[Pkg-swan-devel] ChaCha20 and Poly1305

Rui Santos rsantos at ruisantos.com
Tue Aug 30 15:22:25 UTC 2016


On Sat, Aug 27, 2016 at 9:27 AM, Yves-Alexis Perez <corsac at debian.org> wrote:
> On ven., 2016-08-26 at 18:06 +0100, Rui Santos wrote:
>> Is it possible for any maintainer to include these plugins?
>
> See #803787 and #814927.

Well, I'm not sure what you mean by see bugs xxxx.
This is not only my first post at pkg-swan-devel, but also on Debian
itself. So, if you feel that this is not the right place nor the right
approach, please do tell me so.

Regarding bugs #803787 and #814927:
I do understand your reluctance in adding more features to an already
complex stack. However, I would just like to mention a few advantages:
- IETF RFC 7634 states that there are probable future problems with
AES ciphers, and states this cypher as the "standby cipher" to replace
it;
- ChaCha20-Poly1305 cypher is faster than AES cyphers, in most of the
use cases, on non-HW AES accelerated hardware. This is a great and
welcome feature for a lot of mobile devices;
- A few large-scale organizations seem to already have implemented
this cypher on their servers, and browsers are now supporting it, or
in the process of supporting it;
- Nicolas Braud-Santoni also states valid points on #803787, IMHO.

So my point is that this cipher seems to be gaining supporters and is
here to stay. Why not enable it and make strongSwan and Debian one of
the choices to implement it?

I would just like to mention that:
1) I took Gerald Turner's patch, and changed it a bit, just to enable
chapoly and ntru plugins (--enable-chapoly --enable-ntru);
2) Downloaded your source package and applied the patch mentioned on 1);
3) Compiled strongSwan and built a new package with the changes.
As a result, I was able to get the cipher working, as the referred RFC
instructs.

Also, as a comment to one of your replies, if the intention is to
place the support for this cipher in the extra plugins, I think that
would be just fine.

Cheers,
Rui
