Add an optimized 32-bit implementation of the NIST P-256 elliptic curve.

mozilla/security/nss/lib/freebl/ecl/ecl.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mpi.h"
 #include "mplogic.h"
 #include "ecl.h"
 #include "ecl-priv.h"
 #include "ec2.h"
 #include "ecp.h"
@@ skipping 197 matching lines @@
 
         /* determine number of bits */
         bits = mpl_significant_bits(&irr) - 1;
         if (bits < MP_OKAY) {
                 res = bits;
                 goto CLEANUP;
         }
 
         /* determine which optimizations (if any) to use */
         if (params->field == ECField_GFp) {
+            switch (name) {
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
-            switch (name) {
 #ifdef ECL_USE_FP
                 case ECCurve_SECG_PRIME_160R1:
                         group =
                                 ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
                                                                 &order, params->cofactor);
                         if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
                         MP_CHECKOK(ec_group_set_secp160r1_fp(group));
                         break;
 #endif
                 case ECCurve_SECG_PRIME_192R1:
@@ skipping 19 matching lines @@
                         if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
                         MP_CHECKOK(ec_group_set_nistp224_fp(group));
 #else
                         group =
                                 ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
                                                                 &order, params->cofactor);
                         if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
                         MP_CHECKOK(ec_group_set_gfp224(group, name));
 #endif
                         break;
-                case ECCurve_SECG_PRIME_256R1:
-                        group =
-                                ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
-                                                                &order, params->cofactor);
-                        if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
-                        MP_CHECKOK(ec_group_set_gfp256(group, name));
-                        break;
                 case ECCurve_SECG_PRIME_521R1:
                         group =
                                 ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
                                                                 &order, params->cofactor);
                         if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
                         MP_CHECKOK(ec_group_set_gfp521(group, name));
                         break;
+#endif /* NSS_ECC_MORE_THAN_SUITE_B */

[wtc, 2013/01/25 02:32:49]

I added a comment after this #endif to indicate the
matching #ifdef.

+                case ECCurve_SECG_PRIME_256R1:
+                        group =
+                                ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
+                                                                &order, params->cofactor);
+                        if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+                        MP_CHECKOK(ec_group_set_gfp256(group, name));
+                        break;

[Ryan Sleevi, 2013/01/25 03:50:36]

Why move this out of the MORE_THAN_SUITE_B? Is that going to be an issue for Red
Hat?

[agl, 2013/01/25 16:04:03]

P-256 is part of Suite B, no? I'm not sure why it was classified as "more than
Suite B" in the first place.

If the use of the previously disabled code in ecp_256.c is a problem then it's
quite possible to do without it.

[wtc, 2013/01/27 00:11:17]

In patch set 2, I eliminated the need for ecp_256.c.

We still need to use ECGroup_consGFp instead of ECGroup_consGFp_mont,
which NSS is currently using by default (see line 277).

I found that ECGroup_consGFp differs from ECGroup_consGFp_mont in
only three methods: field_mul, field_sqr, and field_div:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/e...

(field_enc and field_dec are just the necessary encoding
and decoding functions for the Montgomery form.)

The implementations of those three methods in ECGroup_consGFp
simply call MPI functions:
http://mxr.mozilla.org/security/ident?i=ec_GFp_mul
http://mxr.mozilla.org/security/ident?i=ec_GFp_sqr
http://mxr.mozilla.org/security/ident?i=ec_GFp_div

So it should be fine to use ECGroup_consGFp when
NSS_ECC_MORE_THAN_SUITE_B is not defined.

                 default:
                         /* use generic arithmetic */
-#endif
                         group =
                                 ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny,
                                                                          &order, params->cofactor);
                         if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+                }
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
-                }
         } else if (params->field == ECField_GF2m) {
                 group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx, &geny, &order, params->cofactor);
                 if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
                 if ((name == ECCurve_NIST_K163) ||
                     (name == ECCurve_NIST_B163) ||
                     (name == ECCurve_SECG_CHAR2_163R1)) {
                         MP_CHECKOK(ec_group_set_gf2m163(group, name));
                 } else if ((name == ECCurve_SECG_CHAR2_193R1) ||
                            (name == ECCurve_SECG_CHAR2_193R2)) {
                         MP_CHECKOK(ec_group_set_gf2m193(group, name));
@@ skipping 94 matching lines @@
         mp_clear(&group->curveb);
         mp_clear(&group->genx);
         mp_clear(&group->geny);
         mp_clear(&group->order);
         if (group->text != NULL)
                 free(group->text);
         if (group->extra_free != NULL)
                 group->extra_free(group);
         free(group);
 }