2
0

ec_cvt.c 2.8 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889
  1. /*
  2. * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. */
  10. /*
  11. * ECDSA low level APIs are deprecated for public use, but still ok for
  12. * internal use.
  13. */
  14. #include "internal/deprecated.h"
  15. #include <openssl/err.h>
  16. #include "crypto/bn.h"
  17. #include "ec_local.h"
  18. EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
  19. const BIGNUM *b, BN_CTX *ctx)
  20. {
  21. const EC_METHOD *meth;
  22. EC_GROUP *ret;
  23. #if defined(OPENSSL_BN_ASM_MONT)
  24. /*
  25. * This might appear controversial, but the fact is that generic
  26. * prime method was observed to deliver better performance even
  27. * for NIST primes on a range of platforms, e.g.: 60%-15%
  28. * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
  29. * in 32-bit build and 35%--12% in 64-bit build on Core2...
  30. * Coefficients are relative to optimized bn_nist.c for most
  31. * intensive ECDSA verify and ECDH operations for 192- and 521-
  32. * bit keys respectively. Choice of these boundary values is
  33. * arguable, because the dependency of improvement coefficient
  34. * from key length is not a "monotone" curve. For example while
  35. * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
  36. * generally faster, sometimes "respectfully" faster, sometimes
  37. * "tolerably" slower... What effectively happens is that loop
  38. * with bn_mul_add_words is put against bn_mul_mont, and the
  39. * latter "wins" on short vectors. Correct solution should be
  40. * implementing dedicated NxN multiplication subroutines for
  41. * small N. But till it materializes, let's stick to generic
  42. * prime method...
  43. * <appro>
  44. */
  45. meth = EC_GFp_mont_method();
  46. #else
  47. if (BN_nist_mod_func(p))
  48. meth = EC_GFp_nist_method();
  49. else
  50. meth = EC_GFp_mont_method();
  51. #endif
  52. ret = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), meth);
  53. if (ret == NULL)
  54. return NULL;
  55. if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
  56. EC_GROUP_free(ret);
  57. return NULL;
  58. }
  59. return ret;
  60. }
  61. #ifndef OPENSSL_NO_EC2M
  62. EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
  63. const BIGNUM *b, BN_CTX *ctx)
  64. {
  65. const EC_METHOD *meth;
  66. EC_GROUP *ret;
  67. meth = EC_GF2m_simple_method();
  68. ret = EC_GROUP_new_ex(bn_get_lib_ctx(ctx), meth);
  69. if (ret == NULL)
  70. return NULL;
  71. if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
  72. EC_GROUP_free(ret);
  73. return NULL;
  74. }
  75. return ret;
  76. }
  77. #endif