change type to short for comparision and up default min size

examples/server/server.c

@@ -278,7 +278,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     int    throughput = 0;
     int    minDhKeyBits  = DEFAULT_MIN_DHKEY_BITS;
     int    minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS;
-    int    minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
+    short  minEccKeyBits = DEFAULT_MIN_ECCKEY_BITS;
     int    doListen = 1;
     int    crlFlags = 0;
     int    ret;
@@ -652,7 +652,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     }
 #endif
 #ifdef HAVE_ECC
-    if (wolfSSL_CTX_SetMinEccKey_Sz(ctx, (word16)minEccKeyBits) != SSL_SUCCESS){
+    if (wolfSSL_CTX_SetMinEccKey_Sz(ctx, minEccKeyBits) != SSL_SUCCESS){
         err_sys("Error setting minimum ECC key size");
     }
 #endif

src/internal.c

@@ -5153,8 +5153,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 #endif /* !NO_RSA */
                 #ifdef HAVE_ECC
                 case ECDSAk:
-                    if (dCert->pubKeySize < ssl->options.minEccKeySz) {
+                    if (ssl->options.minEccKeySz < 0 ||
-                        WOLFSSL_MSG("ECC key in cert chain was too small");
+                        dCert->pubKeySize < (word16)ssl->options.minEccKeySz) {
+                        WOLFSSL_MSG("ECC key size in cert chain error");
                         ret = ECC_KEY_SIZE_E;
                     }
                     break;

src/ssl.c

@@ -484,9 +484,9 @@ int wolfSSL_GetObjectSize(void)
 #endif
 
 #ifdef HAVE_ECC
-int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
+int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, short keySz)
 {
-    if (ctx == NULL || keySz % 8 != 0) {
+    if (ctx == NULL || keySz < 0 || keySz % 8 != 0) {
         WOLFSSL_MSG("Key size must be divisable by 8 or ctx was null");
         return BAD_FUNC_ARG;
     }
@@ -497,9 +497,9 @@ int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, word16 keySz)
 }
 
 
-int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, word16 keySz)
+int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz)
 {
-    if (ssl == NULL || keySz % 8 != 0) {
+    if (ssl == NULL || keySz < 0 || keySz % 8 != 0) {
         WOLFSSL_MSG("Key size must be divisable by 8 or ssl was null");
         return BAD_FUNC_ARG;
     }
@@ -2633,9 +2633,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
             #endif /* !NO_RSA */
             #ifdef HAVE_ECC
             case ECDSAk:
-                if (cert->pubKeySize < cm->minEccKeySz) {
+                if (cm->minEccKeySz < 0 ||
+                                   cert->pubKeySize < (word16)cm->minEccKeySz) {
                     ret = ECC_KEY_SIZE_E;
-                    WOLFSSL_MSG("    CA ECC key is too small");
+                    WOLFSSL_MSG("    CA ECC key size error");
                 }
                 break;
             #endif /* HAVE_ECC */
@@ -3670,15 +3671,17 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
         #ifdef HAVE_ECC
             case ECDSAk:
                 if (ssl && !ssl->options.verifyNone) {
-                    if (cert->pubKeySize < ssl->options.minEccKeySz) {
+                    if (ssl->options.minEccKeySz < 0 ||
+                          cert->pubKeySize < (word16)ssl->options.minEccKeySz) {
                         ret = ECC_KEY_SIZE_E;
-                        WOLFSSL_MSG("Certificate ECC key size too small");
+                        WOLFSSL_MSG("Certificate ECC key size error");
                     }
                 }
                 else if (ctx && !ctx->verifyNone) {
-                    if (cert->pubKeySize < ctx->minEccKeySz) {
+                    if (ctx->minEccKeySz < 0 ||
+                                  cert->pubKeySize < (word16)ctx->minEccKeySz) {
                         ret = ECC_KEY_SIZE_E;
-                        WOLFSSL_MSG("Certificate ECC key size too small");
+                        WOLFSSL_MSG("Certificate ECC key size error");
                     }
                 }
                 break;

wolfssl/internal.h

@@ -1068,7 +1068,7 @@ enum Misc {
     #ifdef WOLFSSL_MAX_STRENGTH
         #define WOLFSSL_MIN_ECC_BITS  256
     #else
-        #define WOLFSSL_MIN_ECC_BITS 160
+        #define WOLFSSL_MIN_ECC_BITS 224
     #endif
 #endif /* WOLFSSL_MIN_ECC_BITS */
 #if (WOLFSSL_MIN_ECC_BITS % 8)
@@ -1519,7 +1519,7 @@ struct WOLFSSL_CERT_MANAGER {
     word16          minRsaKeySz;         /* minimum allowed RSA key size */
 #endif
 #ifdef HAVE_ECC
-    word16          minEccKeySz;         /* minimum allowed ECC key size */
+    short           minEccKeySz;         /* minimum allowed ECC key size */
 #endif
 };
 
@@ -1921,7 +1921,7 @@ struct WOLFSSL_CTX {
     word16      minRsaKeySz;      /* minimum RSA key size */
 #endif
 #ifdef HAVE_ECC
-    word16      minEccKeySz;      /* minimum ECC key size */
+    short       minEccKeySz;      /* minimum ECC key size */
 #endif
     CallbackIORecv CBIORecv;
     CallbackIOSend CBIOSend;
@@ -2391,7 +2391,7 @@ typedef struct Options {
     word16          minRsaKeySz;      /* minimum RSA key size */
 #endif
 #ifdef HAVE_ECC
-    word16          minEccKeySz;      /* minimum ECC key size */
+    short           minEccKeySz;      /* minimum ECC key size */
 #endif
 
 } Options;

wolfssl/ssl.h

@@ -944,8 +944,8 @@ WOLFSSL_API int wolfSSL_SetMinRsaKey_Sz(WOLFSSL*, unsigned short);
 #endif /* NO_RSA */
 
 #ifdef HAVE_ECC
-WOLFSSL_API int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX*, unsigned short);
+WOLFSSL_API int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX*, short);
-WOLFSSL_API int wolfSSL_SetMinEccKey_Sz(WOLFSSL*, unsigned short);
+WOLFSSL_API int wolfSSL_SetMinEccKey_Sz(WOLFSSL*, short);
 #endif /* NO_RSA */
 
 WOLFSSL_API int  wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL*, unsigned short);

wolfssl/test.h

@@ -239,7 +239,7 @@
 #if !defined(NO_FILESYSTEM) && defined(WOLFSSL_MAX_STRENGTH)
     #define DEFAULT_MIN_ECCKEY_BITS 256
 #else
-    #define DEFAULT_MIN_ECCKEY_BITS 112 /* secp112r1 smallest in wolfSSL */
+    #define DEFAULT_MIN_ECCKEY_BITS 224
 #endif
 
 /* all certs relative to wolfSSL home directory now */