gcm_test.go

     1  // Copyright 2013 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package cipher_test
     6  
     7  import (
     8  	"bytes"
     9  	"crypto/aes"
    10  	"crypto/cipher"
    11  	"crypto/internal/boring"
    12  	"crypto/internal/cryptotest"
    13  	"crypto/internal/fips140"
    14  	fipsaes "crypto/internal/fips140/aes"
    15  	"crypto/internal/fips140/aes/gcm"
    16  	"crypto/rand"
    17  	"encoding/hex"
    18  	"errors"
    19  	"fmt"
    20  	"internal/testenv"
    21  	"io"
    22  	"reflect"
    23  	"testing"
    24  )
    25  
    26  var _ cipher.Block = (*wrapper)(nil)
    27  
    28  type wrapper struct {
    29  	block cipher.Block
    30  }
    31  
    32  func (w *wrapper) BlockSize() int          { return w.block.BlockSize() }
    33  func (w *wrapper) Encrypt(dst, src []byte) { w.block.Encrypt(dst, src) }
    34  func (w *wrapper) Decrypt(dst, src []byte) { w.block.Decrypt(dst, src) }
    35  
    36  // wrap wraps the Block so that it does not type-asserts to *aes.Block.
    37  func wrap(b cipher.Block) cipher.Block {
    38  	return &wrapper{b}
    39  }
    40  
    41  func testAllImplementations(t *testing.T, f func(*testing.T, func([]byte) cipher.Block)) {
    42  	cryptotest.TestAllImplementations(t, "gcm", func(t *testing.T) {
    43  		f(t, func(b []byte) cipher.Block {
    44  			c, err := aes.NewCipher(b)
    45  			if err != nil {
    46  				t.Fatal(err)
    47  			}
    48  			return c
    49  		})
    50  	})
    51  	t.Run("Fallback", func(t *testing.T) {
    52  		f(t, func(b []byte) cipher.Block {
    53  			c, err := aes.NewCipher(b)
    54  			if err != nil {
    55  				t.Fatal(err)
    56  			}
    57  			return wrap(c)
    58  		})
    59  	})
    60  }
    61  
    62  var aesGCMTests = []struct {
    63  	key, nonce, plaintext, ad, result string
    64  }{
    65  	{ // key=16, plaintext=null
    66  		"11754cd72aec309bf52f7687212e8957",
    67  		"3c819d9a9bed087615030b65",
    68  		"",
    69  		"",
    70  		"250327c674aaf477aef2675748cf6971",
    71  	},
    72  	{ // key=24, plaintext=null
    73  		"e2e001a36c60d2bf40d69ff5b2b1161ea218db263be16a4e",
    74  		"3c819d9a9bed087615030b65",
    75  		"",
    76  		"",
    77  		"c7b8da1fe2e3dccc4071ba92a0a57ba8",
    78  	},
    79  	{ // key=32, plaintext=null
    80  		"5394e890d37ba55ec9d5f327f15680f6a63ef5279c79331643ad0af6d2623525",
    81  		"3c819d9a9bed087615030b65",
    82  		"",
    83  		"",
    84  		"d9b260d4bc4630733ffb642f5ce45726",
    85  	},
    86  	{
    87  		"ca47248ac0b6f8372a97ac43508308ed",
    88  		"ffd2b598feabc9019262d2be",
    89  		"",
    90  		"",
    91  		"60d20404af527d248d893ae495707d1a",
    92  	},
    93  	{
    94  		"fbe3467cc254f81be8e78d765a2e6333",
    95  		"c6697351ff4aec29cdbaabf2",
    96  		"",
    97  		"67",
    98  		"3659cdc25288bf499ac736c03bfc1159",
    99  	},
   100  	{
   101  		"8a7f9d80d08ad0bd5a20fb689c88f9fc",
   102  		"88b7b27d800937fda4f47301",
   103  		"",
   104  		"50edd0503e0d7b8c91608eb5a1",
   105  		"ed6f65322a4740011f91d2aae22dd44e",
   106  	},
   107  	{
   108  		"051758e95ed4abb2cdc69bb454110e82",
   109  		"c99a66320db73158a35a255d",
   110  		"",
   111  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339f",
   112  		"6ce77f1a5616c505b6aec09420234036",
   113  	},
   114  	{
   115  		"77be63708971c4e240d1cb79e8d77feb",
   116  		"e0e00f19fed7ba0136a797f3",
   117  		"",
   118  		"7a43ec1d9c0a5a78a0b16533a6213cab",
   119  		"209fcc8d3675ed938e9c7166709dd946",
   120  	},
   121  	{
   122  		"7680c5d3ca6154758e510f4d25b98820",
   123  		"f8f105f9c3df4965780321f8",
   124  		"",
   125  		"c94c410194c765e3dcc7964379758ed3",
   126  		"94dca8edfcf90bb74b153c8d48a17930",
   127  	},
   128  
   129  	{ // key=16, plaintext=16
   130  		"7fddb57453c241d03efbed3ac44e371c",
   131  		"ee283a3fc75575e33efd4887",
   132  		"d5de42b461646c255c87bd2962d3b9a2",
   133  		"",
   134  		"2ccda4a5415cb91e135c2a0f78c9b2fdb36d1df9b9d5e596f83e8b7f52971cb3",
   135  	},
   136  	{
   137  		"ab72c77b97cb5fe9a382d9fe81ffdbed",
   138  		"54cc7dc2c37ec006bcc6d1da",
   139  		"007c5e5b3e59df24a7c355584fc1518d",
   140  		"",
   141  		"0e1bde206a07a9c2c1b65300f8c649972b4401346697138c7a4891ee59867d0c",
   142  	},
   143  	{ // key=24, plaintext=16
   144  		"feffe9928665731c6d6a8f9467308308feffe9928665731c",
   145  		"54cc7dc2c37ec006bcc6d1da",
   146  		"007c5e5b3e59df24a7c355584fc1518d",
   147  		"",
   148  		"7bd53594c28b6c6596feb240199cad4c9badb907fd65bde541b8df3bd444d3a8",
   149  	},
   150  	{ // key=32, plaintext=16
   151  		"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
   152  		"54cc7dc2c37ec006bcc6d1da",
   153  		"007c5e5b3e59df24a7c355584fc1518d",
   154  		"",
   155  		"d50b9e252b70945d4240d351677eb10f937cdaef6f2822b6a3191654ba41b197",
   156  	},
   157  	{ // key=16, plaintext=23
   158  		"ab72c77b97cb5fe9a382d9fe81ffdbed",
   159  		"54cc7dc2c37ec006bcc6d1da",
   160  		"007c5e5b3e59df24a7c355584fc1518dabcdefab",
   161  		"",
   162  		"0e1bde206a07a9c2c1b65300f8c64997b73381a6ff6bc24c5146fbd73361f4fe",
   163  	},
   164  	{ // key=24, plaintext=23
   165  		"feffe9928665731c6d6a8f9467308308feffe9928665731c",
   166  		"54cc7dc2c37ec006bcc6d1da",
   167  		"007c5e5b3e59df24a7c355584fc1518dabcdefab",
   168  		"",
   169  		"7bd53594c28b6c6596feb240199cad4c23b86a96d423cffa929e68541dc16b28",
   170  	},
   171  	{ // key=32, plaintext=23
   172  		"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
   173  		"54cc7dc2c37ec006bcc6d1da",
   174  		"007c5e5b3e59df24a7c355584fc1518dabcdefab",
   175  		"",
   176  		"d50b9e252b70945d4240d351677eb10f27fd385388ad3b72b96a2d5dea1240ae",
   177  	},
   178  
   179  	{ // key=16, plaintext=51
   180  		"fe47fcce5fc32665d2ae399e4eec72ba",
   181  		"5adb9609dbaeb58cbd6e7275",
   182  		"7c0e88c88899a779228465074797cd4c2e1498d259b54390b85e3eef1c02df60e743f1b840382c4bccaf3bafb4ca8429bea063",
