {<br>+					if ($grp =3D~=
 m/^x25519-ke1_mlkem(\d+)$/) {<br>  						push(@algo, "$grp");<br>  					} =
elsif ($grp =3D~ m/^e(=2E*)$/) {<br>  						push(@algo, "ecp$1");<br>@@ -37=
76,7 +3776,7 @@ sub make_algos($$$$$) {<br>    					if (!$pfs || $grp eq "n=
one") {<br>  						# noop<br>-					} elsif ($grp =3D~ m/^mlkem(\d+)$/) {<br=
>+					} elsif ($grp =3D~ m/^x25519-ke1_mlkem(\d+)$/) {<br>  						push(@al=
go, "$grp");<br>  					} elsif ($grp =3D~ m/^e(=2E*)$/) {<br>  						push(@=
algo, "ecp$1");<br></div></blockquote><div dir=3D"auto"><br><br></div></pre=
></blockquote></div></body></html>
------UYM7KGJ0XMNUIYAOAOPYWEPBZWG1UX--