Add optimised version of P-224.

This imports the Google-authored P-224 implementation by Emilia Käsper
and Bodo Möller that is also in upstream OpenSSL.

Change-Id: I16005c74a2a3e374fb136d36f3f6569dab9d8919
Reviewed-on: https://boringssl-review.googlesource.com/6145
Reviewed-by: Adam Langley <agl@google.com>

crypto/ec/CMakeLists.txt

@@ -10,6 +10,7 @@ add_library(
   ec_key.c
   ec_montgomery.c
   oct.c
+  p224-64.c
   p256-64.c
   util-64.c
   simple.c

crypto/ec/ec.c

@@ -218,15 +218,25 @@ static const struct curve_data P521 = {
      0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
      0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09}};
 
+/* MSan appears to have a bug that causes code to be miscompiled in opt mode.
+ * While that is being looked at, don't run the uint128_t code under MSan. */
+#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS) && \
+    !defined(MEMORY_SANITIZER)
+#define BORINGSSL_USE_INT128_CODE
+#endif
+
 const struct built_in_curve OPENSSL_built_in_curves[] = {
-    {NID_secp224r1, &P224, 0},
+    {
+        NID_secp224r1, &P224,
+#if defined(BORINGSSL_USE_INT128_CODE)
+        EC_GFp_nistp224_method,
+#else
+        0,
+#endif
+    },
     {
         NID_X9_62_prime256v1, &P256,
-    /* MSAN appears to have a bug that causes this P-256 code to be miscompiled
-     * in opt mode. While that is being looked at, don't run the uint128_t
-     * P-256 code under MSAN for now. */
-#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS) && \
-    !defined(MEMORY_SANITIZER)
+#if defined(BORINGSSL_USE_INT128_CODE)
         EC_GFp_nistp256_method,
 #else
         0,

crypto/ec/internal.h

@@ -319,6 +319,7 @@ void ec_GFp_nistp_points_make_affine_internal(
 
 void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit, uint8_t in);
 
+const EC_METHOD *EC_GFp_nistp224_method(void);
 const EC_METHOD *EC_GFp_nistp256_method(void);
 
 struct ec_key_st {