   183  		"88319d6e1d3ffa5f987199166c8a9b56c2aeba5a",
   184  		"98f4826f05a265e6dd2be82db241c0fbbbf9ffb1c173aa83964b7cf5393043736365253ddbc5db8778371495da76d269e5db3e291ef1982e4defedaa2249f898556b47",
   185  	},
   186  	{
   187  		"ec0c2ba17aa95cd6afffe949da9cc3a8",
   188  		"296bce5b50b7d66096d627ef",
   189  		"b85b3753535b825cbe5f632c0b843c741351f18aa484281aebec2f45bb9eea2d79d987b764b9611f6c0f8641843d5d58f3a242",
   190  		"f8d00f05d22bf68599bcdeb131292ad6e2df5d14",
   191  		"a7443d31c26bdf2a1c945e29ee4bd344a99cfaf3aa71f8b3f191f83c2adfc7a07162995506fde6309ffc19e716eddf1a828c5a890147971946b627c40016da1ecf3e77",
   192  	},
   193  	{
   194  		"2c1f21cf0f6fb3661943155c3e3d8492",
   195  		"23cb5ff362e22426984d1907",
   196  		"42f758836986954db44bf37c6ef5e4ac0adaf38f27252a1b82d02ea949c8a1a2dbc0d68b5615ba7c1220ff6510e259f06655d8",
   197  		"5d3624879d35e46849953e45a32a624d6a6c536ed9857c613b572b0333e701557a713e3f010ecdf9a6bd6c9e3e44b065208645aff4aabee611b391528514170084ccf587177f4488f33cfb5e979e42b6e1cfc0a60238982a7aec",
   198  		"81824f0e0d523db30d3da369fdc0d60894c7a0a20646dd015073ad2732bd989b14a222b6ad57af43e1895df9dca2a5344a62cc57a3ee28136e94c74838997ae9823f3a",
   199  	},
   200  	{
   201  		"d9f7d2411091f947b4d6f1e2d1f0fb2e",
   202  		"e1934f5db57cc983e6b180e7",
   203  		"73ed042327f70fe9c572a61545eda8b2a0c6e1d6c291ef19248e973aee6c312012f490c2c6f6166f4a59431e182663fcaea05a",
   204  		"0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a20115d2e51398344b16bee1ed7c499b353d6c597af8",
   205  		"aaadbd5c92e9151ce3db7210b8714126b73e43436d242677afa50384f2149b831f1d573c7891c2a91fbc48db29967ec9542b2321b51ca862cb637cdd03b99a0f93b134",
   206  	},
   207  	{ //key=24 plaintext=51
   208  		"feffe9928665731c6d6a8f9467308308feffe9928665731c",
   209  		"e1934f5db57cc983e6b180e7",
   210  		"73ed042327f70fe9c572a61545eda8b2a0c6e1d6c291ef19248e973aee6c312012f490c2c6f6166f4a59431e182663fcaea05a",
   211  		"0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a20115d2e51398344b16bee1ed7c499b353d6c597af8",
   212  		"0736378955001d50773305975b3a534a4cd3614dd7300916301ae508cb7b45aa16e79435ca16b5557bcad5991bc52b971806863b15dc0b055748919b8ee91bc8477f68",
   213  	},
   214  	{ //key-32 plaintext=51
   215  		"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
   216  		"e1934f5db57cc983e6b180e7",
   217  		"73ed042327f70fe9c572a61545eda8b2a0c6e1d6c291ef19248e973aee6c312012f490c2c6f6166f4a59431e182663fcaea05a",
   218  		"0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a20115d2e51398344b16bee1ed7c499b353d6c597af8",
   219  		"fc1ae2b5dcd2c4176c3f538b4c3cc21197f79e608cc3730167936382e4b1e5a7b75ae1678bcebd876705477eb0e0fdbbcda92fb9a0dc58c8d8f84fb590e0422e6077ef",
   220  	},
   221  	{ //key=16 plaintext=138
   222  		"d9f7d2411091f947b4d6f1e2d1f0fb2e",
   223  		"e1934f5db57cc983e6b180e7",
   224  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b3aabbccddee",
   225  		"0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a20115d2e51398344b16bee1ed7c499b353d6c597af8",
   226  		"be86d00ce4e150190f646eae0f670ad26b3af66db45d2ee3fd71badd2fe763396bdbca498f3f779c70b80ed2695943e15139b406e5147b3855a1441dfb7bd64954b581e3db0ddf26b1c759e2276a4c18a8e4ad4b890f473e61c78e60074bd0633961e87e66d0a1be77c51ab6b9bb3318ccdd43794ffc18a03a83c1d368eeea590a13407c7ef48efc66e26047f3ab9deed0412ce89e",
   227  	},
   228  	{ //key=24 plaintext=138
   229  		"feffe9928665731c6d6a8f9467308308feffe9928665731c",
   230  		"e1934f5db57cc983e6b180e7",
   231  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b3aabbccddee",
   232  		"0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a20115d2e51398344b16bee1ed7c499b353d6c597af8",
   233  		"131d5ad9230858559b8c1929ec2c18be90d7d4630e49018262ce5c511688bd10622109403db8006014ce93905b0a16bf1d1411acc9e14edf09518bd5967ff4bc202805d4c2810810a093e996a0f56c9a3e3e593c783f68528c1a282ff6f4925902bb2b3d4cdd04b873663bf5fd9dd53b5df462e0424d038f249b10a99c0523200f8c92c3e8a178a25ee8e23b71308c88ec2cfe047e",
   234  	},
   235  	{ //key-32 plaintext=138
   236  		"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
   237  		"e1934f5db57cc983e6b180e7",
   238  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b3aabbccddee",
   239  		"0a8a18a7150e940c3d87b38e73baee9a5c049ee21795663e264b694a949822b639092d0e67015e86363583fcf0ca645af9f43375f05fdb4ce84f411dcbca73c2220dea03a20115d2e51398344b16bee1ed7c499b353d6c597af8",
   240  		"e8318fe5aada811280804f35fb2a89e54bf32b4e55ba7b953547dadb39421d1dc39c7c127c6008b208010177f02fc093c8bbb8b3834d0e060d96dda96ba386c7c01224a4cac1edebffda4f9a64692bfbffb9f7c2999069fab84205224978a10d815d5ab8fa31e4e11630ba01c3b6cb99bef5772357ce86b83b4fb45ea7146402d560b6ad07de635b9366865e788a6bcdb132dcd079",
   241  	},
   242  	{ // key=16, plaintext=13
   243  		"fe9bb47deb3a61e423c2231841cfd1fb",
   244  		"4d328eb776f500a2f7fb47aa",
   245  		"f1cc3818e421876bb6b8bbd6c9",
   246  		"",
   247  		"b88c5c1977b35b517b0aeae96743fd4727fe5cdb4b5b42818dea7ef8c9",
   248  	},
   249  	{ // key=16, plaintext=13
   250  		"6703df3701a7f54911ca72e24dca046a",
   251  		"12823ab601c350ea4bc2488c",
   252  		"793cd125b0b84a043e3ac67717",
   253  		"",
   254  		"b2051c80014f42f08735a7b0cd38e6bcd29962e5f2c13626b85a877101",
   255  	},
   256  	{ // key=24, plaintext=13
   257  		"feffe9928665731c6d6a8f9467308308feffe9928665731c",
   258  		"12823ab601c350ea4bc2488c",
   259  		"793cd125b0b84a043e3ac67717",
   260  		"",
   261  		"e888c2f438caedd4189d26c59f53439b8a7caec29e98c33ebf7e5712d6",
   262  	},
   263  	{ // key=32, plaintext=13
   264  		"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
   265  		"12823ab601c350ea4bc2488c",
   266  		"793cd125b0b84a043e3ac67717",
   267  		"",
   268  		"e796c39074c7783a38193e3f8d46b355adacca7198d16d879fbfeac6e3",
   269  	},
   270  
   271  	// These cases test non-standard nonce sizes.
