core/crypto/aead: Initial import

core/crypto/aead/aead.odin

@@ -0,0 +1,36 @@
+package aead
+
+// seal_oneshot encrypts the plaintext and authenticates the aad and ciphertext,
+// with the provided algorithm, key, and iv, stores the output in dst and tag.
+//
+// dst and plaintext MUST alias exactly or not at all.
+seal_oneshot :: proc(algo: Algorithm, dst, tag, key, iv, aad, plaintext: []byte, impl: Implementation = nil) {
+	ctx: Context
+	init(&ctx, algo, key, impl)
+	defer reset(&ctx)
+	seal_ctx(&ctx, dst, tag, iv, aad, plaintext)
+}
+
+// open authenticates the aad and ciphertext, and decrypts the ciphertext,
+// with the provided algorithm, key, iv, and tag, and stores the output in dst,
+// returning true iff the authentication was successful.  If authentication
+// fails, the destination buffer will be zeroed.
+//
+// dst and plaintext MUST alias exactly or not at all.
+@(require_results)
+open_oneshot :: proc(algo: Algorithm, dst, key, iv, aad, ciphertext, tag: []byte, impl: Implementation = nil) -> bool {
+	ctx: Context
+	init(&ctx, algo, key, impl)
+	defer reset(&ctx)
+	return open_ctx(&ctx, dst, iv, aad, ciphertext, tag)
+}
+
+seal :: proc {
+	seal_ctx,
+	seal_oneshot,
+}
+
+open :: proc {
+	open_ctx,
+	open_oneshot,
+}

core/crypto/aead/doc.odin

@@ -0,0 +1,58 @@
+/*
+package aead provides a generic interface to the supported Authenticated
+Encryption with Associated Data algorithms.
+
+Both a one-shot and context based interface are provided, with similar
+usage.  If multiple messages are to be sealed/opened via the same key,
+the context based interface may be more efficient, depending on the
+algorithm.
+
+WARNING: Reusing the same key + iv to seal (encrypt) multiple messages
+results in catastrophic loss of security for most algorithms.
+
+```odin
+package aead_example
+
+import "core:bytes"
+import "core:crypto"
+import "core:crypto/aead"
+
+main :: proc() {
+	algo := aead.Algorithm.XCHACHA20POLY1305
+
+	// The example added associated data, and plaintext.
+	aad_str := "Get your ass in gear boys."
+	pt_str := "They're immanetizing the Eschaton."
+
+	aad := transmute([]byte)aad_str
+	plaintext := transmute([]byte)pt_str
+	pt_len := len(plaintext)
+
+	// Generate a random key for the purposes of illustration.
+	key := make([]byte, aead.KEY_SIZES[algo])
+	defer delete(key)
+	crypto.rand_bytes(key)
+
+	// `ciphertext || tag`, is a common way data is transmitted, so
+	// demonstrate that.
+	buf := make([]byte, pt_len + aead.TAG_SIZES[algo])
+	defer delete(buf)
+	ciphertext, tag := buf[:pt_len], buf[pt_len:]
+
+	// Seal the AAD + Plaintext.
+	iv := make([]byte, aead.IV_SIZES[algo])
+	defer delete(iv)
+	crypto.rand_bytes(iv) // Random IVs are safe with XChaCha20-Poly1305.
+	aead.seal(algo, ciphertext, tag, key, iv, aad, plaintext)
+
+	// Open the AAD + Ciphertext.
+	opened_pt := buf[:pt_len]
+	if ok := aead.open(algo, opened_pt, key, iv, aad, ciphertext, tag); !ok {
+		panic("aead example: failed to open")
+	}
+
+	assert(bytes.equal(opened_pt, plaintext))
+}
+```
+*/
+package aead

