aws · ttunglee · Oct 14, 2025 · Oct 15, 2025 · Oct 15, 2025 · Oct 15, 2025
@@ -22,6 +22,7 @@
 #include <openssl/aead.h>
 #include <openssl/cipher.h>
 #include <openssl/err.h>
+#include <openssl/digest.h>
 
 #include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
@@ -91,6 +92,9 @@ static const struct KnownAEAD kAEADs[] = {
 
     {"AES_256_GCM", EVP_aead_aes_256_gcm, "aes_256_gcm_tests.txt",
      kCanTruncateTags | kVariableNonce},
+
+    {"XAES_256_GCM", EVP_aead_xaes_256_gcm, "xaes_256_gcm_tests.txt",
+     kCanTruncateTags | kVariableNonce}, 
 
     {"AES_256_GCM_NIST", EVP_aead_aes_256_gcm, "nist_cavp/aes_256_gcm.txt",
      kCanTruncateTags | kVariableNonce},
@@ -1437,6 +1441,8 @@ static const EvpAeadCtxSerdeTestParams kEvpAeadCtxSerde[] = {
      17},
     {"EVP_aead_aes_256_gcm", EVP_aead_aes_256_gcm(), kEvpAeadCtxKey, 32, 16,
      18},
+     {"EVP_aead_xaes_256_gcm", EVP_aead_xaes_256_gcm(), kEvpAeadCtxKey, 32, 16,
+     29},
     {"EVP_aead_chacha20_poly1305", EVP_aead_chacha20_poly1305(), kEvpAeadCtxKey,
      32, 16, 5},
     {"EVP_aead_xchacha20_poly1305", EVP_aead_xchacha20_poly1305(),
@@ -1603,3 +1609,102 @@ TEST(EvpAeadCtxSerdeTest, ID) {
     ASSERT_TRUE(identifiers[id]);
   }
 }
+
+TEST(CipherTest, XAES_256_GCM_EVP_AEAD) {
+    // Test invalid nonce sizes and key length
+    {
+        std::vector<uint8_t> key(32), nonce(24), plaintext(1), ciphertext(20);
+        const size_t tag_size = 16;
+        bssl::ScopedEVP_AEAD_CTX ctx;
+        // Invalid key length
+        int key_len = 24; 
+        ASSERT_FALSE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_xaes_256_gcm(), key.data(), key_len, tag_size, nullptr));
+        // Use 256-bit key length
+        key_len = 32;
+        // Encryption
+        ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_xaes_256_gcm(), key.data(), key_len, tag_size, nullptr));
+
+        int nonce_len = 24;
+        size_t plaintext_len = 0, ciphertext_len = 0;
+        // Invalid nonce and nonce size
+        ASSERT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext.data(), &ciphertext_len,
+                                plaintext_len +  EVP_AEAD_max_overhead(EVP_aead_xaes_256_gcm()), 
+                                nullptr, nonce_len, plaintext.data(), plaintext_len, nullptr, 0)); 
+        nonce_len = 19;
+        ASSERT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext.data(), &ciphertext_len,
+                                plaintext_len +  EVP_AEAD_max_overhead(EVP_aead_xaes_256_gcm()), 
+                                nonce.data(), nonce_len, plaintext.data(), plaintext_len, nullptr, 0));
+        nonce_len = 25;
+        ASSERT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext.data(), &ciphertext_len,
+                                plaintext_len +  EVP_AEAD_max_overhead(EVP_aead_xaes_256_gcm()), 
+                                nonce.data(), nonce_len, plaintext.data(), plaintext_len, nullptr, 0));
+
+        nonce_len = 24;
+        // Invalid max output size
+        ASSERT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext.data(), &ciphertext_len,
+                                plaintext_len, nonce.data(), nonce_len, plaintext.data(), 
+                                plaintext_len, nullptr, 0));
+
+        // Decryption   
+        bssl::ScopedEVP_AEAD_CTX dctx;
+        ASSERT_TRUE(EVP_AEAD_CTX_init(dctx.get(), EVP_aead_xaes_256_gcm(), key.data(), key_len, tag_size, nullptr));
+        // Invalid nonce and nonce size
+        nonce_len = 24;
+        ASSERT_FALSE(EVP_AEAD_CTX_open(dctx.get(), plaintext.data(), &plaintext_len, ciphertext.size() - tag_size,
+                                nullptr, nonce_len, ciphertext.data(), ciphertext.size(), nullptr, 0));
+        nonce_len = 19;
+        ASSERT_FALSE(EVP_AEAD_CTX_open(dctx.get(), plaintext.data(), &plaintext_len, ciphertext.size() - tag_size,