   272  	{ // key=16, plaintext=0
   273  		"1672c3537afa82004c6b8a46f6f0d026",
   274  		"05",
   275  		"",
   276  		"",
   277  		"8e2ad721f9455f74d8b53d3141f27e8e",
   278  	},
   279  	{ //key=16, plaintext=32
   280  		"9a4fea86a621a91ab371e492457796c0",
   281  		"75",
   282  		"ca6131faf0ff210e4e693d6c31c109fc5b6f54224eb120f37de31dc59ec669b6",
   283  		"4f6e2585c161f05a9ae1f2f894e9f0ab52b45d0f",
   284  		"5698c0a384241d30004290aac56bb3ece6fe8eacc5c4be98954deb9c3ff6aebf5d50e1af100509e1fba2a5e8a0af9670",
   285  	},
   286  	{ //key=24, plaintext=32
   287  		"feffe9928665731c6d6a8f9467308308feffe9928665731c",
   288  		"75",
   289  		"ca6131faf0ff210e4e693d6c31c109fc5b6f54224eb120f37de31dc59ec669b6",
   290  		"4f6e2585c161f05a9ae1f2f894e9f0ab52b45d0f",
   291  		"2709b357ec8334a074dbd5c4c352b216cfd1c8bd66343c5d43bfc6bd3b2b6cd0e3a82315d56ea5e4961c9ef3bc7e4042",
   292  	},
   293  	{ //key=32, plaintext=32
   294  		"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
   295  		"75",
   296  		"ca6131faf0ff210e4e693d6c31c109fc5b6f54224eb120f37de31dc59ec669b6",
   297  		"4f6e2585c161f05a9ae1f2f894e9f0ab52b45d0f",
   298  		"d73bebe722c5e312fe910ba71d5a6a063a4297203f819103dfa885a8076d095545a999affde3dbac2b5be6be39195ed0",
   299  	},
   300  	{ // key=16, plaintext=0
   301  		"d0f1f4defa1e8c08b4b26d576392027c",
   302  		"42b4f01eb9f5a1ea5b1eb73b0fb0baed54f387ecaa0393c7d7dffc6af50146ecc021abf7eb9038d4303d91f8d741a11743166c0860208bcc02c6258fd9511a2fa626f96d60b72fcff773af4e88e7a923506e4916ecbd814651e9f445adef4ad6a6b6c7290cc13b956130eef5b837c939fcac0cbbcc9656cd75b13823ee5acdac",
   303  		"",
   304  		"",
   305  		"7ab49b57ddf5f62c427950111c5c4f0d",
   306  	},
   307  	{ //key=16, plaintext=13
   308  		"4a0c00a3d284dea9d4bf8b8dde86685e",
   309  		"f8cbe82588e784bcacbe092cd9089b51e01527297f635bf294b3aa787d91057ef23869789698ac960707857f163ecb242135a228ad93964f5dc4a4d7f88fd7b3b07dd0a5b37f9768fb05a523639f108c34c661498a56879e501a2321c8a4a94d7e1b89db255ac1f685e185263368e99735ebe62a7f2931b47282be8eb165e4d7",
   310  		"6d4bf87640a6a48a50d28797b7",
   311  		"8d8c7ffc55086d539b5a8f0d1232654c",
   312  		"0d803ec309482f35b8e6226f2b56303239298e06b281c2d51aaba3c125",
   313  	},
   314  	{ //key=16, plaintext=128
   315  		"0e18a844ac5bf38e4cd72d9b0942e506",
   316  		"0870d4b28a2954489a0abcd5",
   317  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b3",
   318  		"05eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea9",
   319  		"cace28f4976afd72e3c5128167eb788fbf6634dda0a2f53148d00f6fa557f5e9e8f736c12e450894af56cb67f7d99e1027258c8571bd91ee3b7360e0d508aa1f382411a16115f9c05251cc326d4016f62e0eb8151c048465b0c6c8ff12558d43310e18b2cb1889eec91557ce21ba05955cf4c1d4847aadfb1b0a83f3a3b82b7efa62a5f03c5d6eda381a85dd78dbc55c",
   320  	},
   321  	{ //key=24, plaintext=128
   322  		"feffe9928665731c6d6a8f9467308308feffe9928665731c",
   323  		"0870d4b28a2954489a0abcd5",
   324  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b3",
   325  		"05eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea9",
   326  		"303157d398376a8d51e39eabdd397f45b65f81f09acbe51c726ae85867e1675cad178580bb31c7f37c1af3644bd36ac436e9459139a4903d95944f306e415da709134dccde9d2b2d7d196b6740c196d9d10caa45296cf577a6e15d7ddf3576c20c503617d6a9e6b6d2be09ae28410a1210700a463a5b3b8d391abe9dac217e76a6f78306b5ebe759a5986b7d6682db0b",
   327  	},
   328  	{ //key=32, plaintext=128
   329  		"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
   330  		"0870d4b28a2954489a0abcd5",
   331  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b3",
   332  		"05eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea9",
   333  		"e4f13934744125b9c35935ed4c5ac7d0c16434d52eadef1da91c6abb62bc757f01e3e42f628f030d750826adceb961f0675b81de48376b181d8781c6a0ccd0f34872ef6901b97ff7c2e152426b3257fb91f6a43f47befaaf7a2136fd0c97de8c48517ce047a5641141092c717b151b44f0794a164b5861f0a77271d1bdbc332e9e43d3b9828ccfdbd4ae338da5baf7a9",
   334  	},
   335  
   336  	{ //key=16, plaintext=512
   337  		"1f6c3a3bc0542aabba4ef8f6c7169e73",
   338  		"f3584606472b260e0dd2ebb2",
   339  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b0942e506c433afcda3847f2dadd47647de321cec4ac430f62023856cfbb20704f4ec0bb920ba86c33e05f1ecd96733b79950a3e314d3d934f75ea0f210a8f6059401beb4bc4478fa4969e623d01ada696a7e4c7e5125b34884533a94fb319990325744ee9bbce9e525cf08f5e9e25e5360aad2b2d085fa54d835e8d466826498d9a8877565705a8a3f62802944de7ca5894e5759d351adac869580ec17e485f18c0c66f17cc07cbb22fce466da610b63af62bc83b4692f3affaf271693ac071fb86d11342d8def4f89d4b66335c1c7e4248367d8ed9612ec453902d8e50af89d7709d1a596c1f41f",
   340  		"95aa82ca6c49ae90cd1668baac7aa6f2b4a8ca99b2c2372acb08cf61c9c3805e6e0328da4cd76a19edd2d3994c798b0022569ad418d1fee4d9cd45a391c601ffc92ad91501432fee150287617c13629e69fc7281cd7165a63eab49cf714bce3a75a74f76ea7e64ff81eb61fdfec39b67bf0de98c7e4e32bdf97c8c6ac75ba43c02f4b2ed7216ecf3014df000108b67cf99505b179f8ed4980a6103d1bca70dbe9bbfab0ed59801d6e5f2d6f67d3ec5168e212e2daf02c6b963c98a1f7097de0c56891a2b211b01070dd8fd8b16c2a1a4e3cfd292d2984b3561d555d16c33ddc2bcf7edde13efe520c7e2abdda44d81881c531aeeeb66244c3b791ea8acfb6a68",
