1/*
2 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License").  You may not use
6 * this file except in compliance with the License.  You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11/*
12 * ECDSA low level APIs are deprecated for public use, but still ok for
13 * internal use.
14 */
15#include "internal/deprecated.h"
16
17#include <openssl/err.h>
18#include "crypto/bn.h"
19#include "ec_local.h"
20
21EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
22                                 const BIGNUM *b, BN_CTX *ctx)
23{
24    const EC_METHOD *meth;
25    EC_GROUP *ret;
26
27#if defined(OPENSSL_BN_ASM_MONT)
28    /*
29     * This might appear controversial, but the fact is that generic
30     * prime method was observed to deliver better performance even
31     * for NIST primes on a range of platforms, e.g.: 60%-15%
32     * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
33     * in 32-bit build and 35%--12% in 64-bit build on Core2...
34     * Coefficients are relative to optimized bn_nist.c for most
35     * intensive ECDSA verify and ECDH operations for 192- and 521-
36     * bit keys respectively. Choice of these boundary values is
37     * arguable, because the dependency of improvement coefficient
38     * from key length is not a "monotone" curve. For example while
39     * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
40     * generally faster, sometimes "respectfully" faster, sometimes
41     * "tolerably" slower... What effectively happens is that loop
42     * with bn_mul_add_words is put against bn_mul_mont, and the
43     * latter "wins" on short vectors. Correct solution should be
44     * implementing dedicated NxN multiplication subroutines for
45     * small N. But till it materializes, let's stick to generic
46     * prime method...
47     *                                              <appro>
48     */
49    meth = EC_GFp_mont_method();
50#else
51    if (BN_nist_mod_func(p))
52        meth = EC_GFp_nist_method();
53    else
54        meth = EC_GFp_mont_method();
55#endif
56
57    ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
58    if (ret == NULL)
59        return NULL;
60
61    if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
62        EC_GROUP_free(ret);
63        return NULL;
64    }
65
66    return ret;
67}
68
69#ifndef OPENSSL_NO_EC2M
70EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
71                                  const BIGNUM *b, BN_CTX *ctx)
72{
73    const EC_METHOD *meth;
74    EC_GROUP *ret;
75
76    meth = EC_GF2m_simple_method();
77
78    ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
79    if (ret == NULL)
80        return NULL;
81
82    if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
83        EC_GROUP_free(ret);
84        return NULL;
85    }
86
87    return ret;
88}
89#endif
90