add ability to set Temp EC-DHE key size in octets for ctx or ssl, 20 - 66 allowed for 160bit - 521bit

cyassl/ctaocrypt/ecc.h

@@ -39,7 +39,8 @@ enum {
     ECC_MAXNAME    = 16,     /* MAX CURVE NAME LENGTH */
     SIG_HEADER_SZ  =  6,     /* ECC signature header size */
     ECC_BUFSIZE    = 256,    /* for exported keys temp buffer */
-    ECC_MAXSIZE    = 66      /* MAX Private Key size  */
+    ECC_MINSIZE    = 20,     /* MIN Private Key size */
+    ECC_MAXSIZE    = 66      /* MAX Private Key size */
 };
 
 

cyassl/internal.h

@@ -620,6 +620,9 @@ struct CYASSL_CTX {
     CallbackIOSend CBIOSend;
     CallbackCACache caCacheCallback;    /* CA cache addition callback */
     VerifyCallback  verifyCallback;     /* cert verification callback */
+#ifdef HAVE_ECC
+    word16          eccTempKeySz;       /* in octets 20 - 66 */
+#endif
 #ifndef NO_PSK
     byte        havePSK;                /* psk key set by user */
     psk_client_callback client_psk_cb;  /* client callback */
@@ -1030,12 +1033,13 @@ struct CYASSL {
 #endif
 #ifdef HAVE_ECC
     ecc_key         peerEccKey;              /* peer's  ECDHE key */
-    byte            peerEccKeyPresent;
     ecc_key         peerEccDsaKey;           /* peer's  ECDSA key */
-    byte            peerEccDsaKeyPresent;
     ecc_key         eccTempKey;              /* private ECDHE key */
-    byte            eccTempKeyPresent;
     ecc_key         eccDsaKey;               /* private ECDSA key */
+    word16          eccTempKeySz;            /* in octets 20 - 66 */
+    byte            peerEccKeyPresent;
+    byte            peerEccDsaKeyPresent;
+    byte            eccTempKeyPresent;
     byte            eccDsaKeyPresent;
 #endif
     hmacfp          hmac;

cyassl/ssl.h

@@ -679,6 +679,7 @@ CYASSL_API int  CyaSSL_SetTmpDH(CYASSL*, const unsigned char* p, int pSz,
                                 const unsigned char* g, int gSz);
 CYASSL_API int  CyaSSL_SetTmpDH_buffer(CYASSL*, const unsigned char* b, long sz,
                                        int format);
+CYASSL_API int  CyaSSL_SetTmpEC_DHE_Sz(CYASSL*, unsigned short);
 #ifndef NO_FILESYSTEM
     CYASSL_API int  CyaSSL_SetTmpDH_file(CYASSL*, const char* f, int format);
 #endif
@@ -688,6 +689,7 @@ CYASSL_API int  CyaSSL_CTX_SetTmpDH(CYASSL_CTX*, const unsigned char* p,
                                     int pSz, const unsigned char* g, int gSz);
 CYASSL_API int  CyaSSL_CTX_SetTmpDH_buffer(CYASSL_CTX*, const unsigned char* b,
                                            long sz, int format);
+CYASSL_API int  CyaSSL_CTX_SetTmpEC_DHE_Sz(CYASSL_CTX*, unsigned short);
 #ifndef NO_FILESYSTEM
     CYASSL_API int  CyaSSL_CTX_SetTmpDH_file(CYASSL_CTX*, const char* f,
                                              int format);

src/internal.c

@@ -342,6 +342,9 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method)
     ctx->client_psk_cb      = 0;
     ctx->server_psk_cb      = 0;
 #endif /* NO_PSK */
+#ifdef HAVE_ECC
+    ctx->eccTempKeySz       = ECDHE_SIZE;   
+#endif
 
 #ifdef OPENSSL_EXTRA
     ctx->passwd_cb   = 0;
@@ -696,13 +699,14 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
 #endif
 
 #ifdef HAVE_ECC
+    ssl->eccTempKeySz = ctx->eccTempKeySz;
     ssl->peerEccKeyPresent = 0;
-    ecc_init(&ssl->peerEccKey);
     ssl->peerEccDsaKeyPresent = 0;
-    ecc_init(&ssl->peerEccDsaKey);
     ssl->eccDsaKeyPresent = 0;
-    ecc_init(&ssl->eccDsaKey);
     ssl->eccTempKeyPresent = 0;
+    ecc_init(&ssl->peerEccKey);
+    ecc_init(&ssl->peerEccDsaKey);
+    ecc_init(&ssl->eccDsaKey);
     ecc_init(&ssl->eccTempKey);
 #endif
 
@@ -829,15 +833,6 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
     ssl->toInfoOn = 0;
 #endif
 
-#ifdef HAVE_ECC
-    /* make ECDHE for server side */
-    if (ssl->options.side == SERVER_END) {
-        if (ecc_make_key(&ssl->rng, ECDHE_SIZE, &ssl->eccTempKey) != 0)
-            return ECC_MAKEKEY_ERROR;
-        ssl->eccTempKeyPresent = 1;
-    }
-#endif
-
     /* make sure server has DH parms, and add PSK if there, add NTRU too */
     if (ssl->options.side == SERVER_END) 
         InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK,

src/ssl.c

@@ -1363,6 +1363,34 @@ int CyaSSL_CTX_SetTmpDH_buffer(CYASSL_CTX* ctx, const unsigned char* buf,
 }
 
 
+#ifdef HAVE_ECC
+
+/* Set Temp CTX EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
+int CyaSSL_CTX_SetTmpEC_DHE_Sz(CYASSL_CTX* ctx, word16 sz)
+{
+    if (ctx == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
+        return BAD_FUNC_ARG;
+
+    ctx->eccTempKeySz = sz;
+
+    return SSL_SUCCESS;
+}
+
+
+/* Set Temp SSL EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
+int CyaSSL_SetTmpEC_DHE_Sz(CYASSL* ssl, word16 sz)
+{
+    if (ssl == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
+        return BAD_FUNC_ARG;
+
+    ssl->eccTempKeySz = sz;
+
+    return SSL_SUCCESS;
+}
+
+#endif /* HAVE_ECC */
+
+
 #if !defined(NO_FILESYSTEM)
 
 /* server Diffie-Hellman parameters */
@@ -1882,7 +1910,8 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list)
         #ifdef HAVE_ECC
             /* in case used set_accept_state after init */
             if (ssl->eccTempKeyPresent == 0) {
-                if (ecc_make_key(&ssl->rng, ECDHE_SIZE, &ssl->eccTempKey) != 0){
+                if (ecc_make_key(&ssl->rng, ssl->eccTempKeySz,
+                                 &ssl->eccTempKey) != 0) {
                     ssl->error = ECC_MAKEKEY_ERROR;
                     CYASSL_ERROR(ssl->error);
                     return SSL_FATAL_ERROR;