core/crypto/aead/low_level.odin

@@ -0,0 +1,187 @@
+package aead
+
+import "core:crypto/aes"
+import "core:crypto/chacha20"
+import "core:crypto/chacha20poly1305"
+import "core:reflect"
+
+// Implementation is an AEAD implementation.  Most callers will not need
+// to use this as the package will automatically select the most performant
+// implementation available.
+Implementation :: union {
+	aes.Implementation,
+	chacha20.Implementation,
+}
+
+// MAX_TAG_SIZE is the maximum size tag that can be returned by any of the
+// Algorithms supported via this package.
+MAX_TAG_SIZE :: 16
+
+// Algorithm is the algorithm identifier associated with a given Context.
+Algorithm :: enum {
+	Invalid,
+	AES_GCM_128,
+	AES_GCM_192,
+	AES_GCM_256,
+	CHACHA20POLY1305,
+	XCHACHA20POLY1305,
+}
+
+// ALGORITM_NAMES is the Agorithm to algorithm name string.
+ALGORITHM_NAMES := [Algorithm]string {
+	.Invalid           = "Invalid",
+	.AES_GCM_128       = "AES-GCM-128",
+	.AES_GCM_192       = "AES-GCM-192",
+	.AES_GCM_256       = "AES-GCM-256",
+	.CHACHA20POLY1305  = "chacha20poly1305",
+	.XCHACHA20POLY1305 = "xchacha20poly1305",
+}
+
+// TAG_SIZES is the Algorithm to tag size in bytes.
+TAG_SIZES := [Algorithm]int {
+	.Invalid           = 0,
+	.AES_GCM_128       = aes.GCM_TAG_SIZE,
+	.AES_GCM_192       = aes.GCM_TAG_SIZE,
+	.AES_GCM_256       = aes.GCM_TAG_SIZE,
+	.CHACHA20POLY1305  = chacha20poly1305.TAG_SIZE,
+	.XCHACHA20POLY1305 = chacha20poly1305.TAG_SIZE,
+}
+
+// KEY_SIZES is the Algorithm to key size in bytes.
+KEY_SIZES := [Algorithm]int {
+	.Invalid           = 0,
+	.AES_GCM_128       = aes.KEY_SIZE_128,
+	.AES_GCM_192       = aes.KEY_SIZE_192,
+	.AES_GCM_256       = aes.KEY_SIZE_256,
+	.CHACHA20POLY1305  = chacha20poly1305.KEY_SIZE,
+	.XCHACHA20POLY1305 = chacha20poly1305.KEY_SIZE,
+}
+
+// IV_SIZES is the Algorithm to initialization vector size in bytes.
+//
+// Note: Some algorithms (such as AES-GCM) support variable IV sizes.
+IV_SIZES := [Algorithm]int {
+	.Invalid           = 0,
+	.AES_GCM_128       = aes.GCM_IV_SIZE,
+	.AES_GCM_192       = aes.GCM_IV_SIZE,
+	.AES_GCM_256       = aes.GCM_IV_SIZE,
+	.CHACHA20POLY1305  = chacha20poly1305.IV_SIZE,
+	.XCHACHA20POLY1305 = chacha20poly1305.XIV_SIZE,
+}
+
+// Context is a concrete instantiation of a specific AEAD algorithm.
+Context :: struct {
+	_algo: Algorithm,
+	_impl: union {
+		aes.Context_GCM,
+		chacha20poly1305.Context,
+	},
+}
+
+@(private)
+_IMPL_IDS := [Algorithm]typeid {
+	.Invalid           = nil,
+	.AES_GCM_128       = typeid_of(aes.Context_GCM),
+	.AES_GCM_192       = typeid_of(aes.Context_GCM),
+	.AES_GCM_256       = typeid_of(aes.Context_GCM),
+	.CHACHA20POLY1305  = typeid_of(chacha20poly1305.Context),
+	.XCHACHA20POLY1305 = typeid_of(chacha20poly1305.Context),
+}
+
+// init initializes a Context with a specific AEAD Algorithm.
+init :: proc(ctx: ^Context, algorithm: Algorithm, key: []byte, impl: Implementation = nil) {
+	if ctx._impl != nil {
+		reset(ctx)
+	}
+
+	if len(key) != KEY_SIZES[algorithm] {
+		panic("crypto/aead: invalid key size")
+	}
+
+	// Directly specialize the union by setting the type ID (save a copy).
+	reflect.set_union_variant_typeid(
+		ctx._impl,
+		_IMPL_IDS[algorithm],
+	)
+	switch algorithm {
+	case .AES_GCM_128, .AES_GCM_192, .AES_GCM_256:
+		impl_ := impl != nil ? impl.(aes.Implementation) : aes.DEFAULT_IMPLEMENTATION
+		aes.init_gcm(&ctx._impl.(aes.Context_GCM), key, impl_)
+	case .CHACHA20POLY1305:
+		impl_ := impl != nil ? impl.(chacha20.Implementation) : chacha20.DEFAULT_IMPLEMENTATION
+		chacha20poly1305.init(&ctx._impl.(chacha20poly1305.Context), key, impl_)
+	case .XCHACHA20POLY1305:
+		impl_ := impl != nil ? impl.(chacha20.Implementation) : chacha20.DEFAULT_IMPLEMENTATION
+		chacha20poly1305.init_xchacha(&ctx._impl.(chacha20poly1305.Context), key, impl_)
+	case .Invalid:
+		panic("crypto/aead: uninitialized algorithm")
+	case:
+		panic("crypto/aead: invalid algorithm")
+	}
+
+	ctx._algo = algorithm
+}
+
+// seal_ctx encrypts the plaintext and authenticates the aad and ciphertext,
+// with the provided Context and iv, stores the output in dst and tag.
+//
+// dst and plaintext MUST alias exactly or not at all.
+seal_ctx :: proc(ctx: ^Context, dst, tag, iv, aad, plaintext: []byte) {
+	switch &impl in ctx._impl {
+	case aes.Context_GCM:
+		aes.seal_gcm(&impl, dst, tag, iv, aad, plaintext)
+	case chacha20poly1305.Context:
+		chacha20poly1305.seal(&impl, dst, tag, iv, aad, plaintext)
+	case:
+		panic("crypto/aead: uninitialized algorithm")
+	}
+}
+
+// open_ctx authenticates the aad and ciphertext, and decrypts the ciphertext,
+// with the provided Context, iv, and tag, and stores the output in dst,
+// returning true iff the authentication was successful.  If authentication
+// fails, the destination buffer will be zeroed.
+//
+// dst and plaintext MUST alias exactly or not at all.
+@(require_results)
+open_ctx :: proc(ctx: ^Context, dst, iv, aad, ciphertext, tag: []byte) -> bool {
+	switch &impl in ctx._impl {
+	case aes.Context_GCM:
+		return aes.open_gcm(&impl, dst, iv, aad, ciphertext, tag)
+	case chacha20poly1305.Context:
+		return chacha20poly1305.open(&impl, dst, iv, aad, ciphertext, tag)
+	case:
+		panic("crypto/aead: uninitialized algorithm")
+	}
+}
+
+// reset sanitizes the Context.  The Context must be re-initialized to
+// be used again.
+reset :: proc(ctx: ^Context) {
+	switch &impl in ctx._impl {
+	case aes.Context_GCM:
+		aes.reset_gcm(&impl)
+	case chacha20poly1305.Context:
+		chacha20poly1305.reset(&impl)
+	case:
+		// Calling reset repeatedly is fine.
+	}
+
+	ctx._algo = .Invalid
+	ctx._impl = nil
+}
+
+// algorithm returns the Algorithm used by a Context instance.
+algorithm :: proc(ctx: ^Context) -> Algorithm {
+	return ctx._algo
+}
+
+// iv_size returns the IV size of a Context instance in bytes.
+iv_size :: proc(ctx: ^Context) -> int {
+	return IV_SIZES[ctx._algo]
+}
+
+// tag_size returns the tag size of a Context instance in bytes.
+tag_size :: proc(ctx: ^Context) -> int {
+	return TAG_SIZES[ctx._algo]
+}

