delocation: large memory model support.

Large memory models on x86-64 allow the code/data of a shared object /
executable to be larger than 2GiB. This is typically impossible because
x86-64 code frequently uses int32 offsets from RIP.

Consider the following program:

    int getpid();

    int main() {
        return getpid();
    }

This is turned into the following assembly under a large memory model:

.L0$pb:
	leaq	.L0$pb(%rip), %rax
	movabsq	$_GLOBAL_OFFSET_TABLE_-.L0$pb, %rcx
	addq	%rax, %rcx
	movabsq	$getpid@GOT, %rdx
	xorl	%eax, %eax
	jmpq	*(%rcx,%rdx)            # TAILCALL

And, with relocations:

   0:	48 8d 05 f9 ff ff ff 	lea    -0x7(%rip),%rax        # 0 <main>
   7:	48 b9 00 00 00 00 00 	movabs $0x0,%rcx
   e:	00 00 00
			9: R_X86_64_GOTPC64	_GLOBAL_OFFSET_TABLE_+0x9
  11:	48 01 c1             	add    %rax,%rcx
  14:	48 ba 00 00 00 00 00 	movabs $0x0,%rdx
  1b:	00 00 00
			16: R_X86_64_GOT64	getpid
  1e:	31 c0                	xor    %eax,%eax
  20:	ff 24 11             	jmpq   *(%rcx,%rdx,1)

We can see that, in the large memory model, function calls involve
loading the address of _GLOBAL_OFFSET_TABLE_ (using `movabs`, which
takes a 64-bit immediate) and then indexing into it. Both cause
relocations.

If we link the binary and disassemble we get:

0000000000001120 <main>:
    1120:	48 8d 05 f9 ff ff ff 	lea    -0x7(%rip),%rax        # 1120 <main>
    1127:	48 b9 e0 2e 00 00 00 	movabs $0x2ee0,%rcx
    112e:	00 00 00
    1131:	48 01 c1             	add    %rax,%rcx
    1134:	48 ba d8 ff ff ff ff 	movabs $0xffffffffffffffd8,%rdx
    113b:	ff ff ff
    113e:	31 c0                	xor    %eax,%eax
    1140:	ff 24 11             	jmpq   *(%rcx,%rdx,1)

Thus the _GLOBAL_OFFSET_TABLE_ symbol is at 0x1120+0x2ee0 = 0x4000.
That's the address of the .got.plt section. But the offset “into” the
table is -0x40, putting it at 0x3fd8, in .got:

Idx Name          Size      VMA               LMA               File off  Algn
 18 .got          00000030  0000000000003fd0  0000000000003fd0  00002fd0  2**3
 19 .got.plt      00000018  0000000000004000  0000000000004000  00003000  2**3

And, indeed, there's a dynamic relocation to setup that address:

OFFSET           TYPE              VALUE
0000000000003fd8 R_X86_64_GLOB_DAT  getpid@GLIBC_2.2.5

Accessing data or BSS works the same: the address of the variable is
stored relative to _GLOBAL_OFFSET_TABLE_.

This is a bit of a pain because we want to delocate the module into a
single .text segment so that it moves through linking unaltered. If we
took the obvious path and built our own offset table then it would need
to contain absolute addresses, but they are only available at runtime
and .text segments aren't supposed to be run-time patched. (That's why
.rela.dyn is a separate segment.) If we use a different segment then
we have the same problem as with the original offset table: the offset
to the segment is unknown when compiling the module.

Trying to pattern match this two-step lookup to do extensive rewriting
seems fragile: I'm sure the compilers will move things around and
interleave other work in time, if they don't already.

So, in order to handle movabs trying to load _GLOBAL_OFFSET_TABLE_ we
define a symbol in the same segment, but outside of the hashed region of
the module, that contains the offset from that position to
_GLOBAL_OFFSET_TABLE_:

.boringssl_got_delta:
    .quad _GLOBAL_OFFSET_TABLE_-.boringssl_got_delta

Then a movabs of $_GLOBAL_OFFSET_TABLE_-.Lfoo turns into:

movq .boringssl_got_delta(%rip), %destreg
addq $.boringssl_got_delta-.Lfoo, %destreg

This works because it's calculating
_GLOBAL_OFFSET_TABLE_ - got_delta + (got_delta - .Lfoo)

When that value is added to .Lfoo, as the original code will do, the
correct address results. Also it doesn't need an extra register because
we know that 32-bit offsets are sufficient for offsets within the
module.

As for the offsets within the offset table, we have to load them from
locations outside of the hashed part of the module to get the
relocations out of the way. Again, no extra registers are needed.

Change-Id: I87b19a2f8886bd9f7ac538fd55754e526bcf3097
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42324
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>

.clang-format

@@ -4,4 +4,8 @@ AllowShortIfStatementsOnASingleLine: false
 AllowShortLoopsOnASingleLine: false
 DerivePointerAlignment: false
 PointerAlignment: Right
+# TODO(davidben): The default for Google style is now Regroup, but the default
+# IncludeCategories does not recognize <openssl/header.h>. We should
+# reconfigure IncludeCategories to match. For now, keep it at Preserve.
+IncludeBlocks: Preserve
 

.gitignore

@@ -1,11 +1,15 @@
 build/
+build32/
+build64/
 ssl/test/runner/runner
+*.pyc
 *.swp
 *.swo
 doc/*.html
 doc/doc.css
 
-util/bot/android_tools
+util/bot/android_ndk
+util/bot/android_sdk/public
 util/bot/cmake-linux64
 util/bot/cmake-linux64.tar.gz
 util/bot/cmake-mac
@@ -14,11 +18,15 @@ util/bot/cmake-win32
 util/bot/cmake-win32.zip
 util/bot/golang
 util/bot/gyp
-util/bot/libFuzzer
+util/bot/libcxx
+util/bot/libcxxabi
 util/bot/llvm-build
+util/bot/nasm-win32.exe
 util/bot/perl-win32
 util/bot/perl-win32.zip
 util/bot/sde-linux64
 util/bot/sde-linux64.tar.bz2
+util/bot/sde-win32
+util/bot/sde-win32.tar.bz2
 util/bot/win_toolchain.json
 util/bot/yasm-win32.exe

API-CONVENTIONS.md

@@ -98,7 +98,10 @@ objects. `bssl::UniquePtr<T>`, like other types, is forward-declared in
 `openssl/base.h`. Code that needs access to the free functions, such as code
 which destroys a `bssl::UniquePtr`, must include the corresponding module's
 header. (This matches `std::unique_ptr`'s relationship with forward
-declarations.)
+declarations.) Note, despite the name, `bssl::UniquePtr` is also used with
+reference-counted types. It owns a single reference to the object. To take an
+additional reference, use the `bssl::UpRef` function, which will return a
+separate `bssl::UniquePtr`.
 
 
 ### Stack-allocated types
@@ -175,6 +178,67 @@ These are usually for low-level cryptographic operations. These types may be
 used freely without special cleanup conventions.
 
 
+### Ownership and lifetime
+
+When working with allocated objects, it is important to think about *ownership*
+of each object, or what code is responsible for releasing it. This matches the
+corresponding notion in higher-level languages like C++ and Rust.
+
+Ownership applies to both uniquely-owned types and reference-counted types. For
+the latter, ownership means the code is responsible for releasing one
+reference. Note a *reference* in BoringSSL refers to an increment (and eventual
+decrement) of an object's reference count, not `T&` in C++. Thus, to "take a
+reference" means to increment the reference count and take ownership of
+decrementing it.
+
+As BoringSSL's APIs are primarily in C, ownership and lifetime obligations are
+not rigorously annotated in the type signatures or checked at compile-time.
+Instead, they are described in
+[API documentation](https://commondatastorage.googleapis.com/chromium-boringssl-docs/headers.html).
+This section describes some conventions.
+
+Unless otherwise documented, functions do not take ownership of pointer
+arguments. The pointer typically must remain valid for the duration of the
+function call. The function may internally copy information from the argument or
+take a reference, but the caller is free to release its copy or reference at any
+point after the call completes.
+
+A function may instead be documented to *take* or *transfer* ownership of a
+pointer. The caller must own the object before the function call and, after
+transfer, no longer owns it. As a corollary, the caller may no longer reference
+the object without a separate guarantee on the lifetime. The function may even
+release the object before returning. Callers that wish to independently retain a
+transfered object must therefore take a reference or make a copy before
+transferring. Callers should also take note of whether the function is
+documented to transfer pointers unconditionally or only on success. Unlike C++
+and Rust, functions in BoringSSL typically only transfer on success.
+
+Likewise, output pointers may be owning or non-owning. Unless otherwise
+documented, functions output non-owning pointers. The caller is not responsible
+for releasing the output pointer, but it must not use the pointer beyond its
+lifetime. The pointer may be released when the parent object is released or even
+sooner on state change in the parent object.
+
+If documented to output a *newly-allocated* object or a *reference* or *copy* of
+one, the caller is responsible for releasing the object when it is done.
+
+By convention, functions named `get0` return non-owning pointers. Functions
+named `new` or `get1` return owning pointers. Functions named `set0` take
+ownership of arguments. Functions named `set1` do not. They typically take a
+reference or make a copy internally. These names originally referred to the
+effect on a reference count, but the convention applies equally to
+non-reference-counted types.
+
+API documentation may also describe more complex obligations. For instance, an
+object may borrow a pointer for longer than the duration of a single function
+call, in which case the caller must ensure the lifetime extends accordingly.
+
+Memory errors are one of the most common and dangerous bugs in C and C++, so
+callers are encouraged to make use of tools such as
+[AddressSanitizer](https://clang.llvm.org/docs/AddressSanitizer.html) and
+higher-level languages.
+
+
 ## Thread safety
 
 BoringSSL is internally aware of the platform threading library and calls into

BREAKING-CHANGES.md

@@ -0,0 +1,88 @@
+# How to change BoringSSL's API
+
+BoringSSL has more flexibility in changing things than many other library projects because we have a reasonable idea of who our users are. Still, breaking changes require some care. We depend on tight feedback loops with our consumers so that we can learn about mistakes and fix them. For that to work, updating BoringSSL must be smooth.
+
+Ultimately, the strategy for each breaking change is decided on a case-by-case basis. This document provides guidelines and techniques to help with a smooth transition.
+
+## Breakage risk
+
+Traditionally, breaking changes are defined in terms of API or ABI surface. Exposed symbols and type signatures cannot change, etc. But this is a poor approximation of the true impact. Removing an API may not a breaking change if no one is using it. Conversely, [Hyrum's Law](http://www.hyrumslaw.com/) applies. Fixing a bug may be a breaking change for some consumer which was depending on that bug.
+
+Thus, we do not think about whether a change is formally a breaking change, but about the *risk* of it breaking someone.
+
+Some changes, such as internal cleanups or bug-fixes, are low risk and do not need special measures. Any problems can be handled when the affected consumer updates BoringSSL and notices.
+
+Other changes, such as removing an API, forbidding some edge case, or adjusting some behavior, are more likely to break things. To help the consumer triage any resulting failures, include some text in the commit message, prefixed by `Update-Note: `. This can include what this change may break and instructions on how to fix the issue.
+
+## Code Search
+
+The vast majority of BoringSSL consumers are conveniently indexed in various Code Search instances. This can predict the impact of a risky change and identify code to fix ahead of time. The document “How to Code Search” in the (Google-only) [go/boringssl-folder](https://goto.google.com/boringssl-folder) includes notes on this.
+
+## Evaluate a change's cost
+
+If some change has high cost (from having to fix consumers) and relatively little benefit to BoringSSL, it may not be worth the trouble. For instance, it is likely not worth removing a small compatibility function in the corner of the library that is easily dropped by the static linker.
+
+Conversely, a change that leads to a major improvement to all BoringSSL consumers, at the cost of fixing one or two consumers, is typically worth it.
+
+## Fixing consumers
+
+If code search reveals call sites that are definitely going to break, prefer to handle these before making the change. While unexpected breakage is always possible, we generally consider it the responsibility of the developer or group making a change to handle impact of that change. Teams are generally unhappy to be surprised by new migration work but happy to have migration work done for them.
+
+In most cases, this is straightforward:
+
+1. Add the replacement API.
+2. As the replacement API enters each consuming repository, migrate callers to it.
+3. Remove the original API once all consumers have been migrated.
+
+The removal should still include an `Update-Note` tag, in case some were missed.
+
+In some cases, this kind of staged approach is not feasible: perhaps the same code cannot simultaneously work before and after the change, or perhaps there are too many different versions in play. For instance, [Conscrypt](https://github.com/google/conscrypt) feeds into three different repositories. The GitHub repository consumes BoringSSL's `master` branch directly. It is pushed into Android, where it consumes Android's `external/boringssl`. Yet another copy is pushed into the internal repository, where it consumes that copy of BoringSSL. As each of these Conscrypts are updated independently from their corresponding BoringSSLs, Conscrypt upstream cannot rely on a new BoringSSL API until it is present in all copies of BoringSSL its downstreams rely on.
+
+In that case, a multi-sided change may be more appropriate:
+
+1. Upload the breaking change to Gerrit, but do not submit it yet. Increment the `BORINGSSL_API_VERSION` symbol.
+2. Update the consuming repository with `#if BORINGSSL_API_VERSION < N` preprocessor logic. Leave a comment to remove this later, linking to your BoringSSL change.
+3. When the `BORINGSSL_API_VERSION` check has propagated to relevant copies of the consuming repository, submit the BoringSSL change.
+4. When the BoringSSL change has propagated to relevant copies of BoringSSL, remove the staging logic from the consumer.
+
+Finally, in some cases, the consumer's change may be committed atomically with the BoringSSL update. This can only be done for code which only consumes one instance of BoringSSL (so the Conscrypt example above is not eligible). Check with that project's maintainer first or, better, be that project's maintainer.
+
+If more complex changes are needed in some consumer, communicate with the relevant maintainers to plan the transition.
+
+## Fail early, fail closed
+
+When breaking changes do occur, they should fail as early and as detectably as possible.
+
+Ideally, problematic consumers fail to compile. Prefer to remove functions completely over leaving an always failing stub function. Sometimes this is not possible due to other consumers, particularly bindings libraries. Alternatively, if a stub function can be reasonably justified as still satisfying the API constraints, consider adding one to improve compatibility. For example, BoringSSL has many no-op stubs corresponding to OpenSSL's many initialization functions.
+
+If some parameter now must be `NULL`, change the type to an opaque struct pointer. Consumers passing non-`NULL` pointers will then fail to compile.
+
+If breaking the compile is not feasible, break at runtime, in the hope that consumers have some amount of test coverage. When doing so, try to fail on the common case. In particular, do not rely on consumers adequately testing or even checking for failure cases. One strategy is to bring the object into a &ldquo;poison&rdquo; state: if an illegal operation occurs, set a flag to fail all subsequent ones.
+
+In other functions, it may be appropriate to simply call `abort()`.
+
+## Unexpected breakage
+
+While we try to avoid breaking things, sometimes things unexpectedly break. Depending on the impact, we may fix the consumer, make a small fix to BoringSSL, or revert the change to either try again later or revise the approach.
+
+If we do not ultimately fix the consumer, add a test in BoringSSL to capture the unexpected API contract, so future regressions are caught quickly.
+
+## Canary changes and bake time
+
+When planning a large project that depends on a breaking change, prefer to make the breaking change first&mdash;before committing larger changes. Or, when changing toolchain or language requirements, add a small instance of the dependency somewhere first then wait a couple of weeks for the change to appear in consumers. This ensures that reverting the change is still feasible if necessary.
+
+While we rely on a tight feedback loop with our consumers, there are a few consumers which update less frequently. For extremely risky changes, such as introducing C++ to a target, it may be prudent to wait much longer.
+
+## Third-party code
+
+In many cases, we are interested in changing behavior which came from OpenSSL. OpenSSL's API surface is huge, but only a small subset is actually used. So we can and occasionally do change these behaviors. This is more complex than changing BoringSSL-only behavior due to third-party code.
+
+We use BoringSSL with many third-party projects that normally use OpenSSL. Generally, we consider this our burden to make this work and do not encourage external projects to depend on BoringSSL. While we can and do maintain patches for this as necessary, it has overhead and so the cost of breaking third-party code is higher.
+
+We lean fairly strongly towards making changes to BoringSSL over patching third-party code, unless the third-party change fixes a security problem.
+
+Additionally, changing an OpenSSL API will not only affect third-party code we use today, but also any third-party code we use in the future. Thus Code Search is less useful as an absolute predictor, and the various other considerations in this document are more important.
+
+If the patch to support a BoringSSL change can be generally useful to the third-party project, send it upstream. For instance, it may use the APIs better, clean up code, or help support newer versions of OpenSSL. In general, we try to target compatibility with &ldquo;most&rdquo; &ldquo;well-behaved&rdquo; OpenSSL consumers.
+
+Finally, if some particular OpenSSL API or pattern is problematic to BoringSSL, it is likely problematic to OpenSSL too. Consider filing a bug with them to suggest a change, either in new code going forward or for the next API break. OpenSSL's release cycles and feedback loops are much longer than BoringSSL's, so this is usually not immediately useful, but it keeps the ecosystem moving in the right direction.

BUILDING.md

@@ -2,9 +2,17 @@
 
 ## Build Prerequisites
 
-  * [CMake](https://cmake.org/download/) 2.8.11 or later is required.
+The standalone CMake build is primarily intended for developers. If embedding
+BoringSSL into another project with a pre-existing build system, see
+[INCORPORATING.md](/INCORPORATING.md).
 
-  * Perl 5.6.1 or later is required. On Windows,
+Unless otherwise noted, build tools must at most five years old, matching
+[Abseil guidelines](https://abseil.io/about/compatibility). If in doubt, use the
+most recent stable version of each tool.
+
+  * [CMake](https://cmake.org/download/) 3.0 or later is required.
+
+  * A recent version of Perl is required. On Windows,
     [Active State Perl](http://www.activestate.com/activeperl/) has been
     reported to work, as has MSYS Perl.
     [Strawberry Perl](http://strawberryperl.com/) also works but it adds GCC
@@ -13,27 +21,27 @@
     If Perl is not found by CMake, it may be configured explicitly by setting
     `PERL_EXECUTABLE`.
 
-  * On Windows you currently must use [Ninja](https://ninja-build.org/)
-    to build; on other platforms, it is not required, but recommended, because
-    it makes builds faster.
+  * Building with [Ninja](https://ninja-build.org/) instead of Make is
+    recommended, because it makes builds faster. On Windows, CMake's Visual
+    Studio generator may also work, but it not tested regularly and requires
+    recent versions of CMake for assembly support.
 
-  * If you need to build Ninja from source, then a recent version of
-    [Python](https://www.python.org/downloads/) is required (Python 2.7.5 works).
-
-  * On Windows only, [Yasm](http://yasm.tortall.net/) is required. If not found
+  * On Windows only, [NASM](https://www.nasm.us/) is required. If not found
     by CMake, it may be configured explicitly by setting
     `CMAKE_ASM_NASM_COMPILER`.
 
-  * A C compiler is required. On Windows, MSVC 14 (Visual Studio 2015) or later
-    with Platform SDK 8.1 or later are supported. Recent versions of GCC (4.8+)
-    and Clang should work on non-Windows platforms, and maybe on Windows too.
-    To build the tests, you also need a C++ compiler with C++11 support.
+  * C and C++ compilers with C++11 support are required. On Windows, MSVC 14
+    (Visual Studio 2015) or later with Platform SDK 8.1 or later are supported.
+    Recent versions of GCC (4.8+) and Clang should work on non-Windows
+    platforms, and maybe on Windows too.
 
-  * [Go](https://golang.org/dl/) is required. If not found by CMake, the go
-    executable may be configured explicitly by setting `GO_EXECUTABLE`.
+  * The most recent stable version of [Go](https://golang.org/dl/) is required.
+    Note Go is exempt from the five year support window. If not found by CMake,
+    the go executable may be configured explicitly by setting `GO_EXECUTABLE`.
 
-  * To build the x86 and x86\_64 assembly, your assembler must support AVX2
-    instructions and MOVBE. If using GNU binutils, you must have 2.22 or later
+  * On x86_64 Linux, the tests have an optional
+    [libunwind](https://www.nongnu.org/libunwind/) dependency to test the
+    assembly more thoroughly.
 
 ## Building
 
@@ -79,14 +87,15 @@ for other variables which may be used to configure the build.
 
 ### Building for Android
 
-It's possible to build BoringSSL with the Android NDK using CMake. This has
-been tested with version 10d of the NDK.
+It's possible to build BoringSSL with the Android NDK using CMake. Recent
+versions of the NDK include a CMake toolchain file which works with CMake 3.6.0
+or later. This has been tested with version r16b of the NDK.
 
 Unpack the Android NDK somewhere and export `ANDROID_NDK` to point to the
 directory. Then make a build directory as above and run CMake like this:
 
     cmake -DANDROID_ABI=armeabi-v7a \
-          -DCMAKE_TOOLCHAIN_FILE=../third_party/android-cmake/android.toolchain.cmake \
+          -DCMAKE_TOOLCHAIN_FILE=${ANDROID_NDK}/build/cmake/android.toolchain.cmake \
           -DANDROID_NATIVE_API_LEVEL=16 \
           -GNinja ..
 
@@ -94,7 +103,22 @@ Once you've run that, Ninja should produce Android-compatible binaries.  You
 can replace `armeabi-v7a` in the above with `arm64-v8a` and use API level 21 or
 higher to build aarch64 binaries.
 
-For other options, see [android-cmake's documentation](./third_party/android-cmake/README.md).
+For other options, see the documentation in the toolchain file.
+
+To debug the resulting binaries on an Android device with `gdb`, run the
+commands below. Replace `ARCH` with the architecture of the target device, e.g.
+`arm` or `arm64`.
+
+    adb push ${ANDROID_NDK}/prebuilt/android-ARCH/gdbserver/gdbserver \
+        /data/local/tmp
+    adb forward tcp:5039 tcp:5039
+    adb shell /data/local/tmp/gdbserver :5039 /path/on/device/to/binary
+
+Then run the following in a separate shell. Replace `HOST` with the OS and
+architecture of the host machine, e.g. `linux-x86_64`.
+
+    ${ANDROID_NDK}/prebuilt/HOST/bin/gdb
+    target remote :5039  # in gdb
 
 ### Building for iOS
 
@@ -105,6 +129,32 @@ architecture, matching values used in the `-arch` flag in Apple's toolchain.
 Passing multiple architectures for a multiple-architecture build is not
 supported.
 
+### Building with Prefixed Symbols
+
+BoringSSL's build system has experimental support for adding a custom prefix to
+all symbols. This can be useful when linking multiple versions of BoringSSL in
+the same project to avoid symbol conflicts.
+
+In order to build with prefixed symbols, the `BORINGSSL_PREFIX` CMake variable
+should specify the prefix to add to all symbols, and the
+`BORINGSSL_PREFIX_SYMBOLS` CMake variable should specify the path to a file
+which contains a list of symbols which should be prefixed (one per line;
+comments are supported with `#`). In other words, `cmake ..
+-DBORINGSSL_PREFIX=MY_CUSTOM_PREFIX
+-DBORINGSSL_PREFIX_SYMBOLS=/path/to/symbols.txt` will configure the build to add
+the prefix `MY_CUSTOM_PREFIX` to all of the symbols listed in
+`/path/to/symbols.txt`.
+
+It is currently the caller's responsibility to create and maintain the list of
+symbols to be prefixed. Alternatively, `util/read_symbols.go` reads the list of
+exported symbols from a `.a` file, and can be used in a build script to generate
+the symbol list on the fly (by building without prefixing, using
+`read_symbols.go` to construct a symbol list, and then building again with
+prefixing).
+
+This mechanism is under development and may change over time. Please contact the
+BoringSSL maintainers if making use of it.
+
 ## Known Limitations on Windows
 
   * Versions of CMake since 3.0.2 have a bug in its Ninja generator that causes
@@ -145,19 +195,14 @@ corresponding ARM feature.
 Note that if a feature is enabled in this way, but not actually supported at
 run-time, BoringSSL will likely crash.
 
-## Assembling ARMv8 with Clang
+## Binary Size
 
-In order to support the ARMv8 crypto instructions, Clang requires that the
-architecture be `armv8-a+crypto`. However, setting that as a general build flag
-would allow the compiler to assume that crypto instructions are *always*
-supported, even without testing for them.
+The implementations of some algorithms require a trade-off between binary size
+and performance. For instance, BoringSSL's fastest P-256 implementation uses a
+148 KiB pre-computed table. To optimize instead for binary size, pass
+`-DOPENSSL_SMALL=1` to CMake or define the `OPENSSL_SMALL` preprocessor symbol.
 
-It's possible to set the architecture in an assembly file using the `.arch`
-directive, but only very recent versions of Clang support this. If
-`BORINGSSL_CLANG_SUPPORTS_DOT_ARCH` is defined then `.arch` directives will be
-used with Clang, otherwise you may need to craft acceptable assembler flags.
-
-# Running tests
+# Running Tests
 
 There are two sets of tests: the C/C++ tests and the blackbox tests. For former
 are built by Ninja and can be run from the top-level directory with `go run

CMakeLists.txt

@@ -1,7 +1,7 @@
-cmake_minimum_required (VERSION 2.8.11)
+cmake_minimum_required(VERSION 3.3)
 
 # Defer enabling C and CXX languages.
-project (BoringSSL NONE)
+project(BoringSSL NONE)
 
 if(WIN32)
   # On Windows, prefer cl over gcc if both are available. By default most of
@@ -14,6 +14,11 @@ include(sources.cmake)
 enable_language(C)
 enable_language(CXX)
 
+# This is a dummy target which all other targets depend on (manually - see other
+# CMakeLists.txt files). This gives us a hook to add any targets which need to
+# run before all other targets.
+add_custom_target(global_target)
+
 if(ANDROID)
   # Android-NDK CMake files reconfigure the path and so Go and Perl won't be
   # found. However, ninja will still find them in $PATH if we just name them.
@@ -28,28 +33,133 @@ else()
   find_program(GO_EXECUTABLE go)
 endif()
 
-if (NOT GO_EXECUTABLE)
+if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND NOT CMAKE_CROSSCOMPILING)
+  find_package(PkgConfig QUIET)
+  if (PkgConfig_FOUND)
+    pkg_check_modules(LIBUNWIND libunwind-generic)
+    if(LIBUNWIND_FOUND)
+      add_definitions(-DBORINGSSL_HAVE_LIBUNWIND)
+    else()
+      message("libunwind not found. Disabling unwind tests.")
+    endif()
+  else()
+    message("pkgconfig not found. Disabling unwind tests.")
+  endif()
+endif()
+
+if(NOT GO_EXECUTABLE)
   message(FATAL_ERROR "Could not find Go")
 endif()
 
-if (BORINGSSL_ALLOW_CXX_RUNTIME)
+if(USE_CUSTOM_LIBCXX)
+  set(BORINGSSL_ALLOW_CXX_RUNTIME 1)
+endif()
+
+if(BORINGSSL_ALLOW_CXX_RUNTIME)
   add_definitions(-DBORINGSSL_ALLOW_CXX_RUNTIME)
 endif()
 
-if(CMAKE_COMPILER_IS_GNUCXX OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-  set(C_CXX_FLAGS "-Wall -Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -ggdb -fvisibility=hidden -fno-common")
-  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_LOWER)
+if(NOT FIPS)
+  if(CMAKE_BUILD_TYPE_LOWER STREQUAL "relwithassert" OR
+     NOT CMAKE_BUILD_TYPE_LOWER MATCHES "rel")
+    add_definitions(-DBORINGSSL_DISPATCH_TEST)
+    # CMake automatically connects include_directories to the NASM
+    # command-line, but not add_definitions.
+    set(CMAKE_ASM_NASM_FLAGS "${CMAKE_ASM_NASM_FLAGS} -DBORINGSSL_DISPATCH_TEST")
+  endif()
+endif()
+
+# Add a RelWithAsserts build configuration. It is the same as Release, except it
+# does not define NDEBUG, so asserts run.
+foreach(VAR CMAKE_C_FLAGS CMAKE_CXX_FLAGS CMAKE_ASM_FLAGS)
+  string(REGEX REPLACE "(^| )[/-]DNDEBUG( |$)" " " "${VAR}_RELWITHASSERTS"
+         "${${VAR}_RELEASE}")
+endforeach()
+
+if(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_SYMBOLS)
+  add_definitions(-DBORINGSSL_PREFIX=${BORINGSSL_PREFIX})
+  # CMake automatically connects include_directories to the NASM command-line,
+  # but not add_definitions.
+  set(CMAKE_ASM_NASM_FLAGS "${CMAKE_ASM_NASM_FLAGS} -DBORINGSSL_PREFIX=${BORINGSSL_PREFIX}")
+
+  # Use "symbol_prefix_include" to store generated header files
+  include_directories(${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include)
+  add_custom_command(
+    OUTPUT symbol_prefix_include/boringssl_prefix_symbols.h
+           symbol_prefix_include/boringssl_prefix_symbols_asm.h
+           symbol_prefix_include/boringssl_prefix_symbols_nasm.inc
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include
+    COMMAND ${GO_EXECUTABLE} run ${CMAKE_CURRENT_SOURCE_DIR}/util/make_prefix_headers.go -out ${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include ${BORINGSSL_PREFIX_SYMBOLS}
+    DEPENDS util/make_prefix_headers.go
+            ${CMAKE_BINARY_DIR}/${BORINGSSL_PREFIX_SYMBOLS})
+
+  # add_dependencies needs a target, not a file, so we add an intermediate
+  # target.
+  add_custom_target(
+    boringssl_prefix_symbols
+    DEPENDS symbol_prefix_include/boringssl_prefix_symbols.h
+            symbol_prefix_include/boringssl_prefix_symbols_asm.h
+            symbol_prefix_include/boringssl_prefix_symbols_nasm.inc)
+  add_dependencies(global_target boringssl_prefix_symbols)
+elseif(BORINGSSL_PREFIX OR BORINGSSL_PREFIX_SYMBOLS)
+  message(FATAL_ERROR "Must specify both or neither of BORINGSSL_PREFIX and BORINGSSL_PREFIX_SYMBOLS")
+endif()
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  set(CLANG 1)
+endif()
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Emscripten")
+  set(EMSCRIPTEN 1)
+endif()
+
+if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
+  # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration
+  # primarily on our normal Clang one.
+  set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla")
+  if(MSVC)
+    # clang-cl sets different default warnings than clang. It also treats -Wall
+    # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall.
+    # See http://llvm.org/viewvc/llvm-project?view=revision&revision=319116
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -W3 -Wno-unused-parameter -fmsc-version=1900")
+    # googletest suppresses warning C4996 via a pragma, but clang-cl does not
+    # honor it. Suppress it here to compensate. See https://crbug.com/772117.
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-deprecated-declarations")
+  else()
+    if(EMSCRIPTEN)
+      # emscripten's emcc/clang does not accept the "-ggdb" flag.
+      set(C_CXX_FLAGS "${C_CXX_FLAGS} -g")
+    else()
+      set(C_CXX_FLAGS "${C_CXX_FLAGS} -ggdb")
+    endif()
+
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wall -fvisibility=hidden -fno-common")
+  endif()
+
+  if(CLANG)
     set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof -fcolor-diagnostics")
   else()
     # GCC (at least 4.8.4) has a bug where it'll find unreachable free() calls
     # and declare that the code is trying to free a stack pointer.
     set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-free-nonheap-object")
   endif()
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${C_CXX_FLAGS} -Wmissing-prototypes -Wold-style-definition -Wstrict-prototypes")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 ${C_CXX_FLAGS} -Wmissing-declarations")
 
-  if(NOT BORINGSSL_ALLOW_CXX_RUNTIME)
-    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions -fno-rtti")
+  if(CLANG OR NOT "7.0.0" VERSION_GREATER CMAKE_C_COMPILER_VERSION)
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wimplicit-fallthrough")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${C_CXX_FLAGS} -Wmissing-prototypes -Wold-style-definition -Wstrict-prototypes")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${C_CXX_FLAGS} -Wmissing-declarations")
+
+  if(NOT MSVC)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11")
+    if(APPLE)
+      set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -stdlib=libc++")
+    endif()
+    if(NOT BORINGSSL_ALLOW_CXX_RUNTIME)
+      set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions -fno-rtti")
+    endif()
   endif()
 
   # In GCC, -Wmissing-declarations is the C++ spelling of -Wmissing-prototypes
@@ -59,9 +169,14 @@ if(CMAKE_COMPILER_IS_GNUCXX OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
   # https://gcc.gnu.org/onlinedocs/gcc-7.1.0/gcc/Warning-Options.html#Warning-Options
   # https://clang.llvm.org/docs/DiagnosticsReference.html#wmissing-prototypes
   # https://clang.llvm.org/docs/DiagnosticsReference.html#wmissing-declarations
-  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wmissing-prototypes -Wimplicit-fallthrough")
+  if(CLANG)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wmissing-prototypes")
   endif()
+
+  if(CMAKE_COMPILER_IS_GNUCXX AND "4.8" VERSION_GREATER CMAKE_C_COMPILER_VERSION)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-array-bounds")
+  endif()
+
 elseif(MSVC)
   set(MSVC_DISABLED_WARNINGS_LIST
       "C4061" # enumerator 'identifier' in switch of enum 'enumeration' is not
@@ -78,8 +193,6 @@ elseif(MSVC)
               # possible loss of data
       "C4244" # 'function' : conversion from 'int' to 'uint8_t',
               # possible loss of data
-      "C4245" # 'initializing' : conversion from 'long' to
-              # 'unsigned long', signed/unsigned mismatch
       "C4267" # conversion from 'size_t' to 'int', possible loss of data
       "C4371" # layout of class may have changed from a previous version of the
               # compiler due to better packing of member '...'
@@ -102,6 +215,7 @@ elseif(MSVC)
               # copy constructor is inaccessible or deleted
       "C4626" # assignment operator could not be generated because a base class
               # assignment operator is inaccessible or deleted
+      "C4628" # digraphs not supported with -Ze
       "C4668" # 'symbol' is not defined as a preprocessor macro, replacing with
               # '0' for 'directives'
               # Disable this because GTest uses it everywhere.
@@ -113,6 +227,8 @@ elseif(MSVC)
       "C4820" # 'bytes' bytes padding added after construct 'member_name'
       "C5026" # move constructor was implicitly defined as deleted
       "C5027" # move assignment operator was implicitly defined as deleted
+      "C5045" # Compiler will insert Spectre mitigation for memory load if
+              # /Qspectre switch specified
       )
   set(MSVC_LEVEL4_WARNINGS_LIST
       # See https://connect.microsoft.com/VisualStudio/feedback/details/1217660/warning-c4265-when-using-functional-header
@@ -122,9 +238,8 @@ elseif(MSVC)
                             ${MSVC_DISABLED_WARNINGS_LIST})
   string(REPLACE "C" " -w4" MSVC_LEVEL4_WARNINGS_STR
                             ${MSVC_LEVEL4_WARNINGS_LIST})
-  set(CMAKE_C_FLAGS   "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
-  set(CMAKE_CXX_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
-  set(CMAKE_ASM_NASM_FLAGS "-g cv8")
+  set(CMAKE_C_FLAGS   "-utf-8 -Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
+  set(CMAKE_CXX_FLAGS "-utf-8 -Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
 endif()
 
 if(WIN32)
@@ -134,18 +249,19 @@ if(WIN32)
   # Allow use of fopen.
   add_definitions(-D_CRT_SECURE_NO_WARNINGS)
   # VS 2017 and higher supports STL-only warning suppressions.
+  # A bug in CMake < 3.13.0 may cause the space in this value to
+  # cause issues when building with NASM. In that case, update CMake.
   add_definitions("-D_STL_EXTRA_DISABLED_WARNINGS=4774 4987")
 endif()
 
 if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.7.99") OR
-   CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+   CLANG)
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wshadow")
 endif()
 
 if(CMAKE_COMPILER_IS_GNUCXX)
-  if ((CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.8.99") OR
-      CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  if((CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.8.99") OR CLANG)
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11")
   else()
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99")
@@ -158,10 +274,14 @@ if(NOT WIN32)
 endif()
 
 if(FUZZ)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  if(NOT CLANG)
     message(FATAL_ERROR "You need to build with Clang for fuzzing to work")
   endif()
 
