+GOST_cipher grasshopper_ctr_acpkm_cipher = {
+ .nid = NID_kuznyechik_ctr_acpkm,
+ .template = &grasshopper_template_cipher,
+ .block_size = 1,
+ .iv_len = 8,
+ .flags = EVP_CIPH_CTR_MODE |
+ EVP_CIPH_NO_PADDING |
+ EVP_CIPH_CUSTOM_IV,
+ .init = gost_grasshopper_cipher_init_ctracpkm,
+ .do_cipher = gost_grasshopper_cipher_do_ctracpkm,
+ .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
+};
+
+GOST_cipher grasshopper_ctr_acpkm_omac_cipher = {
+ .nid = NID_kuznyechik_ctr_acpkm_omac,
+ .template = &grasshopper_template_cipher,
+ .block_size = 1,
+ .iv_len = 8,
+ .flags = EVP_CIPH_CTR_MODE |
+ EVP_CIPH_NO_PADDING |
+ EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_CUSTOM_CIPHER |
+ EVP_CIPH_FLAG_CIPHER_WITH_MAC |
+ EVP_CIPH_CUSTOM_COPY,
+ .init = gost_grasshopper_cipher_init_ctracpkm_omac,
+ .do_cipher = gost_grasshopper_cipher_do_ctracpkm_omac,
+ .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
+};
+
+GOST_cipher grasshopper_mgm_cipher = {
+ .nid = NID_undef,
+ .template = &grasshopper_template_cipher,
+ .block_size = 1,
+ .iv_len = 16,
+ .flags = EVP_CIPH_NO_PADDING |
+ EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
+ EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER,
+ .cleanup = gost_grasshopper_mgm_cleanup,
+ .ctrl = gost_grasshopper_mgm_ctrl,
+ .init = gost_grasshopper_cipher_init_mgm,
+ .do_cipher = gost_grasshopper_cipher_do_mgm,
+ .ctx_size = sizeof(gost_mgm_ctx)
+};
+
+static void kuznyechik_NID_callback (int nid)
+{
+ grasshopper_mgm_cipher.nid = nid;
+}
+
+GOST_NID_JOB kuznyechik_mgm_NID = {
+ .sn = SN_kuznyechik_mgm,
+ .ln = SN_kuznyechik_mgm,
+ .callback = kuznyechik_NID_callback,
+};
+
+/* first 256 bit of D from draft-irtf-cfrg-re-keying-12 */
+static const unsigned char ACPKM_D_2018[] = {
+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 64 bit */
+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, /* 128 bit */
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, /* 256 bit */
+};
+
+static void acpkm_next(gost_grasshopper_cipher_ctx * c)
+{
+ unsigned char newkey[GRASSHOPPER_KEY_SIZE];
+ const int J = GRASSHOPPER_KEY_SIZE / GRASSHOPPER_BLOCK_SIZE;
+ int n;
+
+ for (n = 0; n < J; n++) {
+ const unsigned char *D_n = &ACPKM_D_2018[n * GRASSHOPPER_BLOCK_SIZE];
+
+ grasshopper_encrypt_block(&c->encrypt_round_keys,
+ (grasshopper_w128_t *) D_n,
+ (grasshopper_w128_t *) & newkey[n *
+ GRASSHOPPER_BLOCK_SIZE],
+ &c->buffer);
+ }
+ gost_grasshopper_cipher_key(c, newkey);
+}
+
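Review bot: In `acpkm_next`, the stack buffer `newkey` holds the next ACPKM section key and is still populated when the function returns, so the derived key lingers in stack memory after `gost_grasshopper_cipher_key(c, newkey);`. Adding `OPENSSL_cleanse(newkey, sizeof(newkey));` as the last statement would keep it out of a later stack disclosure or core dump; a plain `memset` may be optimised away. Separately, the casts of `D_n` and `&newkey[...]` to `grasshopper_w128_t *` drop the `const` on `ACPKM_D_2018` and assume both `unsigned char` arrays are suitably aligned for that type. The lines shown here do not guarantee that alignment (the type's definition is not visible), so copying through a local `grasshopper_w128_t` with `memcpy` would be safer. A short comment stating that the loop encrypts the constant D block by block under the current key to produce the next key would also help readers map it to the cited draft.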