Add EVP_CIPHER API for XAES-256-GCM with Key Commitment

[ttungle96]

1. Add XAES-256-GCM, which is extended AES-256-GCM with a derived key mode proposed by Filippo Valsorda in 2023, followed by a specification released in 2024. The key commitment extension follows https://eprint.iacr.org/2025/758.pdf#page=6.
2. This implementation supports EVP_CIPHER API and uses an optimized CMAC dedicated to the specific use case of XAES-256-GCM from XAES-256-GCM #2652 to derive subkeys and key commitments.
3. Support varying nonce sizes: 20 ≤ b ≤ 24 based on the extension: https://eprint.iacr.org/2025/758.pdf#page=24

Description of Changes

1. Implementation for API EVP_CIPHER of XAES-256-GCM with Key Commitment is appended to e_aes.c
2. The tests are appended to cipher_tests.txt.
3. TestCipherAPI (https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/cipher_extra/cipher_test.cc#L184) and TestCipher (https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/cipher_extra/cipher_test.cc#L473) in cipher_test.cc is added a parameter named kc at the end with default value to support testing cipher with key commitment without disrupting legacy code.

Testing

Reuse the test vectors in #2750 with our own added key commitment values.

Evaluation

Performance evaluation with speedtool on c6i.2xlarge (8 vCPUs and 16 GB RAM):

./crypto_test --gtest_filter='CipherTest.*'

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[github-actions]

clang-tidy made some suggestions

[github-actions]

warning: unknown type name 'uint8_t' [clang-diagnostic-error]

static const uint8_t kObjectData[] = {
             ^

[github-actions]

warning: unknown type name 'ASN1_OBJECT' [clang-diagnostic-error]

static const ASN1_OBJECT kObjects[NUM_NID] = {
             ^

[codecov-commenter]

Codecov Report

❌ Patch coverage is 93.33333% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.32%. Comparing base (92b4227) to head (bfc193c).

Files with missing lines	Patch %	Lines
crypto/fipsmodule/cipher/e_aes.c	91.78%	6 Missing ⚠️
crypto/cipher_extra/cipher_test.cc	96.87%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@               Coverage Diff                @@
##           xaes-256-gcm    #2826      +/-   ##
================================================
+ Coverage         78.30%   78.32%   +0.01%     
================================================
  Files               683      683              
  Lines            117484   117572      +88     
  Branches          16489    16499      +10     
================================================
+ Hits              92000    92086      +86     
- Misses            24602    24604       +2     
  Partials            882      882              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[nebeid]

I will review cipher_test.cc

[nebeid]

I doubt we need these alignment requirements in addition to those of the gcm ctx. Can we try removing them here and on line 1858? Otherwise, do you know what would drive our need for them?

[ttungle96]

It will lead to many CI tests failed. I tried that. You can see the failed tests below. However, when I created and run with a docker, all tests still passed.

[nebeid]

I think it's more prudent to check that ptr is not NULL.
I see that there are no checks in aes_gcm_ctrl, but it's good to verify here and we should probably change there as well wherever it's used. It's sometimes intentionally NULL as in the INIT case in

aws-lc/crypto/fipsmodule/cipher/cipher.c

Line 185 in 88aec89

if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {

[ttungle96]

Yes. I'll add checking ptr for two new added ctrl commands.

[nebeid]

Is it possible to use the same set of tests as the ones without KC and the test harness just ignores it when it's plain XAES?

[ttungle96]

Does that mean I should remove all changes that were made to cipher_test.cc to support key commitment verification?

[nebeid]

No, sorry, what I meant is if you were to unify the 2 sets of test vectors in this file (i.e. delete the ones above of XAES-256-GCM because they're superseded by the KC one), would they then work with both XAES and XAES-KC? It seems to me that XAES may not be tested in CipherFileTest because it needs its own "Cipher" string. So you can ignore the suggestion.

[ttungle96]

Yes. It needs to have "Cipher = XAES-256-GCM-KC" to specify the cipher.

[nebeid]

In my previous comment, I meant keeping this alignment in aes_gcm_from_cipher_ctx and try and remove them from the ones below, but maybe it doesn't make sense because it's the same pointer to ctx->cipher_data and it would be different if you're not doing the same operations to get it.

[ttungle96]

Yeah. Since aes_gcm_from_cipher_ctx() is called in other places like aes_gcm_cipher(), aes_gcm_ctrl(), and aes_gcm_init_key(), it needs to be consistent everywhere.

[nebeid]

You can use

aws-lc/crypto/internal.h

Line 1447 in 88aec89

#define GUARD_PTR(ptr) __AWS_LC_ENSURE((ptr) != NULL, OPENSSL_PUT_ERROR(CRYPTO, ERR_R_PASSED_NULL_PARAMETER); \

and no need to introduce a new error.

[ttungle96]

Thank you! I replaced that directive in my update and deleted CIPHER_R_BUFFER_INVALID.

[nebeid]

No, sorry, what I meant is if you were to unify the 2 sets of test vectors in this file (i.e. delete the ones above of XAES-256-GCM because they're superseded by the KC one), would they then work with both XAES and XAES-KC? It seems to me that XAES may not be tested in CipherFileTest because it needs its own "Cipher" string. So you can ignore the suggestion.

[nebeid]

Can the negative tests that were added for XAES (e.g. shorter nonces) be modified to also test XAES-KC?

[ttungle96]

I made changes in cipher_test.cc to test negative cases with invalid key/nonce, and shorter nonce for both evp-xaes-256-gcm and evp-xaes-256-gcm-kc.