+  if(CMAKE_C_COMPILER_VERSION VERSION_LESS "6.0.0")
+    message(FATAL_ERROR "You need Clang ≥ 6.0.0")
+  endif()
+
   add_definitions(-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE)
   set(RUNNER_ARGS "-deterministic")
 
@@ -170,46 +290,86 @@ if(FUZZ)
     set(RUNNER_ARGS ${RUNNER_ARGS} "-fuzzer" "-shim-config" "fuzzer_mode.json")
   endif()
 
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-pc-guard")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-pc-guard")
-  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address")
-  link_directories(.)
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address,fuzzer-no-link -fsanitize-coverage=edge,indirect-calls")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address,fuzzer-no-link -fsanitize-coverage=edge,indirect-calls")
 endif()
 
 add_definitions(-DBORINGSSL_IMPLEMENTATION)
 
-if (BUILD_SHARED_LIBS)
+if(BUILD_SHARED_LIBS)
   add_definitions(-DBORINGSSL_SHARED_LIBRARY)
   # Enable position-independent code globally. This is needed because
   # some library targets are OBJECT libraries.
   set(CMAKE_POSITION_INDEPENDENT_CODE TRUE)
 endif()
 
-if (MSAN)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+if(MSAN)
+  if(NOT CLANG)
     message(FATAL_ERROR "Cannot enable MSAN unless using Clang")
   endif()
 
-  if (ASAN)
+  if(ASAN)
     message(FATAL_ERROR "ASAN and MSAN are mutually exclusive")
   endif()
 
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
-  set(OPENSSL_NO_ASM "1")
+  set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
 endif()
 
-if (ASAN)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+if(ASAN)
+  if(NOT CLANG)
     message(FATAL_ERROR "Cannot enable ASAN unless using Clang")
   endif()
 
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-address-use-after-scope -fno-omit-frame-pointer")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-address-use-after-scope -fno-omit-frame-pointer")
+endif()
+
+if(CFI)
+  if(NOT CLANG)
+    message(FATAL_ERROR "Cannot enable CFI unless using Clang")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=cfi -fno-sanitize-trap=cfi -flto=thin")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=cfi -fno-sanitize-trap=cfi -flto=thin")
+  # We use Chromium's copy of clang, which requires -fuse-ld=lld if building
+  # with -flto. That, in turn, can't handle -ggdb.
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fuse-ld=lld")
+  string(REPLACE "-ggdb" "-g" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+  string(REPLACE "-ggdb" "-g" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
+  # -flto causes object files to contain LLVM bitcode. Mixing those with
+  # assembly output in the same static library breaks the linker.
   set(OPENSSL_NO_ASM "1")
 endif()
 
-if (GCOV)
+if(TSAN)
+  if(NOT CLANG)
+    message(FATAL_ERROR "Cannot enable TSAN unless using Clang")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=thread")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=thread")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=thread")
+endif()
+
+if(UBSAN)
+  if(NOT CLANG)
+    message(FATAL_ERROR "Cannot enable UBSAN unless using Clang")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=undefined")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=undefined")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=undefined")
+
+  if(NOT UBSAN_RECOVER)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-sanitize-recover=undefined")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-sanitize-recover=undefined")
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fno-sanitize-recover=undefined")
+  endif()
+endif()
+
+if(GCOV)
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
 endif()
@@ -219,79 +379,193 @@ if(FIPS)
   if(FIPS_BREAK_TEST)
     add_definitions("-DBORINGSSL_FIPS_BREAK_${FIPS_BREAK_TEST}=1")
   endif()
-  # Delocate does not work for ASan and MSan builds.
+  # The FIPS integrity check does not work for ASan and MSan builds.
   if(NOT ASAN AND NOT MSAN)
-    set(FIPS_DELOCATE "1")
+    if(BUILD_SHARED_LIBS)
+      set(FIPS_SHARED "1")
+    else()
+      set(FIPS_DELOCATE "1")
+    endif()
+  endif()
+  if(FIPS_SHARED)
+    # The Android CMake files set -ffunction-sections and -fdata-sections,
+    # which is incompatible with FIPS_SHARED.
+    set(CMAKE_C_FLAGS
+        "${CMAKE_C_FLAGS} -fno-function-sections -fno-data-sections")
+    set(CMAKE_CXX_FLAGS
+        "${CMAKE_CXX_FLAGS} -fno-function-sections -fno-data-sections")
   endif()
 endif()
 
+if(OPENSSL_SMALL)
+  add_definitions(-DOPENSSL_SMALL)
+endif()
+
+if(CONSTANT_TIME_VALIDATION)
+  add_definitions(-DBORINGSSL_CONSTANT_TIME_VALIDATION)
+  # Asserts will often test secret data.
+  add_definitions(-DNDEBUG)
+endif()
+
+function(go_executable dest package)
+  set(godeps "${CMAKE_SOURCE_DIR}/util/godeps.go")
+  if(${CMAKE_VERSION} VERSION_LESS "3.7" OR
+     NOT ${CMAKE_GENERATOR} STREQUAL "Ninja")
+    # The DEPFILE parameter to add_custom_command is new as of CMake 3.7 and
+    # only works with Ninja. Query the sources at configure time. Additionally,
+    # everything depends on go.mod. That affects what external packages to use.
+    execute_process(COMMAND ${GO_EXECUTABLE} run ${godeps} -format cmake
+                            -pkg ${package}
+                    WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+                    OUTPUT_VARIABLE sources
+                    RESULT_VARIABLE godeps_result)
+    add_custom_command(OUTPUT ${dest}
+                       COMMAND ${GO_EXECUTABLE} build
+                               -o ${CMAKE_CURRENT_BINARY_DIR}/${dest} ${package}
+                       WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+                       DEPENDS ${sources} ${CMAKE_SOURCE_DIR}/go.mod)
+  else()
+    # Ninja expects the target in the depfile to match the output. This is a
+    # relative path from the build directory.
+    string(LENGTH "${CMAKE_BINARY_DIR}" root_dir_length)
+    math(EXPR root_dir_length "${root_dir_length} + 1")
+    string(SUBSTRING "${CMAKE_CURRENT_BINARY_DIR}" ${root_dir_length} -1 target)
+    set(target "${target}/${dest}")
+
+    set(depfile "${CMAKE_CURRENT_BINARY_DIR}/${dest}.d")
+    add_custom_command(OUTPUT ${dest}
+                       COMMAND ${GO_EXECUTABLE} build
+                               -o ${CMAKE_CURRENT_BINARY_DIR}/${dest} ${package}
+                       COMMAND ${GO_EXECUTABLE} run ${godeps} -format depfile
+                               -target ${target} -pkg ${package} -out ${depfile}
+                       WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+                       DEPENDS ${godeps} ${CMAKE_SOURCE_DIR}/go.mod
+                       DEPFILE ${depfile})
+  endif()
+endfunction()
+
 # CMake's iOS support uses Apple's multiple-architecture toolchain. It takes an
 # architecture list from CMAKE_OSX_ARCHITECTURES, leaves CMAKE_SYSTEM_PROCESSOR
 # alone, and expects all architecture-specific logic to be conditioned within
 # the source files rather than the build. This does not work for our assembly
 # files, so we fix CMAKE_SYSTEM_PROCESSOR and only support single-architecture
 # builds.
-if (NOT OPENSSL_NO_ASM AND CMAKE_OSX_ARCHITECTURES)
+if(NOT OPENSSL_NO_ASM AND CMAKE_OSX_ARCHITECTURES)
   list(LENGTH CMAKE_OSX_ARCHITECTURES NUM_ARCHES)
-  if (NOT ${NUM_ARCHES} EQUAL 1)
+  if(NOT ${NUM_ARCHES} EQUAL 1)
     message(FATAL_ERROR "Universal binaries not supported.")
   endif()
   list(GET CMAKE_OSX_ARCHITECTURES 0 CMAKE_SYSTEM_PROCESSOR)
 endif()
 
-if (OPENSSL_NO_ASM)
+if(OPENSSL_NO_SSE2_FOR_TESTING)
+  add_definitions(-DOPENSSL_NO_SSE2_FOR_TESTING)
+endif()
+
+if(OPENSSL_NO_ASM)
   add_definitions(-DOPENSSL_NO_ASM)
   set(ARCH "generic")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
   set(ARCH "x86_64")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "amd64")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "amd64")
   set(ARCH "x86_64")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "AMD64")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "AMD64")
   # cmake reports AMD64 on Windows, but we might be building for 32-bit.
-  if (CMAKE_CL_64)
+  if(CMAKE_SIZEOF_VOID_P EQUAL 8)
     set(ARCH "x86_64")
   else()
     set(ARCH "x86")
   endif()
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86")
   set(ARCH "x86")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i386")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i386")
   set(ARCH "x86")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i686")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i686")
   set(ARCH "x86")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
   set(ARCH "aarch64")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm64")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm64")
   set(ARCH "aarch64")
-elseif (${CMAKE_SYSTEM_PROCESSOR} MATCHES "^arm*")
+# Apple A12 Bionic chipset which is added in iPhone XS/XS Max/XR uses arm64e architecture.
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm64e")
+  set(ARCH "aarch64")
+elseif(${CMAKE_SYSTEM_PROCESSOR} MATCHES "^arm*")
   set(ARCH "arm")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "mips")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "mips")
   # Just to avoid the “unknown processor” error.
   set(ARCH "generic")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "ppc64le")
+elseif(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "ppc64le")
   set(ARCH "ppc64le")
 else()
   message(FATAL_ERROR "Unknown processor:" ${CMAKE_SYSTEM_PROCESSOR})
 endif()
 
-if (ANDROID AND ${ARCH} STREQUAL "arm")
-  # The Android-NDK CMake files somehow fail to set the -march flag for
-  # assembly files. Without this flag, the compiler believes that it's
+if(ANDROID AND NOT ANDROID_NDK_REVISION AND ${ARCH} STREQUAL "arm")
+  # The third-party Android-NDK CMake files somehow fail to set the -march flag
+  # for assembly files. Without this flag, the compiler believes that it's
   # building for ARMv5.
-  set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -march=${CMAKE_SYSTEM_PROCESSOR}")
+  set(CMAKE_ASM_FLAGS "-march=${CMAKE_SYSTEM_PROCESSOR} ${CMAKE_ASM_FLAGS}")
 endif()
 
-if (${ARCH} STREQUAL "x86" AND APPLE)
-  # With CMake 2.8.x, ${CMAKE_SYSTEM_PROCESSOR} evalutes to i386 on OS X,
-  # but clang defaults to 64-bit builds on OS X unless otherwise told.
-  # Set ARCH to x86_64 so clang and CMake agree. This is fixed in CMake 3.
-  set(ARCH "x86_64")
+if(USE_CUSTOM_LIBCXX)
+  if(NOT CLANG)
+    message(FATAL_ERROR "USE_CUSTOM_LIBCXX only supported with Clang")
+  endif()
+
+  # CMAKE_CXX_FLAGS ends up in the linker flags as well, so use
+  # add_compile_options. There does not appear to be a way to set
+  # language-specific compile-only flags.
+  add_compile_options("-nostdinc++")
+  set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} -nostdlib++")
+  include_directories(
+    SYSTEM
+    util/bot/libcxx/include
+    util/bot/libcxxabi/include
+  )
+
+  # This is patterned after buildtools/third_party/libc++/BUILD.gn and
+  # buildtools/third_party/libc++abi/BUILD.gn in Chromium.
+
+  file(GLOB LIBCXX_SOURCES "util/bot/libcxx/src/*.cpp")
+  file(GLOB LIBCXXABI_SOURCES "util/bot/libcxxabi/src/*.cpp")
+
+  # This file is meant for exception-less builds.
+  list(REMOVE_ITEM LIBCXXABI_SOURCES "trunk/src/cxa_noexception.cpp")
+  # libc++ also defines new and delete.
+  list(REMOVE_ITEM LIBCXXABI_SOURCES "trunk/src/stdlib_new_delete.cpp")
+  if(TSAN)
+    # ThreadSanitizer tries to intercept these symbols. Skip them to avoid
+    # symbol conflicts.
+    list(REMOVE_ITEM LIBCXXABI_SOURCES "trunk/src/cxa_guard.cpp")
+  endif()
+
+  add_library(libcxxabi ${LIBCXXABI_SOURCES})
+  target_compile_definitions(
+    libcxxabi PRIVATE
+    -D_LIBCPP_ENABLE_CXX17_REMOVED_UNEXPECTED_FUNCTIONS
+  )
+  set_target_properties(libcxxabi PROPERTIES COMPILE_FLAGS "-Wno-missing-prototypes -Wno-implicit-fallthrough")
+
+  add_library(libcxx ${LIBCXX_SOURCES})
+  if(ASAN OR MSAN OR TSAN)
+    # Sanitizers try to intercept new and delete.
+    target_compile_definitions(
+      libcxx PRIVATE
+      -D_LIBCPP_DISABLE_NEW_DELETE_DEFINITIONS
+    )
+  endif()
+  target_compile_definitions(
+    libcxx PRIVATE
+    -D_LIBCPP_BUILDING_LIBRARY
+    -DLIBCXX_BUILDING_LIBCXXABI
+  )
+  target_link_libraries(libcxx libcxxabi)
 endif()
 
 # Add minimal googletest targets. The provided one has many side-effects, and
 # googletest has a very straightforward build.
-add_library(gtest third_party/googletest/src/gtest-all.cc)
-target_include_directories(gtest PRIVATE third_party/googletest)
+add_library(boringssl_gtest third_party/googletest/src/gtest-all.cc)
+target_include_directories(boringssl_gtest PRIVATE third_party/googletest)
 
 include_directories(third_party/googletest/include)
 
@@ -299,10 +573,21 @@ include_directories(third_party/googletest/include)
 # themselves as dependencies next to the target definition.
 add_custom_target(all_tests)
 
+# On Windows, CRYPTO_TEST_DATA is too long to fit in command-line limits.
+# TODO(davidben): CMake 3.12 has a list(JOIN) command. Use that when we've
+# updated the minimum version.
+set(EMBED_TEST_DATA_ARGS "")
+foreach(arg ${CRYPTO_TEST_DATA})
+  set(EMBED_TEST_DATA_ARGS "${EMBED_TEST_DATA_ARGS}${arg}\n")
+endforeach()
+file(WRITE "${CMAKE_CURRENT_BINARY_DIR}/embed_test_data_args.txt"
+     "${EMBED_TEST_DATA_ARGS}")
+
 add_custom_command(
   OUTPUT crypto_test_data.cc
-  COMMAND ${GO_EXECUTABLE} run util/embed_test_data.go ${CRYPTO_TEST_DATA} >
-  ${CMAKE_CURRENT_BINARY_DIR}/crypto_test_data.cc
+  COMMAND ${GO_EXECUTABLE} run util/embed_test_data.go -file-list
+          "${CMAKE_CURRENT_BINARY_DIR}/embed_test_data_args.txt" >
+          "${CMAKE_CURRENT_BINARY_DIR}/crypto_test_data.cc"
   DEPENDS util/embed_test_data.go ${CRYPTO_TEST_DATA}
   WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
 
@@ -311,8 +596,9 @@ add_library(crypto_test_data OBJECT crypto_test_data.cc)
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(ssl/test)
-add_subdirectory(fipstools)
 add_subdirectory(tool)
+add_subdirectory(util/fipstools/cavp)
+add_subdirectory(util/fipstools/acvp/modulewrapper)
 add_subdirectory(decrepit)
 
 if(FUZZ)
@@ -327,9 +613,8 @@ if(FUZZ)
   add_subdirectory(fuzz)
 endif()
 
-if (NOT ${CMAKE_VERSION} VERSION_LESS "3.2")
-  # USES_TERMINAL is only available in CMake 3.2 or later.
-  set(MAYBE_USES_TERMINAL USES_TERMINAL)
+if(UNIX AND NOT APPLE AND NOT ANDROID)
+  set(HANDSHAKER_ARGS "-handshaker-path" $<TARGET_FILE:handshaker>)
 endif()
 
 add_custom_target(
@@ -338,7 +623,7 @@ add_custom_target(
             ${CMAKE_BINARY_DIR}
     COMMAND cd ssl/test/runner &&
             ${GO_EXECUTABLE} test -shim-path $<TARGET_FILE:bssl_shim>
-              ${RUNNER_ARGS}
+              ${HANDSHAKER_ARGS} ${RUNNER_ARGS}
     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}
-    DEPENDS all_tests bssl_shim
-    ${MAYBE_USES_TERMINAL})
+    DEPENDS all_tests bssl_shim handshaker
+    USES_TERMINAL)

FUZZING.md

@@ -2,23 +2,17 @@
 
 Modern fuzz testers are very effective and we wish to use them to ensure that no silly bugs creep into BoringSSL.
 
-We primarily use Clang's [libFuzzer](http://llvm.org/docs/LibFuzzer.html) for fuzz testing and there are a number of fuzz testing functions in `fuzz/`. They are not built by default because they require libFuzzer at build time.
+We use Clang's [libFuzzer](http://llvm.org/docs/LibFuzzer.html) for fuzz testing and there are a number of fuzz testing functions in `fuzz/`. They are not built by default because they require that the rest of BoringSSL be built with some changes that make fuzzing much more effective, but are completely unsafe for real use.
 
-In order to build the fuzz tests you will need at least Clang 3.7. Pass `-DFUZZ=1` on the CMake command line to enable building BoringSSL with coverage and AddressSanitizer, and to build the fuzz test binaries. You'll probably need to set the `CC` and `CXX` environment variables too, like this:
+In order to build the fuzz tests you will need at least Clang 6.0. Pass `-DFUZZ=1` on the CMake command line to enable building BoringSSL with coverage and AddressSanitizer, and to build the fuzz test binaries. You'll probably need to set the `CC` and `CXX` environment variables too, like this:
 
 ```
+mkdir build
+cd build
 CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 ..
+ninja
 ```
 
-In order for the fuzz tests to link, the linker needs to find libFuzzer. This is not commonly provided and you may need to download the [Clang source code](http://llvm.org/releases/download.html) and do the following:
-
-```
-svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
-clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
-ar ruv libFuzzer.a Fuzzer*.o
-```
-
-Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory.
 
 From the `build/` directory, you can then run the fuzzers. For example:
 
@@ -32,6 +26,8 @@ The recommended values of `max_len` for each test are:
 
 | Test          | `max_len` value |
 |---------------|-----------------|
+| `bn_div`      | 384             |
+| `bn_mod_exp`  | 4096            |
 | `cert`        | 10000           |
 | `client`      | 20000           |
 | `pkcs8`       | 2048            |

INCORPORATING.md

@@ -37,7 +37,7 @@ updating things more complex.
 
 BoringSSL is designed to work with many different build systems. Currently,
 different projects use [GYP](https://gyp.gsrc.io/),
-[GN](https://chromium.googlesource.com/chromium/src/+/master/tools/gn/docs/quick_start.md),
+[GN](https://gn.googlesource.com/gn/+/master/docs/quick_start.md),
 [Bazel](https://bazel.build/) and [Make](https://www.gnu.org/software/make/)  to
 build BoringSSL, without too much pain.
 

LICENSE

@@ -5,8 +5,9 @@ license. This license is reproduced at the bottom of this file.
 Contributors to BoringSSL are required to follow the CLA rules for Chromium:
 https://cla.developers.google.com/clas
 
-Some files from Intel are under yet another license, which is also included
-underneath.
+Files in third_party/ have their own licenses, as described therein. The MIT
+license, for third_party/fiat, which, unlike other third_party directories, is
+compiled into non-test libraries, is included below.
 
 The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the
 OpenSSL License and the original SSLeay license apply to the toolkit. See below
@@ -156,37 +157,95 @@ ISC license used for completely new code in BoringSSL:
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
 
-Some files from Intel carry the following license:
+The code in third_party/fiat carries the MIT license:
 
-# Copyright (c) 2012, Intel Corporation
-#
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#
-# *  Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-#
-# *  Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the
-#    distribution.
-#
-# *  Neither the name of the Intel Corporation nor the names of its
-#    contributors may be used to endorse or promote products derived from
-#    this software without specific prior written permission.
-#
-#
-# THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
-# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
-# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
-# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+Copyright (c) 2015-2016 the fiat-crypto authors (see
+https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS).
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+Licenses for support code
+-------------------------
+
+Parts of the TLS test suite are under the Go license. This code is not included
+in BoringSSL (i.e. libcrypto and libssl) when compiled, however, so
+distributing code linked against BoringSSL does not trigger this license:
+
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+BoringSSL uses the Chromium test infrastructure to run a continuous build,
+trybots etc. The scripts which manage this, and the script for generating build
+metadata, are under the Chromium license. Distributing code linked against
+BoringSSL does not trigger this license.
+
+Copyright 2015 The Chromium Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PORTING.md

@@ -6,17 +6,27 @@ BoringSSL support, provided they do not use removed APIs. In general, see if the
 library compiles and, on failure, consult the documentation in the header files
 and see if problematic features can be removed.
 
-In some cases, BoringSSL-specific code may be necessary. In that case, the
-`OPENSSL_IS_BORINGSSL` preprocessor macro may be used in `#ifdef`s. This macro
-should also be used in lieu of the presence of any particular function to detect
-OpenSSL vs BoringSSL in configure scripts, etc., where those are necessary.
-Before using the preprocessor, however, contact the BoringSSL maintainers about
-the missing APIs. If not an intentionally removed feature, BoringSSL will
-typically add compatibility functions for convenience.
+BoringSSL's `OPENSSL_VERSION_NUMBER` matches the OpenSSL version it targets.
+Version checks for OpenSSL should ideally work as-is in BoringSSL. BoringSSL
+also defines upstream's `OPENSSL_NO_*` feature macros corresponding to removed
+features. If the preprocessor is needed, use these version checks or feature
+macros where possible, especially when patching third-party projects. Such
+patches are more generally useful to OpenSSL consumers and thus more
+appropriate to send upstream.
 
-For convenience, BoringSSL defines upstream's `OPENSSL_NO_*` feature macros
-corresponding to removed features. These may also be used to disable code which
-uses a removed feature.
+In some cases, BoringSSL-specific code may be necessary. Use the
+`OPENSSL_IS_BORINGSSL` preprocessor macro in `#ifdef`s. However, first contact
+the BoringSSL maintainers about the missing APIs. We will typically add
+compatibility functions for convenience. In particular, *contact BoringSSL
+maintainers before working around missing OpenSSL 1.1.0 accessors*. BoringSSL
+was originally derived from OpenSSL 1.0.2 but now targets OpenSSL 1.1.0. Some
+newer APIs may be missing but can be added on request. (Not all projects have
+been ported to OpenSSL 1.1.0, so BoringSSL also remains largely compatible with
+OpenSSL 1.0.2.)
+
+The `OPENSSL_IS_BORINGSSL` macro may also be used to distinguish OpenSSL from
+BoringSSL in configure scripts. Do not use the presence or absence of particular
+symbols to detect BoringSSL.
 
 Note: BoringSSL does *not* have a stable API or ABI. It must be updated with its
 consumers. It is not suitable for, say, a system library in a traditional Linux
@@ -39,15 +49,19 @@ code, particularly to avoid compiler warnings.
 Most notably, the `STACK_OF(T)` types have all been converted to use `size_t`
 instead of `int` for indices and lengths.
 
-### Reference counts
+### Reference counts and opaque types
 
 Some external consumers increment reference counts directly by calling
-`CRYPTO_add` with the corresponding `CRYPTO_LOCK_*` value.
+`CRYPTO_add` with the corresponding `CRYPTO_LOCK_*` value. These APIs no longer
+exist in BoringSSL. Instead, code which increments reference counts should call
+the corresponding `FOO_up_ref` function, such as `EVP_PKEY_up_ref`.
 
-These APIs no longer exist in BoringSSL. Instead, code which increments
-reference counts should call the corresponding `FOO_up_ref` function, such as
-`EVP_PKEY_up_ref`. Note that not all of these APIs are present in OpenSSL and
-may require `#ifdef`s.
+BoringSSL also hides some structs which were previously exposed in OpenSSL
+1.0.2, particularly in libssl. Use the relevant accessors instead.
+
+Note that some of these APIs were added in OpenSSL 1.1.0, so projects which do
+not yet support 1.1.0 may need additional `#ifdef`s. Projects supporting OpenSSL
+1.1.0 should not require modification.
 
 ### Error codes
 
@@ -109,7 +123,7 @@ feature, so BoringSSL rejects peer renegotiations by default.
 
 To enable renegotiation, call `SSL_set_renegotiate_mode` and set it to
 `ssl_renegotiate_once` or `ssl_renegotiate_freely`. Renegotiation is only
-supported as a client in SSL3/TLS and the HelloRequest must be received at a
+supported as a client in TLS and the HelloRequest must be received at a
 quiet point in the application protocol. This is sufficient to support the
 common use of requesting a new client certificate between an HTTP request and
 response in (unpipelined) HTTP/1.1.
@@ -165,6 +179,17 @@ recommended to avoid the `out` parameter completely and always pass in `NULL`.
 Note that less error-prone APIs are available for BoringSSL-specific code (see
 below).
 
+### Memory allocation
+
+OpenSSL provides wrappers `OPENSSL_malloc` and `OPENSSL_free` over the standard
+`malloc` and `free`. Memory allocated by OpenSSL should be released with
+`OPENSSL_free`, not the standard `free`. However, by default, they are
+implemented directly using `malloc` and `free`, so code which mixes them up
+usually works.
+
+In BoringSSL, these functions maintain additional book-keeping to zero memory
+on `OPENSSL_free`, so any mixups must be fixed.
+
 ## Optional BoringSSL-specific simplifications
 
 BoringSSL makes some changes to OpenSSL which simplify the API but remain
@@ -185,7 +210,7 @@ strings and loading algorithms, etc. All of these functions still exist in
 BoringSSL for convenience, but they do nothing and are not necessary.
 
 The one exception is `CRYPTO_library_init`. In `BORINGSSL_NO_STATIC_INITIALIZER`
-builds, it must be called to query CPU capabitilies before the rest of the
+builds, it must be called to query CPU capabilities before the rest of the
 library. In the default configuration, this is done with a static initializer
 and is also unnecessary.
 

README.md

@@ -21,6 +21,13 @@ these patches in multiple places was growing steadily.
 Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's
 not part of the NDK) and a number of other apps/programs.
 
+Project links:
+
+  * [API documentation](https://commondatastorage.googleapis.com/chromium-boringssl-docs/headers.html)
+  * [Bug tracker](https://bugs.chromium.org/p/boringssl/issues/list)
+  * [CI](https://ci.chromium.org/p/boringssl/g/main/console)
+  * [Code review](https://boringssl-review.googlesource.com)
+
 There are other files in this directory which might be helpful:
 
   * [PORTING.md](/PORTING.md): how to port OpenSSL-using code to BoringSSL.
@@ -31,3 +38,5 @@ There are other files in this directory which might be helpful:
   * include/openssl: public headers with API documentation in comments. Also [available online](https://commondatastorage.googleapis.com/chromium-boringssl-docs/headers.html).
   * [FUZZING.md](/FUZZING.md): information about fuzzing BoringSSL.
   * [CONTRIBUTING.md](/CONTRIBUTING.md): how to contribute to BoringSSL.
+  * [BREAKING-CHANGES.md](/BREAKING-CHANGES.md): notes on potentially-breaking changes.
+  * [SANDBOXING.md](/SANDBOXING.md): notes on using BoringSSL in a sandboxed environment.

SANDBOXING.md

@@ -0,0 +1,138 @@
+# Using BoringSSL in a Sandbox
+
+Sandboxes are a valuable tool for securing applications, so BoringSSL aims to
+support them. However, it is difficult to make concrete API guarantees with
+sandboxes. Sandboxes remove low-level OS resources and system calls, which
+breaks platform abstractions. A syscall-filtering sandbox may, for instance, be
+sensitive to otherwise non-breaking changes to use newer syscalls
+in either BoringSSL or the C library.
+
+Some functions in BoringSSL, such as `BIO_new_file`, inherently need OS
+resources like the filesystem. We assume that sandboxed consumers either avoid
+those functions or make necessary resources available. Other functions like
+`RSA_sign` are purely computational, but still have some baseline OS
+dependencies.
+
+Sandboxes which drop privileges partway through a process's lifetime are
+additionally sensitive to OS resources retained across the transitions. For
+instance, if a library function internally opened and retained a handle to the
+user's home directory, and then the application called `chroot`, that handle
+would be a sandbox escape.
+
+This document attempts to describe these baseline OS dependencies and long-lived
+internal resources. These dependencies may change over time, but we aim to
+[work with sandboxed consumers](/BREAKING-CHANGES.md) when they do. However,
+each sandbox imposes different constraints, so, above all, sandboxed consumers
+must have ample test coverage to detect issues as they arise.
+
+## Baseline dependencies
+
+Callers must assume that any BoringSSL function may perform one of the following
+operations:
+
+### Memory allocation
+
+Any BoringSSL function may allocate memory via `malloc` and related functions.
+
+### Thread synchronization
+
+Any BoringSSL function may call into the platform's thread synchronization
+primitives, including read/write locks and the equivalent of `pthread_once`.
+These must succeed, or BoringSSL will abort the process. Callers, however, can
+assume that BoringSSL functions will not spawn internal threads, unless
+otherwise documented.
+
+Syscall-filtering sandboxes should note that BoringSSL uses `pthread_rwlock_t`
+on POSIX systems, which is less common and may not be part of other libraries'
+syscall surface. Additionally, thread synchronization primitives usually have an
+atomics-based fast path. If a sandbox blocks a necessary pthreads syscall, it
+may not show up in testing without lock contention.
+
+### Standard error
+
+Any BoringSSL function may write to `stderr` or file descriptor
+`STDERR_FILENO` (2), either via `FILE` APIs or low-level functions like `write`.
+Writes to `stderr` may fail, but there must some file at `STDERR_FILENO` which
+will tolerate error messages from BoringSSL. (The file descriptor must be
+allocated so calls to `open` do not accidentally open something else there.)
+
+Note some C standard library implementations also log to `stderr`, so callers
+should ensure this regardless.
+
+### Entropy
+
+Any BoringSSL function may draw entropy from the OS. On Windows, this uses
+`RtlGenRandom` and, on POSIX systems, this uses `getrandom`, `getentropy`, or a
+`read` from a file descriptor to `/dev/urandom`. These operations must succeed
+or BoringSSL will abort the process. BoringSSL only probes for `getrandom`
+support once and assumes support is consistent for the lifetime of the address
+space (and any copies made via `fork`). If a syscall-filtering sandbox is
+enabled partway through this lifetime and changes whether `getrandom` works,
+BoringSSL may abort the process. Sandboxes are recommended to allow
+`getrandom`.
+
+Note even deterministic algorithms may require OS entropy. For example,
+RSASSA-PKCS1-v1_5 is deterministic, but BoringSSL draws entropy to implement
+RSA blinding.
+
+Entropy gathering additionally has some initialization dependencies described in
+the following section.
+
+## Initialization
+
+BoringSSL has some uncommon OS dependencies which are only used once to
+initialize some state. Sandboxes which drop privileges after some setup work may
+use `CRYPTO_pre_sandbox_init` to initialize this state ahead of time. Otherwise,
+callers must assume any BoringSSL function may depend on these resources, in
+addition to the operations above.
+
+### CPU capabilities
+
+On Linux ARM platforms, BoringSSL depends on OS APIs to query CPU capabilities.
+32-bit and 64-bit ARM both depend on the `getauxval` function. 32-bit ARM, to
+work around bugs in older Android devices, may additionally read `/proc/cpuinfo`
+and `/proc/self/auxv`.
+
+If querying CPU capabilities fails, BoringSSL will still function, but may not
+perform as well.
+
+### Entropy
+
+On Linux systems without a working `getrandom`, drawing entropy from the OS
+additionally requires opening `/dev/urandom`. If this fails, BoringSSL will
+abort the process. BoringSSL retains the resulting file descriptor, even across
+privilege transitions.
+
+### Fork protection
+
+On Linux, BoringSSL allocates a page and calls `madvise` with `MADV_WIPEONFORK`
+to protect single-use state from `fork`. This operation must not crash, but if
+it fails, BoringSSL will use alternate fork-safety strategies, potentially at a
+performance cost. If it succeeds, BoringSSL assumes `MADV_WIPEONFORK` is
+functional and relies on it for fork-safety. Sandboxes must not report success
+if they ignore the `MADV_WIPEONFORK` flag. As of writing, QEMU will ignore
+`madvise` calls and report success, so BoringSSL detects this by calling
+`madvise` with -1. Sandboxes must cleanly report an error instead of crashing.
+
+Once initialized, this mechanism does not require system calls in the steady
+state, though note the configured page will be inherited across privilege
+transitions.
+
+## C and C++ standard library
+
+BoringSSL depends on the C and C++ standard libraries which, themselves, do not
+make any guarantees about sandboxes. If it produces the correct answer and has
+no observable invalid side effects, it is possible, though unreasonable, for
+`memcmp` to create and close a socket.
+
+BoringSSL assumes that functions in the C and C++ library only have the platform
+dependencies which would be "reasonable". For instance, a function in BoringSSL
+which aims not to open files will still freely call any libc memory and
+string functions.
+
+Note some C functions, such as `strerror`, may read files relating to the user's
+locale. BoringSSL may trigger these paths and assumes the sandbox environment
+will tolerate this. BoringSSL additionally cannot make guarantees about which
+system calls are used by standard library's syscall wrappers. In some cases, the
+compiler may add dependencies. (Some C++ language features emit locking code.)
+Syscall-filtering sandboxes may need updates as these dependencies change.

