Commit 3e00b4c9 authored by Bodo Möller's avatar Bodo Möller

Improve optional 64-bit NIST-P224 implementation, and add NIST-P256 and

NIST-P521. (Now -DEC_NISTP_64_GCC_128 enables all three of these;
-DEC_NISTP224_64_GCC_128 no longer works.)

Submitted by: Google Inc.
parent 4c3a7a02
+18 −12
@@ -232,6 +232,24 @@
  
 Changes between 1.0.0f and 1.0.1  [xx XXX xxxx]

  *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
     NIST-P256, NIST-P521, with constant-time single point multiplication on
     typical inputs. Compiler support for the nonstandard type __uint128_t is
     required to use this. Code made available under Apache License version 2.0.

     To include this in your build of OpenSSL, use -DEC_NISTP_64_GCC_128 on
     the Configure (or config) command line, and run "make depend" (or "make
     update"). This enables the following EC_METHODs:

         EC_GFp_nistp224_method()
         EC_GFp_nistp256_method()
         EC_GFp_nistp521_method()

     EC_GROUP_new_by_curve_name() will automatically use these (while
     EC_GROUP_new_curve_GFp() currently prefers the more flexible
     implementations).
     [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]

  *) Use type ossl_ssize_t instad of ssize_t which isn't available on
     all platforms. Move ssize_t definition from e_os.h to the public
     header file e_os2.h as it now appears in public header file cms.h
@@ -418,18 +436,6 @@
  *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
     [Steve Henson]

  *) Add EC_GFp_nistp224_method(), a 64-bit optimized implementation for
     elliptic curve NIST-P224 with constant-time single point multiplication on
     typical inputs.  EC_GROUP_new_by_curve_name() will automatically use this
     (while EC_GROUP_new_curve_GFp() currently won't and prefers the more
     flexible implementations).

     The implementation requires support for the nonstandard type __uint128_t,
     and so is disabled by default.  To include this in your build of OpenSSL,
     use -DEC_NISTP224_64_GCC_128 on the Configure (or config) command line,
     and run "make depend" (or "make update").
     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]

  *) Permit abbreviated handshakes when renegotiating using the function
     SSL_renegotiate_abbreviated().
     [Robin Seggelmann <seggelmann@fh-muenster.de>]
+7 −2
@@ -20,12 +20,14 @@ LIB=$(TOP)/libcrypto.a
LIBSRC=	ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c\
	ec_err.c ec_curve.c ec_check.c ec_print.c ec_asn1.c ec_key.c\
	ec2_smpl.c ec2_mult.c ec_ameth.c ec_pmeth.c eck_prn.c \
	ecp_nistp224.c ecp_oct.c ec2_oct.c ec_oct.c
	ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \
	ecp_oct.c ec2_oct.c ec_oct.c

LIBOBJ=	ec_lib.o ecp_smpl.o ecp_mont.o ecp_nist.o ec_cvt.o ec_mult.o\
	ec_err.o ec_curve.o ec_check.o ec_print.o ec_asn1.o ec_key.o\
	ec2_smpl.o ec2_mult.o ec_ameth.o ec_pmeth.o eck_prn.o \
	ecp_nistp224.o ecp_oct.o ec2_oct.o ec_oct.o
	ecp_nistp224.o ecp_nistp256.o ecp_nistp521.o ecp_nistputil.o \
	ecp_oct.o ec2_oct.o ec_oct.o

SRC= $(LIBSRC)

@@ -240,6 +242,9 @@ ecp_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
ecp_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
ecp_nist.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_nist.c
ecp_nistp224.o: ../../include/openssl/opensslconf.h ecp_nistp224.c
ecp_nistp256.o: ../../include/openssl/opensslconf.h ecp_nistp256.c
ecp_nistp521.o: ../../include/openssl/opensslconf.h ecp_nistp521.c
ecp_nistputil.o: ../../include/openssl/opensslconf.h ecp_nistputil.c
ecp_oct.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
ecp_oct.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
ecp_oct.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+20 −2
@@ -151,12 +151,22 @@ const EC_METHOD *EC_GFp_mont_method(void);
 */
const EC_METHOD *EC_GFp_nist_method(void);

#ifndef OPENSSL_NO_EC_NISTP224_64_GCC_128
#ifdef EC_NISTP_64_GCC_128
#ifndef OPENSSL_SYS_WIN32
/** Returns 64-bit optimized methods for nistp224
 *  \return  EC_METHOD object
 */
#ifndef OPENSSL_SYS_WIN32
const EC_METHOD *EC_GFp_nistp224_method(void);

/** Returns 64-bit optimized methods for nistp256
 *  \return  EC_METHOD object
 */
const EC_METHOD *EC_GFp_nistp256_method(void);

/** Returns 64-bit optimized methods for nistp521
 *  \return  EC_METHOD object
 */
const EC_METHOD *EC_GFp_nistp521_method(void);
#endif
#endif

@@ -1005,6 +1015,12 @@ void ERR_load_EC_strings(void);
#define EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE		 225
#define EC_F_EC_GFP_NISTP224_POINTS_MUL			 228
#define EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES 226
#define EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE		 230
#define EC_F_EC_GFP_NISTP256_POINTS_MUL			 231
#define EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES 232
#define EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE		 233
#define EC_F_EC_GFP_NISTP521_POINTS_MUL			 234
#define EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES 235
#define EC_F_EC_GFP_NIST_FIELD_MUL			 200
#define EC_F_EC_GFP_NIST_FIELD_SQR			 201
#define EC_F_EC_GFP_NIST_GROUP_SET_CURVE		 202
@@ -1079,6 +1095,8 @@ void ERR_load_EC_strings(void);
#define EC_F_I2D_ECPRIVATEKEY				 192
#define EC_F_I2O_ECPUBLICKEY				 151
#define EC_F_NISTP224_PRE_COMP_NEW			 227
#define EC_F_NISTP256_PRE_COMP_NEW			 236
#define EC_F_NISTP521_PRE_COMP_NEW			 237
#define EC_F_O2I_ECPUBLICKEY				 152
#define EC_F_OLD_EC_PRIV_DECODE				 222
#define EC_F_PKEY_EC_CTRL				 197
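Review bot: The new outer guard `#ifdef EC_NISTP_64_GCC_128` in the first hunk makes this public header depend on a macro that, per the commit description, is passed as `-D` on the Configure command line. The line it appears to replace used the `OPENSSL_NO_*` form, so unless Configure also records the new flag in opensslconf.h (not visible on this page), an application that includes this header without defining the macro itself will not see the three prototypes, even when the library was built with them. I would also add a comment above `#ifndef OPENSSL_SYS_WIN32` saying why Win32 is excluded, and label the closing lines, e.g. `#endif /* !OPENSSL_SYS_WIN32 */` and `#endif /* EC_NISTP_64_GCC_128 */`.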
+10 −3
@@ -1903,16 +1903,19 @@ static const ec_list_element curve_list[] = {
	/* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
	{ NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, "SECG curve over a 192 bit prime field" },
	{ NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, "SECG curve over a 224 bit prime field" },
#ifdef EC_NISTP224_64_GCC_128
        { NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field,\n"
	  "\t\t64-bit optimized implementation." },
#ifdef EC_NISTP_64_GCC_128
	{ NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field" },
#else
	{ NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, "NIST/SECG curve over a 224 bit prime field" },
#endif
	{ NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field" },
	/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
	{ NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
#ifdef EC_NISTP_64_GCC_128
	{ NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field" },
#else
	{ NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field" },
#endif
	/* X9.62 curves */
	{ NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, "NIST/X9.62/SECG curve over a 192 bit prime field" },
	{ NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, "X9.62 curve over a 192 bit prime field" },
@@ -1920,7 +1923,11 @@ static const ec_list_element curve_list[] = {
	{ NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, "X9.62 curve over a 239 bit prime field" },
	{ NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field" },
	{ NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field" },
#ifdef EC_NISTP_64_GCC_128
	{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field" },
#else
	{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field" },
#endif
#ifndef OPENSSL_NO_EC2M
	/* characteristic two field curves */
	/* NIST/SECG curves */
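Review bot: The three new `#ifdef EC_NISTP_64_GCC_128` branches in `curve_list[]` test only that macro, while the ec.h section of this commit declares `EC_GFp_nistp224_method`, `EC_GFp_nistp256_method` and `EC_GFp_nistp521_method` only when `OPENSSL_SYS_WIN32` is also undefined. If no other header declares them, a Win32 build with the flag set would reference undeclared functions here; `#if defined(EC_NISTP_64_GCC_128) && !defined(OPENSSL_SYS_WIN32)` would keep the two files in step. Separately, the secp224r1 description loses its "64-bit optimized implementation" suffix, so the table text no longer indicates which implementation an entry selects; and since the commit description says the old `-DEC_NISTP224_64_GCC_128` flag no longer works, a build that still passes it would presumably end up on the `0` entries without any diagnostic, which an `#error` on the old macro would make visible. The `curve_list[]` initializer begins and ends outside these hunks.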
+9 −1
/* crypto/ec/ec_err.c */
/* ====================================================================
 * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
 * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -116,6 +116,12 @@ static ERR_STRING_DATA EC_str_functs[]=
{ERR_FUNC(EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE),	"ec_GFp_nistp224_group_set_curve"},
{ERR_FUNC(EC_F_EC_GFP_NISTP224_POINTS_MUL),	"ec_GFp_nistp224_points_mul"},
{ERR_FUNC(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES),	"ec_GFp_nistp224_point_get_affine_coordinates"},
{ERR_FUNC(EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE),	"ec_GFp_nistp256_group_set_curve"},
{ERR_FUNC(EC_F_EC_GFP_NISTP256_POINTS_MUL),	"ec_GFp_nistp256_points_mul"},
{ERR_FUNC(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES),	"ec_GFp_nistp256_point_get_affine_coordinates"},
{ERR_FUNC(EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE),	"ec_GFp_nistp521_group_set_curve"},
{ERR_FUNC(EC_F_EC_GFP_NISTP521_POINTS_MUL),	"ec_GFp_nistp521_points_mul"},
{ERR_FUNC(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES),	"ec_GFp_nistp521_point_get_affine_coordinates"},
{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_MUL),	"ec_GFp_nist_field_mul"},
{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR),	"ec_GFp_nist_field_sqr"},
{ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE),	"ec_GFp_nist_group_set_curve"},
@@ -190,6 +196,8 @@ static ERR_STRING_DATA EC_str_functs[]=
{ERR_FUNC(EC_F_I2D_ECPRIVATEKEY),	"i2d_ECPrivateKey"},
{ERR_FUNC(EC_F_I2O_ECPUBLICKEY),	"i2o_ECPublicKey"},
{ERR_FUNC(EC_F_NISTP224_PRE_COMP_NEW),	"NISTP224_PRE_COMP_NEW"},
{ERR_FUNC(EC_F_NISTP256_PRE_COMP_NEW),	"NISTP256_PRE_COMP_NEW"},
{ERR_FUNC(EC_F_NISTP521_PRE_COMP_NEW),	"NISTP521_PRE_COMP_NEW"},
{ERR_FUNC(EC_F_O2I_ECPUBLICKEY),	"o2i_ECPublicKey"},
{ERR_FUNC(EC_F_OLD_EC_PRIV_DECODE),	"OLD_EC_PRIV_DECODE"},
{ERR_FUNC(EC_F_PKEY_EC_CTRL),	"PKEY_EC_CTRL"},