authorWatson Ladd <watsonbladd@gmail.com>2023-11-21 12:59:05 -0500
committerTomas Mraz <tomas@openssl.org>2024-06-05 11:11:52 +0200
commit23b6ef4894679aa0278c93de29007d1e695856ee (patch)
treeaedd9306e78f9d2d2819f2ae206aad91753858ee /crypto/bn/bn_mont.c
parent0e2567d7293d3204de66acca0ed55bda4f0c0768 (diff)
Allow group methods to customize initialization for speed
This commit also adds an implementation for P256 that avoids some expensive initialization of Montgomery arithmetic structures in favor of precomputation. Since ECC groups are not always cached by higher layers this brings significant savings to TLS handshakes. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22746)
Diffstat (limited to 'crypto/bn/bn_mont.c')
-rw-r--r--crypto/bn/bn_mont.c42
1 files changed, 42 insertions, 0 deletions
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index 8b4c7900ad..7cd16c66ee 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -465,3 +465,45 @@ BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_RWLOCK *lock,
CRYPTO_THREAD_unlock(lock);
return ret;
}
+
+int ossl_bn_mont_ctx_set(BN_MONT_CTX *ctx, const BIGNUM *modulus, int ri, const unsigned char *rr,
+ size_t rrlen, uint32_t nlo, uint32_t nhi)
+{
+ if (BN_copy(&ctx->N, modulus) == NULL)
+ return 0;
+ if (BN_bin2bn(rr, rrlen, &ctx->RR) == NULL)
+ return 0;
+ ctx->ri = ri;
+#if (BN_BITS2 <= 32) && defined(OPENSSL_BN_ASM_MONT)
+ ctx->n0[0] = nlo;
+ ctx->n0[1] = nhi;
+#elif BN_BITS2 <= 32
+ ctx->n0[0] = nlo;
+ ctx->n0[1] = 0;
+#else
+ ctx->n0[0] = ((BN_ULONG)nhi << 32)| nlo;
+ ctx->n0[1] = 0;
+#endif
+
+ return 1;
+}
+
+int ossl_bn_mont_ctx_eq(const BN_MONT_CTX *m1, const BN_MONT_CTX *m2)
+{
+ if (m1->ri != m2->ri)
+ return 0;
+ if (BN_cmp(&m1->RR, &m2->RR) != 0)
+ return 0;
+ if (m1->flags != m2->flags)
+ return 0;
+#ifdef MONT_WORD
+ if (m1->n0[0] != m2->n0[0])
+ return 0;
+ if (m1->n0[1] != m2->n0[1])
+ return 0;
+#else
+ if (BN_cmp(&m1->Ni, &m2->Ni) != 0)
+ return 0;
+#endif
+ return 1;
+}
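Review bot: ossl_bn_mont_ctx_eq never compares the modulus, so two contexts that agree on `ri`, `RR`, `flags` and `n0` are reported equal whatever `N` holds; if the helper is meant as full equality (for instance to check precomputed constants against a freshly computed context), it should also have `if (BN_cmp(&m1->N, &m2->N) != 0) return 0;`, or a comment saying the caller compares `N` itself. In ossl_bn_mont_ctx_set, `rrlen` is a `size_t` but BN_bin2bn takes an `int` length, so a guard such as `if (rrlen > INT_MAX) return 0;` before the call would avoid a silent narrowing. The setter also accepts `ri`, `rr`, `nlo` and `nhi` without checking them against `modulus`, and it never fills `Ni`, which the `#else` branch of the comparison reads. A header comment should state that the values must be the precomputed Montgomery constants for exactly this modulus and that the function assumes a `MONT_WORD` build, because inconsistent constants would presumably give wrong modular results without any error being reported.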