STYLE.md

@@ -31,10 +31,10 @@ Variable declarations in the middle of a function or inside a `for` loop are
 allowed and preferred where possible. Note that the common `goto err` cleanup
 pattern requires lifting some variable declarations.
 
-Comments should be `/* C-style */` for consistency.
+Comments should be `// C99-style` for consistency with C++.
 
-When declaration pointer types, `*` should be placed next to the variable
-name, not the type. So
+When declaring pointer types, `*` should be placed next to the variable name,
+not the type. So
 
     uint8_t *ptr;
 
@@ -60,6 +60,19 @@ constants for flags. If adding values to an existing set of `#define`s,
 continue with `#define`.
 
 
+## libssl
+
+libssl was originally written in C but is being incrementally rewritten in
+C++11. As of writing, much of the style matches our C conventions rather than
+Google C++. Additionally, libssl on Linux currently may not depend on the C++
+runtime. See the C++ utilities in `ssl/internal.h` for replacements for
+problematic C++ constructs. The `util/check_imported_libraries.go` script may be
+used with a shared library build to check if a new construct is okay.
+
+If unsure, match surrounding code. Discrepancies between it and Google C++ style
+will be fixed over time.
+
+
 ## Formatting
 
 Single-statement blocks are not allowed. All conditions and loops must
@@ -185,23 +198,23 @@ behavior of the function. Pay special note to success/failure behaviors
 and caller obligations on object lifetimes. If this sacrifices
 conciseness, consider simplifying the function's behavior.
 
-    /* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
-     * will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
-     * zero otherwise. */
+    // EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
+    // will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
+    // zero otherwise.
     OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,
                                               size_t len);
 
 Explicitly mention any surprising edge cases or deviations from common
 return value patterns in legacy functions.
 
-    /* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
-     * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
-     * least |RSA_size| bytes of space. It returns the number of bytes written, or
-     * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
-     * values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
-     *
-     * WARNING: this function is dangerous because it breaks the usual return value
-     * convention. Use |RSA_sign_raw| instead. */
+    // RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
+    // |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
+    // least |RSA_size| bytes of space. It returns the number of bytes written, or
+    // -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
+    // values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
+    //
+    // WARNING: this function is dangerous because it breaks the usual return value
+    // convention. Use |RSA_sign_raw| instead.
     OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from,
                                            uint8_t *to, RSA *rsa, int padding);
 

codereview.settings

@@ -1,4 +1,4 @@
-# This file is used by gcl to get repository specific information. 
+# This file is used by "git cl" to get repository specific information.
 GERRIT_HOST: True
 GERRIT_PORT: True
 CODE_REVIEW_SERVER: https://boringssl-review.googlesource.com

crypto/CMakeLists.txt

@@ -2,27 +2,27 @@ include_directories(../include)
 
 if(NOT OPENSSL_NO_ASM)
   if(UNIX)
-    if (${ARCH} STREQUAL "aarch64")
+    if(${ARCH} STREQUAL "aarch64")
       # The "armx" Perl scripts look for "64" in the style argument
       # in order to decide whether to generate 32- or 64-bit asm.
-      if (APPLE)
+      if(APPLE)
         set(PERLASM_STYLE ios64)
       else()
         set(PERLASM_STYLE linux64)
       endif()
-    elseif (${ARCH} STREQUAL "arm")
-      if (APPLE)
+    elseif(${ARCH} STREQUAL "arm")
+      if(APPLE)
         set(PERLASM_STYLE ios32)
       else()
         set(PERLASM_STYLE linux32)
       endif()
-    elseif (${ARCH} STREQUAL "ppc64le")
+    elseif(${ARCH} STREQUAL "ppc64le")
       set(PERLASM_STYLE linux64le)
     else()
-      if (${ARCH} STREQUAL "x86")
+      if(${ARCH} STREQUAL "x86")
         set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
       endif()
-      if (APPLE)
+      if(APPLE)
         set(PERLASM_STYLE macosx)
       else()
         set(PERLASM_STYLE elf)
@@ -38,21 +38,22 @@ if(NOT OPENSSL_NO_ASM)
     endif()
 
     # CMake does not add -isysroot and -arch flags to assembly.
-    if (APPLE)
-      if (CMAKE_OSX_SYSROOT)
-        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -isysroot ${CMAKE_OSX_SYSROOT}")
+    if(APPLE)
+      if(CMAKE_OSX_SYSROOT)
+        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -isysroot \"${CMAKE_OSX_SYSROOT}\"")
       endif()
       foreach(arch ${CMAKE_OSX_ARCHITECTURES})
         set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -arch ${arch}")
       endforeach()
     endif()
   else()
-    if (${ARCH} STREQUAL "x86_64")
+    if(${ARCH} STREQUAL "x86_64")
       set(PERLASM_STYLE nasm)
     else()
       set(PERLASM_STYLE win32n)
       set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
     endif()
+    set(CMAKE_ASM_NASM_FLAGS "${CMAKE_ASM_NASM_FLAGS} -gcv8")
 
     # On Windows, we use the NASM output, specifically built with Yasm.
     set(ASM_EXT asm)
@@ -61,8 +62,14 @@ if(NOT OPENSSL_NO_ASM)
 endif()
 
 function(perlasm dest src)
+  get_filename_component(dir ${dest} DIRECTORY)
+  if ("${dir}" STREQUAL "")
+    set(dir ".")
+  endif()
+
   add_custom_command(
     OUTPUT ${dest}
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${dir}
     COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/${src} ${PERLASM_STYLE} ${PERLASM_FLAGS} ${ARGN} ${dest}
     DEPENDS
     ${src}
@@ -77,79 +84,10 @@ function(perlasm dest src)
   )
 endfunction()
 
-# Level 0.1 - depends on nothing outside this set.
-add_subdirectory(stack)
-add_subdirectory(lhash)
-add_subdirectory(err)
-add_subdirectory(buf)
-add_subdirectory(base64)
-add_subdirectory(bytestring)
-add_subdirectory(pool)
-
-# Level 0.2 - depends on nothing but itself
-add_subdirectory(rc4)
-add_subdirectory(conf)
-add_subdirectory(chacha)
-add_subdirectory(poly1305)
-add_subdirectory(curve25519)
-
-# Level 1, depends only on 0.*
-add_subdirectory(digest_extra)
-add_subdirectory(cipher_extra)
-add_subdirectory(rand_extra)
-add_subdirectory(bio)
-add_subdirectory(bn_extra)
-add_subdirectory(obj)
-add_subdirectory(asn1)
-
-# Level 2
-add_subdirectory(engine)
-add_subdirectory(dh)
-add_subdirectory(dsa)
-add_subdirectory(rsa_extra)
-add_subdirectory(ec_extra)
-add_subdirectory(ecdh)
-add_subdirectory(ecdsa_extra)
-
-# Level 3
-add_subdirectory(cmac)
-add_subdirectory(evp)
-add_subdirectory(hkdf)
-add_subdirectory(pem)
-add_subdirectory(x509)
-add_subdirectory(x509v3)
-
-# Level 4
-add_subdirectory(pkcs7)
-add_subdirectory(pkcs8)
-
-# Test support code
+add_subdirectory(fipsmodule)
 add_subdirectory(test)
 
-add_subdirectory(fipsmodule)
-
-add_library(
-  crypto_base
-
-  OBJECT
-
-  cpu-aarch64-linux.c
-  cpu-arm.c
-  cpu-arm-linux.c
-  cpu-intel.c
-  cpu-ppc64le.c
-  crypto.c
-  ex_data.c
-  mem.c
-  refcount_c11.c
-  refcount_lock.c
-  thread.c
-  thread_none.c
-  thread_pthread.c
-  thread_win.c
-)
-
-if(FIPS_DELOCATE)
+if(FIPS_DELOCATE OR FIPS_SHARED)
   SET_SOURCE_FILES_PROPERTIES(fipsmodule/bcm.o PROPERTIES EXTERNAL_OBJECT true)
   SET_SOURCE_FILES_PROPERTIES(fipsmodule/bcm.o PROPERTIES GENERATED true)
 
@@ -160,65 +98,396 @@ if(FIPS_DELOCATE)
   )
 endif()
 
+if(${ARCH} STREQUAL "arm")
+  set(
+    CRYPTO_ARCH_SOURCES
+
+    chacha/chacha-armv4.${ASM_EXT}
+    curve25519/asm/x25519-asm-arm.S
+    poly1305/poly1305_arm_asm.S
+    test/trampoline-armv4.${ASM_EXT}
+  )
+endif()
+
+if(${ARCH} STREQUAL "aarch64")
+  set(
+    CRYPTO_ARCH_SOURCES
+
+    chacha/chacha-armv8.${ASM_EXT}
+    test/trampoline-armv8.${ASM_EXT}
+  )
+endif()
+
+if(${ARCH} STREQUAL "ppc64le")
+  set(
+    CRYPTO_ARCH_SOURCES
+
+    test/trampoline-ppc.${ASM_EXT}
+  )
+endif()
+
+if(${ARCH} STREQUAL "x86")
+  set(
+    CRYPTO_ARCH_SOURCES
+
+    chacha/chacha-x86.${ASM_EXT}
+    test/trampoline-x86.${ASM_EXT}
+  )
+endif()
+
+if(${ARCH} STREQUAL "x86_64")
+  set(
+    CRYPTO_ARCH_SOURCES
+
+    chacha/chacha-x86_64.${ASM_EXT}
+    cipher_extra/aes128gcmsiv-x86_64.${ASM_EXT}
+    cipher_extra/chacha20_poly1305_x86_64.${ASM_EXT}
+    hrss/asm/poly_rq_mul.S
+    test/trampoline-x86_64.${ASM_EXT}
+  )
+endif()
+
+perlasm(chacha/chacha-armv4.${ASM_EXT} chacha/asm/chacha-armv4.pl)
+perlasm(chacha/chacha-armv8.${ASM_EXT} chacha/asm/chacha-armv8.pl)
+perlasm(chacha/chacha-x86.${ASM_EXT} chacha/asm/chacha-x86.pl)
+perlasm(chacha/chacha-x86_64.${ASM_EXT} chacha/asm/chacha-x86_64.pl)
+perlasm(cipher_extra/aes128gcmsiv-x86_64.${ASM_EXT} cipher_extra/asm/aes128gcmsiv-x86_64.pl)
+perlasm(cipher_extra/chacha20_poly1305_x86_64.${ASM_EXT} cipher_extra/asm/chacha20_poly1305_x86_64.pl)
+perlasm(test/trampoline-armv4.${ASM_EXT} test/asm/trampoline-armv4.pl)
+perlasm(test/trampoline-armv8.${ASM_EXT} test/asm/trampoline-armv8.pl)
+perlasm(test/trampoline-ppc.${ASM_EXT} test/asm/trampoline-ppc.pl)
+perlasm(test/trampoline-x86.${ASM_EXT} test/asm/trampoline-x86.pl)
+perlasm(test/trampoline-x86_64.${ASM_EXT} test/asm/trampoline-x86_64.pl)
+
+add_custom_command(
+  OUTPUT err_data.c
+  COMMAND ${GO_EXECUTABLE} run err_data_generate.go > ${CMAKE_CURRENT_BINARY_DIR}/err_data.c
+  DEPENDS
+  err/err_data_generate.go
+  err/asn1.errordata
+  err/bio.errordata
+  err/bn.errordata
+  err/cipher.errordata
+  err/conf.errordata
+  err/dh.errordata
+  err/digest.errordata
+  err/dsa.errordata
+  err/ecdh.errordata
+  err/ecdsa.errordata
+  err/ec.errordata
+  err/engine.errordata
+  err/evp.errordata
+  err/hkdf.errordata
+  err/obj.errordata
+  err/pem.errordata
+  err/pkcs7.errordata
+  err/pkcs8.errordata
+  err/rsa.errordata
+  err/ssl.errordata
+  err/trust_token.errordata
+  err/x509.errordata
+  err/x509v3.errordata
+  WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/err
+)
+
 add_library(
   crypto
 
-  $<TARGET_OBJECTS:crypto_base>
-  $<TARGET_OBJECTS:stack>
-  $<TARGET_OBJECTS:lhash>
-  $<TARGET_OBJECTS:err>
-  $<TARGET_OBJECTS:base64>
-  $<TARGET_OBJECTS:bytestring>
-  $<TARGET_OBJECTS:pool>
-  $<TARGET_OBJECTS:fipsmodule>
-  $<TARGET_OBJECTS:digest_extra>
-  $<TARGET_OBJECTS:cipher_extra>
-  $<TARGET_OBJECTS:rc4>
-  $<TARGET_OBJECTS:conf>
-  $<TARGET_OBJECTS:chacha>
-  $<TARGET_OBJECTS:poly1305>
-  $<TARGET_OBJECTS:curve25519>
-  $<TARGET_OBJECTS:buf>
-  $<TARGET_OBJECTS:bn_extra>
-  $<TARGET_OBJECTS:bio>
-  $<TARGET_OBJECTS:rand_extra>
-  $<TARGET_OBJECTS:obj>
-  $<TARGET_OBJECTS:asn1>
-  $<TARGET_OBJECTS:engine>
-  $<TARGET_OBJECTS:dh>
-  $<TARGET_OBJECTS:dsa>
-  $<TARGET_OBJECTS:rsa_extra>
-  $<TARGET_OBJECTS:ec_extra>
-  $<TARGET_OBJECTS:ecdh>
-  $<TARGET_OBJECTS:ecdsa_extra>
-  $<TARGET_OBJECTS:cmac>
-  $<TARGET_OBJECTS:evp>
-  $<TARGET_OBJECTS:hkdf>
-  $<TARGET_OBJECTS:pem>
-  $<TARGET_OBJECTS:x509>
-  $<TARGET_OBJECTS:x509v3>
-  $<TARGET_OBJECTS:pkcs7>
-  $<TARGET_OBJECTS:pkcs8_lib>
+  asn1/a_bitstr.c
+  asn1/a_bool.c
+  asn1/a_d2i_fp.c
+  asn1/a_dup.c
+  asn1/a_enum.c
+  asn1/a_gentm.c
+  asn1/a_i2d_fp.c
+  asn1/a_int.c
+  asn1/a_mbstr.c
+  asn1/a_object.c
+  asn1/a_octet.c
+  asn1/a_print.c
+  asn1/a_strnid.c
+  asn1/a_time.c
+  asn1/a_type.c
+  asn1/a_utctm.c
+  asn1/a_utf8.c
+  asn1/asn1_lib.c
+  asn1/asn1_par.c
+  asn1/asn_pack.c
+  asn1/f_enum.c
+  asn1/f_int.c
+  asn1/f_string.c
+  asn1/tasn_dec.c
+  asn1/tasn_enc.c
+  asn1/tasn_fre.c
+  asn1/tasn_new.c
+  asn1/tasn_typ.c
+  asn1/tasn_utl.c
+  asn1/time_support.c
+  base64/base64.c
+  bio/bio.c
+  bio/bio_mem.c
+  bio/connect.c
+  bio/fd.c
+  bio/file.c
+  bio/hexdump.c
+  bio/pair.c
+  bio/printf.c
+  bio/socket.c
+  bio/socket_helper.c
+  bn_extra/bn_asn1.c
+  bn_extra/convert.c
+  buf/buf.c
+  bytestring/asn1_compat.c
+  bytestring/ber.c
+  bytestring/cbb.c
+  bytestring/cbs.c
+  bytestring/unicode.c
+  chacha/chacha.c
+  cipher_extra/cipher_extra.c
+  cipher_extra/derive_key.c
+  cipher_extra/e_aesccm.c
+  cipher_extra/e_aesctrhmac.c
+  cipher_extra/e_aesgcmsiv.c
+  cipher_extra/e_chacha20poly1305.c
+  cipher_extra/e_null.c
+  cipher_extra/e_rc2.c
+  cipher_extra/e_rc4.c
+  cipher_extra/e_tls.c
+  cipher_extra/tls_cbc.c
+  cmac/cmac.c
+  conf/conf.c
+  cpu-aarch64-fuchsia.c
+  cpu-aarch64-linux.c
+  cpu-arm-linux.c
+  cpu-arm.c
+  cpu-intel.c
+  cpu-ppc64le.c
+  crypto.c
+  curve25519/curve25519.c
+  curve25519/spake25519.c
+  dh/dh.c
+  dh/params.c
+  dh/check.c
+  dh/dh_asn1.c
+  digest_extra/digest_extra.c
+  dsa/dsa.c
+  dsa/dsa_asn1.c
+  ecdh_extra/ecdh_extra.c
+  ecdsa_extra/ecdsa_asn1.c
+  ec_extra/ec_asn1.c
+  ec_extra/ec_derive.c
+  ec_extra/hash_to_curve.c
+  err/err.c
+  err_data.c
+  engine/engine.c
+  evp/digestsign.c
+  evp/evp.c
+  evp/evp_asn1.c
+  evp/evp_ctx.c
+  evp/p_dsa_asn1.c
+  evp/p_ec.c
+  evp/p_ec_asn1.c
+  evp/p_ed25519.c
+  evp/p_ed25519_asn1.c
+  evp/p_rsa.c
+  evp/p_rsa_asn1.c
+  evp/p_x25519.c
+  evp/p_x25519_asn1.c
+  evp/pbkdf.c
+  evp/print.c
+  evp/scrypt.c
+  evp/sign.c
+  ex_data.c
+  hkdf/hkdf.c
+  hpke/hpke.c
+  hrss/hrss.c
+  lhash/lhash.c
+  mem.c
+  obj/obj.c
+  obj/obj_xref.c
+  pem/pem_all.c
+  pem/pem_info.c
+  pem/pem_lib.c
+  pem/pem_oth.c
+  pem/pem_pk8.c
+  pem/pem_pkey.c
+  pem/pem_x509.c
+  pem/pem_xaux.c
+  pkcs7/pkcs7.c
+  pkcs7/pkcs7_x509.c
+  pkcs8/pkcs8.c
+  pkcs8/pkcs8_x509.c
+  pkcs8/p5_pbev2.c
+  poly1305/poly1305.c
+  poly1305/poly1305_arm.c
+  poly1305/poly1305_vec.c
+  pool/pool.c
+  rand_extra/deterministic.c
+  rand_extra/forkunsafe.c
+  rand_extra/fuchsia.c
+  rand_extra/rand_extra.c
+  rand_extra/windows.c
+  rc4/rc4.c
+  refcount_c11.c
+  refcount_lock.c
+  rsa_extra/rsa_asn1.c
+  rsa_extra/rsa_print.c
+  stack/stack.c
+  siphash/siphash.c
+  thread.c
+  thread_none.c
+  thread_pthread.c
+  thread_win.c
+  trust_token/pmbtoken.c
+  trust_token/trust_token.c
+  x509/a_digest.c
+  x509/a_sign.c
+  x509/a_strex.c
+  x509/a_verify.c
+  x509/algorithm.c
+  x509/asn1_gen.c
+  x509/by_dir.c
+  x509/by_file.c
+  x509/i2d_pr.c
+  x509/rsa_pss.c
+  x509/t_crl.c
+  x509/t_req.c
+  x509/t_x509.c
+  x509/t_x509a.c
+  x509/x509.c
+  x509/x509_att.c
+  x509/x509_cmp.c
+  x509/x509_d2.c
+  x509/x509_def.c
+  x509/x509_ext.c
+  x509/x509_lu.c
+  x509/x509_obj.c
+  x509/x509_r2x.c
+  x509/x509_req.c
+  x509/x509_set.c
+  x509/x509_trs.c
+  x509/x509_txt.c
+  x509/x509_v3.c
+  x509/x509_vfy.c
+  x509/x509_vpm.c
+  x509/x509cset.c
+  x509/x509name.c
+  x509/x509rset.c
+  x509/x509spki.c
+  x509/x_algor.c
+  x509/x_all.c
+  x509/x_attrib.c
+  x509/x_crl.c
+  x509/x_exten.c
+  x509/x_info.c
+  x509/x_name.c
+  x509/x_pkey.c
+  x509/x_pubkey.c
+  x509/x_req.c
+  x509/x_sig.c
+  x509/x_spki.c
+  x509/x_val.c
+  x509/x_x509.c
+  x509/x_x509a.c
+  x509v3/pcy_cache.c
+  x509v3/pcy_data.c
+  x509v3/pcy_lib.c
+  x509v3/pcy_map.c
+  x509v3/pcy_node.c
+  x509v3/pcy_tree.c
+  x509v3/v3_akey.c
+  x509v3/v3_akeya.c
+  x509v3/v3_alt.c
+  x509v3/v3_bcons.c
+  x509v3/v3_bitst.c
+  x509v3/v3_conf.c
+  x509v3/v3_cpols.c
+  x509v3/v3_crld.c
+  x509v3/v3_enum.c
+  x509v3/v3_extku.c
+  x509v3/v3_genn.c
+  x509v3/v3_ia5.c
+  x509v3/v3_info.c
+  x509v3/v3_int.c
+  x509v3/v3_lib.c
+  x509v3/v3_ncons.c
+  x509v3/v3_ocsp.c
+  x509v3/v3_pci.c
+  x509v3/v3_pcia.c
+  x509v3/v3_pcons.c
+  x509v3/v3_pku.c
+  x509v3/v3_pmaps.c
+  x509v3/v3_prn.c
+  x509v3/v3_purp.c
+  x509v3/v3_skey.c
+  x509v3/v3_sxnet.c
+  x509v3/v3_utl.c
 
+  $<TARGET_OBJECTS:fipsmodule>
+
+  ${CRYPTO_ARCH_SOURCES}
   ${CRYPTO_FIPS_OBJECTS}
 )
 
-if(FIPS_DELOCATE)
+if(FIPS_SHARED)
+  set(EXTRA_INJECT_HASH_ARGS)
+  if(ANDROID)
+    set(EXTRA_INJECT_HASH_ARGS "-sha256")
+  endif()
+  # Rewrite libcrypto.so to inject the correct module hash value. This assumes
+  # UNIX-style library naming, but we only support FIPS mode on Linux anyway.
+  add_custom_command(
+    TARGET crypto POST_BUILD
+    COMMAND ${GO_EXECUTABLE} run
+    ${CMAKE_CURRENT_SOURCE_DIR}/../util/fipstools/inject_hash/inject_hash.go
+    -o libcrypto.so -in-object libcrypto.so ${EXTRA_INJECT_HASH_ARGS}
+    # The DEPENDS argument to a POST_BUILD rule appears to be ignored. Thus
+    # go_executable isn't used (as it doesn't get built), but we list this
+    # dependency anyway in case it starts working in some CMake version.
+    DEPENDS ../util/fipstools/inject_hash/inject_hash.go
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+  )
+endif()
+
+add_dependencies(crypto global_target)
+
+if(FIPS_DELOCATE OR FIPS_SHARED)
   add_dependencies(crypto bcm_o_target)
 endif()
 
 SET_TARGET_PROPERTIES(crypto PROPERTIES LINKER_LANGUAGE C)
 
-if(NOT MSVC AND NOT ANDROID)
+if(NOT WIN32 AND NOT ANDROID)
   target_link_libraries(crypto pthread)
 endif()
 
-# TODO(davidben): Convert the remaining tests to GTest.
+# Every target depends on crypto, so we add libcxx as a dependency here to
+# simplify injecting it everywhere.
+if(USE_CUSTOM_LIBCXX)
+  target_link_libraries(crypto libcxx)
+endif()
+
+# urandom_test is a separate binary because it needs to be able to observe the
+# PRNG initialisation, which means that it can't have other tests running before
+# it does.
+add_executable(
+  urandom_test
+
+  fipsmodule/rand/urandom_test.cc
+)
+
+target_link_libraries(urandom_test test_support_lib boringssl_gtest crypto)
+
+add_dependencies(urandom_test global_target)
+add_dependencies(all_tests urandom_test)
+
 add_executable(
   crypto_test
 
+  abi_self_test.cc
   asn1/asn1_test.cc
   base64/base64_test.cc
+  buf/buf_test.cc
   bio/bio_test.cc
   bytestring/bytestring_test.cc
   chacha/chacha_test.cc
@@ -227,10 +496,11 @@ add_executable(
   cmac/cmac_test.cc
   compiler_test.cc
   constant_time_test.cc
+  cpu-arm-linux_test.cc
   curve25519/ed25519_test.cc
   curve25519/spake25519_test.cc
   curve25519/x25519_test.cc
-  ecdh/ecdh_test.cc
+  ecdh_extra/ecdh_test.cc
   dh/dh_test.cc
   digest_extra/digest_test.cc
   dsa/dsa_test.cc
@@ -244,32 +514,46 @@ add_executable(
   fipsmodule/ec/ec_test.cc
   fipsmodule/ec/p256-x86_64_test.cc
   fipsmodule/ecdsa/ecdsa_test.cc
+  fipsmodule/md5/md5_test.cc
   fipsmodule/modes/gcm_test.cc
   fipsmodule/rand/ctrdrbg_test.cc
+  fipsmodule/rand/fork_detect_test.cc
+  fipsmodule/sha/sha_test.cc
   hkdf/hkdf_test.cc
+  hpke/hpke_test.cc
   hmac_extra/hmac_test.cc
+  hrss/hrss_test.cc
+  impl_dispatch_test.cc
   lhash/lhash_test.cc
   obj/obj_test.cc
+  pem/pem_test.cc
   pkcs7/pkcs7_test.cc
   pkcs8/pkcs8_test.cc
   pkcs8/pkcs12_test.cc
   poly1305/poly1305_test.cc
   pool/pool_test.cc
+  rand_extra/rand_test.cc
   refcount_test.cc
   rsa_extra/rsa_test.cc
+  self_test.cc
+  stack/stack_test.cc
+  siphash/siphash_test.cc
   test/file_test_gtest.cc
   thread_test.cc
+  trust_token/trust_token_test.cc
   x509/x509_test.cc
+  x509/x509_time_test.cc
   x509v3/tab_test.cc
   x509v3/v3name_test.cc
 
   $<TARGET_OBJECTS:crypto_test_data>
-  $<TARGET_OBJECTS:gtest_main>
-  $<TARGET_OBJECTS:test_support>
+  $<TARGET_OBJECTS:boringssl_gtest_main>
 )
 
-target_link_libraries(crypto_test crypto gtest)
-if (WIN32)
+add_dependencies(crypto_test global_target)
+
+target_link_libraries(crypto_test test_support_lib boringssl_gtest crypto)
+if(WIN32)
   target_link_libraries(crypto_test ws2_32)
 endif()
 add_dependencies(all_tests crypto_test)