   341  		"55864065117e07650ca650a0f0d9ef4b02aee7c58928462fddb49045bf85355b4653fa26158210a7f3ef5b3ca48612e8b7adf5c025c1b821960af770d935df1c9a1dd25077d6b1c7f937b2e20ce981b07980880214698f3fad72fa370b3b7da257ce1d0cf352bc5304fada3e0f8927bd4e5c1abbffa563bdedcb567daa64faaed748cb361732200ba3506836a3c1c82aafa14c76dc07f6c4277ff2c61325f91fdbd6c1883e745fcaadd5a6d692eeaa5ad56eead6a9d74a595d22757ed89532a4b8831e2b9e2315baea70a9b95d228f09d491a5ed5ab7076766703457e3159bbb9b17b329525669863153079448c68cd2f200c0be9d43061a60639cb59d50993d276c05caaa565db8ce633b2673e4012bebbca02b1a64d779d04066f3e949ece173825885ec816468c819a8129007cc05d8785c48077d09eb1abcba14508dde85a6f16a744bc95faef24888d53a8020515ab20307efaecbdf143a26563c67989bceedc2d6d2bb9699bb6c615d93767e4158c1124e3b6c723aaa47796e59a60d3696cd85adfae9a62f2c02c22009f80ed494bdc587f31dd892c253b5c6d6b7db078fa72d23474ee54f8144d6561182d71c862941dbc0b2cb37a4d4b23cbad5637e6be901cc73f16d5aec39c60dddee631511e57b47520b61ae1892d2d1bd2b486e30faec892f171b6de98d96108016fac805604761f8e74742b3bb7dc8a290a46bf697c3e4446e6e65832cbae7cf1aaad1",
   342  	},
   343  	{ //key=24, plaintext=512
   344  		"feffe9928665731c6d6a8f9467308308feffe9928665731c",
   345  		"f3584606472b260e0dd2ebb2",
   346  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b0942e506c433afcda3847f2dadd47647de321cec4ac430f62023856cfbb20704f4ec0bb920ba86c33e05f1ecd96733b79950a3e314d3d934f75ea0f210a8f6059401beb4bc4478fa4969e623d01ada696a7e4c7e5125b34884533a94fb319990325744ee9bbce9e525cf08f5e9e25e5360aad2b2d085fa54d835e8d466826498d9a8877565705a8a3f62802944de7ca5894e5759d351adac869580ec17e485f18c0c66f17cc07cbb22fce466da610b63af62bc83b4692f3affaf271693ac071fb86d11342d8def4f89d4b66335c1c7e4248367d8ed9612ec453902d8e50af89d7709d1a596c1f41f",
   347  		"95aa82ca6c49ae90cd1668baac7aa6f2b4a8ca99b2c2372acb08cf61c9c3805e6e0328da4cd76a19edd2d3994c798b0022569ad418d1fee4d9cd45a391c601ffc92ad91501432fee150287617c13629e69fc7281cd7165a63eab49cf714bce3a75a74f76ea7e64ff81eb61fdfec39b67bf0de98c7e4e32bdf97c8c6ac75ba43c02f4b2ed7216ecf3014df000108b67cf99505b179f8ed4980a6103d1bca70dbe9bbfab0ed59801d6e5f2d6f67d3ec5168e212e2daf02c6b963c98a1f7097de0c56891a2b211b01070dd8fd8b16c2a1a4e3cfd292d2984b3561d555d16c33ddc2bcf7edde13efe520c7e2abdda44d81881c531aeeeb66244c3b791ea8acfb6a68",
   348  		"9daa466c7174dfde72b435fb6041ed7ff8ab8b1b96edb90437c3cc2e7e8a7c2c3629bae3bcaede99ee926ef4c55571e504e1c516975f6c719611c4da74acc23bbc79b3a67491f84d573e0293aa0cf5d775dde93fc466d5babd3e93a6506c0261021ac184f571ab190df83c32b41a67eaaa8dde27c02b08f15cabc75e46d1f9634f32f9233b2cb975386ff3a5e16b6ea2e2e4215cb33beb4de39a861d7f4a02165cd763f8252b2d60ac45d65a70735a8806a8fec3ca9d37c2cdcb21d2bd5c08d350e4bbdfb11dca344b9bee17e71ee0df3449fd9f9581c6b5483843b457534afb4240585f38ac22aa59a68a167fed6f1be0a5b072b2461f16c976b9aa0f5f2f5988818b01faa025ac7788212d92d222f7c14fe6e8f644c8cd117bb8def5a0217dad4f05cbb334ff9ccf819a4a085ed7c19928ddc40edc931b47339f456ccd423b5c0c1cdc96278006b29de945cdceb0737771e14562fff2aba40606f6046da5031647308682060412812317962bb68be3b42876f0905d52da51ec6345677fe86613828f488cc5685a4b973e48babd109a56d1a1effb286133dc2a94b4ada5707d3a7825941fea1a7502693afc7fe5d810bb0050d98aa6b80801e13b563954a35c31f57d5ba1ddb1a2be26426e2fe7bcd13ba183d80ac1c556b7ec2069b01de1450431a1c2e27848e1f5f4af013bce9080aebd2bb0f1de9f7bb460771c266d48ff4cf84a66f82630657db861c032971079",
   349  	},
   350  	{ //key=32, plaintext=512
   351  		"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
   352  		"f3584606472b260e0dd2ebb2",
   353  		"67c6697351ff4aec29cdbaabf2fbe3467cc254f81be8e78d765a2e63339fc99a66320db73158a35a255d051758e95ed4abb2cdc69bb454110e827441213ddc8770e93ea141e1fc673e017e97eadc6b968f385c2aecb03bfb32af3c54ec18db5c021afe43fbfaaa3afb29d1e6053c7c9475d8be6189f95cbba8990f95b1ebf1b305eff700e9a13ae5ca0bcbd0484764bd1f231ea81c7b64c514735ac55e4b79633b706424119e09dcaad4acf21b10af3b33cde3504847155cbb6f2219ba9b7df50be11a1c7f23f829f8a41b13b5ca4ee8983238e0794d3d34bc5f4e77facb6c05ac86212baa1a55a2be70b5733b045cd33694b3afe2f0e49e4f321549fd824ea90870d4b28a2954489a0abcd50e18a844ac5bf38e4cd72d9b0942e506c433afcda3847f2dadd47647de321cec4ac430f62023856cfbb20704f4ec0bb920ba86c33e05f1ecd96733b79950a3e314d3d934f75ea0f210a8f6059401beb4bc4478fa4969e623d01ada696a7e4c7e5125b34884533a94fb319990325744ee9bbce9e525cf08f5e9e25e5360aad2b2d085fa54d835e8d466826498d9a8877565705a8a3f62802944de7ca5894e5759d351adac869580ec17e485f18c0c66f17cc07cbb22fce466da610b63af62bc83b4692f3affaf271693ac071fb86d11342d8def4f89d4b66335c1c7e4248367d8ed9612ec453902d8e50af89d7709d1a596c1f41f",
   354  		"95aa82ca6c49ae90cd1668baac7aa6f2b4a8ca99b2c2372acb08cf61c9c3805e6e0328da4cd76a19edd2d3994c798b0022569ad418d1fee4d9cd45a391c601ffc92ad91501432fee150287617c13629e69fc7281cd7165a63eab49cf714bce3a75a74f76ea7e64ff81eb61fdfec39b67bf0de98c7e4e32bdf97c8c6ac75ba43c02f4b2ed7216ecf3014df000108b67cf99505b179f8ed4980a6103d1bca70dbe9bbfab0ed59801d6e5f2d6f67d3ec5168e212e2daf02c6b963c98a1f7097de0c56891a2b211b01070dd8fd8b16c2a1a4e3cfd292d2984b3561d555d16c33ddc2bcf7edde13efe520c7e2abdda44d81881c531aeeeb66244c3b791ea8acfb6a68",