core/crypto/aes/aes_ctr.odin

@@ -20,7 +20,7 @@ Context_CTR :: struct {
 }
 
 // init_ctr initializes a Context_CTR with the provided key and IV.
-init_ctr :: proc(ctx: ^Context_CTR, key, iv: []byte, impl := Implementation.Hardware) {
+init_ctr :: proc(ctx: ^Context_CTR, key, iv: []byte, impl := DEFAULT_IMPLEMENTATION) {
 	if len(iv) != CTR_IV_SIZE {
 		panic("crypto/aes: invalid CTR IV size")
 	}

core/crypto/aes/aes_ecb.odin

@@ -12,7 +12,7 @@ Context_ECB :: struct {
 }
 
 // init_ecb initializes a Context_ECB with the provided key.
-init_ecb :: proc(ctx: ^Context_ECB, key: []byte, impl := Implementation.Hardware) {
+init_ecb :: proc(ctx: ^Context_ECB, key: []byte, impl := DEFAULT_IMPLEMENTATION) {
 	init_impl(&ctx._impl, key, impl)
 	ctx._is_initialized = true
 }

core/crypto/aes/aes_gcm.odin

@@ -26,7 +26,7 @@ Context_GCM :: struct {
 }
 
 // init_gcm initializes a Context_GCM with the provided key.
-init_gcm :: proc(ctx: ^Context_GCM, key: []byte, impl := Implementation.Hardware) {
+init_gcm :: proc(ctx: ^Context_GCM, key: []byte, impl := DEFAULT_IMPLEMENTATION) {
 	init_impl(&ctx._impl, key, impl)
 	ctx._is_initialized = true
 }

core/crypto/aes/aes_impl.odin

@@ -10,6 +10,10 @@ Context_Impl :: union {
 	Context_Impl_Hardware,
 }
 
+// DEFAULT_IMPLEMENTATION is the implementation that will be used by
+// default if possible.
+DEFAULT_IMPLEMENTATION :: Implementation.Hardware
+
 // Implementation is an AES implementation.  Most callers will not need
 // to use this as the package will automatically select the most performant
 // implementation available (See `is_hardware_accelerated()`).

core/crypto/chacha20/chacha20.odin

@@ -26,7 +26,7 @@ Context :: struct {
 
 // init inititializes a Context for ChaCha20 or XChaCha20 with the provided
 // key and iv.
-init :: proc(ctx: ^Context, key, iv: []byte, impl := Implementation.Simd256) {
+init :: proc(ctx: ^Context, key, iv: []byte, impl := DEFAULT_IMPLEMENTATION) {
 	if len(key) != KEY_SIZE {
 		panic("crypto/chacha20: invalid (X)ChaCha20 key size")
 	}

core/crypto/chacha20/chacha20_impl.odin

@@ -5,6 +5,10 @@ import "core:crypto/_chacha20/ref"
 import "core:crypto/_chacha20/simd128"
 import "core:crypto/_chacha20/simd256"
 
+// DEFAULT_IMPLEMENTATION is the implementation that will be used by
+// default if possible.
+DEFAULT_IMPLEMENTATION :: Implementation.Simd256
+
 // Implementation is a ChaCha20 implementation.  Most callers will not need
 // to use this as the package will automatically select the most performant
 // implementation available.

core/crypto/chacha20poly1305/chacha20poly1305.odin

@@ -70,7 +70,7 @@ Context :: struct {
 }
 
 // init initializes a Context with the provided key, for AEAD_CHACHA20_POLY1305.
-init :: proc(ctx: ^Context, key: []byte, impl := chacha20.Implementation.Simd256) {
+init :: proc(ctx: ^Context, key: []byte, impl := chacha20.DEFAULT_IMPLEMENTATION) {
 	if len(key) != KEY_SIZE {
 		panic("crypto/chacha20poly1305: invalid key size")
 	}
@@ -86,7 +86,7 @@ init :: proc(ctx: ^Context, key: []byte, impl := chacha20.Implementation.Simd256
 //
 // Note: While there are multiple definitions of XChaCha20-Poly1305
 // this sticks to the IETF draft and uses a 32-bit counter.
-init_xchacha :: proc(ctx: ^Context, key: []byte, impl := chacha20.Implementation.Simd256) {
+init_xchacha :: proc(ctx: ^Context, key: []byte, impl := chacha20.DEFAULT_IMPLEMENTATION) {
 	init(ctx, key, impl)
 	ctx._is_xchacha = true
 }

examples/all/all_main.odin

@@ -25,6 +25,7 @@ import rbtree           "core:container/rbtree"
 import topological_sort "core:container/topological_sort"
 
 import crypto           "core:crypto"
+import aead             "core:crypto/aead"
 import aes              "core:crypto/aes"
 import blake2b          "core:crypto/blake2b"
 import blake2s          "core:crypto/blake2s"
@@ -164,6 +165,7 @@ _ :: rbtree
 _ :: topological_sort
 _ :: crypto
 _ :: crypto_hash
+_ :: aead
 _ :: aes
 _ :: blake2b
 _ :: blake2s

tests/core/crypto/test_core_crypto.odin

@@ -22,18 +22,24 @@ import "core:crypto"
 import chacha_simd128 "core:crypto/_chacha20/simd128"
 import chacha_simd256 "core:crypto/_chacha20/simd256"
 import "core:crypto/chacha20"
-import "core:crypto/chacha20poly1305"
 import "core:crypto/sha2"
 
-@(private = "file")
+@(private)
 _PLAINTEXT_SUNSCREEN_STR := "Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it."
 