crypto/abi_self_test.cc

@@ -0,0 +1,808 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <gtest/gtest.h>
+#include <gtest/gtest-spi.h>
+
+#include <openssl/rand.h>
+
+#include "test/abi_test.h"
+
+
+static bool test_function_ok;
+static int TestFunction(int a1, int a2, int a3, int a4, int a5, int a6, int a7,
+                        int a8) {
+  test_function_ok = a1 == 1 || a2 == 2 || a3 == 3 || a4 == 4 || a5 == 5 ||
+                     a6 == 6 || a7 == 7 || a8 == 8;
+  return 42;
+}
+
+TEST(ABITest, SanityCheck) {
+  EXPECT_NE(0, CHECK_ABI_NO_UNWIND(strcmp, "hello", "world"));
+
+  test_function_ok = false;
+  EXPECT_EQ(42, CHECK_ABI_SEH(TestFunction, 1, 2, 3, 4, 5, 6, 7, 8));
+  EXPECT_TRUE(test_function_ok);
+
+#if defined(SUPPORTS_ABI_TEST)
+  abi_test::internal::CallerState state;
+  RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state));
+  crypto_word_t argv[] = {
+      1, 2, 3, 4, 5, 6, 7, 8,
+  };
+  CHECK_ABI_SEH(abi_test_trampoline,
+                reinterpret_cast<crypto_word_t>(TestFunction), &state, argv, 8,
+                0 /* no breakpoint */);
+
+#if defined(OPENSSL_X86_64)
+  if (abi_test::UnwindTestsEnabled()) {
+    EXPECT_NONFATAL_FAILURE(CHECK_ABI_SEH(abi_test_bad_unwind_wrong_register),
+                            "was not recovered");
+    EXPECT_NONFATAL_FAILURE(CHECK_ABI_SEH(abi_test_bad_unwind_temporary),
+                            "was not recovered");
+
+    CHECK_ABI_NO_UNWIND(abi_test_bad_unwind_wrong_register);
+    CHECK_ABI_NO_UNWIND(abi_test_bad_unwind_temporary);
+
+#if defined(OPENSSL_WINDOWS)
+    // The invalid epilog makes Windows believe the epilog starts later than it
+    // actually does. As a result, immediately after the popq, it does not
+    // realize the stack has been unwound and repeats the work.
+    EXPECT_NONFATAL_FAILURE(CHECK_ABI_SEH(abi_test_bad_unwind_epilog),
+                            "unwound past starting frame");
+    CHECK_ABI_NO_UNWIND(abi_test_bad_unwind_epilog);
+#endif  // OPENSSL_WINDOWS
+  }
+#endif  // OPENSSL_X86_64
+#endif  // SUPPORTS_ABI_TEST
+}
+
+#if defined(OPENSSL_X86_64) && defined(SUPPORTS_ABI_TEST)
+extern "C" {
+void abi_test_clobber_rax(void);
+void abi_test_clobber_rbx(void);
+void abi_test_clobber_rcx(void);
+void abi_test_clobber_rdx(void);
+void abi_test_clobber_rsi(void);
+void abi_test_clobber_rdi(void);
+void abi_test_clobber_rbp(void);
+void abi_test_clobber_r8(void);
+void abi_test_clobber_r9(void);
+void abi_test_clobber_r10(void);
+void abi_test_clobber_r11(void);
+void abi_test_clobber_r12(void);
+void abi_test_clobber_r13(void);
+void abi_test_clobber_r14(void);
+void abi_test_clobber_r15(void);
+void abi_test_clobber_xmm0(void);
+void abi_test_clobber_xmm1(void);
+void abi_test_clobber_xmm2(void);
+void abi_test_clobber_xmm3(void);
+void abi_test_clobber_xmm4(void);
+void abi_test_clobber_xmm5(void);
+void abi_test_clobber_xmm6(void);
+void abi_test_clobber_xmm7(void);
+void abi_test_clobber_xmm8(void);
+void abi_test_clobber_xmm9(void);
+void abi_test_clobber_xmm10(void);
+void abi_test_clobber_xmm11(void);
+void abi_test_clobber_xmm12(void);
+void abi_test_clobber_xmm13(void);
+void abi_test_clobber_xmm14(void);
+void abi_test_clobber_xmm15(void);
+}  // extern "C"
+
+TEST(ABITest, X86_64) {
+  // abi_test_trampoline hides unsaved registers from the caller, so we can
+  // safely call the abi_test_clobber_* functions below.
+  abi_test::internal::CallerState state;
+  RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state));
+  CHECK_ABI_NO_UNWIND(abi_test_trampoline,
+                      reinterpret_cast<crypto_word_t>(abi_test_clobber_rbx),
+                      &state, nullptr, 0, 0 /* no breakpoint */);
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_rax);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_rbx),
+                          "rbx was not restored after return");
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_rcx);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_rdx);
+#if defined(OPENSSL_WINDOWS)
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_rdi),
+                          "rdi was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_rsi),
+                          "rsi was not restored after return");
+#else
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_rdi);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_rsi);
+#endif
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_rbp),
+                          "rbp was not restored after return");
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r8);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r9);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r10);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r11);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r12),
+                          "r12 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r13),
+                          "r13 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r14),
+                          "r14 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r15),
+                          "r15 was not restored after return");
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm1);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm3);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm4);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm5);
+#if defined(OPENSSL_WINDOWS)
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm6),
+                          "xmm6 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm7),
+                          "xmm7 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm8),
+                          "xmm8 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm9),
+                          "xmm9 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm10),
+                          "xmm10 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm11),
+                          "xmm11 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm12),
+                          "xmm12 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm13),
+                          "xmm13 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm14),
+                          "xmm14 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm15),
+                          "xmm15 was not restored after return");
+#else
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm7);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm8);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm9);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm10);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm11);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm12);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm13);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm14);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm15);
+#endif
+
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_set_direction_flag),
+                          "Direction flag set after return");
+  EXPECT_EQ(0, abi_test_get_and_clear_direction_flag())
+      << "CHECK_ABI did not insulate the caller from direction flag errors";
+}
+#endif   // OPENSSL_X86_64 && SUPPORTS_ABI_TEST
+
+#if defined(OPENSSL_X86) && defined(SUPPORTS_ABI_TEST)
+extern "C" {
+void abi_test_clobber_eax(void);
+void abi_test_clobber_ebx(void);
+void abi_test_clobber_ecx(void);
+void abi_test_clobber_edx(void);
+void abi_test_clobber_esi(void);
+void abi_test_clobber_edi(void);
+void abi_test_clobber_ebp(void);
+void abi_test_clobber_xmm0(void);
+void abi_test_clobber_xmm1(void);
+void abi_test_clobber_xmm2(void);
+void abi_test_clobber_xmm3(void);
+void abi_test_clobber_xmm4(void);
+void abi_test_clobber_xmm5(void);
+void abi_test_clobber_xmm6(void);
+void abi_test_clobber_xmm7(void);
+}  // extern "C"
+
+TEST(ABITest, X86) {
+  // abi_test_trampoline hides unsaved registers from the caller, so we can
+  // safely call the abi_test_clobber_* functions below.
+  abi_test::internal::CallerState state;
+  RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state));
+  CHECK_ABI_NO_UNWIND(abi_test_trampoline,
+                      reinterpret_cast<crypto_word_t>(abi_test_clobber_ebx),
+                      &state, nullptr, 0, 0 /* no breakpoint */);
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_eax);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_ebx),
+                          "ebx was not restored after return");
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_ecx);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_edx);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_edi),
+                          "edi was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_esi),
+                          "esi was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_ebp),
+                          "ebp was not restored after return");
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm1);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm3);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm4);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm5);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_xmm7);
+
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_set_direction_flag),
+                          "Direction flag set after return");
+  EXPECT_EQ(0, abi_test_get_and_clear_direction_flag())
+      << "CHECK_ABI did not insulate the caller from direction flag errors";
+}
+#endif   // OPENSSL_X86 && SUPPORTS_ABI_TEST
+
+#if defined(OPENSSL_ARM) && defined(SUPPORTS_ABI_TEST)
+extern "C" {
+void abi_test_clobber_r0(void);
+void abi_test_clobber_r1(void);
+void abi_test_clobber_r2(void);
+void abi_test_clobber_r3(void);
+void abi_test_clobber_r4(void);
+void abi_test_clobber_r5(void);
+void abi_test_clobber_r6(void);
+void abi_test_clobber_r7(void);
+void abi_test_clobber_r8(void);
+void abi_test_clobber_r9(void);
+void abi_test_clobber_r10(void);
+void abi_test_clobber_r11(void);
+void abi_test_clobber_r12(void);
+// r13, r14, and r15, are sp, lr, and pc, respectively.
+
+void abi_test_clobber_d0(void);
+void abi_test_clobber_d1(void);
+void abi_test_clobber_d2(void);
+void abi_test_clobber_d3(void);
+void abi_test_clobber_d4(void);
+void abi_test_clobber_d5(void);
+void abi_test_clobber_d6(void);
+void abi_test_clobber_d7(void);
+void abi_test_clobber_d8(void);
+void abi_test_clobber_d9(void);
+void abi_test_clobber_d10(void);
+void abi_test_clobber_d11(void);
+void abi_test_clobber_d12(void);
+void abi_test_clobber_d13(void);
+void abi_test_clobber_d14(void);
+void abi_test_clobber_d15(void);
+}  // extern "C"
+
+TEST(ABITest, ARM) {
+  // abi_test_trampoline hides unsaved registers from the caller, so we can
+  // safely call the abi_test_clobber_* functions below.
+  abi_test::internal::CallerState state;
+  RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state));
+  CHECK_ABI_NO_UNWIND(abi_test_trampoline,
+                      reinterpret_cast<crypto_word_t>(abi_test_clobber_r4),
+                      &state, nullptr, 0, 0 /* no breakpoint */);
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r1);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r3);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r4),
+                          "r4 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r5),
+                          "r5 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r6),
+                          "r6 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r7),
+                          "r7 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r8),
+                          "r8 was not restored after return");
+#if defined(OPENSSL_APPLE)
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r9);
+#else
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r9),
+                          "r9 was not restored after return");
+#endif
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r10),
+                          "r10 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r11),
+                          "r11 was not restored after return");
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r12);
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d1);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d3);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d4);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d5);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d7);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d8),
+                          "d8 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d9),
+                          "d9 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d10),
+                          "d10 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d11),
+                          "d11 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d12),
+                          "d12 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d13),
+                          "d13 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d14),
+                          "d14 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d15),
+                          "d15 was not restored after return");
+}
+#endif   // OPENSSL_ARM && SUPPORTS_ABI_TEST
+
+#if defined(OPENSSL_AARCH64) && defined(SUPPORTS_ABI_TEST)
+extern "C" {
+void abi_test_clobber_x0(void);
+void abi_test_clobber_x1(void);
+void abi_test_clobber_x2(void);
+void abi_test_clobber_x3(void);
+void abi_test_clobber_x4(void);
+void abi_test_clobber_x5(void);
+void abi_test_clobber_x6(void);
+void abi_test_clobber_x7(void);
+void abi_test_clobber_x8(void);
+void abi_test_clobber_x9(void);
+void abi_test_clobber_x10(void);
+void abi_test_clobber_x11(void);
+void abi_test_clobber_x12(void);
+void abi_test_clobber_x13(void);
+void abi_test_clobber_x14(void);
+void abi_test_clobber_x15(void);
+void abi_test_clobber_x16(void);
+void abi_test_clobber_x17(void);
+// x18 is the platform register and off limits.
+void abi_test_clobber_x19(void);
+void abi_test_clobber_x20(void);
+void abi_test_clobber_x21(void);
+void abi_test_clobber_x22(void);
+void abi_test_clobber_x23(void);
+void abi_test_clobber_x24(void);
+void abi_test_clobber_x25(void);
+void abi_test_clobber_x26(void);
+void abi_test_clobber_x27(void);
+void abi_test_clobber_x28(void);
+void abi_test_clobber_x29(void);
+
+void abi_test_clobber_d0(void);
+void abi_test_clobber_d1(void);
+void abi_test_clobber_d2(void);
+void abi_test_clobber_d3(void);
+void abi_test_clobber_d4(void);
+void abi_test_clobber_d5(void);
+void abi_test_clobber_d6(void);
+void abi_test_clobber_d7(void);
+void abi_test_clobber_d8(void);
+void abi_test_clobber_d9(void);
+void abi_test_clobber_d10(void);
+void abi_test_clobber_d11(void);
+void abi_test_clobber_d12(void);
+void abi_test_clobber_d13(void);
+void abi_test_clobber_d14(void);
+void abi_test_clobber_d15(void);
+void abi_test_clobber_d16(void);
+void abi_test_clobber_d17(void);
+void abi_test_clobber_d18(void);
+void abi_test_clobber_d19(void);
+void abi_test_clobber_d20(void);
+void abi_test_clobber_d21(void);
+void abi_test_clobber_d22(void);
+void abi_test_clobber_d23(void);
+void abi_test_clobber_d24(void);
+void abi_test_clobber_d25(void);
+void abi_test_clobber_d26(void);
+void abi_test_clobber_d27(void);
+void abi_test_clobber_d28(void);
+void abi_test_clobber_d29(void);
+void abi_test_clobber_d30(void);
+void abi_test_clobber_d31(void);
+
+void abi_test_clobber_v8_upper(void);
+void abi_test_clobber_v9_upper(void);
+void abi_test_clobber_v10_upper(void);
+void abi_test_clobber_v11_upper(void);
+void abi_test_clobber_v12_upper(void);
+void abi_test_clobber_v13_upper(void);
+void abi_test_clobber_v14_upper(void);
+void abi_test_clobber_v15_upper(void);
+}  // extern "C"
+
+TEST(ABITest, AArch64) {
+  // abi_test_trampoline hides unsaved registers from the caller, so we can
+  // safely call the abi_test_clobber_* functions below.
+  abi_test::internal::CallerState state;
+  RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state));
+  CHECK_ABI_NO_UNWIND(abi_test_trampoline,
+                      reinterpret_cast<crypto_word_t>(abi_test_clobber_x19),
+                      &state, nullptr, 0, 0 /* no breakpoint */);
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x1);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x3);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x4);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x5);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x7);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x8);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x9);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x10);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x11);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x12);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x13);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x14);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x15);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x16);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_x17);
+
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x19),
+                          "x19 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x20),
+                          "x20 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x21),
+                          "x21 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x22),
+                          "x22 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x23),
+                          "x23 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x24),
+                          "x24 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x25),
+                          "x25 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x26),
+                          "x26 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x27),
+                          "x27 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x28),
+                          "x28 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_x29),
+                          "x29 was not restored after return");
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d1);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d3);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d4);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d5);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d7);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d8),
+                          "d8 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d9),
+                          "d9 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d10),
+                          "d10 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d11),
+                          "d11 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d12),
+                          "d12 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d13),
+                          "d13 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d14),
+                          "d14 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_d15),
+                          "d15 was not restored after return");
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d16);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d18);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d19);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d20);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d21);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d22);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d23);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d24);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d25);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d26);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d27);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d28);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d29);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d30);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_d31);
+
+  // The lower halves of v8-v15 (accessed as d8-d15) must be preserved, but not
+  // the upper halves.
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v8_upper);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v9_upper);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v10_upper);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v11_upper);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v12_upper);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v13_upper);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v14_upper);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v15_upper);
+}
+#endif   // OPENSSL_AARCH64 && SUPPORTS_ABI_TEST
+
+#if defined(OPENSSL_PPC64LE) && defined(SUPPORTS_ABI_TEST)
+extern "C" {
+void abi_test_clobber_r0(void);
+// r1 is the stack pointer.
+void abi_test_clobber_r2(void);
+void abi_test_clobber_r3(void);
+void abi_test_clobber_r4(void);
+void abi_test_clobber_r5(void);
+void abi_test_clobber_r6(void);
+void abi_test_clobber_r7(void);
+void abi_test_clobber_r8(void);
+void abi_test_clobber_r9(void);
+void abi_test_clobber_r10(void);
+void abi_test_clobber_r11(void);
+void abi_test_clobber_r12(void);
+// r13 is the thread pointer.
+void abi_test_clobber_r14(void);
+void abi_test_clobber_r15(void);
+void abi_test_clobber_r16(void);
+void abi_test_clobber_r17(void);
+void abi_test_clobber_r18(void);
+void abi_test_clobber_r19(void);
+void abi_test_clobber_r20(void);
+void abi_test_clobber_r21(void);
+void abi_test_clobber_r22(void);
+void abi_test_clobber_r23(void);
+void abi_test_clobber_r24(void);
+void abi_test_clobber_r25(void);
+void abi_test_clobber_r26(void);
+void abi_test_clobber_r27(void);
+void abi_test_clobber_r28(void);
+void abi_test_clobber_r29(void);
+void abi_test_clobber_r30(void);
+void abi_test_clobber_r31(void);
+
+void abi_test_clobber_f0(void);
+void abi_test_clobber_f1(void);
+void abi_test_clobber_f2(void);
+void abi_test_clobber_f3(void);
+void abi_test_clobber_f4(void);
+void abi_test_clobber_f5(void);
+void abi_test_clobber_f6(void);
+void abi_test_clobber_f7(void);
+void abi_test_clobber_f8(void);
+void abi_test_clobber_f9(void);
+void abi_test_clobber_f10(void);
+void abi_test_clobber_f11(void);
+void abi_test_clobber_f12(void);
+void abi_test_clobber_f13(void);
+void abi_test_clobber_f14(void);
+void abi_test_clobber_f15(void);
+void abi_test_clobber_f16(void);
+void abi_test_clobber_f17(void);
+void abi_test_clobber_f18(void);
+void abi_test_clobber_f19(void);
+void abi_test_clobber_f20(void);
+void abi_test_clobber_f21(void);
+void abi_test_clobber_f22(void);
+void abi_test_clobber_f23(void);
+void abi_test_clobber_f24(void);
+void abi_test_clobber_f25(void);
+void abi_test_clobber_f26(void);
+void abi_test_clobber_f27(void);
+void abi_test_clobber_f28(void);
+void abi_test_clobber_f29(void);
+void abi_test_clobber_f30(void);
+void abi_test_clobber_f31(void);
+
+void abi_test_clobber_v0(void);
+void abi_test_clobber_v1(void);
+void abi_test_clobber_v2(void);
+void abi_test_clobber_v3(void);
+void abi_test_clobber_v4(void);
+void abi_test_clobber_v5(void);
+void abi_test_clobber_v6(void);
+void abi_test_clobber_v7(void);
+void abi_test_clobber_v8(void);
+void abi_test_clobber_v9(void);
+void abi_test_clobber_v10(void);
+void abi_test_clobber_v11(void);
+void abi_test_clobber_v12(void);
+void abi_test_clobber_v13(void);
+void abi_test_clobber_v14(void);
+void abi_test_clobber_v15(void);
+void abi_test_clobber_v16(void);
+void abi_test_clobber_v17(void);
+void abi_test_clobber_v18(void);
+void abi_test_clobber_v19(void);
+void abi_test_clobber_v20(void);
+void abi_test_clobber_v21(void);
+void abi_test_clobber_v22(void);
+void abi_test_clobber_v23(void);
+void abi_test_clobber_v24(void);
+void abi_test_clobber_v25(void);
+void abi_test_clobber_v26(void);
+void abi_test_clobber_v27(void);
+void abi_test_clobber_v28(void);
+void abi_test_clobber_v29(void);
+void abi_test_clobber_v30(void);
+void abi_test_clobber_v31(void);
+
+void abi_test_clobber_cr0(void);
+void abi_test_clobber_cr1(void);
+void abi_test_clobber_cr2(void);
+void abi_test_clobber_cr3(void);
+void abi_test_clobber_cr4(void);
+void abi_test_clobber_cr5(void);
+void abi_test_clobber_cr6(void);
+void abi_test_clobber_cr7(void);
+
+void abi_test_clobber_ctr(void);
+void abi_test_clobber_lr(void);
+
+}  // extern "C"
+
+TEST(ABITest, PPC64LE) {
+  // abi_test_trampoline hides unsaved registers from the caller, so we can
+  // safely call the abi_test_clobber_* functions below.
+  abi_test::internal::CallerState state;
+  RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state));
+  CHECK_ABI_NO_UNWIND(abi_test_trampoline,
+                      reinterpret_cast<crypto_word_t>(abi_test_clobber_r14),
+                      &state, nullptr, 0, 0 /* no breakpoint */);
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r3);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r4);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r5);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r7);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r8);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r9);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r10);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r11);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_r12);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r14),
+                          "r14 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r15),
+                          "r15 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r16),
+                          "r16 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r17),
+                          "r17 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r18),
+                          "r18 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r19),
+                          "r19 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r20),
+                          "r20 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r21),
+                          "r21 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r22),
+                          "r22 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r23),
+                          "r23 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r24),
+                          "r24 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r25),
+                          "r25 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r26),
+                          "r26 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r27),
+                          "r27 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r28),
+                          "r28 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r29),
+                          "r29 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r30),
+                          "r30 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_r31),
+                          "r31 was not restored after return");
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f1);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f3);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f4);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f5);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f7);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f8);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f9);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f10);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f11);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f12);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_f13);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f14),
+                          "f14 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f15),
+                          "f15 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f16),
+                          "f16 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f17),
+                          "f17 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f18),
+                          "f18 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f19),
+                          "f19 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f20),
+                          "f20 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f21),
+                          "f21 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f22),
+                          "f22 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f23),
+                          "f23 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f24),
+                          "f24 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f25),
+                          "f25 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f26),
+                          "f26 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f27),
+                          "f27 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f28),
+                          "f28 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f29),
+                          "f29 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f30),
+                          "f30 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_f31),
+                          "f31 was not restored after return");
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v1);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v2);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v3);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v4);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v5);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v7);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v8);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v9);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v10);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v11);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v12);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v13);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v14);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v15);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v16);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v17);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v18);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_v19);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v20),
+                          "v20 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v21),
+                          "v21 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v22),
+                          "v22 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v23),
+                          "v23 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v24),
+                          "v24 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v25),
+                          "v25 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v26),
+                          "v26 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v27),
+                          "v27 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v28),
+                          "v28 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v29),
+                          "v29 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v30),
+                          "v30 was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_v31),
+                          "v31 was not restored after return");
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_cr0);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_cr1);
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_cr2),
+                          "cr was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_cr3),
+                          "cr was not restored after return");
+  EXPECT_NONFATAL_FAILURE(CHECK_ABI_NO_UNWIND(abi_test_clobber_cr4),
+                          "cr was not restored after return");
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_cr5);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_cr6);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_cr7);
+
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_ctr);
+  CHECK_ABI_NO_UNWIND(abi_test_clobber_lr);
+}
+#endif   // OPENSSL_PPC64LE && SUPPORTS_ABI_TEST

crypto/asn1/CMakeLists.txt

@@ -1,38 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  asn1
-
-  OBJECT
-
-  a_bitstr.c
-  a_bool.c
-  a_d2i_fp.c
-  a_dup.c
-  a_enum.c
-  a_gentm.c
-  a_i2d_fp.c
-  a_int.c
-  a_mbstr.c
-  a_object.c
-  a_octet.c
-  a_print.c
-  a_strnid.c
-  a_time.c
-  a_type.c
-  a_utctm.c
-  a_utf8.c
-  asn1_lib.c
-  asn1_par.c
-  asn_pack.c
-  f_enum.c
-  f_int.c
-  f_string.c
-  tasn_dec.c
-  tasn_enc.c
-  tasn_fre.c
-  tasn_new.c
-  tasn_typ.c
-  tasn_utl.c
-  time_support.c
-)

crypto/asn1/a_bitstr.c

@@ -56,6 +56,7 @@
 
 #include <openssl/asn1.h>
 
+#include <limits.h>
 #include <string.h>
 
 #include <openssl/err.h>
@@ -69,7 +70,7 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
     return M_ASN1_BIT_STRING_set(x, d, len);
 }
 
-int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
+int i2c_ASN1_BIT_STRING(const ASN1_BIT_STRING *a, unsigned char **pp)
 {
     int ret, j, bits, len;
     unsigned char *p, *d;
@@ -139,6 +140,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
         goto err;
     }
 
+    if (len > INT_MAX) {
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);
+      goto err;
+    }
+
     if ((a == NULL) || ((*a) == NULL)) {
         if ((ret = M_ASN1_BIT_STRING_new()) == NULL)
             return (NULL);
@@ -211,8 +217,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
         if (a->data == NULL)
             c = (unsigned char *)OPENSSL_malloc(w + 1);
         else
-            c = (unsigned char *)OPENSSL_realloc_clean(a->data,
-                                                       a->length, w + 1);
+            c = (unsigned char *)OPENSSL_realloc(a->data, w + 1);
         if (c == NULL) {
             OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
             return 0;
@@ -228,7 +233,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
     return (1);
 }
 
-int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
+int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
 {
     int w, v;
 
@@ -245,7 +250,7 @@ int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
  * which is not specified in 'flags', 1 otherwise.
  * 'len' is the length of 'flags'.
  */
-int ASN1_BIT_STRING_check(ASN1_BIT_STRING *a,
+int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a,
                           unsigned char *flags, int flags_len)
 {
     int i, ok;

crypto/asn1/a_bool.c

@@ -62,17 +62,30 @@
 int i2d_ASN1_BOOLEAN(int a, unsigned char **pp)
 {
     int r;
-    unsigned char *p;
+    unsigned char *p, *allocated = NULL;
 
     r = ASN1_object_size(0, 1, V_ASN1_BOOLEAN);
     if (pp == NULL)
         return (r);
-    p = *pp;
+
+    if (*pp == NULL) {
+        if ((p = allocated = OPENSSL_malloc(r)) == NULL) {
+            OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
+            return 0;
+        }
+    } else {
+        p = *pp;
+    }
 
     ASN1_put_object(&p, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL);
-    *(p++) = (unsigned char)a;
-    *pp = p;
-    return (r);
+    *p = (unsigned char)a;
+
+    /*
+     * If a new buffer was allocated, just return it back.
+     * If not, return the incremented buffer pointer.
+     */
+    *pp = allocated != NULL ? allocated : p + 1;
+    return r;
 }
 
 int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length)

crypto/asn1/a_d2i_fp.c

@@ -58,240 +58,36 @@
 
 #include <limits.h>
 
-#include <openssl/buf.h>
+#include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
-static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
-
-#ifndef NO_OLD_ASN1
-# ifndef OPENSSL_NO_FP_API
-
-void *ASN1_d2i_fp(void *(*xnew) (void), d2i_of_void *d2i, FILE *in, void **x)
-{
-    BIO *b;
-    void *ret;
-
-    if ((b = BIO_new(BIO_s_file())) == NULL) {
-        OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);
-        return (NULL);
-    }
-    BIO_set_fp(b, in, BIO_NOCLOSE);
-    ret = ASN1_d2i_bio(xnew, d2i, b, x);
-    BIO_free(b);
-    return (ret);
-}
-# endif
-
-void *ASN1_d2i_bio(void *(*xnew) (void), d2i_of_void *d2i, BIO *in, void **x)
-{
-    BUF_MEM *b = NULL;
-    const unsigned char *p;
-    void *ret = NULL;
-    int len;
-
-    len = asn1_d2i_read_bio(in, &b);
-    if (len < 0)
-        goto err;
-
-    p = (unsigned char *)b->data;
-    ret = d2i(x, &p, len);
- err:
-    if (b != NULL)
-        BUF_MEM_free(b);
-    return (ret);
-}
-
-#endif
 
 void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x)
 {
-    BUF_MEM *b = NULL;
-    const unsigned char *p;
-    void *ret = NULL;
-    int len;
-
-    len = asn1_d2i_read_bio(in, &b);
-    if (len < 0)
-        goto err;
-
-    p = (const unsigned char *)b->data;
-    ret = ASN1_item_d2i(x, &p, len, it);
- err:
-    if (b != NULL)
-        BUF_MEM_free(b);
-    return (ret);
+    uint8_t *data;
+    size_t len;
+    // Historically, this function did not impose a limit in OpenSSL and is used
+    // to read CRLs, so we leave this without an external bound.
+    if (!BIO_read_asn1(in, &data, &len, INT_MAX)) {
+        return NULL;
+    }
+    const uint8_t *ptr = data;
+    void *ret = ASN1_item_d2i(x, &ptr, len, it);
+    OPENSSL_free(data);
+    return ret;
 }
 
 #ifndef OPENSSL_NO_FP_API
 void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
 {
-    BIO *b;
-    char *ret;
-
-    if ((b = BIO_new(BIO_s_file())) == NULL) {
+    BIO *b = BIO_new_fp(in, BIO_NOCLOSE);
+    if (b == NULL) {
         OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);
-        return (NULL);
+        return NULL;
     }
-    BIO_set_fp(b, in, BIO_NOCLOSE);
-    ret = ASN1_item_d2i_bio(it, b, x);
+    void *ret = ASN1_item_d2i_bio(it, b, x);
     BIO_free(b);
-    return (ret);
+    return ret;
 }
 #endif
-
-typedef struct asn1_const_ctx_st
-    {
-    const unsigned char *p;/* work char pointer */
-    int eos;    /* end of sequence read for indefinite encoding */
-    int error;  /* error code to use when returning an error */
-    int inf;    /* constructed if 0x20, indefinite is 0x21 */
-    int tag;    /* tag from last 'get object' */
-    int xclass; /* class from last 'get object' */
-    long slen;  /* length of last 'get object' */
-    const unsigned char *max; /* largest value of p allowed */
-    const unsigned char *q;/* temporary variable */
-    const unsigned char **pp;/* variable */
-    int line;   /* used in error processing */
-    } ASN1_const_CTX;
-
-#define HEADER_SIZE   8
-#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
-static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
-{
-    BUF_MEM *b;
-    unsigned char *p;
-    int i;
-    ASN1_const_CTX c;
-    size_t want = HEADER_SIZE;
-    int eos = 0;
-    size_t off = 0;
-    size_t len = 0;
-
-    b = BUF_MEM_new();
-    if (b == NULL) {
-        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-        return -1;
-    }
-
-    ERR_clear_error();
-    for (;;) {
-        if (want >= (len - off)) {
-            want -= (len - off);
-
-            if (len + want < len || !BUF_MEM_grow_clean(b, len + want)) {
-                OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-                goto err;
-            }
-            i = BIO_read(in, &(b->data[len]), want);
-            if ((i < 0) && ((len - off) == 0)) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
-                goto err;
-            }
-            if (i > 0) {
-                if (len + i < len) {
-                    OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
-                    goto err;
-                }
-                len += i;
-            }
-        }
-        /* else data already loaded */
-
-        p = (unsigned char *)&(b->data[off]);
-        c.p = p;
-        c.inf = ASN1_get_object(&(c.p), &(c.slen), &(c.tag), &(c.xclass),
-                                len - off);
-        if (c.inf & 0x80) {
-            uint32_t e;
-
-            e = ERR_GET_REASON(ERR_peek_error());
-            if (e != ASN1_R_TOO_LONG)
-                goto err;
-            else
-                ERR_clear_error(); /* clear error */
-        }
-        i = c.p - p;            /* header length */
-        off += i;               /* end of data */
-
-        if (c.inf & 1) {
-            /* no data body so go round again */
-            eos++;
-            if (eos < 0) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);
-                goto err;
-            }
-            want = HEADER_SIZE;
-        } else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC)) {
-            /* eos value, so go back and read another header */
-            eos--;
-            if (eos <= 0)
-                break;
-            else
-                want = HEADER_SIZE;
-        } else {
-            /* suck in c.slen bytes of data */
-            want = c.slen;
-            if (want > (len - off)) {
-                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
-                want -= (len - off);
-                if (want > INT_MAX /* BIO_read takes an int length */  ||
-                    len + want < len) {
-                    OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
-                    goto err;
-                }
-                while (want > 0) {
-                    /*
-                     * Read content in chunks of increasing size
-                     * so we can return an error for EOF without
-                     * having to allocate the entire content length
-                     * in one go.
-                     */
-                    size_t chunk = want > chunk_max ? chunk_max : want;
-
-                    if (!BUF_MEM_grow_clean(b, len + chunk)) {
-                        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-                        goto err;
-                    }
-                    want -= chunk;
-                    while (chunk > 0) {
-                        i = BIO_read(in, &(b->data[len]), chunk);
-                        if (i <= 0) {
-                            OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
-                            goto err;
-                        }
-                        /*
-                         * This can't overflow because |len+want| didn't
-                         * overflow.
-                         */
-                        len += i;
-                        chunk -= i;
-                    }
-                    if (chunk_max < INT_MAX/2)
-                        chunk_max *= 2;
-                }
-            }
-            if (off + c.slen < off) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
-                goto err;
-            }
-            off += c.slen;
-            if (eos <= 0) {
-                break;
-            } else
-                want = HEADER_SIZE;
-        }
-    }
-
-    if (off > INT_MAX) {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
-        goto err;
-    }
-
-    *pb = b;
-    return off;
- err:
-    if (b != NULL)
-        BUF_MEM_free(b);
-    return -1;
-}

crypto/asn1/a_dup.c

@@ -59,30 +59,6 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
-void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *x)
-{
-    unsigned char *b, *p;
-    const unsigned char *p2;
-    int i;
-    char *ret;
-
-    if (x == NULL)
-        return (NULL);
-
-    i = i2d(x, NULL);
-    b = OPENSSL_malloc(i + 10);
-    if (b == NULL) {
-        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-        return (NULL);
-    }
-    p = b;
-    i = i2d(x, &p);
-    p2 = b;
-    ret = d2i(NULL, &p2, i);
-    OPENSSL_free(b);
-    return (ret);
-}
-
 /*
  * ASN1_ITEM version of dup: this follows the model above except we don't
  * need to allocate the buffer. At some point this could be rewritten to

crypto/asn1/a_enum.c

@@ -56,6 +56,7 @@
 
 #include <openssl/asn1.h>
 
+#include <limits.h>
 #include <string.h>
 
 #include <openssl/err.h>
@@ -107,10 +108,9 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
     return (1);
 }
 
-long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
+long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a)
 {
     int neg = 0, i;
-    long r = 0;
 
     if (a == NULL)
         return (0L);
@@ -120,23 +120,34 @@ long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
     else if (i != V_ASN1_ENUMERATED)
         return -1;
 
-    if (a->length > (int)sizeof(long)) {
-        /* hmm... a bit ugly */
-        return (0xffffffffL);
-    }
-    if (a->data == NULL)
-        return 0;
+    OPENSSL_STATIC_ASSERT(sizeof(uint64_t) >= sizeof(long),
+                          "long larger than uint64_t");
 
-    for (i = 0; i < a->length; i++) {
-        r <<= 8;
-        r |= (unsigned char)a->data[i];
+    if (a->length > (int)sizeof(uint64_t)) {
+        /* hmm... a bit ugly */
+        return -1;
     }
+
+    uint64_t r64 = 0;
+    if (a->data != NULL) {
+      for (i = 0; i < a->length; i++) {
+          r64 <<= 8;
+          r64 |= (unsigned char)a->data[i];
+      }
+
+      if (r64 > LONG_MAX) {
+          return -1;
+      }
+    }
+
+    long r = (long) r64;
     if (neg)
         r = -r;
-    return (r);
+
+    return r;
 }
 
-ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
+ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai)
 {
     ASN1_ENUMERATED *ret;
     int len, j;
@@ -172,7 +183,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
     return (NULL);
 }
 
-BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
+BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn)
 {
     BIGNUM *ret;
 

crypto/asn1/a_i2d_fp.c

@@ -56,92 +56,33 @@
 
 #include <openssl/asn1.h>
 
+#include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
-int ASN1_i2d_fp(i2d_of_void *i2d, FILE *out, void *x)
-{
-    BIO *b;
-    int ret;
-
-    if ((b = BIO_new(BIO_s_file())) == NULL) {
-        OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);
-        return (0);
-    }
-    BIO_set_fp(b, out, BIO_NOCLOSE);
-    ret = ASN1_i2d_bio(i2d, b, x);
-    BIO_free(b);
-    return (ret);
-}
-
-int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, void *x)
-{
-    char *b;
-    unsigned char *p;
-    int i, j = 0, n, ret = 1;
-
-    n = i2d(x, NULL);
-    b = (char *)OPENSSL_malloc(n);
-    if (b == NULL) {
-        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
-
-    p = (unsigned char *)b;
-    i2d(x, &p);
-
-    for (;;) {
-        i = BIO_write(out, &(b[j]), n);
-        if (i == n)
-            break;
-        if (i <= 0) {
-            ret = 0;
-            break;
-        }
-        j += i;
-        n -= i;
-    }
-    OPENSSL_free(b);
-    return (ret);
-}
 
 int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x)
 {
-    BIO *b;
-    int ret;
-
-    if ((b = BIO_new(BIO_s_file())) == NULL) {
+    BIO *b = BIO_new_fp(out, BIO_NOCLOSE);
+    if (b == NULL) {
         OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);
-        return (0);
+        return 0;
     }
-    BIO_set_fp(b, out, BIO_NOCLOSE);
-    ret = ASN1_item_i2d_bio(it, b, x);
+    int ret = ASN1_item_i2d_bio(it, b, x);
     BIO_free(b);
-    return (ret);
+    return ret;
 }
 
 int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x)
 {
     unsigned char *b = NULL;
-    int i, j = 0, n, ret = 1;
-
-    n = ASN1_item_i2d(x, &b, it);
+    int n = ASN1_item_i2d(x, &b, it);
     if (b == NULL) {
         OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-        return (0);
+        return 0;
     }
 
-    for (;;) {
-        i = BIO_write(out, &(b[j]), n);
-        if (i == n)
-            break;
-        if (i <= 0) {
-            ret = 0;
-            break;
-        }
-        j += i;
-        n -= i;
-    }
+    int ret = BIO_write_all(out, b, n);
     OPENSSL_free(b);
-    return (ret);
+    return ret;
 }

crypto/asn1/a_int.c

@@ -57,6 +57,7 @@
 #include <openssl/asn1.h>
 
 #include <string.h>
+#include <limits.h>
 
 #include <openssl/err.h>
 #include <openssl/mem.h>
@@ -114,7 +115,7 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y)
  * followed by optional zeros isn't padded.
  */
 
-int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
+int i2c_ASN1_INTEGER(const ASN1_INTEGER *a, unsigned char **pp)
 {
     int pad = 0, ret, i, neg;
     unsigned char *p, *n, pb = 0;
@@ -194,6 +195,16 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
     unsigned char *to, *s;
     int i;
 
+    /*
+     * This function can handle lengths up to INT_MAX - 1, but the rest of the
+     * legacy ASN.1 code mixes integer types, so avoid exposing it to
+     * ASN1_INTEGERS with larger lengths.
+     */
+    if (len < 0 || len > INT_MAX / 2) {
+        OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
+        return NULL;
+    }
+
     if ((a == NULL) || ((*a) == NULL)) {
         if ((ret = M_ASN1_INTEGER_new()) == NULL)
             return (NULL);
@@ -275,117 +286,52 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
     return (NULL);
 }
 
-/*
- * This is a version of d2i_ASN1_INTEGER that ignores the sign bit of ASN1
- * integers: some broken software can encode a positive INTEGER with its MSB
- * set as negative (it doesn't add a padding zero).
- */
-
-ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
-                                long length)
-{
-    ASN1_INTEGER *ret = NULL;
-    const unsigned char *p;
-    unsigned char *s;
-    long len;
-    int inf, tag, xclass;
-    int i;
-
-    if ((a == NULL) || ((*a) == NULL)) {
-        if ((ret = M_ASN1_INTEGER_new()) == NULL)
-            return (NULL);
-        ret->type = V_ASN1_INTEGER;
-    } else
-        ret = (*a);
-
-    p = *pp;
-    inf = ASN1_get_object(&p, &len, &tag, &xclass, length);
-    if (inf & 0x80) {
-        i = ASN1_R_BAD_OBJECT_HEADER;
-        goto err;
-    }
-
-    if (tag != V_ASN1_INTEGER) {
-        i = ASN1_R_EXPECTING_AN_INTEGER;
-        goto err;
-    }
-
-    /*
-     * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
-     * a missing NULL parameter.
-     */
-    s = (unsigned char *)OPENSSL_malloc((int)len + 1);
-    if (s == NULL) {
-        i = ERR_R_MALLOC_FAILURE;
-        goto err;
-    }
-    ret->type = V_ASN1_INTEGER;
-    if (len) {
-        if ((*p == 0) && (len != 1)) {
-            p++;
-            len--;
-        }
-        OPENSSL_memcpy(s, p, (int)len);
-        p += len;
-    }
-
-    if (ret->data != NULL)
-        OPENSSL_free(ret->data);
-    ret->data = s;
-    ret->length = (int)len;
-    if (a != NULL)
-        (*a) = ret;
-    *pp = p;
-    return (ret);
- err:
-    OPENSSL_PUT_ERROR(ASN1, i);
-    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
-        M_ASN1_INTEGER_free(ret);
-    return (NULL);
-}
-
 int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
 {
-    int j, k;
-    unsigned int i;
-    unsigned char buf[sizeof(long) + 1];
-    long d;
-
-    a->type = V_ASN1_INTEGER;
-    if (a->length < (int)(sizeof(long) + 1)) {
-        if (a->data != NULL)
-            OPENSSL_free(a->data);
-        if ((a->data =
-             (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL)
-            OPENSSL_memset((char *)a->data, 0, sizeof(long) + 1);
+    if (v >= 0) {
+        return ASN1_INTEGER_set_uint64(a, (uint64_t) v);
     }
-    if (a->data == NULL) {
+
+    if (!ASN1_INTEGER_set_uint64(a, 0 - (uint64_t) v)) {
+        return 0;
+    }
+
+    a->type = V_ASN1_NEG_INTEGER;
+    return 1;
+}
+
+int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v)
+{
+    uint8_t *const newdata = OPENSSL_malloc(sizeof(uint64_t));
+    if (newdata == NULL) {
         OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
-    d = v;
-    if (d < 0) {
-        d = -d;
-        a->type = V_ASN1_NEG_INTEGER;
+        return 0;
     }
 