+                                nonce.data(), nonce_len, ciphertext.data(), ciphertext.size(), nullptr, 0));
+        nonce_len = 25;
+        ASSERT_FALSE(EVP_AEAD_CTX_open(dctx.get(), plaintext.data(), &plaintext_len, ciphertext.size() - tag_size,
+                                nonce.data(), nonce_len, ciphertext.data(), ciphertext.size(), nullptr, 0));
+    }
+
+    // Source of multi-loop tests: 
+    // https://github.com/C2SP/C2SP/blob/main/XAES-256-GCM/go/XAES-256-GCM_test.go 
+    const auto test = [](int n, const char *output) {
+        bssl::ScopedEVP_MD_CTX s;        
+        ASSERT_TRUE(EVP_DigestInit(s.get(), EVP_shake128()));
+        bssl::ScopedEVP_MD_CTX d;        
+        ASSERT_TRUE(EVP_DigestInit(d.get(), EVP_shake128()));
+
+        std::vector<uint8_t> key(32), nonce(24), plaintext_len(1), plaintext(256);
+        std::vector<uint8_t> aad_len(1), aad(256), ciphertext(272), decrypted(256);
+        int key_len = 32, nonce_len = 24, tag_size = 16;
+
+        for(int i = 0; i < n; ++i) {    
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), key.data(), key_len));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), nonce.data(), nonce_len));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), plaintext_len.data(), 1));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), plaintext.data(), plaintext_len[0]));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), aad_len.data(), 1));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), aad.data(), aad_len[0]));
+
+            // XAES-256-GCM Encryption
+            bssl::ScopedEVP_AEAD_CTX ctx;
+            ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_xaes_256_gcm(), key.data(), key_len, tag_size, nullptr));
+
+            size_t ciphertext_len = 0;
+            ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext.data(), &ciphertext_len,
+                                    plaintext_len[0] +  EVP_AEAD_max_overhead(EVP_aead_xaes_256_gcm()), 
+                                    nonce.data(), nonce_len, plaintext.data(), plaintext_len[0], aad.data(), aad_len[0]));
+            ASSERT_TRUE(EVP_DigestUpdate(d.get(), ciphertext.data(), ciphertext_len));
+
+            // XAES-256-GCM Decryption
+            bssl::ScopedEVP_AEAD_CTX dctx;
+            ASSERT_TRUE(EVP_AEAD_CTX_init(dctx.get(), EVP_aead_xaes_256_gcm(), key.data(), 32, tag_size, nullptr));
+            size_t len = 0;
+            ASSERT_TRUE(EVP_AEAD_CTX_open(dctx.get(), decrypted.data(), &len, ciphertext_len - tag_size,
+                                    nonce.data(), nonce_len, ciphertext.data(), ciphertext_len, aad.data(), aad_len[0]));
+            ASSERT_EQ(Bytes(decrypted.data(), len), Bytes(plaintext.data(), plaintext_len[0]));
+        }
+        std::vector<uint8_t> expected;
+        ConvertToBytes(&expected, output);
+        uint8_t got[32] = {0};
+        ASSERT_TRUE(EVP_DigestFinalXOF(d.get(), got, 32));
+        ASSERT_EQ(Bytes(got, 32), Bytes(expected)); 
+    };
+
+    test(10000, "e6b9edf2df6cec60c8cbd864e2211b597fb69a529160cd040d56c0c210081939");
+    test(1000000, "2163ae1445985a30b60585ee67daa55674df06901b890593e824b8a7c885ab15");
+}
@@ -89,6 +89,7 @@ static const struct {
     {NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr},
     {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb},
     {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm},
+    {NID_xaes_256_gcm, "xaes-256-gcm", EVP_xaes_256_gcm},
     {NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb},
     {NID_aes_256_xts, "aes-256-xts", EVP_aes_256_xts},
     {NID_chacha20_poly1305, "chacha20-poly1305", EVP_chacha20_poly1305},
@@ -114,7 +115,8 @@ static const struct {
     {"aes128", "aes-128-cbc"},
     {"id-aes128-gcm", "aes-128-gcm"},
     {"id-aes192-gcm", "aes-192-gcm"},
-    {"id-aes256-gcm", "aes-256-gcm"}
+    {"id-aes256-gcm", "aes-256-gcm"},
+    {"id-xaes256-gcm", "xaes-256-gcm"}
 };
 