 @(test)
 test_chacha20 :: proc(t: ^testing.T) {
 	runtime.DEFAULT_TEMP_ALLOCATOR_TEMP_GUARD()
 
-	impls := make([dynamic]chacha20.Implementation, 0, 3)
-	defer delete(impls)
+	impls := supported_chacha_impls()
+
+	for impl in impls {
+		test_chacha20_stream(t, impl)
+	}
+}
+
+supported_chacha_impls :: proc() -> [dynamic]chacha20.Implementation {
+	impls := make([dynamic]chacha20.Implementation, 0, 3, context.temp_allocator)
 	append(&impls, chacha20.Implementation.Portable)
 	if chacha_simd128.is_performant() {
 		append(&impls, chacha20.Implementation.Simd128)
@@ -42,11 +48,7 @@ test_chacha20 :: proc(t: ^testing.T) {
 		append(&impls, chacha20.Implementation.Simd256)
 	}
 
-	for impl in impls {
-		test_chacha20_stream(t, impl)
-		test_chacha20poly1305(t, impl)
-		test_xchacha20poly1305(t, impl)
-	}
+	return impls
 }
 
 test_chacha20_stream :: proc(t: ^testing.T, impl: chacha20.Implementation) {
@@ -180,171 +182,6 @@ test_chacha20_stream :: proc(t: ^testing.T, impl: chacha20.Implementation) {
 	)
 }
 
-test_chacha20poly1305 :: proc(t: ^testing.T, impl: chacha20.Implementation) {
-	plaintext := transmute([]byte)(_PLAINTEXT_SUNSCREEN_STR)
-	plaintext_str := string(hex.encode(plaintext, context.temp_allocator))
-
-	aad := [12]byte {
-		0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
-		0xc4, 0xc5, 0xc6, 0xc7,
-	}
-
-	key := [chacha20poly1305.KEY_SIZE]byte {
-		0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-		0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-		0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-		0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-	}
-
-	nonce := [chacha20poly1305.IV_SIZE]byte {
-		0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43,
-		0x44, 0x45, 0x46, 0x47,
-	}
-
-	ciphertext := [114]byte {
-		0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
-		0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
-		0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
-		0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
-		0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
-		0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
-		0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
-		0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
-		0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
-		0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
-		0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
-		0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
-		0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
-		0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
-		0x61, 0x16,
-	}
-	ciphertext_str := string(hex.encode(ciphertext[:], context.temp_allocator))
-
-	tag := [chacha20poly1305.TAG_SIZE]byte {
-		0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
-		0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91,
-	}
-	tag_str := string(hex.encode(tag[:], context.temp_allocator))
-
-	tag_ := make([]byte, chacha20poly1305.TAG_SIZE, context.temp_allocator)
-	dst := make([]byte, len(ciphertext), context.temp_allocator)
-
-	ctx: chacha20poly1305.Context
-	chacha20poly1305.init(&ctx, key[:])
-
-	chacha20poly1305.seal(&ctx, dst, tag_, nonce[:], aad[:], plaintext)
-	dst_str := string(hex.encode(dst, context.temp_allocator))
-	tag_str_ := string(hex.encode(tag_, context.temp_allocator))
-
-	testing.expectf(
-		t,
-		dst_str == ciphertext_str && tag_str_ == tag_str,
-		"chacha20poly1305/%v: Expected: (%s, %s) for seal(%x, %x, %x, %x), but got (%s, %s) instead",
-		impl,
-		ciphertext_str,
-		tag_str,
-		key,
-		nonce,
-		aad,
-		plaintext,
-		dst_str,
-		tag_str_,
-	)
-
-	ok := chacha20poly1305.open(&ctx, dst, nonce[:], aad[:], ciphertext[:], tag[:])
-	dst_str = string(hex.encode(dst, context.temp_allocator))
-
-	testing.expectf(
-		t,
-		ok && dst_str == plaintext_str,
-		"chacha20poly1305/%v: Expected: (%s, true) for open(%x, %x, %x, %x, %s), but got (%s, %v) instead",
-		impl,
-		plaintext_str,
-		key,
-		nonce,
-		aad,
-		ciphertext,
-		tag_str,
-		dst_str,
-		ok,
-	)
-
-	copy(dst, ciphertext[:])
-	tag_[0] ~= 0xa5
-	ok = chacha20poly1305.open(&ctx, dst, nonce[:], aad[:], dst[:], tag_)
-	testing.expectf(t, !ok, "chacha20poly1305/%v: Expected false for open(bad_tag, aad, ciphertext)", impl)
-
-	dst[0] ~= 0xa5
-	ok = chacha20poly1305.open(&ctx, dst, nonce[:], aad[:], dst[:], tag[:])
-	testing.expectf(t, !ok, "chacha20poly1305/%v: Expected false for open(tag, aad, bad_ciphertext)", impl)
-
-	copy(dst, ciphertext[:])
-	aad[0] ~= 0xa5
-	ok = chacha20poly1305.open(&ctx, dst, nonce[:], aad[:], dst[:], tag[:])
-	testing.expectf(t, !ok, "chacha20poly1305/%v: Expected false for open(tag, bad_aad, ciphertext)", impl)
-}
-
-test_xchacha20poly1305 :: proc(t: ^testing.T, impl: chacha20.Implementation) {
-	// Test case taken from:
-	// - https://datatracker.ietf.org/doc/html/draft-arciszewski-xchacha-03
-	key_str := "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
-	iv_str := "404142434445464748494a4b4c4d4e4f5051525354555657"
-	aad_str := "50515253c0c1c2c3c4c5c6c7"
-	plaintext_str := "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e"
-	ciphertext_str := "bd6d179d3e83d43b9576579493c0e939572a1700252bfaccbed2902c21396cbb731c7f1b0b4aa6440bf3a82f4eda7e39ae64c6708c54c216cb96b72e1213b4522f8c9ba40db5d945b11b69b982c1bb9e3f3fac2bc369488f76b2383565d3fff921f9664c97637da9768812f615c68b13b52e"
-	tag_str := "c0875924c1c7987947deafd8780acf49"
-
-	key, _ := hex.decode(transmute([]byte)(key_str), context.temp_allocator)
-	iv, _ := hex.decode(transmute([]byte)(iv_str), context.temp_allocator)
-	aad, _ := hex.decode(transmute([]byte)(aad_str), context.temp_allocator)
-	plaintext, _ := hex.decode(transmute([]byte)(plaintext_str), context.temp_allocator)
-	ciphertext, _ := hex.decode(transmute([]byte)(ciphertext_str), context.temp_allocator)
-	tag, _ := hex.decode(transmute([]byte)(tag_str), context.temp_allocator)
-
-	tag_ := make([]byte, len(tag), context.temp_allocator)
-	dst := make([]byte, len(ciphertext), context.temp_allocator)
-
-	ctx: chacha20poly1305.Context
-	chacha20poly1305.init_xchacha(&ctx, key, impl)
-
-	chacha20poly1305.seal(&ctx, dst, tag_, iv, aad, plaintext)
-	dst_str := string(hex.encode(dst, context.temp_allocator))
-	tag_str_ := string(hex.encode(tag_, context.temp_allocator))
-
-	testing.expectf(
-		t,
-		dst_str == ciphertext_str && tag_str_ == tag_str,
-		"xchacha20poly1305/%v: Expected: (%s, %s) for seal(%s, %s, %s, %s), but got (%s, %s) instead",
-		impl,
-		ciphertext_str,
-		tag_str,
-		key_str,
-		iv_str,
-		aad_str,
-		plaintext_str,
-		dst_str,
-		tag_str_,
-	)
-
-	ok := chacha20poly1305.open(&ctx, dst, iv, aad, ciphertext, tag)
-	dst_str = string(hex.encode(dst, context.temp_allocator))
-
-	testing.expectf(
-		t,
-		ok && dst_str == plaintext_str,
-		"xchacha20poly1305/%v: Expected: (%s, true) for open(%s, %s, %s, %s, %s), but got (%s, %v) instead",
-		impl,
-		plaintext_str,
-		key_str,
-		iv_str,
-		aad_str,
-		ciphertext_str,
-		tag_str,
-		dst_str,
-		ok,
-	)
-}
-
 @(test)
 test_rand_bytes :: proc(t: ^testing.T) {
 	if !crypto.HAS_RAND_BYTES {

