Commit | Line | Data |
---|---|---|
35b73a1f | 1 | /* |
1212818e | 2 | * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. |
aa8f3d76 | 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
65e81670 | 4 | * |
a7f182b7 | 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
4f22f405 RS |
6 | * this file except in compliance with the License. You can obtain a copy |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
65e81670 | 9 | */ |
4f22f405 | 10 | |
5c6bf031 | 11 | #include <openssl/err.h> |
25f2138b | 12 | #include "crypto/bn.h" |
65e81670 | 13 | #include "ec_lcl.h" |
0657bf9c | 14 | |
/*
 * Create an EC_GROUP for a curve over a prime field from the caller's
 * field modulus |p| and coefficients |a| and |b|.
 *
 * |p|, |a| and |b| are handed unchanged to EC_GROUP_set_curve(); this
 * function performs no checks of its own on them, and it sets no generator,
 * order or cofactor. When the values originate from an untrusted source
 * (explicit curve parameters in a key or certificate, for example), the
 * caller should validate the completed group, e.g. with EC_GROUP_check()
 * once the generator is set, before using it.
 * NOTE(review): confirm which checks EC_GROUP_set_curve() already applies.
 *
 * |ctx| is used both to look up the library context and as scratch space
 * for EC_GROUP_set_curve().
 *
 * Returns the new group, or NULL if allocation or curve setup failed. The
 * caller receives ownership of the result (presumably to be released with
 * EC_GROUP_free() - confirm against the public API documentation).
 */
EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
                                 const BIGNUM *b, BN_CTX *ctx)
{
    const EC_METHOD *method;
    EC_GROUP *group;

#if defined(OPENSSL_BN_ASM_MONT)
    /*
     * This might appear controversial, but the fact is that generic
     * prime method was observed to deliver better performance even
     * for NIST primes on a range of platforms, e.g.: 60%-15%
     * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
     * in 32-bit build and 35%--12% in 64-bit build on Core2...
     * Coefficients are relative to optimized bn_nist.c for most
     * intensive ECDSA verify and ECDH operations for 192- and 521-
     * bit keys respectively. Choice of these boundary values is
     * arguable, because the dependency of improvement coefficient
     * from key length is not a "monotone" curve. For example while
     * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
     * generally faster, sometimes "respectfully" faster, sometimes
     * "tolerably" slower... What effectively happens is that loop
     * with bn_mul_add_words is put against bn_mul_mont, and the
     * latter "wins" on short vectors. Correct solution should be
     * implementing dedicated NxN multiplication subroutines for
     * small N. But till it materializes, let's stick to generic
     * prime method...
     *                                              <appro>
     */
    method = EC_GFp_mont_method();
#else
    /* Use the NIST-specific method only when |p| has a NIST reduction. */
    method = BN_nist_mod_func(p) ? EC_GFp_nist_method()
                                 : EC_GFp_mont_method();
#endif

    group = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), method);
    if (group == NULL)
        return NULL;

    if (EC_GROUP_set_curve(group, p, a, b, ctx))
        return group;

    /* Curve setup failed: release the half-built group before bailing out. */
    EC_GROUP_clear_free(group);
    return NULL;
}
7793f30e | 62 | |
b3310161 | 63 | #ifndef OPENSSL_NO_EC2M |
/*
 * Create an EC_GROUP for a curve over a binary field, always using the
 * simple GF(2^m) method. |p| is passed together with the coefficients |a|
 * and |b| to EC_GROUP_set_curve().
 *
 * As in the prime-field constructor, the three values are forwarded to
 * EC_GROUP_set_curve() without any check in this function, and no
 * generator is set here. Parameters taken from untrusted input should be
 * validated by the caller on the completed group before use.
 * NOTE(review): confirm which checks EC_GROUP_set_curve() already applies.
 *
 * Returns the new group, or NULL if allocation or curve setup failed.
 */
EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
                                  const BIGNUM *b, BN_CTX *ctx)
{
    const EC_METHOD *method = EC_GF2m_simple_method();
    EC_GROUP *group = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), method);

    if (group == NULL)
        return NULL;

    if (EC_GROUP_set_curve(group, p, a, b, ctx))
        return group;

    /* Curve setup failed: release the half-built group before bailing out. */
    EC_GROUP_clear_free(group);
    return NULL;
}
b3310161 | 83 | #endif |