From d85326a119c34789055c388fcd18bb0161fbfd21 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Sat, 14 Feb 2026 14:33:50 +0100
Subject: irmd: Add strength-based crypto negotiation

Each side's configured cipher, KDF, and KEX algorithm now
represents a minimum security floor ("at least this strong").

Cipher and KDF use strongest-wins: the server compares ranks
and selects the stronger of client vs server config. The
negotiated values are sent in the response header. The client
verifies the server's response meets its own minimum, which
prevents downgrade attacks on the wire.

KEX uses a minimum-floor check: the server extracts the
client's algorithm from its public key and rejects if it
ranks below the server's configured algorithm. A server
configured with ML-KEM will reject all classical algorithms.

Special case: for client-encap KEM, the client has already
derived its key using its KDF, so the server must use the
same KDF and can only reject if it is too weak.

The supported_nids arrays are ordered weakest to strongest
and serve as the single source of truth for ranking.

Cipher ranking (weakest to strongest):
  aes-128-ctr, aes-192-ctr, aes-256-ctr,
  aes-128-gcm, aes-192-gcm, aes-256-gcm,
  chacha20-poly1305

KDF ranking (weakest to strongest):
  blake2s256, sha256, sha3-256, sha384,
  sha3-384, blake2b512, sha512, sha3-512

KEX ranking (weakest to strongest):
  ffdhe2048, prime256v1, X25519, ffdhe3072,
  secp384r1, ffdhe4096, X448, secp521r1,
  ML-KEM-512, ML-KEM-768, ML-KEM-1024,
  X25519MLKEM768, X448MLKEM1024

Negotiation outcomes:
  strong srv cipher + weak cli cipher  -> use strongest
  weak srv cipher + strong cli cipher  -> use strongest
  srv encryption + cli none            -> server rejects
  srv none + cli encryption            -> use client's
  strong srv KEX + weak cli KEX        -> server rejects
  weak srv KEX + strong cli KEX        -> succeeds
  wire tamper to weaker cipher         -> client rejects

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 enc.conf.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'enc.conf.in')

diff --git a/enc.conf.in b/enc.conf.in
index 64502fbb..8f91d717 100644
--- a/enc.conf.in
+++ b/enc.conf.in
@@ -73,8 +73,8 @@
 #   sha3-256            SHA3-256
 #   sha3-384            SHA3-384
 #   sha3-512            SHA3-512
-#   blake2b512          BLAKE2b-512 (requires OpenSSL 1.1.0+)
-#   blake2s256          BLAKE2s-256 (requires OpenSSL 1.1.0+)
+#   blake2b512          BLAKE2b-512
+#   blake2s256          BLAKE2s-256
 #
 # KEM Mode (kem_mode=):
 # ---------------------
-- 
cgit v1.2.3