   355  		"793d34afb982ab70b0e204e1e7243314a19e987d9ab7662f58c3dc6064c9be35667ad53b115c610cfc229f4e5b3e8aae7aac97ce66d1d20b92da3860701b5006dd1385e173e3af7a5a9bb7da85c0434cd55a40fb9c482a0b36f0782846a7f16d05b40a08f0ad9a633f9a1e99e69e6b8039a0f2a91be40f193f4ce3bed1886dab1b0a6112f91503684c1e5afb938b9497166a7147badd1cc19c73e8b9f22e0dcbd18996868d7ad47755e677ee6e6ec87094cab7ee35feb96017c474261ba7391b18a72451e6daa7f38e162358c5d84788c974e614acc362b887c56b756df5aeacdda09b11d35a1f97daaceb5ca1b40a78b6058f7e1d26ad945be6ef74a8e72729f9ab2e3e7dda88d8f803e26e84a34ac07a7cecf5b6be23a4aa1ac6897f23169d894d53369b27673cf2438af9c6b53a2fa412c74dc075c617029e571f4c2951b1cdd63d33765af9d9d20e12430a83784c2bca8603f11521fa97f2e45398b4a385176701c6f416720ca0816bf51a3e0b4c7a28a89f0616a296423760f0f2f471e1def8a2f43956f79790a6b64dfdbb8159236ebd7fe1049e8e005e231e5f1936bfdccbda8cf0cb5116af758dfd6732dfa77ac3e6faf0996c13473292da363f01ddcb6a524dbf1d5d608f57c146173a9b169f979e101fe581f749764fd87119ae301958c8e9a9bfd16249e564ffbb304bc2ca4c34713a20fb858b47c83ce768e04f149884504c0515345631401f829e3259",
   356  	},
   357  
   358  	{ //key=16, plaintext=293
   359  		"0795d80bc7f40f4d41c280271a2e4f7f",
   360  		"ff824c906594aff365d3cb1f",
   361  		"1ad4e74d127f935beee57cff920665babe7ce56227377afe570ba786193ded3412d4812453157f42fafc418c02a746c1232c234a639d49baa8f041c12e2ef540027764568ce49886e0d913e28059a3a485c6eee96337a30b28e4cd5612c2961539fa6bc5de034cbedc5fa15db844013e0bef276e27ca7a4faf47a5c1093bd643354108144454d221b3737e6cb87faac36ed131959babe44af2890cfcc4e23ffa24470e689ce0894f5407bb0c8665cff536008ad2ac6f1c9ef8289abd0bd9b72f21c597bda5210cf928c805af2dd4a464d52e36819d521f967bba5386930ab5b4cf4c71746d7e6e964673457348e9d71d170d9eb560bd4bdb779e610ba816bf776231ebd0af5966f5cdab6815944032ab4dd060ad8dab880549e910f1ffcf6862005432afad",
   362  		"98a47a430d8fd74dc1829a91e3481f8ed024d8ba34c9b903321b04864db333e558ae28653dffb2",
   363  		"3b8f91443480e647473a0a0b03d571c622b7e70e4309a02c9bb7980053010d865e6aec161354dc9f481b2cd5213e09432b57ec4e58fbd0a8549dd15c8c4e74a6529f75fad0ce5a9e20e2beeb2f91eb638bf88999968de438d2f1cedbfb0a1c81f9e8e7362c738e0fddd963692a4f4df9276b7f040979ce874cf6fa3de26da0713784bdb25e4efcb840554ef5b38b5fe8380549a496bd8e423a7456df6f4ae78a07ebe2276a8e22fc2243ec4f78abe0c99c733fd67c8c492699fa5ee2289cdd0a8d469bf883520ee74efb854bfadc7366a49ee65ca4e894e3335e2b672618d362eee12a577dd8dc2ba55c49c1fc3ad68180e9b112d0234d4aa28f5661f1e036450ca6f18be0166676bd80f8a4890c6ddea306fabb7ff3cb2860aa32a827e3a312912a2dfa70f6bc1c07de238448f2d751bd0cf15bf7",
   364  	},
   365  	{ //key=24, plaintext=293
   366  		"e2e001a36c60d2bf40d69ff5b2b1161ea218db263be16a4e",
   367  		"84230643130d05425826641e",
   368  		"adb034f3f4a7ca45e2993812d113a9821d50df151af978bccc6d3bc113e15bc0918fb385377dca1916022ce816d56a332649484043c0fc0f2d37d040182b00a9bbb42ef231f80b48fb3730110d9a4433e38c73264c703579a705b9c031b969ec6d98de9f90e9e78b21179c2eb1e061946cd4bbb844f031ecf6eaac27a4151311adf1b03eda97c9fbae66295f468af4b35faf6ba39f9d8f95873bbc2b51cf3dfec0ed3c9b850696336cc093b24a8765a936d14dd56edc6bf518272169f75e67b74ba452d0aae90416a997c8f31e2e9d54ffea296dc69462debc8347b3e1af6a2d53bdfdfda601134f98db42b609df0a08c9347590c8d86e845bb6373d65a26ab85f67b50569c85401a396b8ad76c2b53ff62bcfbf033e435ef47b9b591d05117c6dc681d68e",
   369  		"d5d7316b8fdee152942148bff007c22e4b2022c6bc7be3c18c5f2e52e004e0b5dc12206bf002bd",
   370  		"f2c39423ee630dfe961da81909159dba018ce09b1073a12a477108316af5b7a31f86be6a0548b572d604bd115ea737dde899e0bd7f7ac9b23e38910dc457551ecc15c814a9f46d8432a1a36097dc1afe2712d1ba0838fa88cb55d9f65a2e9bece0dbf8999562503989041a2c87d7eb80ef649769d2f4978ce5cf9664f2bd0849646aa81cb976e45e1ade2f17a8126219e917aadbb4bae5e2c4b3f57bbc7f13fcc807df7842d9727a1b389e0b749e5191482adacabd812627c6eae2c7a30caf0844ad2a22e08f39edddf0ae10413e47db433dfe3febbb5a5cec9ade21fbba1e548247579395880b747669a8eb7e2ec0c1bff7fed2defdb92b07a14edf07b1bde29c31ab052ff1214e6b5ebbefcb8f21b5d6f8f6e07ee57ad6e14d4e142cb3f51bb465ab3a28a2a12f01b7514ad0463f2bde0d71d221",
   371  	},
   372  	{ //key=32, plaintext=293
   373  		"5394e890d37ba55ec9d5f327f15680f6a63ef5279c79331643ad0af6d2623525",
   374  		"815e840b7aca7af3b324583f",
   375  		"8e63067cd15359f796b43c68f093f55fdf3589fc5f2fdfad5f9d156668a617f7091d73da71cdd207810e6f71a165d0809a597df9885ca6e8f9bb4e616166586b83cc45f49917fc1a256b8bc7d05c476ab5c4633e20092619c4747b26dad3915e9fd65238ee4e5213badeda8a3a22f5efe6582d0762532026c89b4ca26fdd000eb45347a2a199b55b7790e6b1b2dba19833ce9f9522c0bcea5b088ccae68dd99ae0203c81b9f1dd3181c3e2339e83ccd1526b67742b235e872bea5111772aab574ae7d904d9b6355a79178e179b5ae8edc54f61f172bf789ea9c9af21f45b783e4251421b077776808f04972a5e801723cf781442378ce0e0568f014aea7a882dcbcb48d342be53d1c2ebfb206b12443a8a587cc1e55ca23beca385d61d0d03e9d84cbc1b0a",
   376  		"0feccdfae8ed65fa31a0858a1c466f79e8aa658c2f3ba93c3f92158b4e30955e1c62580450beff",
   377  		"b69a7e17bb5af688883274550a4ded0d1aff49a0b18343f4b382f745c163f7f714c9206a32a1ff012427e19431951edd0a755e5f491b0eedfd7df68bbc6085dd2888607a2f998c3e881eb1694109250db28291e71f4ad344a125624fb92e16ea9815047cd1111cabfdc9cb8c3b4b0f40aa91d31774009781231400789ed545404af6c3f76d07ddc984a7bd8f52728159782832e298cc4d529be96d17be898efd83e44dc7b0e2efc645849fd2bba61fef0ae7be0dcab233cc4e2b7ba4e887de9c64b97f2a1818aa54371a8d629dae37975f7784e5e3cc77055ed6e975b1e5f55e6bbacdc9f295ce4ada2c16113cd5b323cf78b7dde39f4a87aa8c141a31174e3584ccbd380cf5ec6d1dba539928b084fa9683e9c0953acf47cc3ac384a2c38914f1da01fb2cfd78905c2b58d36b2574b9df15535d82",
   378  	},
   379  	// These cases test non-standard tag sizes.