-    for (i = 0; i < sizeof(long); i++) {
-        if (d == 0)
+    OPENSSL_free(out->data);
+    out->data = newdata;
+    v = CRYPTO_bswap8(v);
+    memcpy(out->data, &v, sizeof(v));
+
+    out->type = V_ASN1_INTEGER;
+
+    size_t leading_zeros;
+    for (leading_zeros = 0; leading_zeros < sizeof(uint64_t) - 1;
+         leading_zeros++) {
+        if (out->data[leading_zeros] != 0) {
             break;
-        buf[i] = (int)d & 0xff;
-        d >>= 8;
+        }
     }
-    j = 0;
-    for (k = i - 1; k >= 0; k--)
-        a->data[j++] = buf[k];
-    a->length = j;
-    return (1);
+
+    out->length = sizeof(uint64_t) - leading_zeros;
+    OPENSSL_memmove(out->data, out->data + leading_zeros, out->length);
+
+    return 1;
 }
 
 long ASN1_INTEGER_get(const ASN1_INTEGER *a)
 {
     int neg = 0, i;
-    long r = 0;
 
     if (a == NULL)
         return (0L);
@@ -395,20 +341,31 @@ long ASN1_INTEGER_get(const ASN1_INTEGER *a)
     else if (i != V_ASN1_INTEGER)
         return -1;
 
-    if (a->length > (int)sizeof(long)) {
+    OPENSSL_STATIC_ASSERT(sizeof(uint64_t) >= sizeof(long),
+                          "long larger than uint64_t");
+
+    if (a->length > (int)sizeof(uint64_t)) {
         /* hmm... a bit ugly, return all ones */
         return -1;
     }
-    if (a->data == NULL)
-        return 0;
 
-    for (i = 0; i < a->length; i++) {
-        r <<= 8;
-        r |= (unsigned char)a->data[i];
+    uint64_t r64 = 0;
+    if (a->data != NULL) {
+      for (i = 0; i < a->length; i++) {
+          r64 <<= 8;
+          r64 |= (unsigned char)a->data[i];
+      }
+
+      if (r64 > LONG_MAX) {
+          return -1;
+      }
     }
+
+    long r = (long) r64;
     if (neg)
         r = -r;
-    return (r);
+
+    return r;
 }
 
 ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)

crypto/asn1/a_mbstr.c

@@ -56,22 +56,17 @@
 
 #include <openssl/asn1.h>
 
+#include <limits.h>
 #include <string.h>
 
+#include <openssl/bytestring.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
-static int traverse_string(const unsigned char *p, int len, int inform,
-                           int (*rfunc) (unsigned long value, void *in),
-                           void *arg);
-static int in_utf8(unsigned long value, void *arg);
-static int out_utf8(unsigned long value, void *arg);
-static int type_str(unsigned long value, void *arg);
-static int cpy_asc(unsigned long value, void *arg);
-static int cpy_bmp(unsigned long value, void *arg);
-static int cpy_univ(unsigned long value, void *arg);
-static int cpy_utf8(unsigned long value, void *arg);
-static int is_printable(unsigned long value);
+#include "asn1_locl.h"
+#include "../bytestring/internal.h"
+
+static int is_printable(uint32_t value);
 
 /*
  * These functions take a string in UTF8, ASCII or multibyte form and a mask
@@ -88,55 +83,45 @@ int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
     return ASN1_mbstring_ncopy(out, in, len, inform, mask, 0, 0);
 }
 
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_BMPSTRING)
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_UNIVERSALSTRING)
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_UTF8STRING)
+
 int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
                         int inform, unsigned long mask,
                         long minsize, long maxsize)
 {
     int str_type;
-    int ret;
     char free_out;
-    int outform, outlen = 0;
     ASN1_STRING *dest;
-    unsigned char *p;
-    int nchar;
+    size_t nchar = 0;
     char strbuf[32];
-    int (*cpyfunc) (unsigned long, void *) = NULL;
     if (len == -1)
         len = strlen((const char *)in);
     if (!mask)
         mask = DIRSTRING_TYPE;
 
-    /* First do a string check and work out the number of characters */
+    int (*decode_func)(CBS *, uint32_t*);
+    int error;
     switch (inform) {
-
     case MBSTRING_BMP:
-        if (len & 1) {
-            OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BMPSTRING_LENGTH);
-            return -1;
-        }
-        nchar = len >> 1;
+        decode_func = cbs_get_ucs2_be;
+        error = ASN1_R_INVALID_BMPSTRING;
         break;
 
     case MBSTRING_UNIV:
-        if (len & 3) {
-            OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
-            return -1;
-        }
-        nchar = len >> 2;
+        decode_func = cbs_get_utf32_be;
+        error = ASN1_R_INVALID_UNIVERSALSTRING;
         break;
 
     case MBSTRING_UTF8:
-        nchar = 0;
-        /* This counts the characters and does utf8 syntax checking */
-        ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar);
-        if (ret < 0) {
-            OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UTF8STRING);
-            return -1;
-        }
+        decode_func = cbs_get_utf8;
+        error = ASN1_R_INVALID_UTF8STRING;
         break;
 
     case MBSTRING_ASC:
-        nchar = len;
+        decode_func = cbs_get_latin1;
+        error = ERR_R_INTERNAL_ERROR;  // Latin-1 inputs are never invalid.
         break;
 
     default:
@@ -144,44 +129,92 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
         return -1;
     }
 
-    if ((minsize > 0) && (nchar < minsize)) {
+    /* Check |minsize| and |maxsize| and work out the minimal type, if any. */
+    CBS cbs;
+    CBS_init(&cbs, in, len);
+    size_t utf8_len = 0;
+    while (CBS_len(&cbs) != 0) {
+        uint32_t c;
+        if (!decode_func(&cbs, &c)) {
+            OPENSSL_PUT_ERROR(ASN1, error);
+            return -1;
+        }
+        if (nchar == 0 &&
+            (inform == MBSTRING_BMP || inform == MBSTRING_UNIV) &&
+            c == 0xfeff) {
+            /* Reject byte-order mark. We could drop it but that would mean
+             * adding ambiguity around whether a BOM was included or not when
+             * matching strings.
+             *
+             * For a little-endian UCS-2 string, the BOM will appear as 0xfffe
+             * and will be rejected as noncharacter, below. */
+            OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS);
+            return -1;
+        }
+
+        /* Update which output formats are still possible. */
+        if ((mask & B_ASN1_PRINTABLESTRING) && !is_printable(c)) {
+            mask &= ~B_ASN1_PRINTABLESTRING;
+        }
+        if ((mask & B_ASN1_IA5STRING) && (c > 127)) {
+            mask &= ~B_ASN1_IA5STRING;
+        }
+        if ((mask & B_ASN1_T61STRING) && (c > 0xff)) {
+            mask &= ~B_ASN1_T61STRING;
+        }
+        if ((mask & B_ASN1_BMPSTRING) && (c > 0xffff)) {
+            mask &= ~B_ASN1_BMPSTRING;
+        }
+        if (!mask) {
+            OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS);
+            return -1;
+        }
+
+        nchar++;
+        utf8_len += cbb_get_utf8_len(c);
+    }
+
+    if (minsize > 0 && nchar < (size_t)minsize) {
         OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_SHORT);
         BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize);
         ERR_add_error_data(2, "minsize=", strbuf);
         return -1;
     }
 
-    if ((maxsize > 0) && (nchar > maxsize)) {
+    if (maxsize > 0 && nchar > (size_t)maxsize) {
         OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);
         BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize);
         ERR_add_error_data(2, "maxsize=", strbuf);
         return -1;
     }
 
-    /* Now work out minimal type (if any) */
-    if (traverse_string(in, len, inform, type_str, &mask) < 0) {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS);
-        return -1;
-    }
-
     /* Now work out output format and string type */
-    outform = MBSTRING_ASC;
-    if (mask & B_ASN1_PRINTABLESTRING)
+    int (*encode_func)(CBB *, uint32_t) = cbb_add_latin1;
+    size_t size_estimate = nchar;
+    int outform = MBSTRING_ASC;
+    if (mask & B_ASN1_PRINTABLESTRING) {
         str_type = V_ASN1_PRINTABLESTRING;
-    else if (mask & B_ASN1_IA5STRING)
+    } else if (mask & B_ASN1_IA5STRING) {
         str_type = V_ASN1_IA5STRING;
-    else if (mask & B_ASN1_T61STRING)
+    } else if (mask & B_ASN1_T61STRING) {
         str_type = V_ASN1_T61STRING;
-    else if (mask & B_ASN1_BMPSTRING) {
+    } else if (mask & B_ASN1_BMPSTRING) {
         str_type = V_ASN1_BMPSTRING;
         outform = MBSTRING_BMP;
+        encode_func = cbb_add_ucs2_be;
+        size_estimate = 2 * nchar;
     } else if (mask & B_ASN1_UNIVERSALSTRING) {
         str_type = V_ASN1_UNIVERSALSTRING;
+        encode_func = cbb_add_utf32_be;
+        size_estimate = 4 * nchar;
         outform = MBSTRING_UNIV;
     } else {
         str_type = V_ASN1_UTF8STRING;
         outform = MBSTRING_UTF8;
+        encode_func = cbb_add_utf8;
+        size_estimate = utf8_len;
     }
+
     if (!out)
         return str_type;
     if (*out) {
@@ -202,6 +235,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
         }
         *out = dest;
     }
+
     /* If both the same type just copy across */
     if (inform == outform) {
         if (!ASN1_STRING_set(dest, in, len)) {
@@ -211,183 +245,45 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
         return str_type;
     }
 
-    /* Work out how much space the destination will need */
-    switch (outform) {
-    case MBSTRING_ASC:
-        outlen = nchar;
-        cpyfunc = cpy_asc;
-        break;
-
-    case MBSTRING_BMP:
-        outlen = nchar << 1;
-        cpyfunc = cpy_bmp;
-        break;
-
-    case MBSTRING_UNIV:
-        outlen = nchar << 2;
-        cpyfunc = cpy_univ;
-        break;
-
-    case MBSTRING_UTF8:
-        outlen = 0;
-        traverse_string(in, len, inform, out_utf8, &outlen);
-        cpyfunc = cpy_utf8;
-        break;
-    }
-    if (!(p = OPENSSL_malloc(outlen + 1))) {
-        if (free_out)
-            ASN1_STRING_free(dest);
+    CBB cbb;
+    if (!CBB_init(&cbb, size_estimate + 1)) {
         OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-        return -1;
+        goto err;
     }
-    dest->length = outlen;
-    dest->data = p;
-    p[outlen] = 0;
-    traverse_string(in, len, inform, cpyfunc, &p);
+    CBS_init(&cbs, in, len);
+    while (CBS_len(&cbs) != 0) {
+        uint32_t c;
+        if (!decode_func(&cbs, &c) ||
+            !encode_func(&cbb, c)) {
+            OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+    }
+    uint8_t *data = NULL;
+    size_t data_len;
+    if (/* OpenSSL historically NUL-terminated this value with a single byte,
+         * even for |MBSTRING_BMP| and |MBSTRING_UNIV|. */
+        !CBB_add_u8(&cbb, 0) ||
+        !CBB_finish(&cbb, &data, &data_len) ||
+        data_len < 1 ||
+        data_len > INT_MAX) {
+        OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);
+        OPENSSL_free(data);
+        goto err;
+    }
+    dest->length = (int)(data_len - 1);
+    dest->data = data;
     return str_type;
-}
 
-/*
- * This function traverses a string and passes the value of each character to
- * an optional function along with a void * argument.
- */
-
-static int traverse_string(const unsigned char *p, int len, int inform,
-                           int (*rfunc) (unsigned long value, void *in),
-                           void *arg)
-{
-    unsigned long value;
-    int ret;
-    while (len) {
-        if (inform == MBSTRING_ASC) {
-            value = *p++;
-            len--;
-        } else if (inform == MBSTRING_BMP) {
-            value = *p++ << 8;
-            value |= *p++;
-            len -= 2;
-        } else if (inform == MBSTRING_UNIV) {
-            value = ((unsigned long)*p++) << 24;
-            value |= ((unsigned long)*p++) << 16;
-            value |= *p++ << 8;
-            value |= *p++;
-            len -= 4;
-        } else {
-            ret = UTF8_getc(p, len, &value);
-            if (ret < 0)
-                return -1;
-            len -= ret;
-            p += ret;
-        }
-        if (rfunc) {
-            ret = rfunc(value, arg);
-            if (ret <= 0)
-                return ret;
-        }
-    }
-    return 1;
-}
-
-/* Various utility functions for traverse_string */
-
-/* Just count number of characters */
-
-static int in_utf8(unsigned long value, void *arg)
-{
-    int *nchar;
-    nchar = arg;
-    (*nchar)++;
-    return 1;
-}
-
-/* Determine size of output as a UTF8 String */
-
-static int out_utf8(unsigned long value, void *arg)
-{
-    int *outlen;
-    outlen = arg;
-    *outlen += UTF8_putc(NULL, -1, value);
-    return 1;
-}
-
-/*
- * Determine the "type" of a string: check each character against a supplied
- * "mask".
- */
-
-static int type_str(unsigned long value, void *arg)
-{
-    unsigned long types;
-    types = *((unsigned long *)arg);
-    if ((types & B_ASN1_PRINTABLESTRING) && !is_printable(value))
-        types &= ~B_ASN1_PRINTABLESTRING;
-    if ((types & B_ASN1_IA5STRING) && (value > 127))
-        types &= ~B_ASN1_IA5STRING;
-    if ((types & B_ASN1_T61STRING) && (value > 0xff))
-        types &= ~B_ASN1_T61STRING;
-    if ((types & B_ASN1_BMPSTRING) && (value > 0xffff))
-        types &= ~B_ASN1_BMPSTRING;
-    if (!types)
-        return -1;
-    *((unsigned long *)arg) = types;
-    return 1;
-}
-
-/* Copy one byte per character ASCII like strings */
-
-static int cpy_asc(unsigned long value, void *arg)
-{
-    unsigned char **p, *q;
-    p = arg;
-    q = *p;
-    *q = (unsigned char)value;
-    (*p)++;
-    return 1;
-}
-
-/* Copy two byte per character BMPStrings */
-
-static int cpy_bmp(unsigned long value, void *arg)
-{
-    unsigned char **p, *q;
-    p = arg;
-    q = *p;
-    *q++ = (unsigned char)((value >> 8) & 0xff);
-    *q = (unsigned char)(value & 0xff);
-    *p += 2;
-    return 1;
-}
-
-/* Copy four byte per character UniversalStrings */
-
-static int cpy_univ(unsigned long value, void *arg)
-{
-    unsigned char **p, *q;
-    p = arg;
-    q = *p;
-    *q++ = (unsigned char)((value >> 24) & 0xff);
-    *q++ = (unsigned char)((value >> 16) & 0xff);
-    *q++ = (unsigned char)((value >> 8) & 0xff);
-    *q = (unsigned char)(value & 0xff);
-    *p += 4;
-    return 1;
-}
-
-/* Copy to a UTF8String */
-
-static int cpy_utf8(unsigned long value, void *arg)
-{
-    unsigned char **p;
-    int ret;
-    p = arg;
-    /* We already know there is enough room so pass 0xff as the length */
-    ret = UTF8_putc(*p, 0xff, value);
-    *p += ret;
-    return 1;
+ err:
+    if (free_out)
+        ASN1_STRING_free(dest);
+    CBB_cleanup(&cbb);
+    return -1;
 }
 
 /* Return 1 if the character is permitted in a PrintableString */
-static int is_printable(unsigned long value)
+static int is_printable(uint32_t value)
 {
     int ch;
     if (value > 0x7f)

crypto/asn1/a_object.c

@@ -66,9 +66,9 @@
 #include "../internal.h"
 
 
-int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
+int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
 {
-    unsigned char *p;
+    unsigned char *p, *allocated = NULL;
     int objsize;
 
     if ((a == NULL) || (a->data == NULL))
@@ -78,149 +78,32 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
     if (pp == NULL || objsize == -1)
         return objsize;
 
-    p = *pp;
+    if (*pp == NULL) {
+        if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) {
+            OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
+            return 0;
+        }
+    } else {
+        p = *pp;
+    }
+
     ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
     OPENSSL_memcpy(p, a->data, a->length);
-    p += a->length;
 
-    *pp = p;
-    return (objsize);
+    /*
+     * If a new buffer was allocated, just return it back.
+     * If not, return the incremented buffer pointer.
+     */
+    *pp = allocated != NULL ? allocated : p + a->length;
+    return objsize;
 }
 
-int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
-{
-    int i, first, len = 0, c, use_bn;
-    char ftmp[24], *tmp = ftmp;
-    int tmpsize = sizeof ftmp;
-    const char *p;
-    unsigned long l;
-    BIGNUM *bl = NULL;
-
-    if (num == 0)
-        return (0);
-    else if (num == -1)
-        num = strlen(buf);
-
-    p = buf;
-    c = *(p++);
-    num--;
-    if ((c >= '0') && (c <= '2')) {
-        first = c - '0';
-    } else {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIRST_NUM_TOO_LARGE);
-        goto err;
-    }
-
-    if (num <= 0) {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_SECOND_NUMBER);
-        goto err;
-    }
-    c = *(p++);
-    num--;
-    for (;;) {
-        if (num <= 0)
-            break;
-        if ((c != '.') && (c != ' ')) {
-            OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_SEPARATOR);
-            goto err;
-        }
-        l = 0;
-        use_bn = 0;
-        for (;;) {
-            if (num <= 0)
-                break;
-            num--;
-            c = *(p++);
-            if ((c == ' ') || (c == '.'))
-                break;
-            if ((c < '0') || (c > '9')) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_DIGIT);
-                goto err;
-            }
-            if (!use_bn && l >= ((ULONG_MAX - 80) / 10L)) {
-                use_bn = 1;
-                if (!bl)
-                    bl = BN_new();
-                if (!bl || !BN_set_word(bl, l))
-                    goto err;
-            }
-            if (use_bn) {
-                if (!BN_mul_word(bl, 10L)
-                    || !BN_add_word(bl, c - '0'))
-                    goto err;
-            } else
-                l = l * 10L + (long)(c - '0');
-        }
-        if (len == 0) {
-            if ((first < 2) && (l >= 40)) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_SECOND_NUMBER_TOO_LARGE);
-                goto err;
-            }
-            if (use_bn) {
-                if (!BN_add_word(bl, first * 40))
-                    goto err;
-            } else
-                l += (long)first *40;
-        }
-        i = 0;
-        if (use_bn) {
-            int blsize;
-            blsize = BN_num_bits(bl);
-            blsize = (blsize + 6) / 7;
-            if (blsize > tmpsize) {
-                if (tmp != ftmp)
-                    OPENSSL_free(tmp);
-                tmpsize = blsize + 32;
-                tmp = OPENSSL_malloc(tmpsize);
-                if (!tmp)
-                    goto err;
-            }
-            while (blsize--) {
-                BN_ULONG t = BN_div_word(bl, 0x80L);
-                if (t == (BN_ULONG)-1)
-                    goto err;
-                tmp[i++] = (unsigned char)t;
-            }
-        } else {
-
-            for (;;) {
-                tmp[i++] = (unsigned char)l & 0x7f;
-                l >>= 7L;
-                if (l == 0L)
-                    break;
-            }
-
-        }
-        if (out != NULL) {
-            if (len + i > olen) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);
-                goto err;
-            }
-            while (--i > 0)
-                out[len++] = tmp[i] | 0x80;
-            out[len++] = tmp[0];
-        } else
-            len += i;
-    }
-    if (tmp != ftmp)
-        OPENSSL_free(tmp);
-    if (bl)
-        BN_free(bl);
-    return (len);
- err:
-    if (tmp != ftmp)
-        OPENSSL_free(tmp);
-    if (bl)
-        BN_free(bl);
-    return (0);
-}
-
-int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
+int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a)
 {
     return OBJ_obj2txt(buf, buf_len, a, 0);
 }
 
-int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
+int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
 {
     char buf[80], *p = buf;
     int i;

crypto/asn1/a_strnid.c

@@ -223,6 +223,7 @@ ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
         return ttmp;
     if (!stable)
         return NULL;
+    sk_ASN1_STRING_TABLE_sort(stable);
     found = sk_ASN1_STRING_TABLE_find(stable, &idx, &fnd);
     if (!found)
         return NULL;

crypto/asn1/a_time.c

@@ -60,7 +60,6 @@
 #include <time.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
@@ -101,7 +100,7 @@ ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
     return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
 }
 
-int ASN1_TIME_check(ASN1_TIME *t)
+int ASN1_TIME_check(const ASN1_TIME *t)
 {
     if (t->type == V_ASN1_GENERALIZEDTIME)
         return ASN1_GENERALIZEDTIME_check(t);
@@ -111,7 +110,7 @@ int ASN1_TIME_check(ASN1_TIME *t)
 }
 
 /* Convert an ASN1_TIME structure to GeneralizedTime */
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
                                                    ASN1_GENERALIZEDTIME **out)
 {
     ASN1_GENERALIZEDTIME *ret = NULL;
@@ -143,11 +142,11 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
     str = (char *)ret->data;
     /* Work out the century and prepend */
     if (t->data[0] >= '5')
-        BUF_strlcpy(str, "19", newlen);
+        OPENSSL_strlcpy(str, "19", newlen);
     else
-        BUF_strlcpy(str, "20", newlen);
+        OPENSSL_strlcpy(str, "20", newlen);
 
-    BUF_strlcat(str, (char *)t->data, newlen);
+    OPENSSL_strlcat(str, (char *)t->data, newlen);
 
  done:
    if (out != NULL && *out == NULL)

crypto/asn1/a_type.c

@@ -61,7 +61,7 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 
-int ASN1_TYPE_get(ASN1_TYPE *a)
+int ASN1_TYPE_get(const ASN1_TYPE *a)
 {
     if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
         return (a->type);

crypto/asn1/a_utf8.c

@@ -59,6 +59,8 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
+#include "asn1_locl.h"
+
 /* UTF8 utilities */
 
 /*
@@ -70,10 +72,10 @@
  * incorrectly (not minimal length).
  */
 
-int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
+int UTF8_getc(const unsigned char *str, int len, uint32_t *val)
 {
     const unsigned char *p;
-    unsigned long value;
+    uint32_t value;
     int ret;
     if (len <= 0)
         return 0;
@@ -112,7 +114,7 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
             || ((p[2] & 0xc0) != 0x80)
             || ((p[3] & 0xc0) != 0x80))
             return -3;
-        value = ((unsigned long)(*p++ & 0x7)) << 18;
+        value = ((uint32_t)(*p++ & 0x7)) << 18;
         value |= (*p++ & 0x3f) << 12;
         value |= (*p++ & 0x3f) << 6;
         value |= *p++ & 0x3f;
@@ -127,9 +129,9 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
             || ((p[3] & 0xc0) != 0x80)
             || ((p[4] & 0xc0) != 0x80))
             return -3;
-        value = ((unsigned long)(*p++ & 0x3)) << 24;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 18;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 12;
+        value = ((uint32_t)(*p++ & 0x3)) << 24;
+        value |= ((uint32_t)(*p++ & 0x3f)) << 18;
+        value |= ((uint32_t)(*p++ & 0x3f)) << 12;
         value |= (*p++ & 0x3f) << 6;
         value |= *p++ & 0x3f;
         if (value < 0x200000)
@@ -144,10 +146,10 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
             || ((p[4] & 0xc0) != 0x80)
             || ((p[5] & 0xc0) != 0x80))
             return -3;
-        value = ((unsigned long)(*p++ & 0x1)) << 30;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 24;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 18;
-        value |= ((unsigned long)(*p++ & 0x3f)) << 12;
+        value = ((uint32_t)(*p++ & 0x1)) << 30;
+        value |= ((uint32_t)(*p++ & 0x3f)) << 24;
+        value |= ((uint32_t)(*p++ & 0x3f)) << 18;
+        value |= ((uint32_t)(*p++ & 0x3f)) << 12;
         value |= (*p++ & 0x3f) << 6;
         value |= *p++ & 0x3f;
         if (value < 0x4000000)
@@ -167,7 +169,7 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
  * most 6 characters.
  */
 
-int UTF8_putc(unsigned char *str, int len, unsigned long value)
+int UTF8_putc(unsigned char *str, int len, uint32_t value)
 {
     if (!str)
         len = 6;                /* Maximum we will need */

crypto/asn1/asn1_lib.c

@@ -205,7 +205,11 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
         } else
             ret = i;
     }
-    if (ret > LONG_MAX)
+    /*
+     * Bound the length to comfortably fit in an int. Lengths in this module
+     * often switch between int and long without overflow checks.
+     */
+    if (ret > INT_MAX / 2)
         return 0;
     *pp = p;
     *rl = (long)ret;
@@ -426,7 +430,7 @@ void ASN1_STRING_length_set(ASN1_STRING *x, int len)
     return;
 }
 
-int ASN1_STRING_type(ASN1_STRING *x)
+int ASN1_STRING_type(const ASN1_STRING *x)
 {
     return M_ASN1_STRING_type(x);
 }
@@ -435,3 +439,8 @@ unsigned char *ASN1_STRING_data(ASN1_STRING *x)
 {
     return M_ASN1_STRING_data(x);
 }
+
+const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
+{
+    return x->data;
+}

crypto/asn1/asn1_locl.h

@@ -90,6 +90,12 @@ int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,
 int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d);
 int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d);
 
+void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
+                            int combine);
+
+int UTF8_getc(const unsigned char *str, int len, uint32_t *val);
+int UTF8_putc(unsigned char *str, int len, uint32_t value);
+
 
 #if defined(__cplusplus)
 }  /* extern C */

crypto/asn1/asn1_test.cc

@@ -12,12 +12,20 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+#include <limits.h>
 #include <stdio.h>
 
+#include <vector>
+
 #include <gtest/gtest.h>
 
 #include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/bytestring.h>
 #include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+#include <openssl/span.h>
 
 #include "../test/test_util.h"
 
@@ -60,3 +68,119 @@ TEST(ASN1Test, LargeTags) {
   EXPECT_EQ(Bytes(&kZero, 1), Bytes(obj->value.asn1_string->data,
                                     obj->value.asn1_string->length));
 }
+
+TEST(ASN1Test, IntegerSetting) {
+  bssl::UniquePtr<ASN1_INTEGER> by_bn(M_ASN1_INTEGER_new());
+  bssl::UniquePtr<ASN1_INTEGER> by_long(M_ASN1_INTEGER_new());
+  bssl::UniquePtr<ASN1_INTEGER> by_uint64(M_ASN1_INTEGER_new());
+  bssl::UniquePtr<BIGNUM> bn(BN_new());
+
+  const std::vector<int64_t> kValues = {
+      LONG_MIN, -2, -1, 0, 1, 2, 0xff, 0x100, 0xffff, 0x10000, LONG_MAX,
+  };
+  for (const auto &i : kValues) {
+    SCOPED_TRACE(i);
+
+    ASSERT_EQ(1, ASN1_INTEGER_set(by_long.get(), i));
+    const uint64_t abs = i < 0 ? (0 - (uint64_t) i) : i;
+    ASSERT_TRUE(BN_set_u64(bn.get(), abs));
+    BN_set_negative(bn.get(), i < 0);
+    ASSERT_TRUE(BN_to_ASN1_INTEGER(bn.get(), by_bn.get()));
+
+    EXPECT_EQ(0, ASN1_INTEGER_cmp(by_bn.get(), by_long.get()));
+
+    if (i >= 0) {
+      ASSERT_EQ(1, ASN1_INTEGER_set_uint64(by_uint64.get(), i));
+      EXPECT_EQ(0, ASN1_INTEGER_cmp(by_bn.get(), by_uint64.get()));
+    }
+  }
+}
+
+typedef struct asn1_linked_list_st {
+  struct asn1_linked_list_st *next;
+} ASN1_LINKED_LIST;
+
+DECLARE_ASN1_ITEM(ASN1_LINKED_LIST)
+DECLARE_ASN1_FUNCTIONS(ASN1_LINKED_LIST)
+
+ASN1_SEQUENCE(ASN1_LINKED_LIST) = {
+  ASN1_OPT(ASN1_LINKED_LIST, next, ASN1_LINKED_LIST),
+} ASN1_SEQUENCE_END(ASN1_LINKED_LIST)
+
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_LINKED_LIST)
+
+static bool MakeLinkedList(bssl::UniquePtr<uint8_t> *out, size_t *out_len,
+                           size_t count) {
+  bssl::ScopedCBB cbb;
+  std::vector<CBB> cbbs(count);
+  if (!CBB_init(cbb.get(), 2 * count) ||
+      !CBB_add_asn1(cbb.get(), &cbbs[0], CBS_ASN1_SEQUENCE)) {
+    return false;
+  }
+  for (size_t i = 1; i < count; i++) {
+    if (!CBB_add_asn1(&cbbs[i - 1], &cbbs[i], CBS_ASN1_SEQUENCE)) {
+      return false;
+    }
+  }
+  uint8_t *ptr;
+  if (!CBB_finish(cbb.get(), &ptr, out_len)) {
+    return false;
+  }
+  out->reset(ptr);
+  return true;
+}
+
+TEST(ASN1Test, Recursive) {
+  bssl::UniquePtr<uint8_t> data;
+  size_t len;
+
+  // Sanity-check that MakeLinkedList can be parsed.
+  ASSERT_TRUE(MakeLinkedList(&data, &len, 5));
+  const uint8_t *ptr = data.get();
+  ASN1_LINKED_LIST *list = d2i_ASN1_LINKED_LIST(nullptr, &ptr, len);
+  EXPECT_TRUE(list);
+  ASN1_LINKED_LIST_free(list);
+
+  // Excessively deep structures are rejected.
+  ASSERT_TRUE(MakeLinkedList(&data, &len, 100));
+  ptr = data.get();
+  list = d2i_ASN1_LINKED_LIST(nullptr, &ptr, len);
+  EXPECT_FALSE(list);
+  // Note checking the error queue here does not work. The error "stack trace"
+  // is too deep, so the |ASN1_R_NESTED_TOO_DEEP| entry drops off the queue.
+  ASN1_LINKED_LIST_free(list);
+}
+
+template <typename T>
+void TestSerialize(T obj, int (*i2d_func)(T a, uint8_t **pp),
+                   bssl::Span<const uint8_t> expected) {
+  int len = static_cast<int>(expected.size());
+  ASSERT_EQ(i2d_func(obj, nullptr), len);
+
+  std::vector<uint8_t> buf(expected.size());
+  uint8_t *ptr = buf.data();
+  ASSERT_EQ(i2d_func(obj, &ptr), len);
+  EXPECT_EQ(ptr, buf.data() + buf.size());
+  EXPECT_EQ(Bytes(expected), Bytes(buf));
+
+  // Test the allocating version.
+  ptr = nullptr;
+  ASSERT_EQ(i2d_func(obj, &ptr), len);
+  EXPECT_EQ(Bytes(expected), Bytes(ptr, expected.size()));
+  OPENSSL_free(ptr);
+}
+
+TEST(ASN1Test, SerializeObject) {
+  static const uint8_t kDER[] = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+                                 0xf7, 0x0d, 0x01, 0x01, 0x01};
+  const ASN1_OBJECT *obj = OBJ_nid2obj(NID_rsaEncryption);
+  TestSerialize(obj, i2d_ASN1_OBJECT, kDER);
+}
+
+TEST(ASN1Test, SerializeBoolean) {
+  static const uint8_t kTrue[] = {0x01, 0x01, 0xff};
+  TestSerialize(0xff, i2d_ASN1_BOOLEAN, kTrue);
+
+  static const uint8_t kFalse[] = {0x01, 0x01, 0x00};
+  TestSerialize(0x00, i2d_ASN1_BOOLEAN, kFalse);
+}

crypto/asn1/asn_pack.c

@@ -93,7 +93,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
 
 /* Extract an ASN1 object from an ASN1_STRING */
 
-void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)
+void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it)
 {
     const unsigned char *p;
     void *ret;

crypto/asn1/f_enum.c

@@ -60,7 +60,7 @@
 
 /* Based on a_int.c: equivalent ENUMERATED functions */
 
-int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a)
+int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a)
 {
     int i, n = 0;
     static const char *h = "0123456789ABCDEF";

crypto/asn1/f_int.c

@@ -58,7 +58,7 @@
 
 #include <openssl/bio.h>
 
-int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a)
+int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a)
 {
     int i, n = 0;
     static const char *h = "0123456789ABCDEF";

crypto/asn1/f_string.c

@@ -58,7 +58,7 @@
 
 #include <openssl/bio.h>
 
-int i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type)
+int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type)
 {
     int i, n = 0;
     static const char *h = "0123456789ABCDEF";

crypto/asn1/tasn_dec.c

@@ -56,6 +56,7 @@
 
 #include <openssl/asn1.h>
 
+#include <limits.h>
 #include <string.h>
 
 #include <openssl/asn1t.h>
@@ -65,6 +66,14 @@
 
 #include "../internal.h"
 
+/*
+ * Constructed types with a recursive definition (such as can be found in PKCS7)
+ * could eventually exceed the stack given malicious input with excessive
+ * recursion. Therefore we limit the stack depth. This is the maximum number of
+ * recursive invocations of asn1_item_embed_d2i().
+ */
+#define ASN1_MAX_CONSTRUCTED_NEST 30
+
 static int asn1_check_eoc(const unsigned char **in, long len);
 static int asn1_find_end(const unsigned char **in, long len, char inf);
 
@@ -81,11 +90,11 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
 static int asn1_template_ex_d2i(ASN1_VALUE **pval,
                                 const unsigned char **in, long len,
                                 const ASN1_TEMPLATE *tt, char opt,
-                                ASN1_TLC *ctx);
+                                ASN1_TLC *ctx, int depth);
 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
                                    const unsigned char **in, long len,
                                    const ASN1_TEMPLATE *tt, char opt,
-                                   ASN1_TLC *ctx);
+                                   ASN1_TLC *ctx, int depth);
 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
                                  const unsigned char **in, long len,
                                  const ASN1_ITEM *it,
@@ -147,23 +156,14 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
     return NULL;
 }
 