tests/core/crypto/test_core_crypto_aead.odin

@@ -0,0 +1,339 @@
+package test_core_crypto
+
+import "base:runtime"
+import "core:crypto/aead"
+import "core:encoding/hex"
+import "core:testing"
+
+@(test)
+test_aead :: proc(t: ^testing.T) {
+	runtime.DEFAULT_TEMP_ALLOCATOR_TEMP_GUARD()
+
+	aes_impls := make([dynamic]aead.Implementation, context.temp_allocator)
+	for impl in supported_aes_impls() {
+		append(&aes_impls, impl)
+	}
+	chacha_impls := make([dynamic]aead.Implementation, context.temp_allocator)
+	for impl in supported_chacha_impls() {
+		append(&chacha_impls, impl)
+	}
+	impls := [aead.Algorithm][dynamic]aead.Implementation{
+		.Invalid           = nil,
+		.AES_GCM_128       = aes_impls,
+		.AES_GCM_192       = aes_impls,
+		.AES_GCM_256       = aes_impls,
+		.CHACHA20POLY1305  = chacha_impls,
+		.XCHACHA20POLY1305 = chacha_impls,
+	}
+
+	test_vectors := []struct{
+		algo: aead.Algorithm,
+		key: string,
+		iv: string,
+		aad: string,
+		plaintext: string,
+		ciphertext: string,
+		tag: string,
+	} {
+		// AES-GCM
+		// - https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+		//
+		// Note: NIST did a reorg of their site, so the source of the test vectors
+		// is only available from an archive.
+		{
+			.AES_GCM_128,
+			"00000000000000000000000000000000",
+			"000000000000000000000000",
+			"",
+			"",
+			"",
+			"58e2fccefa7e3061367f1d57a4e7455a",
+		},
+		{
+			.AES_GCM_128,
+			"00000000000000000000000000000000",
+			"000000000000000000000000",
+			"",
+			"00000000000000000000000000000000",
+			"0388dace60b6a392f328c2b971b2fe78",
+			"ab6e47d42cec13bdf53a67b21257bddf",
+		},
+		{
+			.AES_GCM_128,
+			"feffe9928665731c6d6a8f9467308308",
+			"cafebabefacedbaddecaf888",
+			"",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
+			"42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985",
+			"4d5c2af327cd64a62cf35abd2ba6fab4",
+		},
+		{
+			.AES_GCM_128,
+			"feffe9928665731c6d6a8f9467308308",
+			"cafebabefacedbaddecaf888",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091",
+			"5bc94fbc3221a5db94fae95ae7121a47",
+		},
+		{
+			.AES_GCM_128,
+			"feffe9928665731c6d6a8f9467308308",
+			"cafebabefacedbad",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598",
+			"3612d2e79e3b0785561be14aaca2fccb",
+		},
+		{
+			.AES_GCM_128,
+			"feffe9928665731c6d6a8f9467308308",
+			"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5",
+			"619cc5aefffe0bfa462af43c1699d050",
+		},
+		{
+			.AES_GCM_192,
+			"000000000000000000000000000000000000000000000000",
+			"000000000000000000000000",
+			"",
+			"",
+			"",
+			"cd33b28ac773f74ba00ed1f312572435",
+		},
+		{
+			.AES_GCM_192,
+			"000000000000000000000000000000000000000000000000",
+			"000000000000000000000000",
+			"",
+			"00000000000000000000000000000000",
+			"98e7247c07f0fe411c267e4384b0f600",
+			"2ff58d80033927ab8ef4d4587514f0fb",
+		},
+		{
+			.AES_GCM_192,
+			"feffe9928665731c6d6a8f9467308308feffe9928665731c",
+			"cafebabefacedbaddecaf888",
+			"",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
+			"3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256",
+			"9924a7c8587336bfb118024db8674a14",
+		},
+		{
+			.AES_GCM_192,
+			"feffe9928665731c6d6a8f9467308308feffe9928665731c",
+			"cafebabefacedbaddecaf888",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710",
+			"2519498e80f1478f37ba55bd6d27618c",
+		},
+		{
+			.AES_GCM_192,
+			"feffe9928665731c6d6a8f9467308308feffe9928665731c",
+			"cafebabefacedbad",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7",
+			"65dcc57fcf623a24094fcca40d3533f8",
+		},
+		{
+			.AES_GCM_192,
+			"feffe9928665731c6d6a8f9467308308feffe9928665731c",
+			"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b",
+			"dcf566ff291c25bbb8568fc3d376a6d9",
+		},
+		{
+			.AES_GCM_256,
+			"0000000000000000000000000000000000000000000000000000000000000000",
+			"000000000000000000000000",
+			"",
+			"",
+			"",
+			"530f8afbc74536b9a963b4f1c4cb738b",
+		},
+		{
+			.AES_GCM_256,
+			"0000000000000000000000000000000000000000000000000000000000000000",
+			"000000000000000000000000",
+			"",
+			"00000000000000000000000000000000",
+			"cea7403d4d606b6e074ec5d3baf39d18",
+			"d0d1c8a799996bf0265b98b5d48ab919",
+		},
+		{
+			.AES_GCM_256,
+			"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
+			"cafebabefacedbaddecaf888",
+			"",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
+			"522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad",
+			"b094dac5d93471bdec1a502270e3cc6c",
+		},
+		{
+			.AES_GCM_256,
+			"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
+			"cafebabefacedbaddecaf888",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662",
+			"76fc6ece0f4e1768cddf8853bb2d551b",
+		},
+		{
+			.AES_GCM_256,
+			"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