   380  	{
   381  		"89c54b0d3bc3c397d5039058c220685f",
   382  		"bc7f45c00868758d62d4bb4d",
   383  		"582670b0baf5540a3775b6615605bd05",
   384  		"48d16cda0337105a50e2ed76fd18e114",
   385  		"fc2d4c4eee2209ddbba6663c02765e6955e783b00156f5da0446e2970b877f",
   386  	},
   387  	{
   388  		"bad6049678bf75c9087b3e3ae7e72c13",
   389  		"a0a017b83a67d8f1b883e561",
   390  		"a1be93012f05a1958440f74a5311f4a1",
   391  		"f7c27b51d5367161dc2ff1e9e3edc6f2",
   392  		"36f032f7e3dc3275ca22aedcdc68436b99a2227f8bb69d45ea5d8842cd08",
   393  	},
   394  	{
   395  		"66a3c722ccf9709525650973ecc100a9",
   396  		"1621d42d3a6d42a2d2bf9494",
   397  		"61fa9dbbed2190fbc2ffabf5d2ea4ff8",
   398  		"d7a9b6523b8827068a6354a6d166c6b9",
   399  		"fef3b20f40e08a49637cc82f4c89b8603fd5c0132acfab97b5fff651c4",
   400  	},
   401  	{
   402  		"562ae8aadb8d23e0f271a99a7d1bd4d1",
   403  		"f7a5e2399413b89b6ad31aff",
   404  		"bbdc3504d803682aa08a773cde5f231a",
   405  		"2b9680b886b3efb7c6354b38c63b5373",
   406  		"e2b7e5ed5ff27fc8664148f5a628a46dcbf2015184fffb82f2651c36",
   407  	},
   408  	{
   409  		"11754cd72aec309bf52f7687212e8957",
   410  		"",
   411  		"",
   412  		"",
   413  		"250327c674aaf477aef2675748cf6971",
   414  	},
   415  }
   416  
   417  func TestAESGCM(t *testing.T) {
   418  	testAllImplementations(t, testAESGCM)
   419  }
   420  
   421  func testAESGCM(t *testing.T, newCipher func(key []byte) cipher.Block) {
   422  	for i, test := range aesGCMTests {
   423  		key, _ := hex.DecodeString(test.key)
   424  		aes := newCipher(key)
   425  
   426  		nonce, _ := hex.DecodeString(test.nonce)
   427  		plaintext, _ := hex.DecodeString(test.plaintext)
   428  		ad, _ := hex.DecodeString(test.ad)
   429  		tagSize := (len(test.result) - len(test.plaintext)) / 2
   430  
   431  		var err error
   432  		var aesgcm cipher.AEAD
   433  		switch {
   434  		// Handle non-standard tag sizes
   435  		case tagSize != 16:
   436  			aesgcm, err = cipher.NewGCMWithTagSize(aes, tagSize)
   437  			if err != nil {
   438  				t.Fatal(err)
   439  			}
   440  
   441  		// Handle 0 nonce size (expect error and continue)
   442  		case len(nonce) == 0:
   443  			aesgcm, err = cipher.NewGCMWithNonceSize(aes, 0)
   444  			if err == nil {
   445  				t.Fatal("expected error for zero nonce size")
   446  			}
   447  			continue
   448  
   449  		// Handle non-standard nonce sizes
   450  		case len(nonce) != 12:
   451  			aesgcm, err = cipher.NewGCMWithNonceSize(aes, len(nonce))
   452  			if err != nil {
   453  				t.Fatal(err)
   454  			}
   455  
   456  		default:
   457  			aesgcm, err = cipher.NewGCM(aes)
   458  			if err != nil {
   459  				t.Fatal(err)
   460  			}
   461  		}
   462  
   463  		ct := aesgcm.Seal(nil, nonce, plaintext, ad)
   464  		if ctHex := hex.EncodeToString(ct); ctHex != test.result {
   465  			t.Errorf("#%d: got %s, want %s", i, ctHex, test.result)
   466  			continue
   467  		}
   468  
   469  		plaintext2, err := aesgcm.Open(nil, nonce, ct, ad)
   470  		if err != nil {
   471  			t.Errorf("#%d: Open failed", i)
   472  			continue
   473  		}
   474  
   475  		if !bytes.Equal(plaintext, plaintext2) {
   476  			t.Errorf("#%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
   477  			continue
   478  		}
   479  
   480  		if len(ad) > 0 {
   481  			ad[0] ^= 0x80
   482  			if _, err := aesgcm.Open(nil, nonce, ct, ad); err == nil {
   483  				t.Errorf("#%d: Open was successful after altering additional data", i)
   484  			}
   485  			ad[0] ^= 0x80
   486  		}
   487  
   488  		nonce[0] ^= 0x80
   489  		if _, err := aesgcm.Open(nil, nonce, ct, ad); err == nil {
   490  			t.Errorf("#%d: Open was successful after altering nonce", i)
   491  		}
   492  		nonce[0] ^= 0x80
   493  
   494  		ct[0] ^= 0x80
   495  		if _, err := aesgcm.Open(nil, nonce, ct, ad); err == nil {
   496  			t.Errorf("#%d: Open was successful after altering ciphertext", i)
   497  		}
   498  		ct[0] ^= 0x80
   499  	}
   500  }
   501  
   502  func TestGCMInvalidTagSize(t *testing.T) {
   503  	testAllImplementations(t, testGCMInvalidTagSize)
   504  }
   505  
   506  func testGCMInvalidTagSize(t *testing.T, newCipher func(key []byte) cipher.Block) {
   507  	key, _ := hex.DecodeString("ab72c77b97cb5fe9a382d9fe81ffdbed")
   508  	aes := newCipher(key)
   509  
   510  	for _, tagSize := range []int{0, 1, aes.BlockSize() + 1} {
   511  		aesgcm, err := cipher.NewGCMWithTagSize(aes, tagSize)
   512  		if aesgcm != nil || err == nil {
   513  			t.Fatalf("NewGCMWithTagSize was successful with an invalid %d-byte tag size", tagSize)
   514  		}
   515  	}
   516  }
   517  
   518  func TestTagFailureOverwrite(t *testing.T) {
   519  	testAllImplementations(t, testTagFailureOverwrite)
   520  }
   521  
   522  func testTagFailureOverwrite(t *testing.T, newCipher func(key []byte) cipher.Block) {
   523  	// The AESNI GCM code decrypts and authenticates concurrently and so
   524  	// overwrites the output buffer before checking the authentication tag.
   525  	// In order to be consistent across platforms, all implementations
   526  	// should do this and this test checks that.
   527  
   528  	key, _ := hex.DecodeString("ab72c77b97cb5fe9a382d9fe81ffdbed")
   529  	nonce, _ := hex.DecodeString("54cc7dc2c37ec006bcc6d1db")
   530  	ciphertext, _ := hex.DecodeString("0e1bde206a07a9c2c1b65300f8c649972b4401346697138c7a4891ee59867d0c")
   531  
   532  	aes := newCipher(key)
   533  	aesgcm, _ := cipher.NewGCM(aes)
   534  
   535  	dst := make([]byte, len(ciphertext)-16)
   536  	for i := range dst {
   537  		dst[i] = 42
   538  	}
   539  
   540  	result, err := aesgcm.Open(dst[:0], nonce, ciphertext, nil)
   541  	if err == nil {
   542  		t.Fatal("Bad Open still resulted in nil error.")
   543  	}
   544  
   545  	if result != nil {
   546  		t.Fatal("Failed Open returned non-nil result.")