-int ASN1_template_d2i(ASN1_VALUE **pval,
-                      const unsigned char **in, long len,
-                      const ASN1_TEMPLATE *tt)
-{
-    ASN1_TLC c;
-    asn1_tlc_clear_nc(&c);
-    return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
-}
-
 /*
  * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
  * tag mismatch return -1 to handle OPTIONAL
  */
 
-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
-                     const ASN1_ITEM *it,
-                     int tag, int aclass, char opt, ASN1_TLC *ctx)
+static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
+                            long len, const ASN1_ITEM *it, int tag, int aclass,
+                            char opt, ASN1_TLC *ctx, int depth)
 {
     const ASN1_TEMPLATE *tt, *errtt = NULL;
     const ASN1_COMPAT_FUNCS *cf;
@@ -188,6 +188,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
     else
         asn1_cb = 0;
 
+    /*
+     * Bound |len| to comfortably fit in an int. Lengths in this module often
+     * switch between int and long without overflow checks.
+     */
+    if (len > INT_MAX/2) {
+        len = INT_MAX/2;
+    }
+
+    if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
+        OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_TOO_DEEP);
+        goto err;
+    }
+
     switch (it->itype) {
     case ASN1_ITYPE_PRIMITIVE:
         if (it->templates) {
@@ -203,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
                 goto err;
             }
             return asn1_template_ex_d2i(pval, in, len,
-                                        it->templates, opt, ctx);
+                                        it->templates, opt, ctx, depth);
         }
         return asn1_d2i_ex_primitive(pval, in, len, it,
                                      tag, aclass, opt, ctx);
@@ -326,7 +339,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
             /*
              * We mark field as OPTIONAL so its absence can be recognised.
              */
-            ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
+            ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
             /* If field not present, try the next one */
             if (ret == -1)
                 continue;
@@ -444,7 +457,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
              * attempt to read in field, allowing each to be OPTIONAL
              */
 
-            ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
+            ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
+                                       depth);
             if (!ret) {
                 errtt = seqtt;
                 goto err;
@@ -514,6 +528,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
     return 0;
 }
 
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+                     const ASN1_ITEM *it,
+                     int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+    return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
+}
+
 /*
  * Templates are handled with two separate functions. One handles any
  * EXPLICIT tag and the other handles the rest.
@@ -522,7 +543,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 static int asn1_template_ex_d2i(ASN1_VALUE **val,
                                 const unsigned char **in, long inlen,
                                 const ASN1_TEMPLATE *tt, char opt,
-                                ASN1_TLC *ctx)
+                                ASN1_TLC *ctx, int depth)
 {
     int flags, aclass;
     int ret;
@@ -556,7 +577,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
             return 0;
         }
         /* We've found the field so it can't be OPTIONAL now */
-        ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
+        ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
         if (!ret) {
             OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
             return 0;
@@ -579,7 +600,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
             }
         }
     } else
-        return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
+        return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
 
     *in = p;
     return 1;
@@ -592,7 +613,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
                                    const unsigned char **in, long len,
                                    const ASN1_TEMPLATE *tt, char opt,
-                                   ASN1_TLC *ctx)
+                                   ASN1_TLC *ctx, int depth)
 {
     int flags, aclass;
     int ret;
@@ -661,8 +682,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
                 break;
             }
             skfield = NULL;
-            if (!ASN1_item_ex_d2i(&skfield, &p, len,
-                                  ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
+             if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
+                                   -1, 0, 0, ctx, depth)) {
                 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
                 goto err;
             }
@@ -679,9 +700,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
         }
     } else if (flags & ASN1_TFLG_IMPTAG) {
         /* IMPLICIT tagging */
-        ret = ASN1_item_ex_d2i(val, &p, len,
-                               ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
-                               ctx);
+        ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
+                               aclass, opt, ctx, depth);
         if (!ret) {
             OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
             goto err;
@@ -689,8 +709,9 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
             return -1;
     } else {
         /* Nothing special */
-        ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+        ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,
+                               depth);
         if (!ret) {
             OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
             goto err;

crypto/asn1/tasn_enc.c

@@ -192,7 +192,7 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
         /* Use indefinite length constructed if requested */
         if (aclass & ASN1_TFLG_NDEF)
             ndef = 2;
-        /* fall through */
+        OPENSSL_FALLTHROUGH;
 
     case ASN1_ITYPE_SEQUENCE:
         i = asn1_enc_restore(&seqcontlen, out, pval, it);
@@ -256,12 +256,6 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
     return 0;
 }
 
-int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out,
-                      const ASN1_TEMPLATE *tt)
-{
-    return asn1_template_ex_i2d(pval, out, tt, -1, 0);
-}
-
 static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
                                 const ASN1_TEMPLATE *tt, int tag, int iclass)
 {
@@ -589,6 +583,8 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
         otmp = (ASN1_OBJECT *)*pval;
         cont = otmp->data;
         len = otmp->length;
+        if (cont == NULL || len == 0)
+            return -1;
         break;
 
     case V_ASN1_NULL:

crypto/asn1/tasn_fre.c

@@ -59,8 +59,7 @@
 #include <openssl/asn1t.h>
 #include <openssl/mem.h>
 
-static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                                   int combine);
+#include "asn1_locl.h"
 
 /* Free up an ASN1 structure */
 
@@ -74,8 +73,7 @@ void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
     asn1_item_combine_free(pval, it, 0);
 }
 
-static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                                   int combine)
+void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 {
     const ASN1_TEMPLATE *tt = NULL, *seqtt;
     const ASN1_EXTERN_FUNCS *ef;

crypto/asn1/tasn_new.c

@@ -63,6 +63,7 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 
+#include "asn1_locl.h"
 #include "../internal.h"
 
 
@@ -201,7 +202,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
     return 1;
 
  memerr2:
-    ASN1_item_ex_free(pval, it);
+    asn1_item_combine_free(pval, it, combine);
  memerr:
     OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 #ifdef CRYPTO_MDEBUG
@@ -211,7 +212,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
     return 0;
 
  auxerr2:
-    ASN1_item_ex_free(pval, it);
+    asn1_item_combine_free(pval, it, combine);
  auxerr:
     OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);
 #ifdef CRYPTO_MDEBUG

crypto/base64/CMakeLists.txt

@@ -1,9 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  base64
-
-  OBJECT
-
-  base64.c
-)

crypto/base64/base64.c

@@ -98,8 +98,8 @@ static uint8_t conv_bin2ascii(uint8_t a) {
   return ret;
 }
 
-OPENSSL_COMPILE_ASSERT(sizeof(((EVP_ENCODE_CTX *)(NULL))->data) % 3 == 0,
-                       data_length_must_be_multiple_of_base64_chunk_size);
+OPENSSL_STATIC_ASSERT(sizeof(((EVP_ENCODE_CTX *)(NULL))->data) % 3 == 0,
+                      "data length must be a multiple of base64 chunk size");
 
 int EVP_EncodedLength(size_t *out_len, size_t len) {
   if (len + 2 < len) {

crypto/base64/base64_test.cc

@@ -39,14 +39,14 @@ enum encoding_relation {
   invalid,
 };
 
-struct TestVector {
+struct Base64TestVector {
   enum encoding_relation relation;
   const char *decoded;
   const char *encoded;
 };
 
 // Test vectors from RFC 4648.
-static const TestVector kTestVectors[] = {
+static const Base64TestVector kTestVectors[] = {
     {canonical, "", ""},
     {canonical, "f", "Zg==\n"},
     {canonical, "fo", "Zm8=\n"},
@@ -103,9 +103,9 @@ static const TestVector kTestVectors[] = {
      "=======\n"},
 };
 
-class Base64Test : public testing::TestWithParam<TestVector> {};
+class Base64Test : public testing::TestWithParam<Base64TestVector> {};
 
-INSTANTIATE_TEST_CASE_P(, Base64Test, testing::ValuesIn(kTestVectors));
+INSTANTIATE_TEST_SUITE_P(All, Base64Test, testing::ValuesIn(kTestVectors));
 
 // RemoveNewlines returns a copy of |in| with all '\n' characters removed.
 static std::string RemoveNewlines(const char *in) {
@@ -122,7 +122,7 @@ static std::string RemoveNewlines(const char *in) {
 }
 
 TEST_P(Base64Test, EncodeBlock) {
-  const TestVector &t = GetParam();
+  const Base64TestVector &t = GetParam();
   if (t.relation != canonical) {
     return;
   }
@@ -140,7 +140,7 @@ TEST_P(Base64Test, EncodeBlock) {
 }
 
 TEST_P(Base64Test, DecodeBase64) {
-  const TestVector &t = GetParam();
+  const Base64TestVector &t = GetParam();
   if (t.relation == valid) {
     // The non-canonical encodings will generally have odd whitespace etc
     // that |EVP_DecodeBase64| will reject.
@@ -164,7 +164,7 @@ TEST_P(Base64Test, DecodeBase64) {
 }
 
 TEST_P(Base64Test, DecodeBlock) {
-  const TestVector &t = GetParam();
+  const Base64TestVector &t = GetParam();
   if (t.relation != canonical) {
     return;
   }
@@ -188,7 +188,7 @@ TEST_P(Base64Test, DecodeBlock) {
 }
 
 TEST_P(Base64Test, EncodeDecode) {
-  const TestVector &t = GetParam();
+  const Base64TestVector &t = GetParam();
 
   EVP_ENCODE_CTX ctx;
   const size_t decoded_len = strlen(t.decoded);
@@ -246,7 +246,7 @@ TEST_P(Base64Test, EncodeDecode) {
 }
 
 TEST_P(Base64Test, DecodeUpdateStreaming) {
-  const TestVector &t = GetParam();
+  const Base64TestVector &t = GetParam();
   if (t.relation == invalid) {
     return;
   }

crypto/bio/CMakeLists.txt

@@ -1,18 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  bio
-
-  OBJECT
-
-  bio.c
-  bio_mem.c
-  connect.c
-  fd.c
-  file.c
-  hexdump.c
-  pair.c
-  printf.c
-  socket.c
-  socket_helper.c
-)

crypto/bio/bio.c

@@ -61,6 +61,7 @@
 #include <limits.h>
 #include <string.h>
 
+#include <openssl/asn1.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/thread.h>
@@ -177,6 +178,19 @@ int BIO_write(BIO *bio, const void *in, int inl) {
   return ret;
 }
 
+int BIO_write_all(BIO *bio, const void *data, size_t len) {
+  const uint8_t *data_u8 = data;
+  while (len > 0) {
+    int ret = BIO_write(bio, data_u8, len > INT_MAX ? INT_MAX : (int)len);
+    if (ret <= 0) {
+      return 0;
+    }
+    data_u8 += ret;
+    len -= ret;
+  }
+  return 1;
+}
+
 int BIO_puts(BIO *bio, const char *in) {
   return BIO_write(bio, in, strlen(in));
 }
@@ -468,11 +482,52 @@ static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
   }
 }
 
+// bio_read_full reads |len| bytes |bio| and writes them into |out|. It
+// tolerates partial reads from |bio| and returns one on success or zero if a
+// read fails before |len| bytes are read. On failure, it additionally sets
+// |*out_eof_on_first_read| to whether the error was due to |bio| returning zero
+// on the first read. |out_eof_on_first_read| may be NULL to discard the value.
+static int bio_read_full(BIO *bio, uint8_t *out, int *out_eof_on_first_read,
+                         size_t len) {
+  int first_read = 1;
+  while (len > 0) {
+    int todo = len <= INT_MAX ? (int)len : INT_MAX;
+    int ret = BIO_read(bio, out, todo);
+    if (ret <= 0) {
+      if (out_eof_on_first_read != NULL) {
+        *out_eof_on_first_read = first_read && ret == 0;
+      }
+      return 0;
+    }
+    out += ret;
+    len -= (size_t)ret;
+    first_read = 0;
+  }
+
+  return 1;
+}
+
+// For compatibility with existing |d2i_*_bio| callers, |BIO_read_asn1| uses
+// |ERR_LIB_ASN1| errors.
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_DECODE_ERROR)
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_HEADER_TOO_LONG)
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_NOT_ENOUGH_DATA)
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_TOO_LONG)
+
 int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
   uint8_t header[6];
 
   static const size_t kInitialHeaderLen = 2;
-  if (BIO_read(bio, header, kInitialHeaderLen) != (int) kInitialHeaderLen) {
+  int eof_on_first_read;
+  if (!bio_read_full(bio, header, &eof_on_first_read, kInitialHeaderLen)) {
+    if (eof_on_first_read) {
+      // Historically, OpenSSL returned |ASN1_R_HEADER_TOO_LONG| when
+      // |d2i_*_bio| could not read anything. CPython conditions on this to
+      // determine if |bio| was empty.
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);
+    } else {
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
+    }
     return 0;
   }
 
@@ -481,6 +536,7 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
 
   if ((tag & 0x1f) == 0x1f) {
     // Long form tags are not supported.
+    OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);
     return 0;
   }
 
@@ -494,34 +550,40 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
 
     if ((tag & 0x20 /* constructed */) != 0 && num_bytes == 0) {
       // indefinite length.
-      return bio_read_all(bio, out, out_len, header, kInitialHeaderLen,
-                          max_len);
+      if (!bio_read_all(bio, out, out_len, header, kInitialHeaderLen,
+                        max_len)) {
+        OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
+        return 0;
+      }
+      return 1;
     }
 
     if (num_bytes == 0 || num_bytes > 4) {
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);
       return 0;
     }
 
-    if (BIO_read(bio, header + kInitialHeaderLen, num_bytes) !=
-        (int)num_bytes) {
+    if (!bio_read_full(bio, header + kInitialHeaderLen, NULL, num_bytes)) {
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
       return 0;
     }
     header_len = kInitialHeaderLen + num_bytes;
 
     uint32_t len32 = 0;
-    unsigned i;
-    for (i = 0; i < num_bytes; i++) {
+    for (unsigned i = 0; i < num_bytes; i++) {
       len32 <<= 8;
       len32 |= header[kInitialHeaderLen + i];
     }
 
     if (len32 < 128) {
       // Length should have used short-form encoding.
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);
       return 0;
     }
 
     if ((len32 >> ((num_bytes-1)*8)) == 0) {
       // Length should have been at least one byte shorter.
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);
       return 0;
     }
 
@@ -531,6 +593,7 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
   if (len + header_len < len ||
       len + header_len > max_len ||
       len > INT_MAX) {
+    OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
     return 0;
   }
   len += header_len;
@@ -538,11 +601,12 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
 
   *out = OPENSSL_malloc(len);
   if (*out == NULL) {
+    OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
     return 0;
   }
   OPENSSL_memcpy(*out, header, header_len);
-  if (BIO_read(bio, (*out) + header_len, len - header_len) !=
-      (int) (len - header_len)) {
+  if (!bio_read_full(bio, (*out) + header_len, NULL, len - header_len)) {
+    OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
     OPENSSL_free(*out);
     return 0;
   }
@@ -555,3 +619,82 @@ void BIO_set_retry_special(BIO *bio) {
 }
 
 int BIO_set_write_buffer_size(BIO *bio, int buffer_size) { return 0; }
+
+static struct CRYPTO_STATIC_MUTEX g_index_lock = CRYPTO_STATIC_MUTEX_INIT;
+static int g_index = BIO_TYPE_START;
+
+int BIO_get_new_index(void) {
+  CRYPTO_STATIC_MUTEX_lock_write(&g_index_lock);
+  // If |g_index| exceeds 255, it will collide with the flags bits.
+  int ret = g_index > 255 ? -1 : g_index++;
+  CRYPTO_STATIC_MUTEX_unlock_write(&g_index_lock);
+  return ret;
+}
+
+BIO_METHOD *BIO_meth_new(int type, const char *name) {
+  BIO_METHOD *method = OPENSSL_malloc(sizeof(BIO_METHOD));
+  if (method == NULL) {
+    return NULL;
+  }
+  OPENSSL_memset(method, 0, sizeof(BIO_METHOD));
+  method->type = type;
+  method->name = name;
+  return method;
+}
+
+void BIO_meth_free(BIO_METHOD *method) {
+  OPENSSL_free(method);
+}
+
+int BIO_meth_set_create(BIO_METHOD *method,
+                        int (*create)(BIO *)) {
+  method->create = create;
+  return 1;
+}
+
+int BIO_meth_set_destroy(BIO_METHOD *method,
+                         int (*destroy)(BIO *)) {
+  method->destroy = destroy;
+  return 1;
+}
+
+int BIO_meth_set_write(BIO_METHOD *method,
+                       int (*write)(BIO *, const char *, int)) {
+  method->bwrite = write;
+  return 1;
+}
+
+int BIO_meth_set_read(BIO_METHOD *method,
+                      int (*read)(BIO *, char *, int)) {
+  method->bread = read;
+  return 1;
+}
+
+int BIO_meth_set_gets(BIO_METHOD *method,
+                      int (*gets)(BIO *, char *, int)) {
+  method->bgets = gets;
+  return 1;
+}
+
+int BIO_meth_set_ctrl(BIO_METHOD *method,
+                      long (*ctrl)(BIO *, int, long, void *)) {
+  method->ctrl = ctrl;
+  return 1;
+}
+
+void BIO_set_data(BIO *bio, void *ptr) { bio->ptr = ptr; }
+
+void *BIO_get_data(BIO *bio) { return bio->ptr; }
+
+void BIO_set_init(BIO *bio, int init) { bio->init = init; }
+
+int BIO_get_init(BIO *bio) { return bio->init; }
+
+void BIO_set_shutdown(BIO *bio, int shutdown) { bio->shutdown = shutdown; }
+
+int BIO_get_shutdown(BIO *bio) { return bio->shutdown; }
+
+int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)) {
+  // Ignore the parameter. We implement |BIO_puts| using |BIO_write|.
+  return 1;
+}

crypto/bio/bio_test.cc

@@ -12,10 +12,6 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L
-#endif
-
 #include <algorithm>
 #include <string>
 
@@ -31,6 +27,7 @@
 
 #if !defined(OPENSSL_WINDOWS)
 #include <arpa/inet.h>
+#include <errno.h>
 #include <fcntl.h>
 #include <netinet/in.h>
 #include <string.h>
@@ -223,7 +220,7 @@ TEST_P(BIOASN1Test, ReadASN1) {
   }
 }
 
-INSTANTIATE_TEST_CASE_P(, BIOASN1Test, testing::ValuesIn(kASN1TestParams));
+INSTANTIATE_TEST_SUITE_P(All, BIOASN1Test, testing::ValuesIn(kASN1TestParams));
 
 // Run through the tests twice, swapping |bio1| and |bio2|, for symmetry.
 class BIOPairTest : public testing::TestWithParam<bool> {};
@@ -325,4 +322,4 @@ TEST_P(BIOPairTest, TestPair) {
   EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
 }
 
-INSTANTIATE_TEST_CASE_P(, BIOPairTest, testing::Values(false, true));
+INSTANTIATE_TEST_SUITE_P(All, BIOPairTest, testing::Values(false, true));

crypto/bio/connect.c

@@ -56,6 +56,8 @@
 
 #include <openssl/bio.h>
 
+#if !defined(OPENSSL_TRUSTY)
+
 #include <assert.h>
 #include <errno.h>
 #include <string.h>
@@ -72,7 +74,6 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3))
 OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif
 
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
@@ -147,7 +148,7 @@ static int split_host_and_port(char **out_host, char **out_port, const char *nam
     }
   }
 
-  *out_host = BUF_strndup(host, host_len);
+  *out_host = OPENSSL_strndup(host, host_len);
   if (*out_host == NULL) {
     return 0;
   }
@@ -427,13 +428,13 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
         bio->init = 1;
         if (num == 0) {
           OPENSSL_free(data->param_hostname);
-          data->param_hostname = BUF_strdup(ptr);
+          data->param_hostname = OPENSSL_strdup(ptr);
           if (data->param_hostname == NULL) {
             ret = 0;
           }
         } else if (num == 1) {
           OPENSSL_free(data->param_port);
-          data->param_port = BUF_strdup(ptr);
+          data->param_port = OPENSSL_strdup(ptr);
           if (data->param_port == NULL) {
             ret = 0;
           }
@@ -540,3 +541,5 @@ int BIO_set_nbio(BIO *bio, int on) {
 int BIO_do_connect(BIO *bio) {
   return BIO_ctrl(bio, BIO_C_DO_STATE_MACHINE, 0, NULL);
 }
+
+#endif  // OPENSSL_TRUSTY

crypto/bio/fd.c

@@ -56,6 +56,8 @@
 
 #include <openssl/bio.h>
 
+#if !defined(OPENSSL_TRUSTY)
+
 #include <errno.h>
 #include <string.h>
 
@@ -68,11 +70,11 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3))
 OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif
 
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
 #include "internal.h"
+#include "../internal.h"
 
 
 static int bio_fd_non_fatal_error(int err) {
@@ -190,6 +192,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) {
   switch (cmd) {
     case BIO_CTRL_RESET:
       num = 0;
+      OPENSSL_FALLTHROUGH;
     case BIO_C_FILE_SEEK:
       ret = 0;
       if (b->init) {
@@ -272,3 +275,5 @@ int BIO_set_fd(BIO *bio, int fd, int close_flag) {
 int BIO_get_fd(BIO *bio, int *out_fd) {
   return BIO_ctrl(bio, BIO_C_GET_FD, 0, (char *) out_fd);
 }
+
+#endif  // OPENSSL_TRUSTY

crypto/bio/file.c

@@ -73,14 +73,17 @@
 
 #include <openssl/bio.h>
 
+#if !defined(OPENSSL_TRUSTY)
+
 #include <errno.h>
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
+#include "../internal.h"
+
 
 #define BIO_FP_READ 0x02
 #define BIO_FP_WRITE 0x04
@@ -103,13 +106,12 @@ BIO *BIO_new_file(const char *filename, const char *mode) {
     return NULL;
   }
 
-  ret = BIO_new(BIO_s_file());
+  ret = BIO_new_fp(file, BIO_CLOSE);
   if (ret == NULL) {
     fclose(file);
     return NULL;
   }
 
-  BIO_set_fp(ret, file, BIO_CLOSE);
   return ret;
 }
 
@@ -183,6 +185,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
   switch (cmd) {
     case BIO_CTRL_RESET:
       num = 0;
+      OPENSSL_FALLTHROUGH;
     case BIO_C_FILE_SEEK:
       ret = (long)fseek(fp, num, 0);
       break;
@@ -204,16 +207,16 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
       b->shutdown = (int)num & BIO_CLOSE;
       if (num & BIO_FP_APPEND) {
         if (num & BIO_FP_READ) {
-          BUF_strlcpy(p, "a+", sizeof(p));
+          OPENSSL_strlcpy(p, "a+", sizeof(p));
         } else {
-          BUF_strlcpy(p, "a", sizeof(p));
+          OPENSSL_strlcpy(p, "a", sizeof(p));
         }
       } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE)) {
-        BUF_strlcpy(p, "r+", sizeof(p));
+        OPENSSL_strlcpy(p, "r+", sizeof(p));
       } else if (num & BIO_FP_WRITE) {
-        BUF_strlcpy(p, "w", sizeof(p));
+        OPENSSL_strlcpy(p, "w", sizeof(p));
       } else if (num & BIO_FP_READ) {
-        BUF_strlcpy(p, "r", sizeof(p));
+        OPENSSL_strlcpy(p, "r", sizeof(p));
       } else {
         OPENSSL_PUT_ERROR(BIO, BIO_R_BAD_FOPEN_MODE);
         ret = 0;
@@ -310,3 +313,5 @@ int BIO_rw_filename(BIO *bio, const char *filename) {
   return BIO_ctrl(bio, BIO_C_SET_FILENAME,
                   BIO_CLOSE | BIO_FP_READ | BIO_FP_WRITE, (char *)filename);
 }
+
+#endif  // OPENSSL_TRUSTY

crypto/bio/pair.c

@@ -55,7 +55,6 @@
 #include <assert.h>
 #include <string.h>
 
-#include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 

crypto/bio/printf.c

@@ -54,10 +54,6 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L  // for snprintf, vprintf etc
-#endif
-
 #include <openssl/bio.h>
 
 #include <assert.h>

crypto/bio/socket.c

@@ -57,6 +57,8 @@
 
 #include <openssl/bio.h>
 
+#if !defined(OPENSSL_TRUSTY)
+
 #include <fcntl.h>
 #include <string.h>
 
@@ -200,3 +202,5 @@ BIO *BIO_new_socket(int fd, int close_flag) {
   BIO_set_fd(ret, fd, close_flag);
   return ret;
 }
+
+#endif  // OPENSSL_TRUSTY

crypto/bio/socket_helper.c

@@ -18,6 +18,8 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 
+#if !defined(OPENSSL_TRUSTY)
+
 #include <fcntl.h>
 #include <string.h>
 #include <sys/types.h>
@@ -112,3 +114,5 @@ int bio_sock_error(int sock) {
   }
   return error;
 }
+
+#endif  // OPENSSL_TRUSTY

crypto/bn_extra/CMakeLists.txt

@@ -1,10 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  bn_extra
-
-  OBJECT
-
-  bn_asn1.c
-  convert.c
-)

crypto/bn_extra/bn_asn1.c

@@ -42,22 +42,6 @@ int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret) {
   return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
 }
 
-int BN_parse_asn1_unsigned_buggy(CBS *cbs, BIGNUM *ret) {
-  CBS child;
-  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_INTEGER) ||
-      CBS_len(&child) == 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
-    return 0;
-  }
-
-  // This function intentionally does not reject negative numbers or non-minimal
-  // encodings. Estonian IDs issued between September 2014 to September 2015 are
-  // broken. See https://crbug.com/532048 and https://crbug.com/534766.
-  //
-  // TODO(davidben): Remove this code and callers in March 2016.
-  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
-}
-
 int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {
   // Negative numbers are unsupported.
   if (BN_is_negative(bn)) {

crypto/bn_extra/convert.c

@@ -77,8 +77,9 @@ int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in) {
 static const char hextable[] = "0123456789abcdef";
 
 char *BN_bn2hex(const BIGNUM *bn) {
+  int width = bn_minimal_width(bn);
   char *buf = OPENSSL_malloc(1 /* leading '-' */ + 1 /* zero is non-empty */ +
-                             bn->top * BN_BYTES * 2 + 1 /* trailing NUL */);
+                             width * BN_BYTES * 2 + 1 /* trailing NUL */);
   if (buf == NULL) {
     OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
     return NULL;
@@ -94,7 +95,7 @@ char *BN_bn2hex(const BIGNUM *bn) {
   }
 
   int z = 0;
-  for (int i = bn->top - 1; i >= 0; i--) {
+  for (int i = width - 1; i >= 0; i--) {
     for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {
       // strip leading zeros
       int v = ((int)(bn->d[i] >> (long)j)) & 0xff;
@@ -153,7 +154,7 @@ static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
     in_len -= todo;
   }
   assert(i <= bn->dmax);
-  bn->top = i;
+  bn->width = i;
   return 1;
 }
 
@@ -222,7 +223,7 @@ static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_
     goto err;
   }
 
-  bn_correct_top(ret);
+  bn_set_minimal_width(ret);
   if (!BN_is_zero(ret)) {
     ret->neg = neg;
   }
@@ -347,7 +348,7 @@ int BN_print(BIO *bp, const BIGNUM *a) {
     goto end;
   }
 
-  for (i = a->top - 1; i >= 0; i--) {
+  for (i = bn_minimal_width(a) - 1; i >= 0; i--) {
     for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
       // strip leading zeros
       v = ((int)(a->d[i] >> (long)j)) & 0x0f;
@@ -366,17 +367,13 @@ end:
 }
 
 int BN_print_fp(FILE *fp, const BIGNUM *a) {
-  BIO *b;
-  int ret;
-
-  b = BIO_new(BIO_s_file());
+  BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);
   if (b == NULL) {
     return 0;
   }
-  BIO_set_fp(b, fp, BIO_NOCLOSE);
-  ret = BN_print(b, a);
-  BIO_free(b);
 
+  int ret = BN_print(b, a);
+  BIO_free(b);
   return ret;
 }
 
@@ -463,3 +460,11 @@ BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) {
   }
   return out;
 }
+
+int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len) {
+  if (len < 0 ||
+      !BN_bn2bin_padded(out, (size_t)len, in)) {
+    return -1;
+  }
+  return len;
+}

crypto/buf/CMakeLists.txt

@@ -1,9 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  buf
-
-  OBJECT
-
-  buf.c
-)

crypto/buf/buf.c

@@ -82,15 +82,11 @@ void BUF_MEM_free(BUF_MEM *buf) {
     return;
   }
 
-  if (buf->data != NULL) {
-    OPENSSL_cleanse(buf->data, buf->max);
-    OPENSSL_free(buf->data);
-  }
-
+  OPENSSL_free(buf->data);
   OPENSSL_free(buf);
 }
 
-static int buf_mem_reserve(BUF_MEM *buf, size_t cap, int clean) {
+int BUF_MEM_reserve(BUF_MEM *buf, size_t cap) {
   if (buf->max >= cap) {
     return 1;
   }
@@ -109,17 +105,7 @@ static int buf_mem_reserve(BUF_MEM *buf, size_t cap, int clean) {
     return 0;
   }
 
-  char *new_buf;
-  if (buf->data == NULL) {
-    new_buf = OPENSSL_malloc(alloc_size);
-  } else {
-    if (clean) {
-      new_buf = OPENSSL_realloc_clean(buf->data, buf->max, alloc_size);
-    } else {
-      new_buf = OPENSSL_realloc(buf->data, alloc_size);
-    }
-  }
-
+  char *new_buf = OPENSSL_realloc(buf->data, alloc_size);
   if (new_buf == NULL) {
     OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
     return 0;
@@ -130,12 +116,8 @@ static int buf_mem_reserve(BUF_MEM *buf, size_t cap, int clean) {
   return 1;
 }
 
-int BUF_MEM_reserve(BUF_MEM *buf, size_t cap) {
-  return buf_mem_reserve(buf, cap, 0 /* don't clear old buffer contents. */);
-}
-
-static size_t buf_mem_grow(BUF_MEM *buf, size_t len, int clean) {
-  if (!buf_mem_reserve(buf, len, clean)) {
+size_t BUF_MEM_grow(BUF_MEM *buf, size_t len) {
+  if (!BUF_MEM_reserve(buf, len)) {
     return 0;
   }
   if (buf->length < len) {
@@ -145,95 +127,46 @@ static size_t buf_mem_grow(BUF_MEM *buf, size_t len, int clean) {
   return len;
 }
 
-size_t BUF_MEM_grow(BUF_MEM *buf, size_t len) {
-  return buf_mem_grow(buf, len, 0 /* don't clear old buffer contents. */);
-}
-
 size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len) {
-  return buf_mem_grow(buf, len, 1 /* clear old buffer contents. */);
+  return BUF_MEM_grow(buf, len);
 }
 
-char *BUF_strdup(const char *str) {
-  if (str == NULL) {
-    return NULL;
+int BUF_MEM_append(BUF_MEM *buf, const void *in, size_t len) {
+  // Work around a C language bug. See https://crbug.com/1019588.
+  if (len == 0) {
+    return 1;
   }
-
-  return BUF_strndup(str, strlen(str));
+  size_t new_len = buf->length + len;
+  if (new_len < len) {
+    OPENSSL_PUT_ERROR(BUF, ERR_R_OVERFLOW);
+    return 0;
+  }
+  if (!BUF_MEM_reserve(buf, new_len)) {
+    return 0;
+  }
+  OPENSSL_memcpy(buf->data + buf->length, in, len);
+  buf->length = new_len;
+  return 1;
 }
 
