+ unsigned char iv_full[16], out[48], mac_buf[16];
+ unsigned int mac_len;
+
+ EVP_CIPHER_CTX *ciph = NULL;
+ EVP_MD_CTX *mac = NULL;
+
+ int ret = 0;
+ int len;
+
+ mac_len = (cipher_nid == NID_magma_ctr) ? 8 :
+ (cipher_nid == NID_grasshopper_ctr) ? 16 : 0;
+
+ if (mac_len == 0) {
+ GOSTerr(GOST_F_GOST_KIMP15, GOST_R_INVALID_CIPHER);
+ goto err;
+ }
+
+ /* we expect IV of half length */
+ memset(iv_full, 0, 16);
+ memcpy(iv_full, iv, ivlen);
+
+ ciph = EVP_CIPHER_CTX_new();
+ if (ciph == NULL) {
+ GOSTerr(GOST_F_GOST_KEXP15, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (EVP_CipherInit_ex
+ (ciph, EVP_get_cipherbynid(cipher_nid), NULL, NULL, NULL, 0) <= 0
+ || EVP_CipherInit_ex(ciph, NULL, NULL, cipher_key, iv_full, 0) <= 0
+ || EVP_CipherUpdate(ciph, out, &len, expkey, expkeylen) <= 0
+ || EVP_CipherFinal_ex(ciph, out + len, &len) <= 0) {
+ GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ /*Now we have shared key and mac in out[] */
+
+ mac = EVP_MD_CTX_new();
+ if (mac == NULL) {
+ GOSTerr(GOST_F_GOST_KEXP15, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (EVP_DigestInit_ex(mac, EVP_get_digestbynid(mac_nid), NULL) <= 0
+ || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_SET_KEY, 32, mac_key) <= 0
+ || EVP_MD_CTX_ctrl(mac, EVP_MD_CTRL_MAC_LEN, mac_len, NULL) <= 0
+ || EVP_DigestUpdate(mac, iv, ivlen) <= 0
+ || EVP_DigestUpdate(mac, out, shared_len) <= 0
+ /* As we set MAC length directly, we should not allow overwriting it */
+ || EVP_DigestFinal_ex(mac, mac_buf, NULL) <= 0) {
+ GOSTerr(GOST_F_GOST_KIMP15, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
+ if (CRYPTO_memcmp(mac_buf, out + shared_len, mac_len) != 0) {
+ GOSTerr(GOST_F_GOST_KIMP15, GOST_R_BAD_MAC);
+ goto err;
+ }
+
+ memcpy(shared_key, out, shared_len);
+ ret = 1;
+
+ err:
+ OPENSSL_cleanse(out, sizeof(out));
+ EVP_MD_CTX_free(mac);
+ EVP_CIPHER_CTX_free(ciph);
+ return ret;