   547  	}
   548  
   549  	for i := range dst {
   550  		if dst[i] != 0 {
   551  			t.Fatal("Failed Open didn't zero dst buffer")
   552  		}
   553  	}
   554  }
   555  
   556  func TestGCMCounterWrap(t *testing.T) {
   557  	testAllImplementations(t, testGCMCounterWrap)
   558  }
   559  
   560  func testGCMCounterWrap(t *testing.T, newCipher func(key []byte) cipher.Block) {
   561  	// Test that the last 32-bits of the counter wrap correctly.
   562  	tests := []struct {
   563  		nonce, tag string
   564  	}{
   565  		{"0fa72e25", "37e1948cdfff09fbde0c40ad99fee4a7"},   // counter: 7eb59e4d961dad0dfdd75aaffffffff0
   566  		{"afe05cc1", "438f3aa9fee5e54903b1927bca26bbdf"},   // counter: 75d492a7e6e6bfc979ad3a8ffffffff4
   567  		{"9ffecbef", "7b88ca424df9703e9e8611071ec7e16e"},   // counter: c8bb108b0ecdc71747b9d57ffffffff5
   568  		{"ffc3e5b3", "38d49c86e0abe853ac250e66da54c01a"},   // counter: 706414d2de9b36ab3b900a9ffffffff6
   569  		{"cfdd729d", "e08402eaac36a1a402e09b1bd56500e8"},   // counter: cd0b96fe36b04e750584e56ffffffff7
   570  		{"010ae3d486", "5405bb490b1f95d01e2ba735687154bc"}, // counter: e36c18e69406c49722808104fffffff8
   571  		{"01b1107a9d", "939a585f342e01e17844627492d44dbf"}, // counter: e6d56eaf9127912b6d62c6dcffffffff
   572  	}
   573  	key := newCipher(make([]byte, 16))
   574  	plaintext := make([]byte, 16*17+1)
   575  	for i, test := range tests {
   576  		nonce, _ := hex.DecodeString(test.nonce)
   577  		want, _ := hex.DecodeString(test.tag)
   578  		aead, err := cipher.NewGCMWithNonceSize(key, len(nonce))
   579  		if err != nil {
   580  			t.Fatal(err)
   581  		}
   582  		got := aead.Seal(nil, nonce, plaintext, nil)
   583  		if !bytes.Equal(got[len(plaintext):], want) {
   584  			t.Errorf("test[%v]: got: %x, want: %x", i, got[len(plaintext):], want)
   585  		}
   586  		_, err = aead.Open(nil, nonce, got, nil)
   587  		if err != nil {
   588  			t.Errorf("test[%v]: authentication failed", i)
   589  		}
   590  	}
   591  }
   592  
   593  func TestGCMAsm(t *testing.T) {
   594  	// Create a new pair of AEADs, one using the assembly implementation
   595  	// and one using the generic Go implementation.
   596  	newAESGCM := func(key []byte) (asm, generic cipher.AEAD, err error) {
   597  		block, err := aes.NewCipher(key[:])
   598  		if err != nil {
   599  			return nil, nil, err
   600  		}
   601  		asm, err = cipher.NewGCM(block)
   602  		if err != nil {
   603  			return nil, nil, err
   604  		}
   605  		generic, err = cipher.NewGCM(wrap(block))
   606  		if err != nil {
   607  			return nil, nil, err
   608  		}
   609  		return asm, generic, nil
   610  	}
   611  
   612  	// check for assembly implementation
   613  	var key [16]byte
   614  	asm, generic, err := newAESGCM(key[:])
   615  	if err != nil {
   616  		t.Fatal(err)
   617  	}
   618  	if reflect.TypeOf(asm) == reflect.TypeOf(generic) {
   619  		t.Skipf("no assembly implementation of GCM")
   620  	}
   621  
   622  	// generate permutations
   623  	type pair struct{ align, length int }
   624  	lengths := []int{0, 156, 8192, 8193, 8208}
   625  	keySizes := []int{16, 24, 32}
   626  	alignments := []int{0, 1, 2, 3}
   627  	if testing.Short() {
   628  		keySizes = []int{16}
   629  		alignments = []int{1}
   630  	}
   631  	perms := make([]pair, 0)
   632  	for _, l := range lengths {
   633  		for _, a := range alignments {
   634  			if a != 0 && l == 0 {
   635  				continue
   636  			}
   637  			perms = append(perms, pair{align: a, length: l})
   638  		}
   639  	}
   640  
   641  	// run test for all permutations
   642  	test := func(ks int, pt, ad []byte) error {
   643  		key := make([]byte, ks)
   644  		if _, err := io.ReadFull(rand.Reader, key); err != nil {
   645  			return err
   646  		}
   647  		asm, generic, err := newAESGCM(key)
   648  		if err != nil {
   649  			return err
   650  		}
   651  		if _, err := io.ReadFull(rand.Reader, pt); err != nil {
   652  			return err
   653  		}
   654  		if _, err := io.ReadFull(rand.Reader, ad); err != nil {
   655  			return err
   656  		}
   657  		nonce := make([]byte, 12)
   658  		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
   659  			return err
   660  		}
   661  		want := generic.Seal(nil, nonce, pt, ad)
   662  		got := asm.Seal(nil, nonce, pt, ad)
   663  		if !bytes.Equal(want, got) {
   664  			return errors.New("incorrect Seal output")
   665  		}
   666  		got, err = asm.Open(nil, nonce, want, ad)
   667  		if err != nil {
   668  			return errors.New("authentication failed")
   669  		}
   670  		if !bytes.Equal(pt, got) {
   671  			return errors.New("incorrect Open output")
   672  		}
   673  		return nil
   674  	}
   675  	for _, a := range perms {
   676  		ad := make([]byte, a.align+a.length)
   677  		ad = ad[a.align:]
   678  		for _, p := range perms {
   679  			pt := make([]byte, p.align+p.length)
   680  			pt = pt[p.align:]
   681  			for _, ks := range keySizes {
   682  				if err := test(ks, pt, ad); err != nil {
   683  					t.Error(err)
   684  					t.Errorf("	key size: %v", ks)
   685  					t.Errorf("	plaintext alignment: %v", p.align)
   686  					t.Errorf("	plaintext length: %v", p.length)
   687  					t.Errorf("	additionalData alignment: %v", a.align)
   688  					t.Fatalf("	additionalData length: %v", a.length)
   689  				}
   690  			}
   691  		}
   692  	}
   693  }
   694  
   695  // Test GCM against the general cipher.AEAD interface tester.
   696  func TestGCMAEAD(t *testing.T) {
   697  	testAllImplementations(t, testGCMAEAD)
   698  }
   699  
   700  func testGCMAEAD(t *testing.T, newCipher func(key []byte) cipher.Block) {
   701  	minTagSize := 12
   702  
   703  	for _, keySize := range []int{128, 192, 256} {
   704  		// Use AES as underlying block cipher at different key sizes for GCM.
   705  		t.Run(fmt.Sprintf("AES-%d", keySize), func(t *testing.T) {
   706  			rng := newRandReader(t)
   707  
   708  			key := make([]byte, keySize/8)
   709  			rng.Read(key)
   710  
   711  			block := newCipher(key)
   712  
   713  			// Test GCM with the current AES block with the standard nonce and tag
   714  			// sizes.
   715  			cryptotest.TestAEAD(t, func() (cipher.AEAD, error) { return cipher.NewGCM(block) })
   716  
   717  			// Test non-standard tag sizes.
   718  			t.Run("MinTagSize", func(t *testing.T) {
   719  				cryptotest.TestAEAD(t, func() (cipher.AEAD, error) { return cipher.NewGCMWithTagSize(block, minTagSize) })
   720  			})
   721  
   722  			// Test non-standard nonce sizes.
   723  			for _, nonceSize := range []int{1, 16, 100} {
   724  				t.Run(fmt.Sprintf("NonceSize-%d", nonceSize), func(t *testing.T) {
   725  					cryptotest.TestAEAD(t, func() (cipher.AEAD, error) { return cipher.NewGCMWithNonceSize(block, nonceSize) })
   726  				})
   727  			}
   728  
   729  			// Test NewGCMWithRandomNonce.
