Implement field_{mul,sqr} in p224-64.c with p224_felems.

This is in preparation for representing field elements with
stack-allocated types in the generic code. While there is likely little
benefit in threading all the turned field arithmetic through all the
generic code, and the P-224 logic, in particular, does not have a tight
enough abstraction for this, the current implementations depend on
BN_div, which is not compatible with stack-allocating things and avoiding
malloc.

This also speeds things up slightly, now that benchmarks cover point
validation.

Before:
Did 82786 ECDH P-224 operations in 10024326us (8258.5 ops/sec)
After:
Did 89991 ECDH P-224 operations in 10012429us (8987.9 ops/sec)

Change-Id: I468483b49f5dc69187aebd62834365ce5caab795
Reviewed-on: https://boringssl-review.googlesource.com/26971
Reviewed-by: Adam Langley <agl@google.com>

crypto/fipsmodule/ec/internal.h

@@ -249,10 +249,6 @@ int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
 int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
 int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num,
                                      EC_POINT * [], BN_CTX *);
-int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
-                            const BIGNUM *b, BN_CTX *);
-int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
-                            BN_CTX *);
 
 // method functions in montgomery.c
 int ec_GFp_mont_group_init(EC_GROUP *);

crypto/fipsmodule/ec/p224-64.c

@@ -1087,6 +1087,34 @@ static int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
   return 1;
 }
 
+static int ec_GFp_nistp224_field_mul(const EC_GROUP *group, BIGNUM *r,
+                                     const BIGNUM *a, const BIGNUM *b,
+                                     BN_CTX *ctx) {
+  p224_felem felem1, felem2;
+  p224_widefelem wide;
+  if (!p224_BN_to_felem(felem1, a) ||
+      !p224_BN_to_felem(felem2, b)) {
+    return 0;
+  }
+  p224_felem_mul(wide, felem1, felem2);
+  p224_felem_reduce(felem1, wide);
+  p224_felem_contract(felem1, felem1);
+  return p224_felem_to_BN(r, felem1) != NULL;
+}
+
+static int ec_GFp_nistp224_field_sqr(const EC_GROUP *group, BIGNUM *r,
+                                     const BIGNUM *a, BN_CTX *ctx) {
+  p224_felem felem;
+  if (!p224_BN_to_felem(felem, a)) {
+    return 0;
+  }
+  p224_widefelem wide;
+  p224_felem_square(wide, felem);
+  p224_felem_reduce(felem, wide);
+  p224_felem_contract(felem, felem);
+  return p224_felem_to_BN(r, felem) != NULL;
+}
+
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {
   out->group_init = ec_GFp_simple_group_init;
   out->group_finish = ec_GFp_simple_group_finish;
@@ -1095,8 +1123,8 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {
       ec_GFp_nistp224_point_get_affine_coordinates;
   out->mul = ec_GFp_nistp224_points_mul;
   out->mul_public = ec_GFp_nistp224_points_mul;
-  out->field_mul = ec_GFp_simple_field_mul;
-  out->field_sqr = ec_GFp_simple_field_sqr;
+  out->field_mul = ec_GFp_nistp224_field_mul;
+  out->field_sqr = ec_GFp_nistp224_field_sqr;
   out->field_encode = NULL;
   out->field_decode = NULL;
 };

crypto/fipsmodule/ec/simple.c

@@ -1034,13 +1034,3 @@ err:
 
   return ret;
 }
-
-int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
-                            const BIGNUM *b, BN_CTX *ctx) {
-  return BN_mod_mul(r, a, b, &group->field, ctx);
-}
-
-int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
-                            BN_CTX *ctx) {
-  return BN_mod_sqr(r, a, &group->field, ctx);
-}