Hello, I am also interested in the NTRU key exchange algorithm for the same reasons Nicolas Braud-Santoni explains. Prior to realizing that this bug existed, I had tested the strongswan with the attached patch which enables additional plugins.
Note that I enabled BLISS but have no intention of using it due to the requirement have having to redeploy certificates. Also note that I enabled ChaCha20/Poly1305, which would be interesting to use on systems which don't have AES-NI CPU instructions, but unfortunuately I do not have enough hosts running a 4.2 kernel so I cannot test this cipher at the moment. FYI, Linux 4.2 is required to use this cipher, otherwise error "received netlink error: Function not implemented (38)" occurs while adding SAD entries. Very similar to the problem of enabling AES-GCM-256 on kernels older than ~4.1. Finally note that I enabled SHA3 but hadn't tested with it because I'm using AEAD ciphers exclusively. Let me know if it would be at all useful for me to clean up the patch such that it only enables NTRU. -- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
From 75df33a0622731cb3e0760ed3543b2f5845b476d Mon Sep 17 00:00:00 2001
From: Gerald Turner <Gerald Turner gerald.tur...@xo.com>
Date: Thu, 26 Nov 2015 16:01:46 -0800
Subject: [PATCH 2/2] Configure and install bliss, chapoly, ntru, and sha3
plugins
---
debian/changelog | 1 +
debian/control | 4 ++++
debian/libstrongswan-extra-plugins.install | 12 ++++++++++++
debian/rules | 1 +
4 files changed, 18 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4182835..3fc87ee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ strongswan (5.3.4-1.1) UNRELEASED; urgency=medium
* debian/rules:
- enable the aesni plugin.
+ - enable bliss, chapoly, ntru, and sha3 plugins.
-- Gerald Turner <gtur...@unzane.com> Thu, 26 Nov 2015 15:17:09 -0800
diff --git a/debian/control b/debian/control
index 4717b1e..e1f61c9 100644
--- a/debian/control
+++ b/debian/control
@@ -124,6 +124,10 @@ Description: strongSwan utility and crypto library (extra plugins)
rdrand instruction found on Ivy Bridge processors)
- aesni (AES crypto primitives using Intel AES-NI and PCLMULQDQ instructions
found on Ivy Bridge processors)
+ - bliss (BLISS post-quantum signature scheme)
+ - chapoly (ChaCha20/Poly1305 AEAD cipher)
+ - ntru (NTRU lattice-based post-quantum encryption algorithm)
+ - sha3 (SHA3 Keccak-F1600 hash algorithm family)
- test-vectors (Set of test vectors for various algorithms)
Package: libcharon-extra-plugins
diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
index 2a7c209..2f08aa0 100644
--- a/debian/libstrongswan-extra-plugins.install
+++ b/debian/libstrongswan-extra-plugins.install
@@ -6,6 +6,10 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so
usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
usr/lib/ipsec/plugins/libstrongswan-ldap.so
usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-bliss.so
+usr/lib/ipsec/plugins/libstrongswan-chapoly.so
+usr/lib/ipsec/plugins/libstrongswan-ntru.so
+usr/lib/ipsec/plugins/libstrongswan-sha3.so
usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
# default configuration files
usr/share/strongswan/templates/config/plugins/ccm.conf
@@ -15,6 +19,10 @@ usr/share/strongswan/templates/config/plugins/curl.conf
usr/share/strongswan/templates/config/plugins/gcrypt.conf
usr/share/strongswan/templates/config/plugins/ldap.conf
usr/share/strongswan/templates/config/plugins/pkcs11.conf
+usr/share/strongswan/templates/config/plugins/bliss.conf
+usr/share/strongswan/templates/config/plugins/chapoly.conf
+usr/share/strongswan/templates/config/plugins/ntru.conf
+usr/share/strongswan/templates/config/plugins/sha3.conf
usr/share/strongswan/templates/config/plugins/test-vectors.conf
etc/strongswan.d/charon/ccm.conf
etc/strongswan.d/charon/cmac.conf
@@ -23,4 +31,8 @@ etc/strongswan.d/charon/curl.conf
etc/strongswan.d/charon/gcrypt.conf
etc/strongswan.d/charon/ldap.conf
etc/strongswan.d/charon/pkcs11.conf
+etc/strongswan.d/charon/bliss.conf
+etc/strongswan.d/charon/chapoly.conf
+etc/strongswan.d/charon/ntru.conf
+etc/strongswan.d/charon/sha3.conf
etc/strongswan.d/charon/test-vectors.conf
diff --git a/debian/rules b/debian/rules
index 3c8e139..be5c182 100755
--- a/debian/rules
+++ b/debian/rules
@@ -22,6 +22,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
--enable-error-notify \
--enable-unity \
--enable-connmark \
+ --enable-bliss --enable-chapoly --enable-ntru --enable-sha3 \
--disable-blowfish --disable-des # BSD-Young license
#--with-user=strongswan --with-group=nogroup
# --enable-kernel-pfkey --enable-kernel-klips \
--
2.6.2
signature.asc
Description: PGP signature
