summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/smime/smimeutil.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/smime/smimeutil.c')
-rw-r--r--security/nss/lib/smime/smimeutil.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
index 0e6bd32fd..a7df96e91 100644
--- a/security/nss/lib/smime/smimeutil.c
+++ b/security/nss/lib/smime/smimeutil.c
@@ -457,6 +457,25 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts)
cipher_votes[strong_mapi] += pref;
pref--;
} else {
+ if (pklen_bits > 3072) {
+ /* While support for AES 256 is a SHOULD+ in RFC 5751
+ * rather than a MUST, RSA and DSA keys longer than 3072
+ * bits provide more than 128 bits of security strength.
+ * So, AES 256 should be used to provide comparable
+ * security. */
+ cipher_abilities[aes256_mapi]++;
+ cipher_votes[aes256_mapi] += pref;
+ pref--;
+ }
+ if (pklen_bits > 1023) {
+ /* RFC 5751 mandates support for AES 128, but also says
+ * that RSA and DSA signature keys SHOULD NOT be less than
+ * 1024 bits. So, cast vote for AES 128 if key length
+ * is at least 1024 bits. */
+ cipher_abilities[aes128_mapi]++;
+ cipher_votes[aes128_mapi] += pref;
+ pref--;
+ }
if (pklen_bits > 512) {
/* cast votes for the strong algorithm */
cipher_abilities[strong_mapi]++;
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-23 22:06:30 +0000