[Pkg-swan-devel] Bug#1132871: enable ml-kem algorithms

Paul Tagliamonte paultag at debian.org
Mon Apr 6 17:48:11 BST 2026 

Package: strongswan
Tags: patch
thanks

I've been slowly working to replace algorithms I rely on with PQC 
resistant algorithms. strongSwan 6.0.0 contained optional ML-KEM
support, which we didn't enable (likely because it's an obscure looking 
flag).

I've patched strongSwan to build the ml plugin, which I added to 
libstrongswan-extra-plugins, as is our convention. Attached is a 
debdiff.

I've built this on trixie and sid, and have tested[1] this for my personal 
site-to-site VPN configuration. It looks good so far - from -list-sas:

```
   AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384/KE1_ML_KEM_1024
   established 296s ago, rekeying in 12729s
```

And the output of list-algs:

```
$ swanctl --list-algs | grep -i KEM
   ML_KEM_512[openssl]
   ML_KEM_768[openssl]
   ML_KEM_1024[openssl]
```

Thanks for maintaining strongSwan


[1]: specifically, i'm using
      proposals = aes256gcm16-prfsha384-prfsha512-ecp384-ke1_mlkem1024
      with success.

-- 
   ⢀⣴⠾⠻⢶⣦⠀               Paul Tagliamonte <paultag>
   ⣾⠁⢠⠒⠀⣿⡁  https://people.debian.org/~paultag | https://pault.ag/
   ⢿⡄⠘⠷⠚⠋        Debian, the universal operating system.
   ⠈⠳⣄⠀⠀  4096R / FEF2 EB20 16E6 A856 B98C  E820 2DCD 6B5D E858 ADF3
-------------- next part --------------
diff -Nru strongswan-6.0.5/debian/changelog strongswan-6.0.5/debian/changelog
--- strongswan-6.0.5/debian/changelog	2026-03-24 05:28:49.000000000 -0400
+++ strongswan-6.0.5/debian/changelog	2026-04-06 12:16:55.000000000 -0400
@@ -1,3 +1,9 @@
+strongswan (6.0.5-2) UNRELEASED; urgency=medium
+
+  * enable ML-KEM algorithms (mlkem512, mlkem768 and mlkem1024).
+
+ -- Paul Tagliamonte <paultag at debian.org>  Mon, 06 Apr 2026 12:16:55 -0400
+
 strongswan (6.0.5-1) unstable; urgency=medium
 
   * d/usr.sbin.swanctl: add setuid/setgid caps to swanctl apparmor profile
diff -Nru strongswan-6.0.5/debian/libstrongswan-extra-plugins.install strongswan-6.0.5/debian/libstrongswan-extra-plugins.install
--- strongswan-6.0.5/debian/libstrongswan-extra-plugins.install	2026-03-24 05:28:49.000000000 -0400
+++ strongswan-6.0.5/debian/libstrongswan-extra-plugins.install	2026-04-06 12:16:55.000000000 -0400
@@ -16,6 +16,7 @@
 usr/lib/ipsec/plugins/libstrongswan-ldap.so
 usr/lib/ipsec/plugins/libstrongswan-md5.so
 usr/lib/ipsec/plugins/libstrongswan-mgf1.so
+usr/lib/ipsec/plugins/libstrongswan-ml.so
 usr/lib/ipsec/plugins/libstrongswan-pgp.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
@@ -41,6 +42,7 @@
 usr/share/strongswan/templates/config/plugins/ldap.conf
 usr/share/strongswan/templates/config/plugins/md5.conf
 usr/share/strongswan/templates/config/plugins/mgf1.conf
+usr/share/strongswan/templates/config/plugins/ml.conf
 usr/share/strongswan/templates/config/plugins/pgp.conf
 usr/share/strongswan/templates/config/plugins/pkcs11.conf
 usr/share/strongswan/templates/config/plugins/pkcs12.conf
@@ -66,6 +68,7 @@
 etc/strongswan.d/charon/ldap.conf
 etc/strongswan.d/charon/md5.conf
 etc/strongswan.d/charon/mgf1.conf
+etc/strongswan.d/charon/ml.conf
 etc/strongswan.d/charon/pgp.conf
 etc/strongswan.d/charon/pkcs11.conf
 etc/strongswan.d/charon/pkcs12.conf
@@ -91,6 +94,7 @@
 etc/strongswan.d/charon-cmd/ldap.conf
 etc/strongswan.d/charon-cmd/md5.conf
 etc/strongswan.d/charon-cmd/mgf1.conf
+etc/strongswan.d/charon-cmd/ml.conf
 etc/strongswan.d/charon-cmd/pkcs11.conf
 etc/strongswan.d/charon-cmd/pkcs12.conf
 etc/strongswan.d/charon-cmd/rc2.conf
@@ -114,6 +118,7 @@
 etc/strongswan.d/charon-nm/ldap.conf
 etc/strongswan.d/charon-nm/md5.conf
 etc/strongswan.d/charon-nm/mgf1.conf
+etc/strongswan.d/charon-nm/ml.conf
 etc/strongswan.d/charon-nm/pkcs11.conf
 etc/strongswan.d/charon-nm/rc2.conf
 etc/strongswan.d/charon-nm/sha1.conf
diff -Nru strongswan-6.0.5/debian/rules strongswan-6.0.5/debian/rules
--- strongswan-6.0.5/debian/rules	2026-03-24 05:28:49.000000000 -0400
+++ strongswan-6.0.5/debian/rules	2026-04-06 12:15:06.000000000 -0400
@@ -38,6 +38,7 @@
 		--enable-mediation \
 		--enable-md5 \
 		--enable-mgf1 \
+		--enable-ml \
 		--enable-openssl \
 		--enable-pkcs11 \
 		--enable-pkcs12 \
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-swan-devel/attachments/20260406/b8d9a7bd/attachment.sig>

More information about the Pkg-swan-devel mailing list