mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
8020d79b40
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14512)
90 lines
2.9 KiB
C
90 lines
2.9 KiB
C
/*
|
|
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
/*
|
|
* ECDSA low level APIs are deprecated for public use, but still ok for
|
|
* internal use.
|
|
*/
|
|
#include "internal/deprecated.h"
|
|
|
|
#include <openssl/err.h>
|
|
#include "crypto/bn.h"
|
|
#include "ec_local.h"
|
|
|
|
EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
|
|
const BIGNUM *b, BN_CTX *ctx)
|
|
{
|
|
const EC_METHOD *meth;
|
|
EC_GROUP *ret;
|
|
|
|
#if defined(OPENSSL_BN_ASM_MONT)
|
|
/*
|
|
* This might appear controversial, but the fact is that generic
|
|
* prime method was observed to deliver better performance even
|
|
* for NIST primes on a range of platforms, e.g.: 60%-15%
|
|
* improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
|
|
* in 32-bit build and 35%--12% in 64-bit build on Core2...
|
|
* Coefficients are relative to optimized bn_nist.c for most
|
|
* intensive ECDSA verify and ECDH operations for 192- and 521-
|
|
* bit keys respectively. Choice of these boundary values is
|
|
* arguable, because the dependency of improvement coefficient
|
|
* from key length is not a "monotone" curve. For example while
|
|
* 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
|
|
* generally faster, sometimes "respectfully" faster, sometimes
|
|
* "tolerably" slower... What effectively happens is that loop
|
|
* with bn_mul_add_words is put against bn_mul_mont, and the
|
|
* latter "wins" on short vectors. Correct solution should be
|
|
* implementing dedicated NxN multiplication subroutines for
|
|
* small N. But till it materializes, let's stick to generic
|
|
* prime method...
|
|
* <appro>
|
|
*/
|
|
meth = EC_GFp_mont_method();
|
|
#else
|
|
if (BN_nist_mod_func(p))
|
|
meth = EC_GFp_nist_method();
|
|
else
|
|
meth = EC_GFp_mont_method();
|
|
#endif
|
|
|
|
ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
|
|
if (ret == NULL)
|
|
return NULL;
|
|
|
|
if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
|
|
EC_GROUP_free(ret);
|
|
return NULL;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_EC2M
|
|
EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
|
|
const BIGNUM *b, BN_CTX *ctx)
|
|
{
|
|
const EC_METHOD *meth;
|
|
EC_GROUP *ret;
|
|
|
|
meth = EC_GF2m_simple_method();
|
|
|
|
ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
|
|
if (ret == NULL)
|
|
return NULL;
|
|
|
|
if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
|
|
EC_GROUP_free(ret);
|
|
return NULL;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
#endif
|