| 1 | /*
|
|---|
| 2 | * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
|---|
| 4 | *
|
|---|
| 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 6 | * this file except in compliance with the License. You can obtain a copy
|
|---|
| 7 | * in the file LICENSE in the source distribution or at
|
|---|
| 8 | * https://www.openssl.org/source/license.html
|
|---|
| 9 | */
|
|---|
| 10 |
|
|---|
| 11 | /*
|
|---|
| 12 | * ECDSA low level APIs are deprecated for public use, but still ok for
|
|---|
| 13 | * internal use.
|
|---|
| 14 | */
|
|---|
| 15 | #include "internal/deprecated.h"
|
|---|
| 16 |
|
|---|
| 17 | #include <openssl/err.h>
|
|---|
| 18 | #include "crypto/bn.h"
|
|---|
| 19 | #include "ec_local.h"
|
|---|
| 20 |
|
|---|
| 21 | EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
|
|---|
| 22 | const BIGNUM *b, BN_CTX *ctx)
|
|---|
| 23 | {
|
|---|
| 24 | const EC_METHOD *meth;
|
|---|
| 25 | EC_GROUP *ret;
|
|---|
| 26 |
|
|---|
| 27 | #if defined(OPENSSL_BN_ASM_MONT)
|
|---|
| 28 | /*
|
|---|
| 29 | * This might appear controversial, but the fact is that generic
|
|---|
| 30 | * prime method was observed to deliver better performance even
|
|---|
| 31 | * for NIST primes on a range of platforms, e.g.: 60%-15%
|
|---|
| 32 | * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
|
|---|
| 33 | * in 32-bit build and 35%--12% in 64-bit build on Core2...
|
|---|
| 34 | * Coefficients are relative to optimized bn_nist.c for most
|
|---|
| 35 | * intensive ECDSA verify and ECDH operations for 192- and 521-
|
|---|
| 36 | * bit keys respectively. Choice of these boundary values is
|
|---|
| 37 | * arguable, because the dependency of improvement coefficient
|
|---|
| 38 | * from key length is not a "monotone" curve. For example while
|
|---|
| 39 | * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
|
|---|
| 40 | * generally faster, sometimes "respectfully" faster, sometimes
|
|---|
| 41 | * "tolerably" slower... What effectively happens is that loop
|
|---|
| 42 | * with bn_mul_add_words is put against bn_mul_mont, and the
|
|---|
| 43 | * latter "wins" on short vectors. Correct solution should be
|
|---|
| 44 | * implementing dedicated NxN multiplication subroutines for
|
|---|
| 45 | * small N. But till it materializes, let's stick to generic
|
|---|
| 46 | * prime method...
|
|---|
| 47 | * <appro>
|
|---|
| 48 | */
|
|---|
| 49 | meth = EC_GFp_mont_method();
|
|---|
| 50 | #else
|
|---|
| 51 | if (BN_nist_mod_func(p))
|
|---|
| 52 | meth = EC_GFp_nist_method();
|
|---|
| 53 | else
|
|---|
| 54 | meth = EC_GFp_mont_method();
|
|---|
| 55 | #endif
|
|---|
| 56 |
|
|---|
| 57 | ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
|
|---|
| 58 | if (ret == NULL)
|
|---|
| 59 | return NULL;
|
|---|
| 60 |
|
|---|
| 61 | if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
|
|---|
| 62 | EC_GROUP_free(ret);
|
|---|
| 63 | return NULL;
|
|---|
| 64 | }
|
|---|
| 65 |
|
|---|
| 66 | return ret;
|
|---|
| 67 | }
|
|---|
| 68 |
|
|---|
| 69 | #ifndef OPENSSL_NO_EC2M
|
|---|
| 70 | EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
|
|---|
| 71 | const BIGNUM *b, BN_CTX *ctx)
|
|---|
| 72 | {
|
|---|
| 73 | const EC_METHOD *meth;
|
|---|
| 74 | EC_GROUP *ret;
|
|---|
| 75 |
|
|---|
| 76 | meth = EC_GF2m_simple_method();
|
|---|
| 77 |
|
|---|
| 78 | ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
|
|---|
| 79 | if (ret == NULL)
|
|---|
| 80 | return NULL;
|
|---|
| 81 |
|
|---|
| 82 | if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
|
|---|
| 83 | EC_GROUP_free(ret);
|
|---|
| 84 | return NULL;
|
|---|
| 85 | }
|
|---|
| 86 |
|
|---|
| 87 | return ret;
|
|---|
| 88 | }
|
|---|
| 89 | #endif
|
|---|
