authorDamien Goutte-Gattat via Gnupg-devel <gnupg-devel@gnupg.org>2025-01-03 21:59:58 +0100
committerWerner Koch <wk@gnupg.org>2025-01-06 18:17:07 +0100
commit72e3fddbfe7b9f8e691076dbeea5588b9f20cc2f (patch)
tree7708fcdfda3abc023c8dd9fbadadb4534a7987f8 /g10/encrypt.c
parentgpg: Allow smaller session keys with Kyber (diff)
gpg: Force the use of AES-256 in some cases
* g10/encrypt.c (create_dek_with_warnings): Forcefully use AES-256 if PQC encryption was required or if all recipient keys are Kyber keys. -- If --require-pqc-encryption was set, then it should be safe to always force AES-256, without even checking if we are encrypting to Kyber keys (if some recipients do not have Kyber keys, --require-pqc-encryption will fail elsewhere). Otherwise, we force AES-256 if we encrypt *only* to Kyber keys -- unless the user explicitly requested another algo, in which case we assume they know what they are doing. GnuPG-bug-id: 7472 Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org> Man page entry extended Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to '')
-rw-r--r--g10/encrypt.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/g10/encrypt.c b/g10/encrypt.c
index e4e56c8b1..9b27b595b 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -139,6 +139,25 @@ create_dek_with_warnings (pk_list_t pk_list)
dek->algo = opt.def_cipher_algo;
}
+ if (dek->algo != CIPHER_ALGO_AES256)
+ {
+ /* If quantum resistance was explicitly required, we force the
+ * use of AES256 no matter what. Otherwise, we force AES256 if we
+ * encrypt to Kyber keys only and the user did not explicity
+ * request another another algo. */
+ if (opt.flags.require_pqc_encryption)
+ dek->algo = CIPHER_ALGO_AES256;
+ else if (!opt.def_cipher_algo)
+ {
+ int non_kyber_pk = 0;
+ for ( ; pk_list; pk_list = pk_list->next)
+ if (pk_list->pk->pubkey_algo != PUBKEY_ALGO_KYBER)
+ non_kyber_pk += 1;
+ if (!non_kyber_pk)
+ dek->algo = CIPHER_ALGO_AES256;
+ }
+ }
+
return dek;
}
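Review bot: In the `opt.flags.require_pqc_encryption` branch, `dek->algo = CIPHER_ALGO_AES256;` also replaces a cipher the user set explicitly through `opt.def_cipher_algo`, and nothing in the hunk reports that override. Someone auditing which symmetric algorithm was actually used would have no trace of it, so a diagnostic before the assignment would help, for example `if (opt.def_cipher_algo) log_info ("forcing AES256 because --require-pqc-encryption is set\n");`. The start of create_dek_with_warnings lies outside the hunk, so any preference-violation warning issued there cannot be confirmed from here; if one exists, it presumably ran against the pre-override algorithm. Separately, the new comment has two typos: "explicity" should be "explicitly" and "another another algo" should be "another algo".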