   730  			t.Run("GCMWithRandomNonce", func(t *testing.T) {
   731  				if _, ok := block.(*wrapper); ok || boring.Enabled {
   732  					t.Skip("NewGCMWithRandomNonce requires an AES block cipher")
   733  				}
   734  				cryptotest.TestAEAD(t, func() (cipher.AEAD, error) { return cipher.NewGCMWithRandomNonce(block) })
   735  			})
   736  		})
   737  	}
   738  }
   739  
   740  func TestGCMExtraMethods(t *testing.T) {
   741  	testAllImplementations(t, func(t *testing.T, newCipher func([]byte) cipher.Block) {
   742  		t.Run("NewGCM", func(t *testing.T) {
   743  			a, _ := cipher.NewGCM(newCipher(make([]byte, 16)))
   744  			cryptotest.NoExtraMethods(t, &a)
   745  		})
   746  		t.Run("NewGCMWithTagSize", func(t *testing.T) {
   747  			a, _ := cipher.NewGCMWithTagSize(newCipher(make([]byte, 16)), 12)
   748  			cryptotest.NoExtraMethods(t, &a)
   749  		})
   750  		t.Run("NewGCMWithNonceSize", func(t *testing.T) {
   751  			a, _ := cipher.NewGCMWithNonceSize(newCipher(make([]byte, 16)), 12)
   752  			cryptotest.NoExtraMethods(t, &a)
   753  		})
   754  		t.Run("NewGCMWithRandomNonce", func(t *testing.T) {
   755  			block := newCipher(make([]byte, 16))
   756  			if _, ok := block.(*wrapper); ok || boring.Enabled {
   757  				t.Skip("NewGCMWithRandomNonce requires an AES block cipher")
   758  			}
   759  			a, _ := cipher.NewGCMWithRandomNonce(block)
   760  			cryptotest.NoExtraMethods(t, &a)
   761  		})
   762  	})
   763  }
   764  
   765  func TestGCMNoncesFIPSV1(t *testing.T) {
   766  	cryptotest.MustSupportFIPS140(t)
   767  	if !fips140.Enabled {
   768  		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestGCMNoncesFIPSV1$", "-test.v")
   769  		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
   770  		out, err := cmd.CombinedOutput()
   771  		t.Logf("running with GODEBUG=fips140=on:\n%s", out)
   772  		if err != nil {
   773  			t.Errorf("fips140=on subprocess failed: %v", err)
   774  		}
   775  		return
   776  	}
   777  
   778  	tryNonce := func(aead cipher.AEAD, nonce []byte) bool {
   779  		fips140.ResetServiceIndicator()
   780  		aead.Seal(nil, nonce, []byte("x"), nil)
   781  		return fips140.ServiceIndicator()
   782  	}
   783  	expectOK := func(t *testing.T, aead cipher.AEAD, nonce []byte) {
   784  		t.Helper()
   785  		if !tryNonce(aead, nonce) {
   786  			t.Errorf("expected service indicator true for %x", nonce)
   787  		}
   788  	}
   789  	expectPanic := func(t *testing.T, aead cipher.AEAD, nonce []byte) {
   790  		t.Helper()
   791  		defer func() {
   792  			t.Helper()
   793  			if recover() == nil {
   794  				t.Errorf("expected panic for %x", nonce)
   795  			}
   796  		}()
   797  		tryNonce(aead, nonce)
   798  	}
   799  
   800  	t.Run("NewGCMWithCounterNonce", func(t *testing.T) {
   801  		newGCM := func() cipher.AEAD {
   802  			key := make([]byte, 16)
   803  			block, _ := fipsaes.New(key)
   804  			aead, _ := gcm.NewGCMWithCounterNonce(block)
   805  			return aead
   806  		}
   807  
   808  		g := newGCM()
   809  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
   810  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1})
   811  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 100})
   812  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0})
   813  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0})
   814  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0})
   815  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0})
   816  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0})
   817  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0})
   818  		expectOK(t, g, []byte{0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0})
   819  		// Changed name.
   820  		expectPanic(t, g, []byte{0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0})
   821  
   822  		g = newGCM()
   823  		expectOK(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1})
   824  		// Went down.
   825  		expectPanic(t, g, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
   826  
   827  		g = newGCM()
   828  		expectOK(t, g, []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12})
   829  		expectOK(t, g, []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13})
   830  		// Did not increment.
   831  		expectPanic(t, g, []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13})
   832  
   833  		g = newGCM()
   834  		expectOK(t, g, []byte{1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00})
   835  		expectOK(t, g, []byte{1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff})
   836  		// Wrap is ok as long as we don't run out of values.
   837  		expectOK(t, g, []byte{1, 2, 3, 4, 0, 0, 0, 0, 0, 0, 0, 0})
   838  		expectOK(t, g, []byte{1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xfe})
   839  		// Run out of counters.
   840  		expectPanic(t, g, []byte{1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff})
   841  
   842  		g = newGCM()
   843  		expectOK(t, g, []byte{1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff})
   844  		// Wrap with overflow.
   845  		expectPanic(t, g, []byte{1, 2, 3, 5, 0, 0, 0, 0, 0, 0, 0, 0})
   846  	})
   847  
   848  	t.Run("NewGCMForSSH", func(t *testing.T) {
   849  		newGCM := func() cipher.AEAD {
   850  			key := make([]byte, 16)
   851  			block, _ := fipsaes.New(key)
   852  			aead, _ := gcm.NewGCMForSSH(block)
   853  			return aead
   854  		}
   855  		// incIV from x/crypto/ssh/cipher.go.
   856  		incIV := func(iv []byte) {
   857  			for i := 4 + 7; i >= 4; i-- {
   858  				iv[i]++
   859  				if iv[i] != 0 {
   860  					break
   861  				}
   862  			}
   863  		}
   864  
   865  		aead := newGCM()
   866  		iv := decodeHex(t, "11223344"+"0000000000000000")
   867  		expectOK(t, aead, iv)
   868  		incIV(iv)
   869  		expectOK(t, aead, iv)
   870  		iv = decodeHex(t, "11223344"+"fffffffffffffffe")
   871  		expectOK(t, aead, iv)
   872  		incIV(iv)
   873  		expectPanic(t, aead, iv)
   874  
   875  		// Wrapping is ok as long as we don't run out of values.
   876  		aead = newGCM()
   877  		iv = decodeHex(t, "11223344"+"fffffffffffffffe")
   878  		expectOK(t, aead, iv)
   879  		incIV(iv)
   880  		expectOK(t, aead, iv)
   881  		incIV(iv)
   882  		expectOK(t, aead, iv)
   883  		incIV(iv)
   884  		expectOK(t, aead, iv)
   885  
   886  		aead = newGCM()
   887  		iv = decodeHex(t, "11223344"+"aaaaaaaaaaaaaaaa")
   888  		expectOK(t, aead, iv)
   889  		iv = decodeHex(t, "11223344"+"ffffffffffffffff")
   890  		expectOK(t, aead, iv)
   891  		incIV(iv)
   892  		expectOK(t, aead, iv)
   893  		iv = decodeHex(t, "11223344"+"aaaaaaaaaaaaaaa8")
   894  		expectOK(t, aead, iv)
   895  		incIV(iv)
   896  		expectPanic(t, aead, iv)
   897  		iv = decodeHex(t, "11223344"+"bbbbbbbbbbbbbbbb")
   898  		expectPanic(t, aead, iv)
   899  	})
   900  }
   901  
   902  func decodeHex(t *testing.T, s string) []byte {
   903  	t.Helper()
   904  	b, err := hex.DecodeString(s)
   905  	if err != nil {
   906  		t.Fatal(err)
   907  	}
   908  	return b
   909  }
   910
View as plain text