/src/openssl/crypto/ec/ec_cvt.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* crypto/ec/ec_cvt.c */ |
2 | | /* |
3 | | * Originally written by Bodo Moeller for the OpenSSL project. |
4 | | */ |
5 | | /* ==================================================================== |
6 | | * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. |
7 | | * |
8 | | * Redistribution and use in source and binary forms, with or without |
9 | | * modification, are permitted provided that the following conditions |
10 | | * are met: |
11 | | * |
12 | | * 1. Redistributions of source code must retain the above copyright |
13 | | * notice, this list of conditions and the following disclaimer. |
14 | | * |
15 | | * 2. Redistributions in binary form must reproduce the above copyright |
16 | | * notice, this list of conditions and the following disclaimer in |
17 | | * the documentation and/or other materials provided with the |
18 | | * distribution. |
19 | | * |
20 | | * 3. All advertising materials mentioning features or use of this |
21 | | * software must display the following acknowledgment: |
22 | | * "This product includes software developed by the OpenSSL Project |
23 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
24 | | * |
25 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
26 | | * endorse or promote products derived from this software without |
27 | | * prior written permission. For written permission, please contact |
28 | | * openssl-core@openssl.org. |
29 | | * |
30 | | * 5. Products derived from this software may not be called "OpenSSL" |
31 | | * nor may "OpenSSL" appear in their names without prior written |
32 | | * permission of the OpenSSL Project. |
33 | | * |
34 | | * 6. Redistributions of any form whatsoever must retain the following |
35 | | * acknowledgment: |
36 | | * "This product includes software developed by the OpenSSL Project |
37 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
38 | | * |
39 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
40 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
41 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
42 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
43 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
44 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
45 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
46 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
47 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
48 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
49 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
50 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
51 | | * ==================================================================== |
52 | | * |
53 | | * This product includes cryptographic software written by Eric Young |
54 | | * (eay@cryptsoft.com). This product includes software written by Tim |
55 | | * Hudson (tjh@cryptsoft.com). |
56 | | * |
57 | | */ |
58 | | /* ==================================================================== |
59 | | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
60 | | * |
61 | | * Portions of the attached software ("Contribution") are developed by |
62 | | * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. |
63 | | * |
64 | | * The Contribution is licensed pursuant to the OpenSSL open source |
65 | | * license provided above. |
66 | | * |
67 | | * The elliptic curve binary polynomial software is originally written by |
68 | | * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. |
69 | | * |
70 | | */ |
71 | | |
72 | | #include <openssl/err.h> |
73 | | #include "ec_lcl.h" |
74 | | |
75 | | #ifdef OPENSSL_FIPS |
76 | | # include <openssl/fips.h> |
77 | | #endif |
78 | | |
79 | | EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, |
80 | | const BIGNUM *b, BN_CTX *ctx) |
81 | 0 | { |
82 | 0 | const EC_METHOD *meth; |
83 | 0 | EC_GROUP *ret; |
84 | |
|
85 | | #ifdef OPENSSL_FIPS |
86 | | if (FIPS_mode()) |
87 | | return FIPS_ec_group_new_curve_gfp(p, a, b, ctx); |
88 | | #endif |
89 | 0 | #if defined(OPENSSL_BN_ASM_MONT) |
90 | | /* |
91 | | * This might appear controversial, but the fact is that generic |
92 | | * prime method was observed to deliver better performance even |
93 | | * for NIST primes on a range of platforms, e.g.: 60%-15% |
94 | | * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25% |
95 | | * in 32-bit build and 35%--12% in 64-bit build on Core2... |
96 | | * Coefficients are relative to optimized bn_nist.c for most |
97 | | * intensive ECDSA verify and ECDH operations for 192- and 521- |
98 | | * bit keys respectively. Choice of these boundary values is |
99 | | * arguable, because the dependency of improvement coefficient |
100 | | * from key length is not a "monotone" curve. For example while |
101 | | * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's |
102 | | * generally faster, sometimes "respectfully" faster, sometimes |
103 | | * "tolerably" slower... What effectively happens is that loop |
104 | | * with bn_mul_add_words is put against bn_mul_mont, and the |
105 | | * latter "wins" on short vectors. Correct solution should be |
106 | | * implementing dedicated NxN multiplication subroutines for |
107 | | * small N. But till it materializes, let's stick to generic |
108 | | * prime method... |
109 | | * <appro> |
110 | | */ |
111 | 0 | meth = EC_GFp_mont_method(); |
112 | | #else |
113 | | meth = EC_GFp_nist_method(); |
114 | | #endif |
115 | |
|
116 | 0 | ret = EC_GROUP_new(meth); |
117 | 0 | if (ret == NULL) |
118 | 0 | return NULL; |
119 | | |
120 | 0 | if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) { |
121 | 0 | unsigned long err; |
122 | |
|
123 | 0 | err = ERR_peek_last_error(); |
124 | |
|
125 | 0 | if (!(ERR_GET_LIB(err) == ERR_LIB_EC && |
126 | 0 | ((ERR_GET_REASON(err) == EC_R_NOT_A_NIST_PRIME) || |
127 | 0 | (ERR_GET_REASON(err) == EC_R_NOT_A_SUPPORTED_NIST_PRIME)))) { |
128 | | /* real error */ |
129 | |
|
130 | 0 | EC_GROUP_clear_free(ret); |
131 | 0 | return NULL; |
132 | 0 | } |
133 | | |
134 | | /* |
135 | | * not an actual error, we just cannot use EC_GFp_nist_method |
136 | | */ |
137 | | |
138 | 0 | ERR_clear_error(); |
139 | |
|
140 | 0 | EC_GROUP_clear_free(ret); |
141 | 0 | meth = EC_GFp_mont_method(); |
142 | |
|
143 | 0 | ret = EC_GROUP_new(meth); |
144 | 0 | if (ret == NULL) |
145 | 0 | return NULL; |
146 | | |
147 | 0 | if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) { |
148 | 0 | EC_GROUP_clear_free(ret); |
149 | 0 | return NULL; |
150 | 0 | } |
151 | 0 | } |
152 | | |
153 | 0 | return ret; |
154 | 0 | } |
155 | | |
156 | | #ifndef OPENSSL_NO_EC2M |
157 | | EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, |
158 | | const BIGNUM *b, BN_CTX *ctx) |
159 | 0 | { |
160 | 0 | const EC_METHOD *meth; |
161 | 0 | EC_GROUP *ret; |
162 | |
|
163 | | # ifdef OPENSSL_FIPS |
164 | | if (FIPS_mode()) |
165 | | return FIPS_ec_group_new_curve_gf2m(p, a, b, ctx); |
166 | | # endif |
167 | 0 | meth = EC_GF2m_simple_method(); |
168 | |
|
169 | 0 | ret = EC_GROUP_new(meth); |
170 | 0 | if (ret == NULL) |
171 | 0 | return NULL; |
172 | | |
173 | 0 | if (!EC_GROUP_set_curve_GF2m(ret, p, a, b, ctx)) { |
174 | 0 | EC_GROUP_clear_free(ret); |
175 | 0 | return NULL; |
176 | 0 | } |
177 | | |
178 | 0 | return ret; |
179 | 0 | } |
180 | | #endif |