+			"cafebabefacedbad",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f",
+			"3a337dbf46a792c45e454913fe2ea8f2",
+		},
+		{
+			.AES_GCM_256,
+			"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
+			"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
+			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
+			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
+			"5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f",
+			"a44a8266ee1c8eb0c8b5d4cf5ae9f19a",
+		},
+		// Chacha20-Poly1305
+		// https://www.rfc-editor.org/rfc/rfc8439
+		{
+			.CHACHA20POLY1305,
+			"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+			"070000004041424344454647",
+			"50515253c0c1c2c3c4c5c6c7",
+			string(hex.encode(transmute([]byte)(_PLAINTEXT_SUNSCREEN_STR), context.temp_allocator)),
+			"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116",
+			"1ae10b594f09e26a7e902ecbd0600691",
+		},
+		// XChaCha20-Poly1305-IETF
+		// - https://datatracker.ietf.org/doc/html/draft-arciszewski-xchacha-03
+		{
+			.XCHACHA20POLY1305,
+			"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+			"404142434445464748494a4b4c4d4e4f5051525354555657",
+			"50515253c0c1c2c3c4c5c6c7",
+			"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e",
+			"bd6d179d3e83d43b9576579493c0e939572a1700252bfaccbed2902c21396cbb731c7f1b0b4aa6440bf3a82f4eda7e39ae64c6708c54c216cb96b72e1213b4522f8c9ba40db5d945b11b69b982c1bb9e3f3fac2bc369488f76b2383565d3fff921f9664c97637da9768812f615c68b13b52e",
+			"c0875924c1c7987947deafd8780acf49",
+		},
+	}
+	for v, _ in test_vectors {
+		algo_name := aead.ALGORITHM_NAMES[v.algo]
+
+		key, _ := hex.decode(transmute([]byte)(v.key), context.temp_allocator)
+		iv, _ := hex.decode(transmute([]byte)(v.iv), context.temp_allocator)
+		aad, _ := hex.decode(transmute([]byte)(v.aad), context.temp_allocator)
+		plaintext, _ := hex.decode(transmute([]byte)(v.plaintext), context.temp_allocator)
+		ciphertext, _ := hex.decode(transmute([]byte)(v.ciphertext), context.temp_allocator)
+		tag, _ := hex.decode(transmute([]byte)(v.tag), context.temp_allocator)
+
+		tag_ := make([]byte, len(tag), context.temp_allocator)
+		dst := make([]byte, len(ciphertext), context.temp_allocator)
+
+		ctx: aead.Context
+		for impl in impls[v.algo] {
+			aead.init(&ctx, v.algo, key, impl)
+
+			aead.seal(&ctx, dst, tag_, iv, aad, plaintext)
+			dst_str := string(hex.encode(dst, context.temp_allocator))
+			tag_str := string(hex.encode(tag_, context.temp_allocator))
+			testing.expectf(
+				t,
+				dst_str == v.ciphertext && tag_str == v.tag,
+				"%s/%v: Expected: (%s, %s) for seal_ctx(%s, %s, %s, %s), but got (%s, %s) instead",
+				algo_name,
+				impl,
+				v.ciphertext,
+				v.tag,
+				v.key,
+				v.iv,
+				v.aad,
+				v.plaintext,
+				dst_str,
+				tag_str,
+			)
+
+			aead.seal(v.algo, dst, tag_, key, iv, aad, plaintext, impl)
+			dst_str = string(hex.encode(dst, context.temp_allocator))
+			tag_str = string(hex.encode(tag_, context.temp_allocator))
+			testing.expectf(
+				t,
+				dst_str == v.ciphertext && tag_str == v.tag,
+				"%s/%v: Expected: (%s, %s) for seal_oneshot(%s, %s, %s, %s), but got (%s, %s) instead",
+				algo_name,
+				impl,
+				v.ciphertext,
+				v.tag,
+				v.key,
+				v.iv,
+				v.aad,
+				v.plaintext,
+				dst_str,
+				tag_str,
+			)
+
+			ok := aead.open(&ctx, dst, iv, aad, ciphertext, tag)
+			dst_str = string(hex.encode(dst, context.temp_allocator))
+			testing.expectf(
+				t,
+				ok && dst_str == v.plaintext,
+				"%s/%v: Expected: (%s, true) for open_ctx(%s, %s, %s, %s, %s), but got (%s, %v) instead",
+				algo_name,
+				impl,
+				v.plaintext,
+				v.key,
+				v.iv,
+				v.aad,
+				v.ciphertext,
+				v.tag,
+				dst_str,
+				ok,
+			)
+
+			ok = aead.open(v.algo, dst, key, iv, aad, ciphertext, tag, impl)
+			dst_str = string(hex.encode(dst, context.temp_allocator))
+			testing.expectf(
+				t,
+				ok && dst_str == v.plaintext,
+				"%s/%v: Expected: (%s, true) for open_oneshot(%s, %s, %s, %s, %s), but got (%s, %v) instead",
+				algo_name,
+				impl,
+				v.plaintext,
+				v.key,
+				v.iv,
+				v.aad,
+				v.ciphertext,
+				v.tag,
+				dst_str,
+				ok,
+			)
+
+			tag_[0] ~= 0xa5
+			ok = aead.open(&ctx, dst, iv, aad, ciphertext, tag_)
+			testing.expectf(t, !ok, "%s/%v: Expected false for open(bad_tag, aad, ciphertext)", algo_name, impl)
+
+			if len(dst) > 0 {
+				copy(dst, ciphertext[:])
+				dst[0] ~= 0xa5
+				ok = aead.open(&ctx, dst, iv, aad, dst, tag)
+				testing.expectf(t, !ok, "%s/%v: Expected false for open(tag, aad, bad_ciphertext)", algo_name, impl)
+			}
+
+			if len(aad) > 0 {
+				aad_ := make([]byte, len(aad), context.temp_allocator)
+				copy(aad_, aad)
+				aad_[0] ~= 0xa5
+				ok = aead.open(&ctx, dst, iv, aad_, ciphertext, tag)
+				testing.expectf(t, !ok, "%s/%v: Expected false for open(tag, bad_aad, ciphertext)", algo_name, impl)
+			}
+		}
+	}
+}