+char *BUF_strdup(const char *str) { return OPENSSL_strdup(str); }
+
 size_t BUF_strnlen(const char *str, size_t max_len) {
-  size_t i;
-
-  for (i = 0; i < max_len; i++) {
-    if (str[i] == 0) {
-      break;
-    }
-  }
-
-  return i;
+  return OPENSSL_strnlen(str, max_len);
 }
 
 char *BUF_strndup(const char *str, size_t size) {
-  char *ret;
-  size_t alloc_size;
-
-  if (str == NULL) {
-    return NULL;
-  }
-
-  size = BUF_strnlen(str, size);
-
-  alloc_size = size + 1;
-  if (alloc_size < size) {
-    // overflow
-    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
-    return NULL;
-  }
-  ret = OPENSSL_malloc(alloc_size);
-  if (ret == NULL) {
-    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
-    return NULL;
-  }
-
-  OPENSSL_memcpy(ret, str, size);
-  ret[size] = '\0';
-  return ret;
+  return OPENSSL_strndup(str, size);
 }
 
 size_t BUF_strlcpy(char *dst, const char *src, size_t dst_size) {
-  size_t l = 0;
-
-  for (; dst_size > 1 && *src; dst_size--) {
-    *dst++ = *src++;
-    l++;
-  }
-
-  if (dst_size) {
-    *dst = 0;
-  }
-
-  return l + strlen(src);
+  return OPENSSL_strlcpy(dst, src, dst_size);
 }
 
 size_t BUF_strlcat(char *dst, const char *src, size_t dst_size) {
-  size_t l = 0;
-  for (; dst_size > 0 && *dst; dst_size--, dst++) {
-    l++;
-  }
-  return l + BUF_strlcpy(dst, src, dst_size);
+  return OPENSSL_strlcat(dst, src, dst_size);
 }
 
 void *BUF_memdup(const void *data, size_t size) {
-  if (size == 0) {
-    return NULL;
-  }
-
-  void *ret = OPENSSL_malloc(size);
-  if (ret == NULL) {
-    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
-    return NULL;
-  }
-
-  OPENSSL_memcpy(ret, data, size);
-  return ret;
+  return OPENSSL_memdup(data, size);
 }

crypto/buf/buf_test.cc

@@ -0,0 +1,97 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/buf.h>
+
+#include <string.h>
+
+#include <string>
+
+#include <gtest/gtest.h>
+
+
+TEST(BufTest, Basic) {
+  bssl::UniquePtr<BUF_MEM> buf(BUF_MEM_new());
+  ASSERT_TRUE(buf);
+  EXPECT_EQ(0u, buf->length);
+
+  // Use BUF_MEM_reserve to increase buf->max.
+  ASSERT_TRUE(BUF_MEM_reserve(buf.get(), 200));
+  EXPECT_GE(buf->max, 200u);
+  EXPECT_EQ(0u, buf->length);
+
+  // BUF_MEM_reserve with a smaller cap is a no-op.
+  size_t old_max = buf->max;
+  ASSERT_TRUE(BUF_MEM_reserve(buf.get(), 100));
+  EXPECT_EQ(old_max, buf->max);
+  EXPECT_EQ(0u, buf->length);
+
+  // BUF_MEM_grow can increase the length without reallocating.
+  ASSERT_EQ(100u, BUF_MEM_grow(buf.get(), 100));
+  EXPECT_EQ(100u, buf->length);
+  EXPECT_EQ(old_max, buf->max);
+  memset(buf->data, 'A', buf->length);
+
+  // If BUF_MEM_reserve reallocates, it preserves the contents.
+  ASSERT_TRUE(BUF_MEM_reserve(buf.get(), old_max + 1));
+  ASSERT_GE(buf->max, old_max + 1);
+  EXPECT_EQ(100u, buf->length);
+  for (size_t i = 0; i < 100; i++) {
+    EXPECT_EQ('A', buf->data[i]);
+  }
+
+  // BUF_MEM_grow should zero everything beyond buf->length.
+  memset(buf->data, 'B', buf->max);
+  ASSERT_EQ(150u, BUF_MEM_grow(buf.get(), 150));
+  EXPECT_EQ(150u, buf->length);
+  for (size_t i = 0; i < 100; i++) {
+    EXPECT_EQ('B', buf->data[i]);
+  }
+  for (size_t i = 100; i < 150; i++) {
+    EXPECT_EQ(0, buf->data[i]);
+  }
+
+  // BUF_MEM_grow can rellocate if necessary.
+  size_t new_len = buf->max + 1;
+  ASSERT_EQ(new_len, BUF_MEM_grow(buf.get(), new_len));
+  EXPECT_GE(buf->max, new_len);
+  EXPECT_EQ(new_len, buf->length);
+  for (size_t i = 0; i < 100; i++) {
+    EXPECT_EQ('B', buf->data[i]);
+  }
+  for (size_t i = 100; i < new_len; i++) {
+    EXPECT_EQ(0, buf->data[i]);
+  }
+
+  // BUF_MEM_grow can shink.
+  ASSERT_EQ(50u, BUF_MEM_grow(buf.get(), 50));
+  EXPECT_EQ(50u, buf->length);
+  for (size_t i = 0; i < 50; i++) {
+    EXPECT_EQ('B', buf->data[i]);
+  }
+}
+
+TEST(BufTest, Append) {
+  bssl::UniquePtr<BUF_MEM> buf(BUF_MEM_new());
+  ASSERT_TRUE(buf);
+
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), nullptr, 0));
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), "hello ", 6));
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), nullptr, 0));
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), "world", 5));
+  std::string str(128, 'A');
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), str.data(), str.size()));
+
+  EXPECT_EQ("hello world" + str, std::string(buf->data, buf->length));
+}

crypto/bytestring/CMakeLists.txt

@@ -1,12 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  bytestring
-
-  OBJECT
-
-  asn1_compat.c
-  ber.c
-  cbs.c
-  cbb.c
-)

crypto/bytestring/ber.c

@@ -29,10 +29,7 @@ static const unsigned kMaxDepth = 2048;
 // is_string_type returns one if |tag| is a string type and zero otherwise. It
 // ignores the constructed bit.
 static int is_string_type(unsigned tag) {
-  if ((tag & 0xc0) != 0) {
-    return 0;
-  }
-  switch (tag & 0x1f) {
+  switch (tag & ~CBS_ASN1_CONSTRUCTED) {
     case CBS_ASN1_BITSTRING:
     case CBS_ASN1_OCTETSTRING:
     case CBS_ASN1_UTF8STRING:
@@ -192,7 +189,7 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
   return looking_for_eoc == 0;
 }
 
-int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
+int CBS_asn1_ber_to_der(CBS *in, CBS *out, uint8_t **out_storage) {
   CBB cbb;
 
   // First, do a quick walk to find any indefinite-length elements. Most of the
@@ -203,18 +200,22 @@ int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
   }
 
   if (!conversion_needed) {
-    *out = NULL;
-    *out_len = 0;
+    if (!CBS_get_any_asn1_element(in, out, NULL, NULL)) {
+      return 0;
+    }
+    *out_storage = NULL;
     return 1;
   }
 
+  size_t len;
   if (!CBB_init(&cbb, CBS_len(in)) ||
       !cbs_convert_ber(in, &cbb, 0, 0, 0) ||
-      !CBB_finish(&cbb, out, out_len)) {
+      !CBB_finish(&cbb, out_storage, &len)) {
     CBB_cleanup(&cbb);
     return 0;
   }
 
+  CBS_init(out, *out_storage, len);
   return 1;
 }
 

crypto/bytestring/bytestring_test.cc

@@ -12,10 +12,6 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-#if !defined(__STDC_CONSTANT_MACROS)
-#define __STDC_CONSTANT_MACROS
-#endif
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -46,10 +42,12 @@ TEST(CBSTest, Skip) {
 }
 
 TEST(CBSTest, GetUint) {
-  static const uint8_t kData[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
+  static const uint8_t kData[] = {1,  2,  3,  4,  5,  6,  7,  8,  9,  10,
+                                  11, 12, 13, 14, 15, 16, 17, 18, 19, 20};
   uint8_t u8;
   uint16_t u16;
   uint32_t u32;
+  uint64_t u64;
   CBS data;
 
   CBS_init(&data, kData, sizeof(kData));
@@ -61,12 +59,22 @@ TEST(CBSTest, GetUint) {
   EXPECT_EQ(0x40506u, u32);
   ASSERT_TRUE(CBS_get_u32(&data, &u32));
   EXPECT_EQ(0x708090au, u32);
+  ASSERT_TRUE(CBS_get_u64(&data, &u64));
+  EXPECT_EQ(0xb0c0d0e0f101112u, u64);
   ASSERT_TRUE(CBS_get_last_u8(&data, &u8));
-  EXPECT_EQ(0xcu, u8);
+  EXPECT_EQ(0x14u, u8);
   ASSERT_TRUE(CBS_get_last_u8(&data, &u8));
-  EXPECT_EQ(0xbu, u8);
+  EXPECT_EQ(0x13u, u8);
   EXPECT_FALSE(CBS_get_u8(&data, &u8));
   EXPECT_FALSE(CBS_get_last_u8(&data, &u8));
+
+  CBS_init(&data, kData, sizeof(kData));
+  ASSERT_TRUE(CBS_get_u16le(&data, &u16));
+  EXPECT_EQ(0x0201u, u16);
+  ASSERT_TRUE(CBS_get_u32le(&data, &u32));
+  EXPECT_EQ(0x06050403u, u32);
+  ASSERT_TRUE(CBS_get_u64le(&data, &u64));
+  EXPECT_EQ(0x0e0d0c0b0a090807u, u64);
 }
 
 TEST(CBSTest, GetPrefixed) {
@@ -123,27 +131,27 @@ TEST(CBSTest, GetASN1) {
   uint64_t value;
 
   CBS_init(&data, kData1, sizeof(kData1));
-  EXPECT_FALSE(CBS_peek_asn1_tag(&data, 0x1));
-  EXPECT_TRUE(CBS_peek_asn1_tag(&data, 0x30));
+  EXPECT_FALSE(CBS_peek_asn1_tag(&data, CBS_ASN1_BOOLEAN));
+  EXPECT_TRUE(CBS_peek_asn1_tag(&data, CBS_ASN1_SEQUENCE));
 
-  ASSERT_TRUE(CBS_get_asn1(&data, &contents, 0x30));
+  ASSERT_TRUE(CBS_get_asn1(&data, &contents, CBS_ASN1_SEQUENCE));
   EXPECT_EQ(Bytes("\x01\x02"), Bytes(CBS_data(&contents), CBS_len(&contents)));
 
   CBS_init(&data, kData2, sizeof(kData2));
   // data is truncated
-  EXPECT_FALSE(CBS_get_asn1(&data, &contents, 0x30));
+  EXPECT_FALSE(CBS_get_asn1(&data, &contents, CBS_ASN1_SEQUENCE));
 
   CBS_init(&data, kData3, sizeof(kData3));
   // zero byte length of length
-  EXPECT_FALSE(CBS_get_asn1(&data, &contents, 0x30));
+  EXPECT_FALSE(CBS_get_asn1(&data, &contents, CBS_ASN1_SEQUENCE));
 
   CBS_init(&data, kData4, sizeof(kData4));
   // long form mistakenly used.
-  EXPECT_FALSE(CBS_get_asn1(&data, &contents, 0x30));
+  EXPECT_FALSE(CBS_get_asn1(&data, &contents, CBS_ASN1_SEQUENCE));
 
   CBS_init(&data, kData5, sizeof(kData5));
   // length takes too many bytes.
-  EXPECT_FALSE(CBS_get_asn1(&data, &contents, 0x30));
+  EXPECT_FALSE(CBS_get_asn1(&data, &contents, CBS_ASN1_SEQUENCE));
 
   CBS_init(&data, kData1, sizeof(kData1));
   // wrong tag.
@@ -151,56 +159,72 @@ TEST(CBSTest, GetASN1) {
 
   CBS_init(&data, NULL, 0);
   // peek at empty data.
-  EXPECT_FALSE(CBS_peek_asn1_tag(&data, 0x30));
+  EXPECT_FALSE(CBS_peek_asn1_tag(&data, CBS_ASN1_SEQUENCE));
 
   CBS_init(&data, NULL, 0);
   // optional elements at empty data.
-  ASSERT_TRUE(CBS_get_optional_asn1(&data, &contents, &present, 0xa0));
+  ASSERT_TRUE(CBS_get_optional_asn1(
+      &data, &contents, &present,
+      CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0));
   EXPECT_FALSE(present);
-  ASSERT_TRUE(
-      CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa0));
+  ASSERT_TRUE(CBS_get_optional_asn1_octet_string(
+      &data, &contents, &present,
+      CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0));
   EXPECT_FALSE(present);
   EXPECT_EQ(0u, CBS_len(&contents));
-  ASSERT_TRUE(CBS_get_optional_asn1_octet_string(&data, &contents, NULL, 0xa0));
+  ASSERT_TRUE(CBS_get_optional_asn1_octet_string(
+      &data, &contents, NULL,
+      CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0));
   EXPECT_EQ(0u, CBS_len(&contents));
-  ASSERT_TRUE(CBS_get_optional_asn1_uint64(&data, &value, 0xa0, 42));
+  ASSERT_TRUE(CBS_get_optional_asn1_uint64(
+      &data, &value, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0, 42));
   EXPECT_EQ(42u, value);
 
   CBS_init(&data, kData6, sizeof(kData6));
   // optional element.
-  ASSERT_TRUE(CBS_get_optional_asn1(&data, &contents, &present, 0xa0));
+  ASSERT_TRUE(CBS_get_optional_asn1(
+      &data, &contents, &present,
+      CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0));
   EXPECT_FALSE(present);
-  ASSERT_TRUE(CBS_get_optional_asn1(&data, &contents, &present, 0xa1));
+  ASSERT_TRUE(CBS_get_optional_asn1(
+      &data, &contents, &present,
+      CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1));
   EXPECT_TRUE(present);
   EXPECT_EQ(Bytes("\x04\x01\x01"),
             Bytes(CBS_data(&contents), CBS_len(&contents)));
 
   CBS_init(&data, kData6, sizeof(kData6));
   // optional octet string.
-  ASSERT_TRUE(
-      CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa0));
+  ASSERT_TRUE(CBS_get_optional_asn1_octet_string(
+      &data, &contents, &present,
+      CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0));
   EXPECT_FALSE(present);
   EXPECT_EQ(0u, CBS_len(&contents));
-  ASSERT_TRUE(
-      CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa1));
+  ASSERT_TRUE(CBS_get_optional_asn1_octet_string(
+      &data, &contents, &present,
+      CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1));
   EXPECT_TRUE(present);
   EXPECT_EQ(Bytes("\x01"), Bytes(CBS_data(&contents), CBS_len(&contents)));
 
   CBS_init(&data, kData7, sizeof(kData7));
   // invalid optional octet string.
-  EXPECT_FALSE(
-      CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa1));
+  EXPECT_FALSE(CBS_get_optional_asn1_octet_string(
+      &data, &contents, &present,
+      CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1));
 
   CBS_init(&data, kData8, sizeof(kData8));
   // optional integer.
-  ASSERT_TRUE(CBS_get_optional_asn1_uint64(&data, &value, 0xa0, 42));
+  ASSERT_TRUE(CBS_get_optional_asn1_uint64(
+      &data, &value, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0, 42));
   EXPECT_EQ(42u, value);
-  ASSERT_TRUE(CBS_get_optional_asn1_uint64(&data, &value, 0xa1, 42));
+  ASSERT_TRUE(CBS_get_optional_asn1_uint64(
+      &data, &value, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1, 42));
   EXPECT_EQ(1u, value);
 
   CBS_init(&data, kData9, sizeof(kData9));
   // invalid optional integer.
-  EXPECT_FALSE(CBS_get_optional_asn1_uint64(&data, &value, 0xa1, 42));
+  EXPECT_FALSE(CBS_get_optional_asn1_uint64(
+      &data, &value, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1, 42));
 
   unsigned tag;
   CBS_init(&data, kData1, sizeof(kData1));
@@ -217,6 +241,54 @@ TEST(CBSTest, GetASN1) {
             Bytes(CBS_data(&contents), CBS_len(&contents)));
 }
 
+TEST(CBSTest, ParseASN1Tag) {
+  const struct {
+    bool ok;
+    unsigned tag;
+    std::vector<uint8_t> in;
+  } kTests[] = {
+      {true, CBS_ASN1_SEQUENCE, {0x30, 0}},
+      {true, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 4, {0xa4, 0}},
+      {true, CBS_ASN1_APPLICATION | 30, {0x5e, 0}},
+      {true, CBS_ASN1_APPLICATION | 31, {0x5f, 0x1f, 0}},
+      {true, CBS_ASN1_APPLICATION | 32, {0x5f, 0x20, 0}},
+      {true,
+       CBS_ASN1_PRIVATE | CBS_ASN1_CONSTRUCTED | 0x1fffffff,
+       {0xff, 0x81, 0xff, 0xff, 0xff, 0x7f, 0}},
+      // Tag number fits in unsigned but not |CBS_ASN1_TAG_NUMBER_MASK|.
+      {false, 0, {0xff, 0x82, 0xff, 0xff, 0xff, 0x7f, 0}},
+      // Tag number does not fit in unsigned.
+      {false, 0, {0xff, 0x90, 0x80, 0x80, 0x80, 0, 0}},
+      // Tag number is not minimally-encoded
+      {false, 0, {0x5f, 0x80, 0x1f, 0}},
+      // Tag number should have used short form.
+      {false, 0, {0x5f, 0x80, 0x1e, 0}},
+  };
+  for (const auto &t : kTests) {
+    SCOPED_TRACE(Bytes(t.in));
+    unsigned tag;
+    CBS cbs, child;
+    CBS_init(&cbs, t.in.data(), t.in.size());
+    ASSERT_EQ(t.ok, !!CBS_get_any_asn1(&cbs, &child, &tag));
+    if (t.ok) {
+      EXPECT_EQ(t.tag, tag);
+      EXPECT_EQ(0u, CBS_len(&child));
+      EXPECT_EQ(0u, CBS_len(&cbs));
+
+      CBS_init(&cbs, t.in.data(), t.in.size());
+      EXPECT_TRUE(CBS_peek_asn1_tag(&cbs, t.tag));
+      EXPECT_FALSE(CBS_peek_asn1_tag(&cbs, t.tag + 1));
+
+      EXPECT_TRUE(CBS_get_asn1(&cbs, &child, t.tag));
+      EXPECT_EQ(0u, CBS_len(&child));
+      EXPECT_EQ(0u, CBS_len(&cbs));
+
+      CBS_init(&cbs, t.in.data(), t.in.size());
+      EXPECT_FALSE(CBS_get_asn1(&cbs, &child, t.tag + 1));
+    }
+  }
+}
+
 TEST(CBSTest, GetOptionalASN1Bool) {
   static const uint8_t kTrue[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0xff};
   static const uint8_t kFalse[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x00};
@@ -250,7 +322,11 @@ TEST(CBBTest, InitUninitialized) {
 }
 
 TEST(CBBTest, Basic) {
-  static const uint8_t kExpected[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb, 0xc};
+  static const uint8_t kExpected[] = {1,   2,    3,    4,    5,    6,   7,
+                                      8,   9,    0xa,  0xb,  0xc,  0xd, 0xe,
+                                      0xf, 0x10, 0x11, 0x12, 0x13, 0x14, 3, 2,
+                                      10,  9,    8,    7,    0x12, 0x11, 0x10,
+                                      0xf, 0xe,  0xd,  0xc,  0xb};
   uint8_t *buf;
   size_t buf_len;
 
@@ -263,7 +339,11 @@ TEST(CBBTest, Basic) {
   ASSERT_TRUE(CBB_add_u16(cbb.get(), 0x203));
   ASSERT_TRUE(CBB_add_u24(cbb.get(), 0x40506));
   ASSERT_TRUE(CBB_add_u32(cbb.get(), 0x708090a));
-  ASSERT_TRUE(CBB_add_bytes(cbb.get(), (const uint8_t *)"\x0b\x0c", 2));
+  ASSERT_TRUE(CBB_add_u64(cbb.get(), 0xb0c0d0e0f101112));
+  ASSERT_TRUE(CBB_add_bytes(cbb.get(), (const uint8_t *)"\x13\x14", 2));
+  ASSERT_TRUE(CBB_add_u16le(cbb.get(), 0x203));
+  ASSERT_TRUE(CBB_add_u32le(cbb.get(), 0x708090a));
+  ASSERT_TRUE(CBB_add_u64le(cbb.get(), 0xb0c0d0e0f101112));
   ASSERT_TRUE(CBB_finish(cbb.get(), &buf, &buf_len));
 
   bssl::UniquePtr<uint8_t> scoper(buf);
@@ -416,15 +496,42 @@ TEST(CBBTest, Misuse) {
 }
 
 TEST(CBBTest, ASN1) {
-  static const uint8_t kExpected[] = {0x30, 3, 1, 2, 3};
+  static const uint8_t kExpected[] = {
+      // SEQUENCE { 1 2 3 }
+      0x30, 3, 1, 2, 3,
+      // [4 CONSTRUCTED] { 4 5 6 }
+      0xa4, 3, 4, 5, 6,
+      // [APPLICATION 30 PRIMITIVE] { 7 8 9 }
+      0x5e, 3, 7, 8, 9,
+      // [APPLICATION 31 PRIMITIVE] { 10 11 12 }
+      0x5f, 0x1f, 3, 10, 11, 12,
+      // [PRIVATE 2^29-1 CONSTRUCTED] { 13 14 15 }
+      0xff, 0x81, 0xff, 0xff, 0xff, 0x7f, 3, 13, 14, 15,
+  };
   uint8_t *buf;
   size_t buf_len;
   bssl::ScopedCBB cbb;
   CBB contents, inner_contents;
 
   ASSERT_TRUE(CBB_init(cbb.get(), 0));
-  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, 0x30));
+  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, CBS_ASN1_SEQUENCE));
   ASSERT_TRUE(CBB_add_bytes(&contents, (const uint8_t *)"\x01\x02\x03", 3));
+  ASSERT_TRUE(
+      CBB_add_asn1(cbb.get(), &contents,
+                   CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 4));
+  ASSERT_TRUE(CBB_add_bytes(&contents, (const uint8_t *)"\x04\x05\x06", 3));
+  ASSERT_TRUE(
+      CBB_add_asn1(cbb.get(), &contents,
+                   CBS_ASN1_APPLICATION | 30));
+  ASSERT_TRUE(CBB_add_bytes(&contents, (const uint8_t *)"\x07\x08\x09", 3));
+  ASSERT_TRUE(
+      CBB_add_asn1(cbb.get(), &contents,
+                   CBS_ASN1_APPLICATION | 31));
+  ASSERT_TRUE(CBB_add_bytes(&contents, (const uint8_t *)"\x0a\x0b\x0c", 3));
+  ASSERT_TRUE(
+      CBB_add_asn1(cbb.get(), &contents,
+                   CBS_ASN1_PRIVATE | CBS_ASN1_CONSTRUCTED | 0x1fffffff));
+  ASSERT_TRUE(CBB_add_bytes(&contents, (const uint8_t *)"\x0d\x0e\x0f", 3));
   ASSERT_TRUE(CBB_finish(cbb.get(), &buf, &buf_len));
   bssl::UniquePtr<uint8_t> scoper(buf);
 
@@ -432,7 +539,7 @@ TEST(CBBTest, ASN1) {
 
   std::vector<uint8_t> test_data(100000, 0x42);
   ASSERT_TRUE(CBB_init(cbb.get(), 0));
-  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, 0x30));
+  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, CBS_ASN1_SEQUENCE));
   ASSERT_TRUE(CBB_add_bytes(&contents, test_data.data(), 130));
   ASSERT_TRUE(CBB_finish(cbb.get(), &buf, &buf_len));
   scoper.reset(buf);
@@ -442,7 +549,7 @@ TEST(CBBTest, ASN1) {
   EXPECT_EQ(Bytes(test_data.data(), 130), Bytes(buf + 3, 130));
 
   ASSERT_TRUE(CBB_init(cbb.get(), 0));
-  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, 0x30));
+  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, CBS_ASN1_SEQUENCE));
   ASSERT_TRUE(CBB_add_bytes(&contents, test_data.data(), 1000));
   ASSERT_TRUE(CBB_finish(cbb.get(), &buf, &buf_len));
   scoper.reset(buf);
@@ -452,8 +559,8 @@ TEST(CBBTest, ASN1) {
   EXPECT_EQ(Bytes(test_data.data(), 1000), Bytes(buf + 4, 1000));
 
   ASSERT_TRUE(CBB_init(cbb.get(), 0));
-  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, 0x30));
-  ASSERT_TRUE(CBB_add_asn1(&contents, &inner_contents, 0x30));
+  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &contents, CBS_ASN1_SEQUENCE));
+  ASSERT_TRUE(CBB_add_asn1(&contents, &inner_contents, CBS_ASN1_SEQUENCE));
   ASSERT_TRUE(CBB_add_bytes(&inner_contents, test_data.data(), 100000));
   ASSERT_TRUE(CBB_finish(cbb.get(), &buf, &buf_len));
   scoper.reset(buf);
@@ -467,19 +574,18 @@ static void ExpectBerConvert(const char *name, const uint8_t *der_expected,
                              size_t der_len, const uint8_t *ber,
                              size_t ber_len) {
   SCOPED_TRACE(name);
-  CBS in;
-  uint8_t *out;
-  size_t out_len;
+  CBS in, out;
+  uint8_t *storage;
 
   CBS_init(&in, ber, ber_len);
-  ASSERT_TRUE(CBS_asn1_ber_to_der(&in, &out, &out_len));
-  bssl::UniquePtr<uint8_t> scoper(out);
+  ASSERT_TRUE(CBS_asn1_ber_to_der(&in, &out, &storage));
+  bssl::UniquePtr<uint8_t> scoper(storage);
 
-  if (out == NULL) {
-    EXPECT_EQ(Bytes(der_expected, der_len), Bytes(ber, ber_len));
-  } else {
+  EXPECT_EQ(Bytes(der_expected, der_len), Bytes(CBS_data(&out), CBS_len(&out)));
+  if (storage != nullptr) {
     EXPECT_NE(Bytes(der_expected, der_len), Bytes(ber, ber_len));
-    EXPECT_EQ(Bytes(der_expected, der_len), Bytes(out, out_len));
+  } else {
+    EXPECT_EQ(Bytes(der_expected, der_len), Bytes(ber, ber_len));
   }
 }
 
@@ -490,6 +596,12 @@ TEST(CBSTest, BerConvert) {
   static const uint8_t kIndefBER[] = {0x30, 0x80, 0x01, 0x01, 0x02, 0x00, 0x00};
   static const uint8_t kIndefDER[] = {0x30, 0x03, 0x01, 0x01, 0x02};
 
+  // kIndefBER2 contains a constructed [APPLICATION 31] with an indefinite
+  // length.
+  static const uint8_t kIndefBER2[] = {0x7f, 0x1f, 0x80, 0x01,
+                                       0x01, 0x02, 0x00, 0x00};
+  static const uint8_t kIndefDER2[] = {0x7f, 0x1f, 0x03, 0x01, 0x01, 0x02};
+
   // kOctetStringBER contains an indefinite length OCTET STRING with two parts.
   // These parts need to be concatenated in DER form.
   static const uint8_t kOctetStringBER[] = {0x24, 0x80, 0x04, 0x02, 0,    1,
@@ -534,6 +646,8 @@ TEST(CBSTest, BerConvert) {
                    sizeof(kSimpleBER));
   ExpectBerConvert("kIndefBER", kIndefDER, sizeof(kIndefDER), kIndefBER,
                    sizeof(kIndefBER));
+  ExpectBerConvert("kIndefBER2", kIndefDER2, sizeof(kIndefDER2), kIndefBER2,
+                   sizeof(kIndefBER2));
   ExpectBerConvert("kOctetStringBER", kOctetStringDER, sizeof(kOctetStringDER),
                    kOctetStringBER, sizeof(kOctetStringBER));
   ExpectBerConvert("kNSSBER", kNSSDER, sizeof(kNSSDER), kNSSBER,
@@ -653,6 +767,79 @@ TEST(CBSTest, ASN1Uint64) {
   }
 }
 
