Resolve comments of Sanketh

Author: ttungle96

crypto/fipsmodule/cipher/e_aes.c

@@ -1784,7 +1784,6 @@ Extension to support nonce size less than 24 bytes:
 #define XAES_256_GCM_KEY_COMMIT_SIZE (AES_BLOCK_SIZE * 2)
 #define XAES_256_GCM_MAX_NONCE_SIZE  (AES_GCM_NONCE_LENGTH * 2)
 #define XAES_256_GCM_MIN_NONCE_SIZE  (20)
-
 /* 
 The following function performs the step #2 of CMAC specified in: 
 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38b.pdf#page=14 
@@ -1806,6 +1805,15 @@ do {                                                \
     out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);   \
 } while(0);
 
+// Reference for nonce size < 24 bytes: 
+// https://eprint.iacr.org/2025/758.pdf#page=24 
+/* When nonce size b < 24 bytes, it uses bytes [b-12:b]
+ * of input nonce as iv for the underlying AES encryption. 
+ * nonce_len is b in the referece, where 20 <= b <= 24 */
+static inline const uint8_t *get_iv_for_aes_gcm(const uint8_t *nonce, const size_t nonce_len) {
+    return nonce + nonce_len - AES_GCM_NONCE_LENGTH;
+}
+
 static int xaes_256_gcm_CMAC_derive_key(AES_KEY *xaes_key, uint8_t *k1, 
                                 const uint8_t* nonce, uint8_t *derived_key) { 
     uint8_t M[AES_BLOCK_SIZE] = {0x00, 0x01, 0x58, 0x00};
@@ -1859,10 +1867,8 @@ static int xaes_256_gcm_set_gcm_key(EVP_CIPHER_CTX *ctx, const uint8_t *nonce, i
     // set the nonce (iv) length to AES_GCM_NONCE_LENGTH.
     gctx->ivlen = AES_GCM_NONCE_LENGTH;
 
-    // For nonce size < 24 bytes
-    // Reference: https://eprint.iacr.org/2025/758.pdf#page=24
-    aes_gcm_init_key(ctx, derived_key, nonce + ivlen - AES_GCM_NONCE_LENGTH, enc);
-
+    aes_gcm_init_key(ctx, derived_key, get_iv_for_aes_gcm(nonce, ivlen), enc);
+    
     // Re-assign the original nonce size of XAES-256-GCM (20 <= |N| <= 24)
     gctx->ivlen = ivlen;
 
@@ -1988,14 +1994,9 @@ static int aead_xaes_256_gcm_seal_scatter(
         return 0;
     }
 
-    // Reference for nonce size < 24 bytes: 
-    // https://eprint.iacr.org/2025/758.pdf#page=24 
-    /* When nonce size b < 24 bytes, it uses bytes [b-12:b]
-     * of input nonce as iv for the underlying AES encryption. 
-     * nonce_len is b in the referece, where 20 <= b <= 24 */
     return aead_aes_gcm_seal_scatter_impl(
         &gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len, 
-        nonce + nonce_len - AES_GCM_NONCE_LENGTH, AES_GCM_NONCE_LENGTH,
+        get_iv_for_aes_gcm(nonce, nonce_len), AES_GCM_NONCE_LENGTH,
         in, in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);
 }
 
@@ -2013,13 +2014,8 @@ static int aead_xaes_256_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
         return 0;
     }
 
-    // Reference for nonce size < 24 bytes: 
-    // https://eprint.iacr.org/2025/758.pdf#page=24
-    /* When nonce size b < 24 bytes, it uses bytes [b-12:b]
-     * of input nonce as iv for the underlying AES decryption. 
-     * nonce_len is b in the referece, where 20 <= b <= 24 */
     return aead_aes_gcm_open_gather_impl(
-        &gcm_ctx, out, nonce + nonce_len - AES_GCM_NONCE_LENGTH, 
+        &gcm_ctx, out, get_iv_for_aes_gcm(nonce, nonce_len), 
         AES_GCM_NONCE_LENGTH, in, in_len, in_tag, in_tag_len,
         ad, ad_len, ctx->tag_len);
 }

include/openssl/aead.h

@@ -121,6 +121,9 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_192_gcm(void);
 // parameters, only use 12-byte nonces.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);
 
+// EVP_aead_xaes_256_gcm is AES-256 in Galois Counter Mode with CMAC-based KDF
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_xaes_256_gcm(void);
+
 // EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and
 // Poly1305 as described in RFC 8439.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
@@ -431,9 +434,6 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls13(void);
 // 1.3 nonce construction.
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls13(void);
 
-// EVP_aead_xaes_256_gcm is AES-256 in Galois Counter Mode with CMAC-based KDF
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_xaes_256_gcm(void);
-
 // Obscure functions.
 
 // evp_aead_direction_t denotes the direction of an AEAD operation.

tool/speed.cc

@@ -2950,7 +2950,9 @@ bool Speed(const std::vector<std::string> &args) {
        !SpeedEvpCipherGeneric(EVP_aes_128_gcm(), "EVP-AES-128-GCM", kTLSADLen, selected) ||
        !SpeedEvpCipherGeneric(EVP_aes_192_gcm(), "EVP-AES-192-GCM", kTLSADLen, selected) ||
        !SpeedEvpCipherGeneric(EVP_aes_256_gcm(), "EVP-AES-256-GCM", kTLSADLen, selected) ||
+#if AWSLC_API_VERSION > 34
        !SpeedEvpCipherGeneric(EVP_xaes_256_gcm(), "EVP-XAES-256-GCM", kTLSADLen, selected) ||
+#endif 
        !SpeedEvpCipherGeneric(EVP_aes_128_ctr(), "EVP-AES-128-CTR", kTLSADLen, selected) ||
        !SpeedEvpCipherGeneric(EVP_aes_192_ctr(), "EVP-AES-192-CTR", kTLSADLen, selected) ||
        !SpeedEvpCipherGeneric(EVP_aes_256_ctr(), "EVP-AES-256-CTR", kTLSADLen, selected) ||
@@ -3057,7 +3059,7 @@ bool Speed(const std::vector<std::string> &args) {
        !SpeedAEADOpen(EVP_aead_xaes_256_gcm(), "AEAD-XAES-256-GCM", kTLSADLen, selected) ||
 #endif 
 #if AWSLC_API_VERSION > 31
-       !SpeedDigestSign(selected) || 
+       !SpeedDigestSign(selected) ||
 #endif
        !SpeedAEADSeal(EVP_aead_aes_128_gcm(), "AEAD-AES-128-GCM", kTLSADLen, selected) ||
        !SpeedAEADOpen(EVP_aead_aes_128_gcm(), "AEAD-AES-128-GCM", kTLSADLen, selected) ||