 const EVP_CIPHER *EVP_get_cipherbynid(int nid) {

@@ -68,6 +68,7 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 #include <openssl/span.h>
+#include <openssl/digest.h>
 
 #include "../internal.h"
 #include "../test/file_test.h"
@@ -127,6 +128,8 @@ static const EVP_CIPHER *GetCipher(const std::string &name) {
     return EVP_aes_192_ccm();
   } else if (name == "AES-256-CCM") {
     return EVP_aes_256_ccm();
+  } else if (name == "XAES-256-GCM") {
+    return EVP_xaes_256_gcm();
   }
   return nullptr;
 }
@@ -1080,6 +1083,7 @@ TEST(CipherTest, GetCipher) {
   test_get_cipher(NID_aes_256_ctr, "aes-256-ctr");
   test_get_cipher(NID_aes_256_ecb, "aes-256-ecb");
   test_get_cipher(NID_aes_256_gcm, "aes-256-gcm");
+  test_get_cipher(NID_xaes_256_gcm, "xaes-256-gcm");
   test_get_cipher(NID_aes_256_ofb128, "aes-256-ofb");
   test_get_cipher(NID_aes_256_xts, "aes-256-xts");
   test_get_cipher(NID_chacha20_poly1305, "chacha20-poly1305");
@@ -1102,6 +1106,7 @@ TEST(CipherTest, GetCipher) {
   test_get_cipher(NID_aes_128_gcm, "id-aes128-gcm");
   test_get_cipher(NID_aes_192_gcm, "id-aes192-gcm");
   test_get_cipher(NID_aes_256_gcm, "id-aes256-gcm");
+  test_get_cipher(NID_xaes_256_gcm, "id-xaes256-gcm");
 
