- Y = BN_CTX_get(ctx);
- EC_GROUP_get_order(EC_KEY_get0_group(priv_key), order, ctx);
- EC_GROUP_get_cofactor(EC_KEY_get0_group(priv_key), cofactor, ctx);
- BN_mod_mul(UKM, UKM, cofactor, order, ctx);
- BN_mod_mul(p, key, UKM, order, ctx);
- if (!EC_POINT_mul(EC_KEY_get0_group(priv_key), pnt, NULL, pub_key, p, ctx)) {
+
+ if ((Y = BN_CTX_get(ctx)) == NULL
+ || (pnt = EC_POINT_new(grp)) == NULL
+ || BN_lebin2bn(ukm, ukm_size, scalar) == NULL
+ || !BN_mod_mul(scalar, scalar, EC_KEY_get0_private_key(priv_key),
+ EC_GROUP_get0_order(grp), ctx))
+ goto err;
+
+ /* these two curves have cofactor 4; the rest have cofactor 1 */
+ switch (EC_GROUP_get_curve_name(grp)) {
+ case NID_id_tc26_gost_3410_2012_256_paramSetA:
+ case NID_id_tc26_gost_3410_2012_512_paramSetC:
+ if (!BN_lshift(scalar, scalar, 2))
+ goto err;
+ break;
+ }
+
+ if (!gost_ec_point_mul(grp, pnt, NULL, pub_key, scalar, ctx)) {