tests/core/crypto/test_core_crypto_aes.odin

@@ -12,20 +12,24 @@ import "core:crypto/sha2"
 test_aes :: proc(t: ^testing.T) {
 	runtime.DEFAULT_TEMP_ALLOCATOR_TEMP_GUARD()
 
-	impls := make([dynamic]aes.Implementation, 0, 2)
-	defer delete(impls)
-	append(&impls, aes.Implementation.Portable)
-	if aes.is_hardware_accelerated() {
-		append(&impls, aes.Implementation.Hardware)
-	}
+	impls := supported_aes_impls()
 
 	for impl in impls {
 		test_aes_ecb(t, impl)
 		test_aes_ctr(t, impl)
-		test_aes_gcm(t, impl)
 	}
 }
 
+supported_aes_impls :: proc() -> [dynamic]aes.Implementation {
+	impls := make([dynamic]aes.Implementation, 0, 2, context.temp_allocator)
+	append(&impls, aes.Implementation.Portable)
+	if aes.is_hardware_accelerated() {
+		append(&impls, aes.Implementation.Hardware)
+	}
+
+	return impls
+}
+
 test_aes_ecb :: proc(t: ^testing.T, impl: aes.Implementation) {
 	log.debugf("Testing AES-ECB/%v", impl)
 