   // error case
   EXPECT_FALSE(EVP_get_cipherbyname(nullptr));
@@ -1454,3 +1459,96 @@ TEST(CipherTest, Empty_EVP_CIPHER_CTX_V1187459157) {
   CHECK_ERROR(EVP_DecryptUpdate(ctx.get(), out_vec.data(), &out_len, in_vec.data(), in_len), ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
   CHECK_ERROR(EVP_DecryptFinal(ctx.get(), out_vec.data(), &out_len), ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 }
+
+TEST(CipherTest, XAES_256_GCM_EVP_CIPHER) {
+    // Test invalid nonce sizes and key length
+    {
+        std::vector<uint8_t> key(32), nonce(24);
+
+        // XAES-256-GCM Encryption  
+        bssl::UniquePtr<EVP_CIPHER_CTX> ctx(EVP_CIPHER_CTX_new());
+        ASSERT_TRUE(ctx);
+        ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), EVP_xaes_256_gcm(), NULL, NULL, NULL, 1));
+
+        // Valid nonce size: 20 bytes <= |N| <= 24 bytes 
+        // Test invalid nonce size 
+        ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_IVLEN, 19, NULL));
+        ASSERT_FALSE(EVP_CipherInit_ex(ctx.get(), NULL, NULL, key.data(), nonce.data(), -1));
+        ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_IVLEN, 25, NULL));
+        ASSERT_FALSE(EVP_CipherInit_ex(ctx.get(), NULL, NULL, key.data(), nonce.data(), -1));
+        ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_IVLEN, 24, NULL));
+
+        // Valid key length: 32 bytes 
+        // Test invalid key length 
+        ctx.get()->key_len = 24;
+        ASSERT_FALSE(EVP_CipherInit_ex(ctx.get(), NULL, NULL, key.data(), nonce.data(), -1));
+    }
+
+    // Source of multi-loop tests: 
+    // https://github.com/C2SP/C2SP/blob/main/XAES-256-GCM/go/XAES-256-GCM_test.go 
+    const auto test = [](int n, const char *output) {
+        bssl::ScopedEVP_MD_CTX s;        
+        ASSERT_TRUE(EVP_DigestInit(s.get(), EVP_shake128()));
+        bssl::ScopedEVP_MD_CTX d;        
+        ASSERT_TRUE(EVP_DigestInit(d.get(), EVP_shake128()));
+
+        bssl::UniquePtr<EVP_CIPHER_CTX> ctx(EVP_CIPHER_CTX_new());
+        ASSERT_TRUE(ctx);
+        ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), EVP_xaes_256_gcm(), NULL, NULL, NULL, 1));
+        ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_IVLEN, 24, NULL));
+
+        bssl::UniquePtr<EVP_CIPHER_CTX> dctx(EVP_CIPHER_CTX_new());
+        ASSERT_TRUE(dctx);
+        ASSERT_TRUE(EVP_DecryptInit_ex(dctx.get(), EVP_xaes_256_gcm(), NULL, NULL, NULL));
+        ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(dctx.get(), EVP_CTRL_AEAD_SET_IVLEN, 24, NULL));
+
+        std::vector<uint8_t> key(32), nonce(24), plaintext_len(1), plaintext(256);
+        std::vector<uint8_t> aad_len(1), aad(256), ciphertext(256), tag(16);
+        int tag_size = 16;
+
+        for(int i = 0; i < n; ++i) {    
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), key.data(), 32));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), nonce.data(), 24));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), plaintext_len.data(), 1));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), plaintext.data(), plaintext_len[0]));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), aad_len.data(), 1));
+            ASSERT_TRUE(EVP_DigestSqueeze(s.get(), aad.data(), aad_len[0]));
+
+            // XAES-256-GCM Encryption
+            ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), NULL, NULL, key.data(), nonce.data(), -1));
+            ASSERT_EQ(aad_len[0], EVP_Cipher(ctx.get(), NULL, aad.data(), aad_len[0]));
+            int ciphertext_len = 0;
+            ASSERT_TRUE(EVP_CipherUpdate(ctx.get(), ciphertext.data(), &ciphertext_len, 
+                        plaintext.data(), plaintext_len[0]));
+
+            int len = 0;
+            ASSERT_TRUE(EVP_CipherFinal_ex(ctx.get(), ciphertext.data() + ciphertext_len, &len));
+            ciphertext_len += len;
+            ASSERT_TRUE(EVP_DigestUpdate(d.get(), ciphertext.data(), ciphertext_len));
+
+            ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_GET_TAG, tag_size, tag.data()));
+            ASSERT_TRUE(EVP_DigestUpdate(d.get(), tag.data(), tag_size));
+
+            // XAES-256-GCM Decryption
+            ASSERT_TRUE(EVP_DecryptInit_ex(dctx.get(), NULL, NULL, key.data(), nonce.data()));
+            ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(dctx.get(), EVP_CTRL_AEAD_SET_TAG, tag_size, tag.data()));
+
+            std::vector<uint8_t> decrypted;
+            decrypted.resize(plaintext_len[0]);
+            len = 0;
+            EVP_DecryptUpdate(dctx.get(), NULL, &len, aad.data(), aad_len[0]);
+            ASSERT_TRUE(EVP_DecryptUpdate(dctx.get(), (uint8_t*)decrypted.data(), &len, ciphertext.data(), ciphertext_len));
+            ASSERT_TRUE(EVP_DecryptFinal(dctx.get(), (uint8_t*)decrypted.data() + len, &len));
+
+            ASSERT_EQ(Bytes(decrypted), Bytes(plaintext.data(), plaintext_len[0]));
+        }
+        std::vector<uint8_t> expected;
+        ASSERT_TRUE(ConvertToBytes(&expected, output));
+        uint8_t got[32] = {0};
+        ASSERT_TRUE(EVP_DigestFinalXOF(d.get(), got, 32));
+        ASSERT_EQ(Bytes(got, 32), Bytes(expected)); 
+    };
+
+    test(10000, "e6b9edf2df6cec60c8cbd864e2211b597fb69a529160cd040d56c0c210081939");
+    test(1000000, "2163ae1445985a30b60585ee67daa55674df06901b890593e824b8a7c885ab15");
+}
@@ -506,6 +506,32 @@ AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
 Tag = a44a8266ee1c8eb0c8b5d4cf5ae9f19b
 Operation = InvalidDecrypt
 
