From 72e3fddbfe7b9f8e691076dbeea5588b9f20cc2f Mon Sep 17 00:00:00 2001 From: Damien Goutte-Gattat via Gnupg-devel Date: Fri, 3 Jan 2025 20:59:58 +0000 Subject: [PATCH] gpg: Force the use of AES-256 in some cases * g10/encrypt.c (create_dek_with_warnings): Forcefully use AES-256 if PQC encryption was required or if all recipient keys are Kyber keys. -- If --require-pqc-encryption was set, then it should be safe to always force AES-256, without even checking if we are encrypting to Kyber keys (if some recipients do not have Kyber keys, --require-pqc-encryption will fail elsewhere). Otherwise, we force AES-256 if we encrypt *only* to Kyber keys -- unless the user explicitly requested another algo, in which case we assume they know what they are doing. GnuPG-bug-id: 7472 Signed-off-by: Damien Goutte-Gattat Man page entry extended Signed-off-by: Werner Koch --- doc/gpg.texi | 10 ++++++---- g10/encrypt.c | 19 +++++++++++++++++++ 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index f2bb95d04..b8cd0bb65 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -3149,10 +3149,12 @@ keys into non-VS-NfD compliant keys. @opindex require-pqc-encryption This option forces the use of quantum-resistant encryption algorithms. If not all public keys are quantum-resistant the encryption will fail. -On decryption a warning is printed for all non-quantum-resistant keys. -As of now the Kyber (ML-KEM768 and ML-KEM1024) algorithms are -considered quantum-resistant; Kyber is always used in a composite -scheme along with a classic ECC algorithm. +The use of the symmetric encryption algorithm AES-256 is also enforced +by this option. On decryption a warning is printed for all +non-quantum-resistant keys. As of now the Kyber (ML-KEM768 and +ML-KEM1024) algorithms and AES-256 are considered quantum-resistant; +Kyber is always used in a composite scheme along with a classic ECC +algorithm. @item --require-compliance @opindex require-compliance 
diff --git a/g10/encrypt.c b/g10/encrypt.c
index e4e56c8b1..9b27b595b 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -139,6 +139,25 @@ create_dek_with_warnings (pk_list_t pk_list)
 dek->algo = opt.def_cipher_algo;
 }
+ if (dek->algo != CIPHER_ALGO_AES256)
+ {
+ /* If quantum resistance was explicitly required, we force the
+ * use of AES256 no matter what. Otherwise, we force AES256 if we
+ * encrypt to Kyber keys only and the user did not explicity
+ * request another another algo. */
+ if (opt.flags.require_pqc_encryption)
+ dek->algo = CIPHER_ALGO_AES256;
+ else if (!opt.def_cipher_algo)
+ {
+ int non_kyber_pk = 0;
+ for ( ; pk_list; pk_list = pk_list->next)
+ if (pk_list->pk->pubkey_algo != PUBKEY_ALGO_KYBER)
+ non_kyber_pk += 1;
+ if (!non_kyber_pk)
+ dek->algo = CIPHER_ALGO_AES256;
+ }
+ }
+
 return dek;
 }
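Review bot: In the `opt.flags.require_pqc_encryption` branch, a cipher the user explicitly requested (the `opt.def_cipher_algo` value assigned to `dek->algo` just above the added lines) is replaced by AES-256 with no message, so the override is invisible to the caller. Consider logging it before the assignment, e.g. `if (opt.def_cipher_algo) log_info (_("forcing symmetric cipher %s\n"), openpgp_cipher_algo_name (CIPHER_ALGO_AES256));`. The Kyber-only loop also treats an empty `pk_list` as "all Kyber" because `non_kyber_pk` stays 0; if a caller can pass an empty list, the comment should say that this is intended, or the branch should require at least one key. The new comment has two typos (`explicity`, `another another`). The body of `create_dek_with_warnings` starts outside the hunk, so an earlier warning may already cover part of this.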