From f4078e53da769ade0d92e80ad9093040e7f71d58 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Wed, 7 Oct 2020 15:09:49 +0300
Subject: [PATCH] Do not alter ukm in gost3410.KEK*
---
 gogost.go | 2 +-
 gost3410/vko.go | 6 +++---
 gost3410/vko2001_test.go | 21 +++++++++++++++++++++
 news.texi | 5 +++++
 4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/gogost.go b/gogost.go
index 90c3bb7..1d798a9 100644
--- a/gogost.go
+++ b/gogost.go
@@ -1,4 +1,4 @@
 // Pure Go GOST cryptographic functions library.
 package gogost
-const Version = "5.0.2"
+const Version = "5.1.0"
diff --git a/gost3410/vko.go b/gost3410/vko.go
index fdf3a2f..a6df7f4 100644
--- a/gost3410/vko.go
+++ b/gost3410/vko.go
@@ -24,9 +24,9 @@ func (prv *PrivateKey) KEK(pub *PublicKey, ukm *big.Int) ([]byte, error) {
 if err != nil {
 return nil, err
 }
- ukm = ukm.Mul(ukm, prv.C.Co)
- if ukm.Cmp(bigInt1) != 0 {
- keyX, keyY, err = prv.C.Exp(ukm, keyX, keyY)
+ u := big.NewInt(0).Set(ukm).Mul(ukm, prv.C.Co)
+ if u.Cmp(bigInt1) != 0 {
+ keyX, keyY, err = prv.C.Exp(u, keyX, keyY)
 if err != nil {
 return nil, err
 }
diff --git a/gost3410/vko2001_test.go b/gost3410/vko2001_test.go
index 3f80733..80e30ad 100644
--- a/gost3410/vko2001_test.go
+++ b/gost3410/vko2001_test.go
@@ -18,6 +18,7 @@ package gost3410
 import (
 "bytes"
 "encoding/hex"
+ "math/big"
 "testing"
 "testing/quick"
 )
@@ -43,6 +44,26 @@ func TestVKO2001(t *testing.T) {
 }
 }
+func TestVKOUKMAltering(t *testing.T) {
+ c := CurveIdtc26gost34102012256paramSetA()
+ ukm := big.NewInt(1)
+ prv, err := NewPrivateKey(c, bytes.Repeat([]byte{0x12}, 32))
+ if err != nil {
+ panic(err)
+ }
+ pub, err := prv.PublicKey()
+ if err != nil {
+ panic(err)
+ }
+ _, err = prv.KEK(pub, ukm)
+ if err != nil {
+ panic(err)
+ }
+ if ukm.Cmp(big.NewInt(1)) != 0 {
+ t.FailNow()
+ }
+}
 func TestRandomVKO2001(t *testing.T) {
 c := CurveIdGostR34102001TestParamSet()
 f := func(prvRaw1 [32]byte, prvRaw2 [32]byte, ukmRaw [8]byte) bool {
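Review bot: In the vko.go hunk, `big.NewInt(0).Set(ukm).Mul(ukm, prv.C.Co)` copies ukm into the fresh value and then immediately overwrites that copy, because Mul stores its result in its receiver; the Set call is dead work that obscures the intent. `u := new(big.Int).Mul(ukm, prv.C.Co)` allocates the scratch value and leaves the caller's ukm untouched just the same, which is the property the commit is after. KEK begins and ends outside this hunk, so whether any later step still writes to ukm cannot be confirmed here; a short comment on the new line, `// scratch value: callers may reuse ukm, never mutate it`, would record the contract for the next edit.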
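Review bot: The new TestVKOUKMAltering reports setup failures with panic(err) and its actual assertion with a bare t.FailNow(), so a regression surfaces as a stack trace or a nameless failure instead of a test message. Replacing the three `panic(err)` calls with `t.Fatal(err)` and the final check with `t.Fatalf("ukm altered by KEK: got %s, want 1", ukm)` keeps the test in the testing idiom and names what broke. Whether the neighbouring tests in this file use panic the same way is not visible in the hunk, so if they do, this is a consistency choice rather than a defect.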
diff --git a/news.texi b/news.texi
index 350ac07..5db2e91 100644
--- a/news.texi
+++ b/news.texi
@@ -3,6 +3,11 @@
 @table @strong
+@anchor{Release 5.1.0}
+@item 5.1.0
+ @code{gost3410/KEK*} functions do not alter @code{ukm} argument.
+ It is safe to reuse now.
+
 @anchor{Release 5.0.0}
 @item 5.0.0
 Backward incompatible remove of excess misleading @code{gost3410.Mode}
--
2.44.0