+# Source of test vectors: 
+# https://github.com/C2SP/C2SP/blob/main/XAES-256-GCM.md 
+Cipher = XAES-256-GCM
+Key = 0101010101010101010101010101010101010101010101010101010101010101
+IV = 424242424242424242424242424242424242424242424242
+Plaintext = 48656c6c6f2c20584145532d3235362d47434d21
+Ciphertext = 01e5f78bc99de880bd2eeff2870d361f0eab5b2f
+AAD = 
+Tag = c55268f34b14045878fe3668db980319
+
+Cipher = XAES-256-GCM
+Key = 0101010101010101010101010101010101010101010101010101010101010101
+IV = 4142434445464748494a4b4c4d4e4f505152535455565758
+Plaintext = 584145532d3235362d47434d
+Ciphertext = ce546ef63c9cc60765923609
+AAD = 
+Tag = b33a9a1974e96e52daf2fcf7075e2271
+
+Cipher = XAES-256-GCM
+Key = 0303030303030303030303030303030303030303030303030303030303030303
+IV = 4142434445464748494a4b4c4d4e4f505152535455565758
+Plaintext = 584145532d3235362d47434d
+Ciphertext = 986ec1832593df5443a17943
+AAD = 633273702e6f72672f584145532d3235362d47434d
+Tag = 7fd083bf3fdb41abd740a21f71eb769d
+
 # local add-ons, primarily streaming ghash tests
 # 128 bytes aad
 Cipher = AES-128-GCM

@@ -0,0 +1,23 @@
+# The XAES-256-GCM test cases from cipher_tests.txt have been merged into this
+# file.
+
+KEY: 0101010101010101010101010101010101010101010101010101010101010101
+NONCE: 424242424242424242424242424242424242424242424242
+IN: 48656c6c6f2c20584145532d3235362d47434d21
+AD:
+CT: 01e5f78bc99de880bd2eeff2870d361f0eab5b2f
+TAG: c55268f34b14045878fe3668db980319
+
+KEY: 0101010101010101010101010101010101010101010101010101010101010101
+NONCE: 4142434445464748494a4b4c4d4e4f505152535455565758
+IN: 584145532d3235362d47434d
+AD: 
+CT: ce546ef63c9cc60765923609
+TAG: b33a9a1974e96e52daf2fcf7075e2271
+
+KEY: 0303030303030303030303030303030303030303030303030303030303030303
+NONCE: 4142434445464748494a4b4c4d4e4f505152535455565758
+IN: 584145532d3235362d47434d
+AD: 633273702e6f72672f584145532d3235362d47434d
+CT: 986ec1832593df5443a17943
+TAG: 7fd083bf3fdb41abd740a21f71eb769d