1/* 2 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11/* 12 * ECDSA low level APIs are deprecated for public use, but still ok for 13 * internal use. 14 */ 15#include "internal/deprecated.h" 16 17#include <openssl/err.h> 18#include "crypto/bn.h" 19#include "ec_local.h" 20 21EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, 22 const BIGNUM *b, BN_CTX *ctx) 23{ 24 const EC_METHOD *meth; 25 EC_GROUP *ret; 26 27#if defined(OPENSSL_BN_ASM_MONT) 28 /* 29 * This might appear controversial, but the fact is that generic 30 * prime method was observed to deliver better performance even 31 * for NIST primes on a range of platforms, e.g.: 60%-15% 32 * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25% 33 * in 32-bit build and 35%--12% in 64-bit build on Core2... 34 * Coefficients are relative to optimized bn_nist.c for most 35 * intensive ECDSA verify and ECDH operations for 192- and 521- 36 * bit keys respectively. Choice of these boundary values is 37 * arguable, because the dependency of improvement coefficient 38 * from key length is not a "monotone" curve. For example while 39 * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's 40 * generally faster, sometimes "respectfully" faster, sometimes 41 * "tolerably" slower... What effectively happens is that loop 42 * with bn_mul_add_words is put against bn_mul_mont, and the 43 * latter "wins" on short vectors. Correct solution should be 44 * implementing dedicated NxN multiplication subroutines for 45 * small N. But till it materializes, let's stick to generic 46 * prime method... 47 * <appro> 48 */ 49 meth = EC_GFp_mont_method(); 50#else 51 if (BN_nist_mod_func(p)) 52 meth = EC_GFp_nist_method(); 53 else 54 meth = EC_GFp_mont_method(); 55#endif 56 57 ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); 58 if (ret == NULL) 59 return NULL; 60 61 if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { 62 EC_GROUP_free(ret); 63 return NULL; 64 } 65 66 return ret; 67} 68 69#ifndef OPENSSL_NO_EC2M 70EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, 71 const BIGNUM *b, BN_CTX *ctx) 72{ 73 const EC_METHOD *meth; 74 EC_GROUP *ret; 75 76 meth = EC_GF2m_simple_method(); 77 78 ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth); 79 if (ret == NULL) 80 return NULL; 81 82 if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { 83 EC_GROUP_free(ret); 84 return NULL; 85 } 86 87 return ret; 88} 89#endif 90