Add an optimized 32-bit implementation of the NIST P-256 elliptic curve.

mozilla/security/nss/lib/freebl/ecl/ecl.c

Index: mozilla/security/nss/lib/freebl/ecl/ecl.c
===================================================================
--- mozilla/security/nss/lib/freebl/ecl/ecl.c	(revision 177437)
+++ mozilla/security/nss/lib/freebl/ecl/ecl.c	(working copy)
@@ -215,8 +215,8 @@
 
 	/* determine which optimizations (if any) to use */
 	if (params->field == ECField_GFp) {
+	    switch (name) {
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
-	    switch (name) {
 #ifdef ECL_USE_FP
 		case ECCurve_SECG_PRIME_160R1:
 			group =
@@ -256,29 +256,29 @@
 			MP_CHECKOK(ec_group_set_gfp224(group, name));
 #endif
 			break;
-		case ECCurve_SECG_PRIME_256R1:
+		case ECCurve_SECG_PRIME_521R1:
 			group =
 				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
 								&order, params->cofactor);
 			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
-			MP_CHECKOK(ec_group_set_gfp256(group, name));
+			MP_CHECKOK(ec_group_set_gfp521(group, name));
 			break;
-		case ECCurve_SECG_PRIME_521R1:
+#endif /* NSS_ECC_MORE_THAN_SUITE_B */

[wtc, 2013/01/25 02:32:49]

I added a comment after this #endif to indicate the
matching #ifdef.

+		case ECCurve_SECG_PRIME_256R1:
 			group =
 				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
 								&order, params->cofactor);
 			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
-			MP_CHECKOK(ec_group_set_gfp521(group, name));
+			MP_CHECKOK(ec_group_set_gfp256(group, name));
 			break;

[Ryan Sleevi, 2013/01/25 03:50:36]

Why move this out of the MORE_THAN_SUITE_B? Is that going to be an issue for Red
Hat?

[agl, 2013/01/25 16:04:03]

P-256 is part of Suite B, no? I'm not sure why it was classified as "more than
Suite B" in the first place.

If the use of the previously disabled code in ecp_256.c is a problem then it's
quite possible to do without it.

[wtc, 2013/01/27 00:11:17]

In patch set 2, I eliminated the need for ecp_256.c.

We still need to use ECGroup_consGFp instead of ECGroup_consGFp_mont,
which NSS is currently using by default (see line 277).

I found that ECGroup_consGFp differs from ECGroup_consGFp_mont in
only three methods: field_mul, field_sqr, and field_div:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/e...

(field_enc and field_dec are just the necessary encoding
and decoding functions for the Montgomery form.)

The implementations of those three methods in ECGroup_consGFp
simply call MPI functions:
http://mxr.mozilla.org/security/ident?i=ec_GFp_mul
http://mxr.mozilla.org/security/ident?i=ec_GFp_sqr
http://mxr.mozilla.org/security/ident?i=ec_GFp_div

So it should be fine to use ECGroup_consGFp when
NSS_ECC_MORE_THAN_SUITE_B is not defined.

 		default:
 			/* use generic arithmetic */
-#endif
 			group =
 				ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny,
 									 &order, params->cofactor);
 			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+		}
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
-		}
 	} else if (params->field == ECField_GF2m) {
 		group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx, &geny, &order, params->cofactor);
 		if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }