projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 35b73a1f | 1 | /* |
| 33388b44 | 2 | * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. |
| aa8f3d76 | 3 | * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved |
| 65e81670 | 4 | * |
| a7f182b7 | 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 4f22f405 RS |
6 | * this file except in compliance with the License. You can obtain a copy |
| 7 | * in the file LICENSE in the source distribution or at | |
| 8 | * https://www.openssl.org/source/license.html | |
| 65e81670 | 9 | */ |
| 4f22f405 | 10 | |
| 579422c8 P |
11 | /* |
| 12 | * ECDSA low level APIs are deprecated for public use, but still ok for | |
| 13 | * internal use. | |
| 14 | */ | |
| 15 | #include "internal/deprecated.h" | |
| 16 | ||
| 5c6bf031 | 17 | #include <openssl/err.h> |
| 25f2138b | 18 | #include "crypto/bn.h" |
| 706457b7 | 19 | #include "ec_local.h" |
| 0657bf9c | 20 | |
| 0f113f3e MC |
21 | EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, |
| 22 | const BIGNUM *b, BN_CTX *ctx) | |
| 23 | { | |
| 24 | const EC_METHOD *meth; | |
| 25 | EC_GROUP *ret; | |
| 5c6bf031 | 26 | |
| 62f29eb1 | 27 | #if defined(OPENSSL_BN_ASM_MONT) |
| 0f113f3e MC |
28 | /* |
| 29 | * This might appear controversial, but the fact is that generic | |
| 30 | * prime method was observed to deliver better performance even | |
| 31 | * for NIST primes on a range of platforms, e.g.: 60%-15% | |
| 32 | * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25% | |
| 33 | * in 32-bit build and 35%--12% in 64-bit build on Core2... | |
| 34 | * Coefficients are relative to optimized bn_nist.c for most | |
| 35 | * intensive ECDSA verify and ECDH operations for 192- and 521- | |
| 36 | * bit keys respectively. Choice of these boundary values is | |
| 37 | * arguable, because the dependency of improvement coefficient | |
| 38 | * from key length is not a "monotone" curve. For example while | |
| 39 | * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's | |
| 40 | * generally faster, sometimes "respectfully" faster, sometimes | |
| 41 | * "tolerably" slower... What effectively happens is that loop | |
| 42 | * with bn_mul_add_words is put against bn_mul_mont, and the | |
| 43 | * latter "wins" on short vectors. Correct solution should be | |
| 44 | * implementing dedicated NxN multiplication subroutines for | |
| 45 | * small N. But till it materializes, let's stick to generic | |
| 46 | * prime method... | |
| 47 | * <appro> | |
| 48 | */ | |
| 49 | meth = EC_GFp_mont_method(); | |
| fdf6dac8 | 50 | #else |
| 0f113f3e MC |
51 | if (BN_nist_mod_func(p)) |
| 52 | meth = EC_GFp_nist_method(); | |
| 53 | else | |
| 54 | meth = EC_GFp_mont_method(); | |
| fdf6dac8 | 55 | #endif |
| 0657bf9c | 56 | |
| a9612d6c | 57 | ret = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), meth); |
| 0f113f3e MC |
58 | if (ret == NULL) |
| 59 | return NULL; | |
| 0657bf9c | 60 | |
| 9cc570d4 | 61 | if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { |
| cdf8d0db | 62 | EC_GROUP_free(ret); |
| 0f113f3e MC |
63 | return NULL; |
| 64 | } | |
| 65 | ||
| 66 | return ret; | |
| 67 | } | |
| 7793f30e | 68 | |
| b3310161 | 69 | #ifndef OPENSSL_NO_EC2M |
| 0f113f3e MC |
70 | EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, |
| 71 | const BIGNUM *b, BN_CTX *ctx) | |
| 72 | { | |
| 73 | const EC_METHOD *meth; | |
| 74 | EC_GROUP *ret; | |
| 75 | ||
| 76 | meth = EC_GF2m_simple_method(); | |
| 77 | ||
| a9612d6c | 78 | ret = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), meth); |
| 0f113f3e MC |
79 | if (ret == NULL) |
| 80 | return NULL; | |
| 7793f30e | 81 | |
| 9cc570d4 | 82 | if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { |
| cdf8d0db | 83 | EC_GROUP_free(ret); |
| 0f113f3e MC |
84 | return NULL; |
| 85 | } | |
| 7793f30e | 86 | |
| 0f113f3e MC |
87 | return ret; |
| 88 | } | |
| b3310161 | 89 | #endif |