diff options
| author | Damien Goutte-Gattat via Gnupg-devel <gnupg-devel@gnupg.org> | 2025-01-03 21:59:58 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2025-01-06 18:17:07 +0100 |
| commit | 72e3fddbfe7b9f8e691076dbeea5588b9f20cc2f (patch) | |
| tree | 7708fcdfda3abc023c8dd9fbadadb4534a7987f8 | |
| parent | gpg: Allow smaller session keys with Kyber (diff) | |
| download | gnupg2-72e3fddbfe7b9f8e691076dbeea5588b9f20cc2f.tar.xz gnupg2-72e3fddbfe7b9f8e691076dbeea5588b9f20cc2f.zip | |
gpg: Force the use of AES-256 in some cases
* g10/encrypt.c (create_dek_with_warnings): Forcefully use AES-256 if
PQC encryption was required or if all recipient keys are Kyber keys.
--
If --require-pqc-encryption was set, then it should be safe to always
force AES-256, without even checking if we are encrypting to Kyber keys
(if some recipients do not have Kyber keys, --require-pqc-encryption
will fail elsewhere).
Otherwise, we force AES-256 if we encrypt *only* to Kyber keys -- unless
the user explicitly requested another algo, in which case we assume they
know what they are doing.
GnuPG-bug-id: 7472
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
Man page entry extended
Signed-off-by: Werner Koch <wk@gnupg.org>
| -rw-r--r-- | doc/gpg.texi | 10 | ||||
| -rw-r--r-- | g10/encrypt.c | 19 |
2 files changed, 25 insertions, 4 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index f2bb95d04..b8cd0bb65 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -3149,10 +3149,12 @@ keys into non-VS-NfD compliant keys. @opindex require-pqc-encryption This option forces the use of quantum-resistant encryption algorithms. If not all public keys are quantum-resistant the encryption will fail. -On decryption a warning is printed for all non-quantum-resistant keys. -As of now the Kyber (ML-KEM768 and ML-KEM1024) algorithms are -considered quantum-resistant; Kyber is always used in a composite -scheme along with a classic ECC algorithm. +The use of the symmetric encryption algorithm AES-256 is also enforced +by this option. On decryption a warning is printed for all +non-quantum-resistant keys. As of now the Kyber (ML-KEM768 and +ML-KEM1024) algorithms and AES-256 are considered quantum-resistant; +Kyber is always used in a composite scheme along with a classic ECC +algorithm. @item --require-compliance @opindex require-compliance diff --git a/g10/encrypt.c b/g10/encrypt.c index e4e56c8b1..9b27b595b 100644 --- a/g10/encrypt.c +++ b/g10/encrypt.c @@ -139,6 +139,25 @@ create_dek_with_warnings (pk_list_t pk_list) dek->algo = opt.def_cipher_algo; } + if (dek->algo != CIPHER_ALGO_AES256) + { + /* If quantum resistance was explicitly required, we force the + * use of AES256 no matter what. Otherwise, we force AES256 if we + * encrypt to Kyber keys only and the user did not explicity + * request another another algo. */ + if (opt.flags.require_pqc_encryption) + dek->algo = CIPHER_ALGO_AES256; + else if (!opt.def_cipher_algo) + { + int non_kyber_pk = 0; + for ( ; pk_list; pk_list = pk_list->next) + if (pk_list->pk->pubkey_algo != PUBKEY_ALGO_KYBER) + non_kyber_pk += 1; + if (!non_kyber_pk) + dek->algo = CIPHER_ALGO_AES256; + } + } + return dek; } |