168 	const BIGNUM *order = NULL;  in ECDSA_size()  local
178 	if ((order = EC_GROUP_get0_order(group)) == NULL)  in ECDSA_size()
181 	sig.r = (BIGNUM *)order;  in ECDSA_size()
182 	sig.s = (BIGNUM *)order;  in ECDSA_size()
194  * Use the order_bits leftmost bits if it exceeds the group order.
275 	const BIGNUM *order;  in ecdsa_sign_setup()  local
316 	if ((order = EC_GROUP_get0_order(group)) == NULL) {  in ecdsa_sign_setup()
321 	if (BN_cmp(order, BN_value_one()) <= 0) {  in ecdsa_sign_setup()
326 	/* Reject curves with an order that is smaller than 80 bits. */  in ecdsa_sign_setup()
327 	if ((order_bits = BN_num_bits(order)) < 80) {  in ecdsa_sign_setup()
341 		if (!bn_rand_interval(k, 1, order))  in ecdsa_sign_setup()
355 		/* Step 8: r = x (mod order). */  in ecdsa_sign_setup()
356 		if (!BN_nnmod(r, x, order, ctx)) {  in ecdsa_sign_setup()
363 	if (BN_mod_inverse_ct(k, k, order, ctx) == NULL) {  in ecdsa_sign_setup()
399  * FIPS 186-5, section 6.4.1, step 9: compute s = inv(k)(e + xr) mod order.
400  * In order to reduce the possibility of a side-channel attack, the following
401  * is calculated using a random blinding value b in [1, order):
402  * s = inv(b)(be + bxr)inv(k) mod order.
410 	const BIGNUM *order, *priv_key;  in ecdsa_compute_s()  local
423 	if ((order = EC_GROUP_get0_order(group)) == NULL) {  in ecdsa_compute_s()
445 	 * In a valid ECDSA signature, r must be in [1, order). Since r can be  in ecdsa_compute_s()
449 	if (BN_cmp(r, BN_value_one()) < 0 || BN_cmp(r, order) >= 0) {  in ecdsa_compute_s()
454 	if (!bn_rand_interval(b, 1, order)) {  in ecdsa_compute_s()
459 	if (BN_mod_inverse_ct(binv, b, order, ctx) == NULL) {  in ecdsa_compute_s()
464 	if (!BN_mod_mul(bxr, b, priv_key, order, ctx)) {  in ecdsa_compute_s()
468 	if (!BN_mod_mul(bxr, bxr, r, order, ctx)) {  in ecdsa_compute_s()
472 	if (!BN_mod_mul(be, b, e, order, ctx)) {  in ecdsa_compute_s()
476 	if (!BN_mod_add(s, be, bxr, order, ctx)) {  in ecdsa_compute_s()
481 	if (!BN_mod_mul(s, s, kinv, order, ctx)) {  in ecdsa_compute_s()
486 	if (!BN_mod_mul(s, s, binv, order, ctx)) {  in ecdsa_compute_s()
658 	const BIGNUM *order;  in ecdsa_verify_sig()  local
694 	if ((order = EC_GROUP_get0_order(group)) == NULL) {  in ecdsa_verify_sig()
699 	/* Step 1: verify that r and s are in the range [1, order). */  in ecdsa_verify_sig()
700 	if (BN_cmp(sig->r, BN_value_one()) < 0 || BN_cmp(sig->r, order) >= 0) {  in ecdsa_verify_sig()
705 	if (BN_cmp(sig->s, BN_value_one()) < 0 || BN_cmp(sig->s, order) >= 0) {  in ecdsa_verify_sig()
715 	/* Step 4: compute the inverse of s modulo order. */  in ecdsa_verify_sig()
716 	if (BN_mod_inverse_ct(sinv, sig->s, order, ctx) == NULL) {  in ecdsa_verify_sig()
720 	/* Step 5: compute u = s^-1 * e and v = s^-1 * r (modulo order). */  in ecdsa_verify_sig()
721 	if (!BN_mod_mul(u, e, sinv, order, ctx)) {  in ecdsa_verify_sig()
725 	if (!BN_mod_mul(v, sig->r, sinv, order, ctx)) {  in ecdsa_verify_sig()
747 	/* Step 8: convert x to a number in [0, order). */  in ecdsa_verify_sig()
748 	if (!BN_nnmod(x, x, order, ctx)) {  in ecdsa_verify_sig()