1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4e1051a39Sopenharmony_ci * 5e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 6e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 7e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 8e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 9e1051a39Sopenharmony_ci */ 10e1051a39Sopenharmony_ci 11e1051a39Sopenharmony_ci/* 12e1051a39Sopenharmony_ci * ECDSA low level APIs are deprecated for public use, but still ok for 13e1051a39Sopenharmony_ci * internal use. 14e1051a39Sopenharmony_ci */ 15e1051a39Sopenharmony_ci#include "internal/deprecated.h" 16e1051a39Sopenharmony_ci 17e1051a39Sopenharmony_ci#include <openssl/err.h> 18e1051a39Sopenharmony_ci#include "crypto/bn.h" 19e1051a39Sopenharmony_ci#include "ec_local.h" 20e1051a39Sopenharmony_ci 21e1051a39Sopenharmony_ciEC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, 22e1051a39Sopenharmony_ci const BIGNUM *b, BN_CTX *ctx) 23e1051a39Sopenharmony_ci{ 24e1051a39Sopenharmony_ci const EC_METHOD *meth; 25e1051a39Sopenharmony_ci EC_GROUP *ret; 26e1051a39Sopenharmony_ci 27e1051a39Sopenharmony_ci#if defined(OPENSSL_BN_ASM_MONT) 28e1051a39Sopenharmony_ci /* 29e1051a39Sopenharmony_ci * This might appear controversial, but the fact is that generic 30e1051a39Sopenharmony_ci * prime method was observed to deliver better performance even 31e1051a39Sopenharmony_ci * for NIST primes on a range of platforms, e.g.: 60%-15% 32e1051a39Sopenharmony_ci * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25% 33e1051a39Sopenharmony_ci * in 32-bit build and 35%--12% in 64-bit build on Core2... 34e1051a39Sopenharmony_ci * Coefficients are relative to optimized bn_nist.c for most 35e1051a39Sopenharmony_ci * intensive ECDSA verify and ECDH operations for 192- and 521- 36e1051a39Sopenharmony_ci * bit keys respectively. Choice of these boundary values is 37e1051a39Sopenharmony_ci * arguable, because the dependency of improvement coefficient 38e1051a39Sopenharmony_ci * from key length is not a "monotone" curve. For example while 39e1051a39Sopenharmony_ci * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's 40e1051a39Sopenharmony_ci * generally faster, sometimes "respectfully" faster, sometimes 41e1051a39Sopenharmony_ci * "tolerably" slower... What effectively happens is that loop 42e1051a39Sopenharmony_ci * with bn_mul_add_words is put against bn_mul_mont, and the 43e1051a39Sopenharmony_ci * latter "wins" on short vectors. Correct solution should be 44e1051a39Sopenharmony_ci * implementing dedicated NxN multiplication subroutines for 45e1051a39Sopenharmony_ci * small N. But till it materializes, let's stick to generic 46e1051a39Sopenharmony_ci * prime method... 47e1051a39Sopenharmony_ci * <appro> 48e1051a39Sopenharmony_ci */ 49e1051a39Sopenharmony_ci meth = EC_GFp_mont_method(); 50e1051a39Sopenharmony_ci#else 51e1051a39Sopenharmony_ci if (BN_nist_mod_func(p)) 52e1051a39Sopenharmony_ci meth = EC_GFp_nist_method(); 53e1051a39Sopenharmony_ci else 54e1051a39Sopenharmony_ci meth = EC_GFp_mont_method(); 55e1051a39Sopenharmony_ci#endif 56e1051a39Sopenharmony_ci 57e1051a39Sopenharmony_ci ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); 58e1051a39Sopenharmony_ci if (ret == NULL) 59e1051a39Sopenharmony_ci return NULL; 60e1051a39Sopenharmony_ci 61e1051a39Sopenharmony_ci if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { 62e1051a39Sopenharmony_ci EC_GROUP_free(ret); 63e1051a39Sopenharmony_ci return NULL; 64e1051a39Sopenharmony_ci } 65e1051a39Sopenharmony_ci 66e1051a39Sopenharmony_ci return ret; 67e1051a39Sopenharmony_ci} 68e1051a39Sopenharmony_ci 69e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_EC2M 70e1051a39Sopenharmony_ciEC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, 71e1051a39Sopenharmony_ci const BIGNUM *b, BN_CTX *ctx) 72e1051a39Sopenharmony_ci{ 73e1051a39Sopenharmony_ci const EC_METHOD *meth; 74e1051a39Sopenharmony_ci EC_GROUP *ret; 75e1051a39Sopenharmony_ci 76e1051a39Sopenharmony_ci meth = EC_GF2m_simple_method(); 77e1051a39Sopenharmony_ci 78e1051a39Sopenharmony_ci ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); 79e1051a39Sopenharmony_ci if (ret == NULL) 80e1051a39Sopenharmony_ci return NULL; 81e1051a39Sopenharmony_ci 82e1051a39Sopenharmony_ci if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { 83e1051a39Sopenharmony_ci EC_GROUP_free(ret); 84e1051a39Sopenharmony_ci return NULL; 85e1051a39Sopenharmony_ci } 86e1051a39Sopenharmony_ci 87e1051a39Sopenharmony_ci return ret; 88e1051a39Sopenharmony_ci} 89e1051a39Sopenharmony_ci#endif 90