/src/openssl/crypto/ec/ec_cvt.c

Source (jump to first uncovered line)
/*
 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * ECDSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/err.h>
#include "crypto/bn.h"
#include "ec_local.h"

EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
                                 const BIGNUM *b, BN_CTX *ctx)
{
    const EC_METHOD *meth;
    EC_GROUP *ret;

#if defined(OPENSSL_BN_ASM_MONT)
    /*
     * This might appear controversial, but the fact is that generic
     * prime method was observed to deliver better performance even
     * for NIST primes on a range of platforms, e.g.: 60%-15%
     * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
     * in 32-bit build and 35%--12% in 64-bit build on Core2...
     * Coefficients are relative to optimized bn_nist.c for most
     * intensive ECDSA verify and ECDH operations for 192- and 521-
     * bit keys respectively. Choice of these boundary values is
     * arguable, because the dependency of improvement coefficient
     * from key length is not a "monotone" curve. For example while
     * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
     * generally faster, sometimes "respectfully" faster, sometimes
     * "tolerably" slower... What effectively happens is that loop
     * with bn_mul_add_words is put against bn_mul_mont, and the
     * latter "wins" on short vectors. Correct solution should be
     * implementing dedicated NxN multiplication subroutines for
     * small N. But till it materializes, let's stick to generic
     * prime method...
     *                                              <@dot-asm>
     */
    meth = EC_GFp_mont_method();
#else
    if (BN_nist_mod_func(p))
        meth = EC_GFp_nist_method();
    else
        meth = EC_GFp_mont_method();
#endif

    ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
    if (ret == NULL)
        return NULL;

    if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
        EC_GROUP_free(ret);
        return NULL;
    }

    return ret;
}

#ifndef OPENSSL_NO_EC2M
EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
                                  const BIGNUM *b, BN_CTX *ctx)
{
    const EC_METHOD *meth;
    EC_GROUP *ret;

    meth = EC_GF2m_simple_method();

    ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
    if (ret == NULL)
        return NULL;

    if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
        EC_GROUP_free(ret);
        return NULL;
    }

    return ret;
}
#endif

Coverage Report

Created: 2025-06-13 06:56

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
3		* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4		*
5		* Licensed under the Apache License 2.0 (the "License"). You may not use
6		* this file except in compliance with the License. You can obtain a copy
7		* in the file LICENSE in the source distribution or at
8		* https://www.openssl.org/source/license.html
9		*/
10
11		/*
12		* ECDSA low level APIs are deprecated for public use, but still ok for
13		* internal use.
14		*/
15		#include "internal/deprecated.h"
16
17		#include <openssl/err.h>
18		#include "crypto/bn.h"
19		#include "ec_local.h"
20
21		EC_GROUP EC_GROUP_new_curve_GFp(const BIGNUM p, const BIGNUM *a,
22		const BIGNUM b, BN_CTX ctx)
23	0	{
24	0	const EC_METHOD *meth;
25	0	EC_GROUP *ret;
26
27	0	#if defined(OPENSSL_BN_ASM_MONT)
28		/*
29		* This might appear controversial, but the fact is that generic
30		* prime method was observed to deliver better performance even
31		* for NIST primes on a range of platforms, e.g.: 60%-15%
32		* improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
33		* in 32-bit build and 35%--12% in 64-bit build on Core2...
34		* Coefficients are relative to optimized bn_nist.c for most
35		* intensive ECDSA verify and ECDH operations for 192- and 521-
36		* bit keys respectively. Choice of these boundary values is
37		* arguable, because the dependency of improvement coefficient
38		* from key length is not a "monotone" curve. For example while
39		* 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
40		* generally faster, sometimes "respectfully" faster, sometimes
41		* "tolerably" slower... What effectively happens is that loop
42		* with bn_mul_add_words is put against bn_mul_mont, and the
43		* latter "wins" on short vectors. Correct solution should be
44		* implementing dedicated NxN multiplication subroutines for
45		* small N. But till it materializes, let's stick to generic
46		* prime method...
47		* <@dot-asm>
48		*/
49	0	meth = EC_GFp_mont_method();
50		#else
51		if (BN_nist_mod_func(p))
52		meth = EC_GFp_nist_method();
53		else
54		meth = EC_GFp_mont_method();
55		#endif
56
57	0	ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
58	0	if (ret == NULL)
59	0	return NULL;
60
61	0	if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
62	0	EC_GROUP_free(ret);
63	0	return NULL;
64	0	}
65
66	0	return ret;
67	0	}
68
69		#ifndef OPENSSL_NO_EC2M
70		EC_GROUP EC_GROUP_new_curve_GF2m(const BIGNUM p, const BIGNUM *a,
71		const BIGNUM b, BN_CTX ctx)
72	0	{
73	0	const EC_METHOD *meth;
74	0	EC_GROUP *ret;
75
76	0	meth = EC_GF2m_simple_method();
77
78	0	ret = ossl_ec_group_new_ex(ossl_bn_get_libctx(ctx), NULL, meth);
79	0	if (ret == NULL)
80	0	return NULL;
81
82	0	if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
83	0	EC_GROUP_free(ret);
84	0	return NULL;
85	0	}
86
87	0	return ret;
88	0	}
89		#endif