@@ -222,216 +226,3 @@ test_aes_ctr :: proc(t: ^testing.T, impl: aes.Implementation) {
 		digest_str,
 	)
 }
-
-test_aes_gcm :: proc(t: ^testing.T, impl: aes.Implementation) {
-	log.debugf("Testing AES-GCM/%v", impl)
-
-	// NIST did a reorg of their site, so the source of the test vectors
-	// is only available from an archive.
-	//
-	// https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
-	test_vectors := []struct {
-		key: string,
-		iv: string,
-		aad: string,
-		plaintext: string,
-		ciphertext: string,
-		tag: string,
-	} {
-		{
-			"00000000000000000000000000000000",
-			"000000000000000000000000",
-			"",
-			"",
-			"",
-			"58e2fccefa7e3061367f1d57a4e7455a",
-		},
-		{
-			"00000000000000000000000000000000",
-			"000000000000000000000000",
-			"",
-			"00000000000000000000000000000000",
-			"0388dace60b6a392f328c2b971b2fe78",
-			"ab6e47d42cec13bdf53a67b21257bddf",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308",
-			"cafebabefacedbaddecaf888",
-			"",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
-			"42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985",
-			"4d5c2af327cd64a62cf35abd2ba6fab4",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308",
-			"cafebabefacedbaddecaf888",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091",
-			"5bc94fbc3221a5db94fae95ae7121a47",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308",
-			"cafebabefacedbad",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598",
-			"3612d2e79e3b0785561be14aaca2fccb",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308",
-			"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5",
-			"619cc5aefffe0bfa462af43c1699d050",
-		},
-		{
-			"000000000000000000000000000000000000000000000000",
-			"000000000000000000000000",
-			"",
-			"",
-			"",
-			"cd33b28ac773f74ba00ed1f312572435",
-		},
-		{
-			"000000000000000000000000000000000000000000000000",
-			"000000000000000000000000",
-			"",
-			"00000000000000000000000000000000",
-			"98e7247c07f0fe411c267e4384b0f600",
-			"2ff58d80033927ab8ef4d4587514f0fb",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308feffe9928665731c",
-			"cafebabefacedbaddecaf888",
-			"",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
-			"3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256",
-			"9924a7c8587336bfb118024db8674a14",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308feffe9928665731c",
-			"cafebabefacedbaddecaf888",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710",
-			"2519498e80f1478f37ba55bd6d27618c",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308feffe9928665731c",
-			"cafebabefacedbad",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7",
-			"65dcc57fcf623a24094fcca40d3533f8",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308feffe9928665731c",
-			"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b",
-			"dcf566ff291c25bbb8568fc3d376a6d9",
-		},
-		{
-			"0000000000000000000000000000000000000000000000000000000000000000",
-			"000000000000000000000000",
-			"",
-			"",
-			"",
-			"530f8afbc74536b9a963b4f1c4cb738b",
-		},
-		{
-			"0000000000000000000000000000000000000000000000000000000000000000",
-			"000000000000000000000000",
-			"",
-			"00000000000000000000000000000000",
-			"cea7403d4d606b6e074ec5d3baf39d18",
-			"d0d1c8a799996bf0265b98b5d48ab919",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
-			"cafebabefacedbaddecaf888",
-			"",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255",
-			"522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad",
-			"b094dac5d93471bdec1a502270e3cc6c",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
-			"cafebabefacedbaddecaf888",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662",
-			"76fc6ece0f4e1768cddf8853bb2d551b",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
-			"cafebabefacedbad",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f",
-			"3a337dbf46a792c45e454913fe2ea8f2",
-		},
-		{
-			"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308",
-			"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b",
-			"feedfacedeadbeeffeedfacedeadbeefabaddad2",
-			"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39",
-			"5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f",
-			"a44a8266ee1c8eb0c8b5d4cf5ae9f19a",
-		},
-	}
-	for v, _ in test_vectors {
-		key, _ := hex.decode(transmute([]byte)(v.key), context.temp_allocator)
-		iv, _ := hex.decode(transmute([]byte)(v.iv), context.temp_allocator)
-		aad, _ := hex.decode(transmute([]byte)(v.aad), context.temp_allocator)
-		plaintext, _ := hex.decode(transmute([]byte)(v.plaintext), context.temp_allocator)
-		ciphertext, _ := hex.decode(transmute([]byte)(v.ciphertext), context.temp_allocator)
-		tag, _ := hex.decode(transmute([]byte)(v.tag), context.temp_allocator)
-
-		tag_ := make([]byte, len(tag), context.temp_allocator)
-		dst := make([]byte, len(ciphertext), context.temp_allocator)
-
-		ctx: aes.Context_GCM
-		aes.init_gcm(&ctx, key, impl)
-
-		aes.seal_gcm(&ctx, dst, tag_, iv, aad, plaintext)
-		dst_str := string(hex.encode(dst, context.temp_allocator))
-		tag_str := string(hex.encode(tag_, context.temp_allocator))
-
-		testing.expectf(
-			t,
-			dst_str == v.ciphertext && tag_str == v.tag,
-			"AES-GCM/%v: Expected: (%s, %s) for seal(%s, %s, %s, %s), but got (%s, %s) instead",
-			impl,
-			v.ciphertext,
-			v.tag,
-			v.key,
-			v.iv,
-			v.aad,
-			v.plaintext,
-			dst_str,
-			tag_str,
-		)
-
-		ok := aes.open_gcm(&ctx, dst, iv, aad, ciphertext, tag)
-		dst_str = string(hex.encode(dst, context.temp_allocator))
-
-		testing.expectf(
-			t,
-			ok && dst_str == v.plaintext,
-			"AES-GCM/%v: Expected: (%s, true) for open(%s, %s, %s, %s, %s), but got (%s, %v) instead",
-			impl,
-			v.plaintext,
-			v.key,
-			v.iv,
-			v.aad,
-			v.ciphertext,
-			v.tag,
-			dst_str,
-			ok,
-		)
-	}
-}