xref: /openssl/crypto/ec/ec_cvt.c (revision 8020d79b)
1 /*
2  * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10 
11 /*
12  * ECDSA low level APIs are deprecated for public use, but still ok for
13  * internal use.
14  */
15 #include "internal/deprecated.h"
16 
17 #include <openssl/err.h>
18 #include "crypto/bn.h"
19 #include "ec_local.h"
20 
EC_GROUP_new_curve_GFp(const BIGNUM * p,const BIGNUM * a,const BIGNUM * b,BN_CTX * ctx)21 EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
22                                  const BIGNUM *b, BN_CTX *ctx)
23 {
24     const EC_METHOD *meth;
25     EC_GROUP *ret;
26 
27 #if defined(OPENSSL_BN_ASM_MONT)
28     /*
29      * This might appear controversial, but the fact is that generic
30      * prime method was observed to deliver better performance even
31      * for NIST primes on a range of platforms, e.g.: 60%-15%
32      * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
33      * in 32-bit build and 35%--12% in 64-bit build on Core2...
34      * Coefficients are relative to optimized bn_nist.c for most
35      * intensive ECDSA verify and ECDH operations for 192- and 521-
36      * bit keys respectively. Choice of these boundary values is
37      * arguable, because the dependency of improvement coefficient
38      * from key length is not a "monotone" curve. For example while
39      * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
40      * generally faster, sometimes "respectfully" faster, sometimes
41      * "tolerably" slower... What effectively happens is that loop
42      * with bn_mul_add_words is put against bn_mul_mont, and the
43      * latter "wins" on short vectors. Correct solution should be
44      * implementing dedicated NxN multiplication subroutines for
45      * small N. But till it materializes, let's stick to generic
46      * prime method...
47      *                                              <appro>
48      */
49     meth = EC_GFp_mont_method();
50 #else
51     if (BN_nist_mod_func(p))
52         meth = EC_GFp_nist_method();
53     else
54         meth = EC_GFp_mont_method();
55 #endif
56 
57     ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
58     if (ret == NULL)
59         return NULL;
60 
61     if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
62         EC_GROUP_free(ret);
63         return NULL;
64     }
65 
66     return ret;
67 }
68 
69 #ifndef OPENSSL_NO_EC2M
EC_GROUP_new_curve_GF2m(const BIGNUM * p,const BIGNUM * a,const BIGNUM * b,BN_CTX * ctx)70 EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
71                                   const BIGNUM *b, BN_CTX *ctx)
72 {
73     const EC_METHOD *meth;
74     EC_GROUP *ret;
75 
76     meth = EC_GF2m_simple_method();
77 
78     ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
79     if (ret == NULL)
80         return NULL;
81 
82     if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
83         EC_GROUP_free(ret);
84         return NULL;
85     }
86 
87     return ret;
88 }
89 #endif
90