diff --git a/examples/server/server.c b/examples/server/server.c index 30b3c8562..d15217166 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -278,7 +278,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int throughput = 0; int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS; int minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS; - int minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS; + short minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS; int doListen = 1; int crlFlags = 0; int ret; @@ -652,7 +652,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #endif #ifdef HAVE_ECC - if (wolfSSL_CTX_SetMinEccKey_Sz(ctx, (word16)minEccKeyBits) != SSL_SUCCESS){ + if (wolfSSL_CTX_SetMinEccKey_Sz(ctx, minEccKeyBits) != SSL_SUCCESS){ err_sys("Error setting minimum ECC key size"); } #endif diff --git a/src/internal.c b/src/internal.c index b17aebad7..1e81e3b6e 100755 --- a/src/internal.c +++ b/src/internal.c @@ -5153,8 +5153,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif /* !NO_RSA */ #ifdef HAVE_ECC case ECDSAk: - if (dCert->pubKeySize < ssl->options.minEccKeySz) { - WOLFSSL_MSG("ECC key in cert chain was too small"); + if (ssl->options.minEccKeySz < 0 || + dCert->pubKeySize < (word16)ssl->options.minEccKeySz) { + WOLFSSL_MSG("ECC key size in cert chain error"); ret = ECC_KEY_SIZE_E; } break; diff --git a/src/ssl.c b/src/ssl.c index cb082d6d1..1eaca0782 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -484,9 +484,9 @@ int wolfSSL_GetObjectSize(void) #endif #ifdef HAVE_ECC -int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, word16 keySz) +int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, short keySz) { - if (ctx == NULL || keySz % 8 != 0) { + if (ctx == NULL || keySz < 0 || keySz % 8 != 0) { WOLFSSL_MSG("Key size must be divisable by 8 or ctx was null"); return BAD_FUNC_ARG; } @@ -497,9 +497,9 @@ int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, word16 keySz) } -int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, word16 keySz) +int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz) { - if (ssl == NULL || keySz % 8 != 0) { + if (ssl == NULL || keySz < 0 || keySz % 8 != 0) { WOLFSSL_MSG("Key size must be divisable by 8 or ssl was null"); return BAD_FUNC_ARG; } @@ -2633,9 +2633,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) #endif /* !NO_RSA */ #ifdef HAVE_ECC case ECDSAk: - if (cert->pubKeySize < cm->minEccKeySz) { + if (cm->minEccKeySz < 0 || + cert->pubKeySize < (word16)cm->minEccKeySz) { ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG(" CA ECC key is too small"); + WOLFSSL_MSG(" CA ECC key size error"); } break; #endif /* HAVE_ECC */ @@ -3670,15 +3671,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #ifdef HAVE_ECC case ECDSAk: if (ssl && !ssl->options.verifyNone) { - if (cert->pubKeySize < ssl->options.minEccKeySz) { + if (ssl->options.minEccKeySz < 0 || + cert->pubKeySize < (word16)ssl->options.minEccKeySz) { ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Certificate ECC key size too small"); + WOLFSSL_MSG("Certificate ECC key size error"); } } else if (ctx && !ctx->verifyNone) { - if (cert->pubKeySize < ctx->minEccKeySz) { + if (ctx->minEccKeySz < 0 || + cert->pubKeySize < (word16)ctx->minEccKeySz) { ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Certificate ECC key size too small"); + WOLFSSL_MSG("Certificate ECC key size error"); } } break; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 27b7e5e51..e20d28433 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1068,7 +1068,7 @@ enum Misc { #ifdef WOLFSSL_MAX_STRENGTH #define WOLFSSL_MIN_ECC_BITS 256 #else - #define WOLFSSL_MIN_ECC_BITS 160 + #define WOLFSSL_MIN_ECC_BITS 224 #endif #endif /* WOLFSSL_MIN_ECC_BITS */ #if (WOLFSSL_MIN_ECC_BITS % 8) @@ -1519,7 +1519,7 @@ struct WOLFSSL_CERT_MANAGER { word16 minRsaKeySz; /* minimum allowed RSA key size */ #endif #ifdef HAVE_ECC - word16 minEccKeySz; /* minimum allowed ECC key size */ + short minEccKeySz; /* minimum allowed ECC key size */ #endif }; @@ -1921,7 +1921,7 @@ struct WOLFSSL_CTX { word16 minRsaKeySz; /* minimum RSA key size */ #endif #ifdef HAVE_ECC - word16 minEccKeySz; /* minimum ECC key size */ + short minEccKeySz; /* minimum ECC key size */ #endif CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; @@ -2391,7 +2391,7 @@ typedef struct Options { word16 minRsaKeySz; /* minimum RSA key size */ #endif #ifdef HAVE_ECC - word16 minEccKeySz; /* minimum ECC key size */ + short minEccKeySz; /* minimum ECC key size */ #endif } Options; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 1a8b896d3..755cde40e 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -944,8 +944,8 @@ WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, unsigned short); #endif /* NO_RSA */ #ifdef HAVE_ECC -WOLFSSL_API int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX*, unsigned short); -WOLFSSL_API int wolfSSL_SetMinEccKey_Sz(WOLFSSL*, unsigned short); +WOLFSSL_API int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX*, short); +WOLFSSL_API int wolfSSL_SetMinEccKey_Sz(WOLFSSL*, short); #endif /* NO_RSA */ WOLFSSL_API int wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL*, unsigned short); diff --git a/wolfssl/test.h b/wolfssl/test.h index 8fb6a4399..140ac64ea 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -239,7 +239,7 @@ #if !defined(NO_FILESYSTEM) && defined(WOLFSSL_MAX_STRENGTH) #define DEFAULT_MIN_ECCKEY_BITS 256 #else - #define DEFAULT_MIN_ECCKEY_BITS 112 /* secp112r1 smallest in wolfSSL */ + #define DEFAULT_MIN_ECCKEY_BITS 224 #endif /* all certs relative to wolfSSL home directory now */