mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-01 03:34:39 +02:00
change type to short for comparision and up default min size
This commit is contained in:
Jacob Barthelmeh
@@ -278,7 +278,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
||||
int throughput = 0;
|
||||
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
|
||||
int minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
|
||||
int minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
|
||||
short minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
|
||||
int doListen = 1;
|
||||
int crlFlags = 0;
|
||||
int ret;
|
||||
@@ -652,7 +652,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
||||
}
|
||||
#endif
|
||||
#ifdef HAVE_ECC
|
||||
if (wolfSSL_CTX_SetMinEccKey_Sz(ctx, (word16)minEccKeyBits) != SSL_SUCCESS){
|
||||
if (wolfSSL_CTX_SetMinEccKey_Sz(ctx, minEccKeyBits) != SSL_SUCCESS){
|
||||
err_sys("Error setting minimum ECC key size");
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -5153,8 +5153,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
#endif /* !NO_RSA */
|
||||
#ifdef HAVE_ECC
|
||||
case ECDSAk:
|
||||
if (dCert->pubKeySize < ssl->options.minEccKeySz) {
|
||||
WOLFSSL_MSG("ECC key in cert chain was too small");
|
||||
if (ssl->options.minEccKeySz < 0 ||
|
||||
dCert->pubKeySize < (word16)ssl->options.minEccKeySz) {
|
||||
WOLFSSL_MSG("ECC key size in cert chain error");
|
||||
ret = ECC_KEY_SIZE_E;
|
||||
}
|
||||
break;
|
||||
|
||||
23
src/ssl.c
23
src/ssl.c
@@ -484,9 +484,9 @@ int wolfSSL_GetObjectSize(void)
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_ECC
|
||||
int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
|
||||
int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, short keySz)
|
||||
{
|
||||
if (ctx == NULL || keySz % 8 != 0) {
|
||||
if (ctx == NULL || keySz < 0 || keySz % 8 != 0) {
|
||||
WOLFSSL_MSG("Key size must be divisable by 8 or ctx was null");
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
@@ -497,9 +497,9 @@ int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
|
||||
}
|
||||
|
||||
|
||||
int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, word16 keySz)
|
||||
int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz)
|
||||
{
|
||||
if (ssl == NULL || keySz % 8 != 0) {
|
||||
if (ssl == NULL || keySz < 0 || keySz % 8 != 0) {
|
||||
WOLFSSL_MSG("Key size must be divisable by 8 or ssl was null");
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
@@ -2633,9 +2633,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
|
||||
#endif /* !NO_RSA */
|
||||
#ifdef HAVE_ECC
|
||||
case ECDSAk:
|
||||
if (cert->pubKeySize < cm->minEccKeySz) {
|
||||
if (cm->minEccKeySz < 0 ||
|
||||
cert->pubKeySize < (word16)cm->minEccKeySz) {
|
||||
ret = ECC_KEY_SIZE_E;
|
||||
WOLFSSL_MSG(" CA ECC key is too small");
|
||||
WOLFSSL_MSG(" CA ECC key size error");
|
||||
}
|
||||
break;
|
||||
#endif /* HAVE_ECC */
|
||||
@@ -3670,15 +3671,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
||||
#ifdef HAVE_ECC
|
||||
case ECDSAk:
|
||||
if (ssl && !ssl->options.verifyNone) {
|
||||
if (cert->pubKeySize < ssl->options.minEccKeySz) {
|
||||
if (ssl->options.minEccKeySz < 0 ||
|
||||
cert->pubKeySize < (word16)ssl->options.minEccKeySz) {
|
||||
ret = ECC_KEY_SIZE_E;
|
||||
WOLFSSL_MSG("Certificate ECC key size too small");
|
||||
WOLFSSL_MSG("Certificate ECC key size error");
|
||||
}
|
||||
}
|
||||
else if (ctx && !ctx->verifyNone) {
|
||||
if (cert->pubKeySize < ctx->minEccKeySz) {
|
||||
if (ctx->minEccKeySz < 0 ||
|
||||
cert->pubKeySize < (word16)ctx->minEccKeySz) {
|
||||
ret = ECC_KEY_SIZE_E;
|
||||
WOLFSSL_MSG("Certificate ECC key size too small");
|
||||
WOLFSSL_MSG("Certificate ECC key size error");
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -1068,7 +1068,7 @@ enum Misc {
|
||||
#ifdef WOLFSSL_MAX_STRENGTH
|
||||
#define WOLFSSL_MIN_ECC_BITS 256
|
||||
#else
|
||||
#define WOLFSSL_MIN_ECC_BITS 160
|
||||
#define WOLFSSL_MIN_ECC_BITS 224
|
||||
#endif
|
||||
#endif /* WOLFSSL_MIN_ECC_BITS */
|
||||
#if (WOLFSSL_MIN_ECC_BITS % 8)
|
||||
@@ -1519,7 +1519,7 @@ struct WOLFSSL_CERT_MANAGER {
|
||||
word16 minRsaKeySz; /* minimum allowed RSA key size */
|
||||
#endif
|
||||
#ifdef HAVE_ECC
|
||||
word16 minEccKeySz; /* minimum allowed ECC key size */
|
||||
short minEccKeySz; /* minimum allowed ECC key size */
|
||||
#endif
|
||||
};
|
||||
|
||||
@@ -1921,7 +1921,7 @@ struct WOLFSSL_CTX {
|
||||
word16 minRsaKeySz; /* minimum RSA key size */
|
||||
#endif
|
||||
#ifdef HAVE_ECC
|
||||
word16 minEccKeySz; /* minimum ECC key size */
|
||||
short minEccKeySz; /* minimum ECC key size */
|
||||
#endif
|
||||
CallbackIORecv CBIORecv;
|
||||
CallbackIOSend CBIOSend;
|
||||
@@ -2391,7 +2391,7 @@ typedef struct Options {
|
||||
word16 minRsaKeySz; /* minimum RSA key size */
|
||||
#endif
|
||||
#ifdef HAVE_ECC
|
||||
word16 minEccKeySz; /* minimum ECC key size */
|
||||
short minEccKeySz; /* minimum ECC key size */
|
||||
#endif
|
||||
|
||||
} Options;
|
||||
|
||||
@@ -944,8 +944,8 @@ WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, unsigned short);
|
||||
#endif /* NO_RSA */
|
||||
|
||||
#ifdef HAVE_ECC
|
||||
WOLFSSL_API int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX*, unsigned short);
|
||||
WOLFSSL_API int wolfSSL_SetMinEccKey_Sz(WOLFSSL*, unsigned short);
|
||||
WOLFSSL_API int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX*, short);
|
||||
WOLFSSL_API int wolfSSL_SetMinEccKey_Sz(WOLFSSL*, short);
|
||||
#endif /* NO_RSA */
|
||||
|
||||
WOLFSSL_API int wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL*, unsigned short);
|
||||
|
||||
@@ -239,7 +239,7 @@
|
||||
#if !defined(NO_FILESYSTEM) && defined(WOLFSSL_MAX_STRENGTH)
|
||||
#define DEFAULT_MIN_ECCKEY_BITS 256
|
||||
#else
|
||||
#define DEFAULT_MIN_ECCKEY_BITS 112 /* secp112r1 smallest in wolfSSL */
|
||||
#define DEFAULT_MIN_ECCKEY_BITS 224
|
||||
#endif
|
||||
|
||||
/* all certs relative to wolfSSL home directory now */
|
||||
|
||||
Reference in New Issue
Block a user