+struct ASN1Int64Test {
+  int64_t value;
+  const char *encoding;
+  size_t encoding_len;
+};
+
+static const ASN1Int64Test kASN1Int64Tests[] = {
+    {0, "\x02\x01\x00", 3},
+    {1, "\x02\x01\x01", 3},
+    {-1, "\x02\x01\xff", 3},
+    {127, "\x02\x01\x7f", 3},
+    {-127, "\x02\x01\x81", 3},
+    {128, "\x02\x02\x00\x80", 4},
+    {-128, "\x02\x01\x80", 3},
+    {129, "\x02\x02\x00\x81", 4},
+    {-129, "\x02\x02\xff\x7f", 4},
+    {0xdeadbeef, "\x02\x05\x00\xde\xad\xbe\xef", 7},
+    {INT64_C(0x0102030405060708), "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08",
+     10},
+    {INT64_MIN, "\x02\x08\x80\x00\x00\x00\x00\x00\x00\x00", 10},
+    {INT64_MAX, "\x02\x08\x7f\xff\xff\xff\xff\xff\xff\xff", 10},
+};
+
+struct ASN1InvalidInt64Test {
+  const char *encoding;
+  size_t encoding_len;
+};
+
+static const ASN1InvalidInt64Test kASN1InvalidInt64Tests[] = {
+    // Bad tag.
+    {"\x03\x01\x00", 3},
+    // Empty contents.
+    {"\x02\x00", 2},
+    // Overflow.
+    {"\x02\x09\x01\x00\x00\x00\x00\x00\x00\x00\x00", 11},
+    // Leading zeros.
+    {"\x02\x02\x00\x01", 4},
+    // Leading 0xff.
+    {"\x02\x02\xff\xff", 4},
+};
+
+TEST(CBSTest, ASN1Int64) {
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kASN1Int64Tests); i++) {
+    SCOPED_TRACE(i);
+    const ASN1Int64Test *test = &kASN1Int64Tests[i];
+    CBS cbs;
+    int64_t value;
+    uint8_t *out;
+    size_t len;
+
+    CBS_init(&cbs, (const uint8_t *)test->encoding, test->encoding_len);
+    ASSERT_TRUE(CBS_get_asn1_int64(&cbs, &value));
+    EXPECT_EQ(0u, CBS_len(&cbs));
+    EXPECT_EQ(test->value, value);
+
+    bssl::ScopedCBB cbb;
+    ASSERT_TRUE(CBB_init(cbb.get(), 0));
+    ASSERT_TRUE(CBB_add_asn1_int64(cbb.get(), test->value));
+    ASSERT_TRUE(CBB_finish(cbb.get(), &out, &len));
+    bssl::UniquePtr<uint8_t> scoper(out);
+    EXPECT_EQ(Bytes(test->encoding, test->encoding_len), Bytes(out, len));
+  }
+
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kASN1InvalidInt64Tests); i++) {
+    const ASN1InvalidInt64Test *test = &kASN1InvalidInt64Tests[i];
+    CBS cbs;
+    int64_t value;
+
+    CBS_init(&cbs, (const uint8_t *)test->encoding, test->encoding_len);
+    EXPECT_FALSE(CBS_get_asn1_int64(&cbs, &value));
+  }
+}
+
 TEST(CBBTest, Zero) {
   CBB cbb;
   CBB_zero(&cbb);
@@ -787,3 +974,386 @@ TEST(CBSTest, BitString) {
               CBS_asn1_bitstring_has_bit(&cbs, test.bit));
   }
 }
+
+TEST(CBBTest, AddOIDFromText) {
+  const struct {
+    const char *text;
+    std::vector<uint8_t> der;
+  } kValidOIDs[] = {
+      // Some valid values.
+      {"0.0", {0x00}},
+      {"0.2.3.4", {0x2, 0x3, 0x4}},
+      {"1.2.3.4", {0x2a, 0x3, 0x4}},
+      {"2.2.3.4", {0x52, 0x3, 0x4}},
+      {"1.2.840.113554.4.1.72585",
+       {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7, 0x09}},
+      // Test edge cases around the first component.
+      {"0.39", {0x27}},
+      {"1.0", {0x28}},
+      {"1.39", {0x4f}},
+      {"2.0", {0x50}},
+      {"2.1", {0x51}},
+      {"2.40", {0x78}},
+      // Edge cases near an overflow.
+      {"1.2.18446744073709551615",
+       {0x2a, 0x81, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}},
+      {"2.18446744073709551535",
+       {0x81, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}},
+  };
+
+  const char *kInvalidTexts[] = {
+      // Invalid second component.
+      "0.40",
+      "1.40",
+      // Invalid first component.
+      "3.1",
+      // The empty string is not an OID.
+      "",
+      // No empty components.
+      ".1.2.3.4.5",
+      "1..2.3.4.5",
+      "1.2.3.4.5.",
+      // There must be at least two components.
+      "1",
+      // No extra leading zeros.
+      "00.1.2.3.4",
+      "01.1.2.3.4",
+      // Overflow for both components or 40*A + B.
+      "1.2.18446744073709551616",
+      "2.18446744073709551536",
+  };
+
+  const std::vector<uint8_t> kInvalidDER[] = {
+      // The empty string is not an OID.
+      {},
+      // Non-minimal representation.
+      {0x80, 0x01},
+      // Overflow. This is the DER representation of
+      // 1.2.840.113554.4.1.72585.18446744073709551616. (The final value is
+      // 2^64.)
+      {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7, 0x09,
+       0x82, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x00},
+  };
+
+  for (const auto &t : kValidOIDs) {
+    SCOPED_TRACE(t.text);
+
+    bssl::ScopedCBB cbb;
+    ASSERT_TRUE(CBB_init(cbb.get(), 0));
+    ASSERT_TRUE(CBB_add_asn1_oid_from_text(cbb.get(), t.text, strlen(t.text)));
+    uint8_t *out;
+    size_t len;
+    ASSERT_TRUE(CBB_finish(cbb.get(), &out, &len));
+    bssl::UniquePtr<uint8_t> free_out(out);
+    EXPECT_EQ(Bytes(t.der), Bytes(out, len));
+
+    CBS cbs;
+    CBS_init(&cbs, t.der.data(), t.der.size());
+    bssl::UniquePtr<char> text(CBS_asn1_oid_to_text(&cbs));
+    ASSERT_TRUE(text.get());
+    EXPECT_STREQ(t.text, text.get());
+  }
+
+  for (const char *t : kInvalidTexts) {
+    SCOPED_TRACE(t);
+    bssl::ScopedCBB cbb;
+    ASSERT_TRUE(CBB_init(cbb.get(), 0));
+    EXPECT_FALSE(CBB_add_asn1_oid_from_text(cbb.get(), t, strlen(t)));
+  }
+
+  for (const auto &t : kInvalidDER) {
+    SCOPED_TRACE(Bytes(t));
+    CBS cbs;
+    CBS_init(&cbs, t.data(), t.size());
+    bssl::UniquePtr<char> text(CBS_asn1_oid_to_text(&cbs));
+    EXPECT_FALSE(text);
+  }
+}
+
+TEST(CBBTest, FlushASN1SetOf) {
+  const struct {
+    std::vector<uint8_t> in, out;
+  } kValidInputs[] = {
+    // No elements.
+    {{}, {}},
+    // One element.
+    {{0x30, 0x00}, {0x30, 0x00}},
+    // Two identical elements.
+    {{0x30, 0x00, 0x30, 0x00}, {0x30, 0x00, 0x30, 0x00}},
+    // clang-format off
+    {{0x30, 0x02, 0x00, 0x00,
+      0x30, 0x00,
+      0x01, 0x00,
+      0x30, 0x02, 0x00, 0x00,
+      0x30, 0x03, 0x00, 0x00, 0x00,
+      0x30, 0x00,
+      0x30, 0x03, 0x00, 0x00, 0x01,
+      0x30, 0x01, 0x00,
+      0x01, 0x01, 0x00},
+     {0x01, 0x00,
+      0x01, 0x01, 0x00,
+      0x30, 0x00,
+      0x30, 0x00,
+      0x30, 0x01, 0x00,
+      0x30, 0x02, 0x00, 0x00,
+      0x30, 0x02, 0x00, 0x00,
+      0x30, 0x03, 0x00, 0x00, 0x00,
+      0x30, 0x03, 0x00, 0x00, 0x01}},
+    // clang-format on
+  };
+
+  for (const auto &t : kValidInputs) {
+    SCOPED_TRACE(Bytes(t.in));
+
+    bssl::ScopedCBB cbb;
+    CBB child;
+    ASSERT_TRUE(CBB_init(cbb.get(), 0));
+    ASSERT_TRUE(CBB_add_asn1(cbb.get(), &child, CBS_ASN1_SET));
+    ASSERT_TRUE(CBB_add_bytes(&child, t.in.data(), t.in.size()));
+    ASSERT_TRUE(CBB_flush_asn1_set_of(&child));
+    EXPECT_EQ(Bytes(t.out), Bytes(CBB_data(&child), CBB_len(&child)));
+
+    // Running it again should be idempotent.
+    ASSERT_TRUE(CBB_flush_asn1_set_of(&child));
+    EXPECT_EQ(Bytes(t.out), Bytes(CBB_data(&child), CBB_len(&child)));
+
+    // The ASN.1 header remain intact.
+    ASSERT_TRUE(CBB_flush(cbb.get()));
+    EXPECT_EQ(0x31, CBB_data(cbb.get())[0]);
+  }
+
+  const std::vector<uint8_t> kInvalidInputs[] = {
+    {0x30},
+    {0x30, 0x01},
+    {0x30, 0x00, 0x30, 0x00, 0x30, 0x01},
+  };
+
+  for (const auto &t : kInvalidInputs) {
+    SCOPED_TRACE(Bytes(t));
+
+    bssl::ScopedCBB cbb;
+    CBB child;
+    ASSERT_TRUE(CBB_init(cbb.get(), 0));
+    ASSERT_TRUE(CBB_add_asn1(cbb.get(), &child, CBS_ASN1_SET));
+    ASSERT_TRUE(CBB_add_bytes(&child, t.data(), t.size()));
+    EXPECT_FALSE(CBB_flush_asn1_set_of(&child));
+  }
+}
+
+template <class T>
+static std::vector<uint8_t> LiteralToBytes(const T *str) {
+  std::vector<uint8_t> ret;
+  for (; *str != 0; str++) {
+    for (size_t i = 0; i < sizeof(T); i++) {
+      ret.push_back(static_cast<uint8_t>(*str >> (8 * (sizeof(T) - 1 - i))));
+    }
+  }
+  return ret;
+}
+
+static std::vector<uint32_t> LiteralToCodePoints(const char32_t *str) {
+  std::vector<uint32_t> ret;
+  for (; *str != 0; str++) {
+    ret.push_back(static_cast<uint32_t>(*str));
+  }
+  return ret;
+}
+
+TEST(CBBTest, Unicode) {
+  struct {
+    int (*decode)(CBS *, uint32_t *);
+    int (*encode)(CBB *, uint32_t);
+    std::vector<uint8_t> in;
+    std::vector<uint32_t> out;
+    bool ok;
+  } kTests[] = {
+      {cbs_get_utf8, cbb_add_utf8,
+       // This test string captures all four cases in UTF-8.
+       LiteralToBytes(u8"Hello, 世界! ¡Hola, 🌎!"),
+       LiteralToCodePoints(U"Hello, 世界! ¡Hola, 🌎!"), true},
+
+      // Some invalid inputs adapted from
+      // http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
+      // 2.1  First possible sequence of a certain length. (5- and 6-bit
+      // sequences no longer exist.)
+      {cbs_get_utf8, cbb_add_utf8, {0xf8, 0x88, 0x80, 0x80, 0x80}, {}, false},
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xfc, 0x84, 0x80, 0x80, 0x80, 0x80},
+       {},
+       false},
+      // 3.1  Unexpected continuation bytes.
+      {cbs_get_utf8, cbb_add_utf8, {0x80}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xbf}, {}, false},
+      // 3.2  Lonely start characters.
+      {cbs_get_utf8, cbb_add_utf8, {0xc0, ' '}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xe0, ' '}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xf0, ' '}, {}, false},
+      // 3.3  Sequences with last continuation byte missing
+      {cbs_get_utf8, cbb_add_utf8, {0xc0}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x80}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x80, 0x80}, {}, false},
+      // Variation of the above with unexpected spaces.
+      {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x80, ' '}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x80, 0x80, ' '}, {}, false},
+      // 4.1  Examples of an overlong ASCII character
+      {cbs_get_utf8, cbb_add_utf8, {0xc0, 0xaf}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x80, 0xaf}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x80, 0x80, 0xaf}, {}, false},
+      // 4.2  Maximum overlong sequences
+      {cbs_get_utf8, cbb_add_utf8, {0xc1, 0xbf}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x9f, 0xbf}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x8f, 0xbf, 0xbf}, {}, false},
+      // 4.3  Overlong representation of the NUL character
+      {cbs_get_utf8, cbb_add_utf8, {0xc0, 0x80}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x80, 0x80}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x80, 0x80, 0x80}, {}, false},
+      // 5.1  Single UTF-16 surrogates
+      {cbs_get_utf8, cbb_add_utf8, {0xed, 0xa0, 0x80}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xed, 0xad, 0xbf}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xed, 0xae, 0x80}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xed, 0xb0, 0x80}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xed, 0xbe, 0x80}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xed, 0xbf, 0xbf}, {}, false},
+      // 5.2  Paired UTF-16 surrogates
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xed, 0xa0, 0x80, 0xed, 0xb0, 0x80},
+       {},
+       false},
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xed, 0xa0, 0x80, 0xed, 0xbf, 0xbf},
+       {},
+       false},
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xed, 0xad, 0xbf, 0xed, 0xb0, 0x80},
+       {},
+       false},
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xed, 0xad, 0xbf, 0xed, 0xbf, 0xbf},
+       {},
+       false},
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xed, 0xae, 0x80, 0xed, 0xb0, 0x80},
+       {},
+       false},
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xed, 0xae, 0x80, 0xed, 0xbf, 0xbf},
+       {},
+       false},
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xed, 0xaf, 0xbf, 0xed, 0xb0, 0x80},
+       {},
+       false},
+      {cbs_get_utf8,
+       cbb_add_utf8,
+       {0xed, 0xaf, 0xbf, 0xed, 0xbf, 0xbf},
+       {},
+       false},
+      // 5.3  Noncharacter code positions
+      {cbs_get_utf8, cbb_add_utf8, {0xef, 0xbf, 0xbe}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xef, 0xbf, 0xbf}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xef, 0xb7, 0x90}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xef, 0xb7, 0xaf}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x9f, 0xbf, 0xbe}, {}, false},
+      {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x9f, 0xbf, 0xbf}, {}, false},
+
+      {cbs_get_latin1, cbb_add_latin1, LiteralToBytes("\xa1Hola!"),
+       LiteralToCodePoints(U"¡Hola!"), true},
+
+      // UCS-2 matches UTF-16 on the BMP.
+      {cbs_get_ucs2_be, cbb_add_ucs2_be, LiteralToBytes(u"Hello, 世界!"),
+       LiteralToCodePoints(U"Hello, 世界!"), true},
+      // It does not support characters beyond the BMP.
+      {cbs_get_ucs2_be, cbb_add_ucs2_be,
+       LiteralToBytes(u"Hello, 世界! ¡Hola, 🌎!"),
+       LiteralToCodePoints(U"Hello, 世界! ¡Hola, "), false},
+      // Unpaired surrogates and non-characters are also rejected.
+      {cbs_get_ucs2_be, cbb_add_ucs2_be, {0xd8, 0x00}, {}, false},
+      {cbs_get_ucs2_be, cbb_add_ucs2_be, {0xff, 0xfe}, {}, false},
+
+      {cbs_get_utf32_be, cbb_add_utf32_be,
+       LiteralToBytes(U"Hello, 世界! ¡Hola, 🌎!"),
+       LiteralToCodePoints(U"Hello, 世界! ¡Hola, 🌎!"), true},
+      // Unpaired surrogates and non-characters are rejected.
+      {cbs_get_utf32_be, cbb_add_utf32_be, {0x00, 0x00, 0xd8, 0x00}, {}, false},
+      {cbs_get_utf32_be, cbb_add_utf32_be, {0x00, 0x00, 0xff, 0xfe}, {}, false},
+
+      // Test that the NUL character can be encoded.
+      {cbs_get_latin1, cbb_add_latin1, {0}, {0}, true},
+      {cbs_get_utf8, cbb_add_utf8, {0}, {0}, true},
+      {cbs_get_ucs2_be, cbb_add_ucs2_be, {0, 0}, {0}, true},
+      {cbs_get_utf32_be, cbb_add_utf32_be, {0, 0, 0, 0}, {0}, true},
+  };
+  for (const auto &t : kTests) {
+    SCOPED_TRACE(Bytes(t.in));
+
+    // Test decoding.
+    CBS cbs;
+    CBS_init(&cbs, t.in.data(), t.in.size());
+    std::vector<uint32_t> out;
+    bool ok = true;
+    while (CBS_len(&cbs) != 0) {
+      uint32_t u;
+      if (!t.decode(&cbs, &u)) {
+        ok = false;
+        break;
+      }
+      out.push_back(u);
+    }
+    EXPECT_EQ(t.ok, ok);
+    EXPECT_EQ(t.out, out);
+
+    // Test encoding.
+    if (t.ok) {
+      bssl::ScopedCBB cbb;
+      ASSERT_TRUE(CBB_init(cbb.get(), 0));
+      for (uint32_t u : t.out) {
+        ASSERT_TRUE(t.encode(cbb.get(), u));
+      }
+      EXPECT_EQ(Bytes(t.in), Bytes(CBB_data(cbb.get()), CBB_len(cbb.get())));
+    }
+  }
+
+  static const uint32_t kBadCodePoints[] = {
+    // Surrogate pairs.
+    0xd800,
+    0xdfff,
+    // Non-characters.
+    0xfffe,
+    0xffff,
+    0xfdd0,
+    0x1fffe,
+    0x1ffff,
+    // Too big.
+    0x110000,
+  };
+  bssl::ScopedCBB cbb;
+  ASSERT_TRUE(CBB_init(cbb.get(), 0));
+  for (uint32_t v : kBadCodePoints) {
+    SCOPED_TRACE(v);
+    EXPECT_FALSE(cbb_add_utf8(cbb.get(), v));
+    EXPECT_FALSE(cbb_add_latin1(cbb.get(), v));
+    EXPECT_FALSE(cbb_add_ucs2_be(cbb.get(), v));
+    EXPECT_FALSE(cbb_add_utf32_be(cbb.get(), v));
+  }
+
+  // Additional values that are out of range.
+  EXPECT_FALSE(cbb_add_latin1(cbb.get(), 0x100));
+  EXPECT_FALSE(cbb_add_ucs2_be(cbb.get(), 0x10000));
+
+  EXPECT_EQ(1u, cbb_get_utf8_len(0));
+  EXPECT_EQ(1u, cbb_get_utf8_len(0x7f));
+  EXPECT_EQ(2u, cbb_get_utf8_len(0x80));
+  EXPECT_EQ(2u, cbb_get_utf8_len(0x7ff));
+  EXPECT_EQ(3u, cbb_get_utf8_len(0x800));
+  EXPECT_EQ(3u, cbb_get_utf8_len(0xffff));
+  EXPECT_EQ(4u, cbb_get_utf8_len(0x10000));
+  EXPECT_EQ(4u, cbb_get_utf8_len(0x10ffff));
+}

crypto/bytestring/cbb.c

@@ -15,6 +15,7 @@
 #include <openssl/bytestring.h>
 
 #include <assert.h>
+#include <limits.h>
 #include <string.h>
 
 #include <openssl/mem.h>
@@ -42,7 +43,7 @@ static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
   base->error = 0;
 
   cbb->base = base;
-  cbb->is_top_level = 1;
+  cbb->is_child = 0;
   return 1;
 }
 
@@ -74,11 +75,14 @@ int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {
 }
 
 void CBB_cleanup(CBB *cbb) {
-  if (cbb->base) {
-    // Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
-    // are implicitly discarded when the parent is flushed or cleaned up.
-    assert(cbb->is_top_level);
+  // Child |CBB|s are non-owning. They are implicitly discarded and should not
+  // be used with |CBB_cleanup| or |ScopedCBB|.
+  assert(!cbb->is_child);
+  if (cbb->is_child) {
+    return;
+  }
 
+  if (cbb->base) {
     if (cbb->base->can_resize) {
       OPENSSL_free(cbb->base->buf);
     }
@@ -142,7 +146,7 @@ static int cbb_buffer_add(struct cbb_buffer_st *base, uint8_t **out,
   return 1;
 }
 
-static int cbb_buffer_add_u(struct cbb_buffer_st *base, uint32_t v,
+static int cbb_buffer_add_u(struct cbb_buffer_st *base, uint64_t v,
                             size_t len_len) {
   if (len_len == 0) {
     return 1;
@@ -167,7 +171,7 @@ static int cbb_buffer_add_u(struct cbb_buffer_st *base, uint32_t v,
 }
 
 int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {
-  if (!cbb->is_top_level) {
+  if (cbb->is_child) {
     return 0;
   }
 
@@ -308,6 +312,7 @@ static int cbb_add_length_prefixed(CBB *cbb, CBB *out_contents,
   OPENSSL_memset(prefix_bytes, 0, len_len);
   OPENSSL_memset(out_contents, 0, sizeof(CBB));
   out_contents->base = cbb->base;
+  out_contents->is_child = 1;
   cbb->child = out_contents;
   cbb->child->offset = offset;
   cbb->child->pending_len_len = len_len;
@@ -328,18 +333,47 @@ int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) {
   return cbb_add_length_prefixed(cbb, out_contents, 3);
 }
 
+// add_base128_integer encodes |v| as a big-endian base-128 integer where the
+// high bit of each byte indicates where there is more data. This is the
+// encoding used in DER for both high tag number form and OID components.
+static int add_base128_integer(CBB *cbb, uint64_t v) {
+  unsigned len_len = 0;
+  uint64_t copy = v;
+  while (copy > 0) {
+    len_len++;
+    copy >>= 7;
+  }
+  if (len_len == 0) {
+    len_len = 1;  // Zero is encoded with one byte.
+  }
+  for (unsigned i = len_len - 1; i < len_len; i--) {
+    uint8_t byte = (v >> (7 * i)) & 0x7f;
+    if (i != 0) {
+      // The high bit denotes whether there is more data.
+      byte |= 0x80;
+    }
+    if (!CBB_add_u8(cbb, byte)) {
+      return 0;
+    }
+  }
+  return 1;
+}
+
 int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
-  if (tag > 0xff ||
-      (tag & 0x1f) == 0x1f) {
-    // Long form identifier octets are not supported. Further, all current valid
-    // tag serializations are 8 bits.
-    cbb->base->error = 1;
+  if (!CBB_flush(cbb)) {
     return 0;
   }
 
-  if (!CBB_flush(cbb) ||
-      // |tag|'s representation matches the DER encoding.
-      !CBB_add_u8(cbb, (uint8_t)tag)) {
+  // Split the tag into leading bits and tag number.
+  uint8_t tag_bits = (tag >> CBS_ASN1_TAG_SHIFT) & 0xe0;
+  unsigned tag_number = tag & CBS_ASN1_TAG_NUMBER_MASK;
+  if (tag_number >= 0x1f) {
+    // Set all the bits in the tag number to signal high tag number form.
+    if (!CBB_add_u8(cbb, tag_bits | 0x1f) ||
+        !add_base128_integer(cbb, tag_number)) {
+      return 0;
+    }
+  } else if (!CBB_add_u8(cbb, tag_bits | tag_number)) {
     return 0;
   }
 
@@ -350,6 +384,7 @@ int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
 
   OPENSSL_memset(out_contents, 0, sizeof(CBB));
   out_contents->base = cbb->base;
+  out_contents->is_child = 1;
   cbb->child = out_contents;
   cbb->child->offset = offset;
   cbb->child->pending_len_len = 1;
@@ -412,6 +447,10 @@ int CBB_add_u16(CBB *cbb, uint16_t value) {
   return cbb_buffer_add_u(cbb->base, value, 2);
 }
 
+int CBB_add_u16le(CBB *cbb, uint16_t value) {
+  return CBB_add_u16(cbb, CRYPTO_bswap2(value));
+}
+
 int CBB_add_u24(CBB *cbb, uint32_t value) {
   if (!CBB_flush(cbb)) {
     return 0;
@@ -428,6 +467,21 @@ int CBB_add_u32(CBB *cbb, uint32_t value) {
   return cbb_buffer_add_u(cbb->base, value, 4);
 }
 
+int CBB_add_u32le(CBB *cbb, uint32_t value) {
+  return CBB_add_u32(cbb, CRYPTO_bswap4(value));
+}
+
+int CBB_add_u64(CBB *cbb, uint64_t value) {
+  if (!CBB_flush(cbb)) {
+    return 0;
+  }
+  return cbb_buffer_add_u(cbb->base, value, 8);
+}
+
+int CBB_add_u64le(CBB *cbb, uint64_t value) {
+  return CBB_add_u64(cbb, CRYPTO_bswap8(value));
+}
+
 void CBB_discard_child(CBB *cbb) {
   if (cbb->child == NULL) {
     return;
@@ -473,3 +527,193 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
 
   return CBB_flush(cbb);
 }
+
+int CBB_add_asn1_int64(CBB *cbb, int64_t value) {
+  if (value >= 0) {
+    return CBB_add_asn1_uint64(cbb, value);
+  }
+
+  union {
+    int64_t i;
+    uint8_t bytes[sizeof(int64_t)];
+  } u;
+  u.i = value;
+  int start = 7;
+  // Skip leading sign-extension bytes unless they are necessary.
+  while (start > 0 && (u.bytes[start] == 0xff && (u.bytes[start - 1] & 0x80))) {
+    start--;
+  }
+
+  CBB child;
+  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER)) {
+    return 0;
+  }
+  for (int i = start; i >= 0; i--) {
+    if (!CBB_add_u8(&child, u.bytes[i])) {
+      return 0;
+    }
+  }
+  return CBB_flush(cbb);
+}
+
+int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len) {
+  CBB child;
+  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_OCTETSTRING) ||
+      !CBB_add_bytes(&child, data, data_len) ||
+      !CBB_flush(cbb)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+int CBB_add_asn1_bool(CBB *cbb, int value) {
+  CBB child;
+  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_BOOLEAN) ||
+      !CBB_add_u8(&child, value != 0 ? 0xff : 0) ||
+      !CBB_flush(cbb)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+// parse_dotted_decimal parses one decimal component from |cbs|, where |cbs| is
+// an OID literal, e.g., "1.2.840.113554.4.1.72585". It consumes both the
+// component and the dot, so |cbs| may be passed into the function again for the
+// next value.
+static int parse_dotted_decimal(CBS *cbs, uint64_t *out) {
+  *out = 0;
+  int seen_digit = 0;
+  for (;;) {
+    // Valid terminators for a component are the end of the string or a
+    // non-terminal dot. If the string ends with a dot, this is not a valid OID
+    // string.
+    uint8_t u;
+    if (!CBS_get_u8(cbs, &u) ||
+        (u == '.' && CBS_len(cbs) > 0)) {
+      break;
+    }
+    if (u < '0' || u > '9' ||
+        // Forbid stray leading zeros.
+        (seen_digit && *out == 0) ||
+        // Check for overflow.
+        *out > UINT64_MAX / 10 ||
+        *out * 10 > UINT64_MAX - (u - '0')) {
+      return 0;
+    }
+    *out = *out * 10 + (u - '0');
+    seen_digit = 1;
+  }
+  // The empty string is not a legal OID component.
+  return seen_digit;
+}
+
+int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text, size_t len) {
+  if (!CBB_flush(cbb)) {
+    return 0;
+  }
+
+  CBS cbs;
+  CBS_init(&cbs, (const uint8_t *)text, len);
+
+  // OIDs must have at least two components.
+  uint64_t a, b;
+  if (!parse_dotted_decimal(&cbs, &a) ||
+      !parse_dotted_decimal(&cbs, &b)) {
+    return 0;
+  }
+
+  // The first component is encoded as 40 * |a| + |b|. This assumes that |a| is
+  // 0, 1, or 2 and that, when it is 0 or 1, |b| is at most 39.
+  if (a > 2 ||
+      (a < 2 && b > 39) ||
+      b > UINT64_MAX - 80 ||
+      !add_base128_integer(cbb, 40u * a + b)) {
+    return 0;
+  }
+
+  // The remaining components are encoded unmodified.
+  while (CBS_len(&cbs) > 0) {
+    if (!parse_dotted_decimal(&cbs, &a) ||
+        !add_base128_integer(cbb, a)) {
+      return 0;
+    }
+  }
+
+  return 1;
+}
+
+static int compare_set_of_element(const void *a_ptr, const void *b_ptr) {
+  // See X.690, section 11.6 for the ordering. They are sorted in ascending
+  // order by their DER encoding.
+  const CBS *a = a_ptr, *b = b_ptr;
+  size_t a_len = CBS_len(a), b_len = CBS_len(b);
+  size_t min_len = a_len < b_len ? a_len : b_len;
+  int ret = OPENSSL_memcmp(CBS_data(a), CBS_data(b), min_len);
+  if (ret != 0) {
+    return ret;
+  }
+  if (a_len == b_len) {
+    return 0;
+  }
+  // If one is a prefix of the other, the shorter one sorts first. (This is not
+  // actually reachable. No DER encoding is a prefix of another DER encoding.)
+  return a_len < b_len ? -1 : 1;
+}
+
+int CBB_flush_asn1_set_of(CBB *cbb) {
+  if (!CBB_flush(cbb)) {
+    return 0;
+  }
+
+  CBS cbs;
+  size_t num_children = 0;
+  CBS_init(&cbs, CBB_data(cbb), CBB_len(cbb));
+  while (CBS_len(&cbs) != 0) {
+    if (!CBS_get_any_asn1_element(&cbs, NULL, NULL, NULL)) {
+      return 0;
+    }
+    num_children++;
+  }
+
+  if (num_children < 2) {
+    return 1;  // Nothing to do. This is the common case for X.509.
+  }
+  if (num_children > ((size_t)-1) / sizeof(CBS)) {
+    return 0;  // Overflow.
+  }
+
+  // Parse out the children and sort. We alias them into a copy of so they
+  // remain valid as we rewrite |cbb|.
+  int ret = 0;
+  size_t buf_len = CBB_len(cbb);
+  uint8_t *buf = OPENSSL_memdup(CBB_data(cbb), buf_len);
+  CBS *children = OPENSSL_malloc(num_children * sizeof(CBS));
+  if (buf == NULL || children == NULL) {
+    goto err;
+  }
+  CBS_init(&cbs, buf, buf_len);
+  for (size_t i = 0; i < num_children; i++) {
+    if (!CBS_get_any_asn1_element(&cbs, &children[i], NULL, NULL)) {
+      goto err;
+    }
+  }
+  qsort(children, num_children, sizeof(CBS), compare_set_of_element);
+
+  // Rewind |cbb| and write the contents back in the new order.
+  cbb->base->len = cbb->offset + cbb->pending_len_len;
+  for (size_t i = 0; i < num_children; i++) {
+    if (!CBB_add_bytes(cbb, CBS_data(&children[i]), CBS_len(&children[i]))) {
+      goto err;
+    }
+  }
+  assert(CBB_len(cbb) == buf_len);
+
+  ret = 1;
+
+err:
+  OPENSSL_free(buf);
+  OPENSSL_free(children);
+  return ret;
+}

crypto/bytestring/cbs.c

@@ -12,11 +12,11 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-#include <openssl/buf.h>
 #include <openssl/mem.h>
 #include <openssl/bytestring.h>
 
 #include <assert.h>
+#include <inttypes.h>
 #include <string.h>
 
 #include "internal.h"
@@ -60,7 +60,7 @@ int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len) {
   if (cbs->len == 0) {
     return 1;
   }
-  *out_ptr = BUF_memdup(cbs->data, cbs->len);
+  *out_ptr = OPENSSL_memdup(cbs->data, cbs->len);
   if (*out_ptr == NULL) {
     return 0;
   }
@@ -72,7 +72,7 @@ int CBS_strdup(const CBS *cbs, char **out_ptr) {
   if (*out_ptr != NULL) {
     OPENSSL_free(*out_ptr);
   }
-  *out_ptr = BUF_strndup((const char*)cbs->data, cbs->len);
+  *out_ptr = OPENSSL_strndup((const char*)cbs->data, cbs->len);
   return (*out_ptr != NULL);
 }
 
@@ -87,8 +87,8 @@ int CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len) {
   return CRYPTO_memcmp(cbs->data, data, len) == 0;
 }
 
-static int cbs_get_u(CBS *cbs, uint32_t *out, size_t len) {
-  uint32_t result = 0;
+static int cbs_get_u(CBS *cbs, uint64_t *out, size_t len) {
+  uint64_t result = 0;
   const uint8_t *data;
 
   if (!cbs_get(cbs, &data, len)) {
@@ -112,7 +112,7 @@ int CBS_get_u8(CBS *cbs, uint8_t *out) {
 }
 
 int CBS_get_u16(CBS *cbs, uint16_t *out) {
-  uint32_t v;
+  uint64_t v;
   if (!cbs_get_u(cbs, &v, 2)) {
     return 0;
   }
@@ -120,12 +120,50 @@ int CBS_get_u16(CBS *cbs, uint16_t *out) {
   return 1;
 }
 
+int CBS_get_u16le(CBS *cbs, uint16_t *out) {
+  if (!CBS_get_u16(cbs, out)) {
+    return 0;
+  }
+  *out = CRYPTO_bswap2(*out);
+  return 1;
+}
+
 int CBS_get_u24(CBS *cbs, uint32_t *out) {
-  return cbs_get_u(cbs, out, 3);
+  uint64_t v;
+  if (!cbs_get_u(cbs, &v, 3)) {
+    return 0;
+  }
+  *out = v;
+  return 1;
 }
 
 int CBS_get_u32(CBS *cbs, uint32_t *out) {
-  return cbs_get_u(cbs, out, 4);
+  uint64_t v;
+  if (!cbs_get_u(cbs, &v, 4)) {
+    return 0;
+  }
+  *out = v;
+  return 1;
+}
+
+int CBS_get_u32le(CBS *cbs, uint32_t *out) {
+  if (!CBS_get_u32(cbs, out)) {
+    return 0;
+  }
+  *out = CRYPTO_bswap4(*out);
+  return 1;
+}
+
+int CBS_get_u64(CBS *cbs, uint64_t *out) {
+  return cbs_get_u(cbs, out, 8);
+}
+
+int CBS_get_u64le(CBS *cbs, uint64_t *out) {
+  if (!cbs_get_u(cbs, out, 8)) {
+    return 0;
+  }
+  *out = CRYPTO_bswap8(*out);
+  return 1;
 }
 
 int CBS_get_last_u8(CBS *cbs, uint8_t *out) {
@@ -156,10 +194,13 @@ int CBS_copy_bytes(CBS *cbs, uint8_t *out, size_t len) {
 }
 
 static int cbs_get_length_prefixed(CBS *cbs, CBS *out, size_t len_len) {
-  uint32_t len;
+  uint64_t len;
   if (!cbs_get_u(cbs, &len, len_len)) {
     return 0;
   }
+  // If |len_len| <= 3 then we know that |len| will fit into a |size_t|, even on
+  // 32-bit systems.
+  assert(len_len <= 3);
   return CBS_get_bytes(cbs, out, len);
 }
 
@@ -175,18 +216,36 @@ int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out) {
   return cbs_get_length_prefixed(cbs, out, 3);
 }
 
-static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
-                                    size_t *out_header_len, int ber_ok) {
-  uint8_t tag, length_byte;
-  CBS header = *cbs;
-  CBS throwaway;
+// parse_base128_integer reads a big-endian base-128 integer from |cbs| and sets
+// |*out| to the result. This is the encoding used in DER for both high tag
+// number form and OID components.
+static int parse_base128_integer(CBS *cbs, uint64_t *out) {
+  uint64_t v = 0;
+  uint8_t b;
+  do {
+    if (!CBS_get_u8(cbs, &b)) {
+      return 0;
+    }
+    if ((v >> (64 - 7)) != 0) {
+      // The value is too large.
+      return 0;
+    }
+    if (v == 0 && b == 0x80) {
+      // The value must be minimally encoded.
+      return 0;
+    }
+    v = (v << 7) | (b & 0x7f);
 
-  if (out == NULL) {
-    out = &throwaway;
-  }
+    // Values end at an octet with the high bit cleared.
+  } while (b & 0x80);
 
-  if (!CBS_get_u8(&header, &tag) ||
-      !CBS_get_u8(&header, &length_byte)) {
+  *out = v;
+  return 1;
+}
+
+static int parse_asn1_tag(CBS *cbs, unsigned *out) {
+  uint8_t tag_byte;
+  if (!CBS_get_u8(cbs, &tag_byte)) {
     return 0;
   }
 
@@ -197,36 +256,72 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
   // allotted bits), then the tag is more than one byte long and the
   // continuation bytes contain the tag number. This parser only supports tag
   // numbers less than 31 (and thus single-byte tags).
-  if ((tag & 0x1f) == 0x1f) {
-    return 0;
+  unsigned tag = ((unsigned)tag_byte & 0xe0) << CBS_ASN1_TAG_SHIFT;
+  unsigned tag_number = tag_byte & 0x1f;
+  if (tag_number == 0x1f) {
+    uint64_t v;
+    if (!parse_base128_integer(cbs, &v) ||
+        // Check the tag number is within our supported bounds.
+        v > CBS_ASN1_TAG_NUMBER_MASK ||
+        // Small tag numbers should have used low tag number form.
+        v < 0x1f) {
+      return 0;
+    }
+    tag_number = (unsigned)v;
   }
 
+  tag |= tag_number;
+
+  *out = tag;
+  return 1;
+}
+
+static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
+                                    size_t *out_header_len, int ber_ok) {
+  CBS header = *cbs;
+  CBS throwaway;
+
+  if (out == NULL) {
+    out = &throwaway;
+  }
+
+  unsigned tag;
+  if (!parse_asn1_tag(&header, &tag)) {
+    return 0;
+  }
   if (out_tag != NULL) {
     *out_tag = tag;
   }
 
+  uint8_t length_byte;
+  if (!CBS_get_u8(&header, &length_byte)) {
+    return 0;
+  }
+
+  size_t header_len = CBS_len(cbs) - CBS_len(&header);
+
   size_t len;
   // The format for the length encoding is specified in ITU-T X.690 section
   // 8.1.3.
   if ((length_byte & 0x80) == 0) {
     // Short form length.
-    len = ((size_t) length_byte) + 2;
+    len = ((size_t) length_byte) + header_len;
     if (out_header_len != NULL) {
-      *out_header_len = 2;
+      *out_header_len = header_len;
     }
   } else {
     // The high bit indicate that this is the long form, while the next 7 bits
     // encode the number of subsequent octets used to encode the length (ITU-T
     // X.690 clause 8.1.3.5.b).
     const size_t num_bytes = length_byte & 0x7f;
-    uint32_t len32;
+    uint64_t len64;
 
     if (ber_ok && (tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
       // indefinite length
       if (out_header_len != NULL) {
-        *out_header_len = 2;
+        *out_header_len = header_len;
       }
-      return CBS_get_bytes(cbs, out, 2);
+      return CBS_get_bytes(cbs, out, header_len);
     }
 
     // ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
@@ -235,27 +330,27 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
     if (num_bytes == 0 || num_bytes > 4) {
       return 0;
     }
-    if (!cbs_get_u(&header, &len32, num_bytes)) {
+    if (!cbs_get_u(&header, &len64, num_bytes)) {
       return 0;
     }
     // ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
     // with the minimum number of octets.
-    if (len32 < 128) {
+    if (len64 < 128) {
       // Length should have used short-form encoding.
       return 0;
     }
-    if ((len32 >> ((num_bytes-1)*8)) == 0) {
+    if ((len64 >> ((num_bytes-1)*8)) == 0) {
       // Length should have been at least one byte shorter.
       return 0;
     }
-    len = len32;
-    if (len + 2 + num_bytes < len) {
+    len = len64;
+    if (len + header_len + num_bytes < len) {
       // Overflow.
       return 0;
     }
-    len += 2 + num_bytes;
+    len += header_len + num_bytes;
     if (out_header_len != NULL) {
-      *out_header_len = 2 + num_bytes;
+      *out_header_len = header_len + num_bytes;
     }
   }
 
@@ -323,7 +418,10 @@ int CBS_peek_asn1_tag(const CBS *cbs, unsigned tag_value) {
   if (CBS_len(cbs) < 1) {
     return 0;
   }
-  return CBS_data(cbs)[0] == tag_value;
+
+  CBS copy = *cbs;
+  unsigned actual_tag;
+  return parse_asn1_tag(&copy, &actual_tag) && tag_value == actual_tag;
 }
 
 int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) {
@@ -363,6 +461,56 @@ int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) {
   return 1;
 }
 
+int CBS_get_asn1_int64(CBS *cbs, int64_t *out) {
+  CBS bytes;
+  if (!CBS_get_asn1(cbs, &bytes, CBS_ASN1_INTEGER)) {
+    return 0;
+  }
+  const uint8_t *data = CBS_data(&bytes);
+  const size_t len = CBS_len(&bytes);
+
+  if (len == 0 || len > sizeof(int64_t)) {
+    // An INTEGER is encoded with at least one octet.
+    return 0;
+  }
+  if (len > 1) {
+    if (data[0] == 0 && (data[1] & 0x80) == 0) {
+      return 0;  // Extra leading zeros.
+    }
+    if (data[0] == 0xff && (data[1] & 0x80) != 0) {
+      return 0;  // Extra leading 0xff.
+    }
+  }
+
+  union {
+    int64_t i;
+    uint8_t bytes[sizeof(int64_t)];
+  } u;
+  const int is_negative = (data[0] & 0x80);
+  memset(u.bytes, is_negative ? 0xff : 0, sizeof(u.bytes));  // Sign-extend.
+  for (size_t i = 0; i < len; i++) {
+    u.bytes[i] = data[len - i - 1];
+  }
+  *out = u.i;
+  return 1;
+}
+
+int CBS_get_asn1_bool(CBS *cbs, int *out) {
+  CBS bytes;
+  if (!CBS_get_asn1(cbs, &bytes, CBS_ASN1_BOOLEAN) ||
+      CBS_len(&bytes) != 1) {
+    return 0;
+  }
+
+  const uint8_t value = *CBS_data(&bytes);
+  if (value != 0 && value != 0xff) {
+    return 0;
+  }
+
+  *out = !!value;
+  return 1;
+}
+
 int CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present, unsigned tag) {
   int present = 0;
 
@@ -388,6 +536,7 @@ int CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out, int *out_present,
     return 0;
   }
   if (present) {
+    assert(out);
     if (!CBS_get_asn1(&child, out, CBS_ASN1_OCTETSTRING) ||
         CBS_len(&child) != 0) {
       return 0;
@@ -485,3 +634,55 @@ int CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit) {
   return byte_num < CBS_len(cbs) &&
          (CBS_data(cbs)[byte_num] & (1 << bit_num)) != 0;
 }
+
+static int add_decimal(CBB *out, uint64_t v) {
+  char buf[DECIMAL_SIZE(uint64_t) + 1];
+  BIO_snprintf(buf, sizeof(buf), "%" PRIu64, v);
+  return CBB_add_bytes(out, (const uint8_t *)buf, strlen(buf));
+}
+
+char *CBS_asn1_oid_to_text(const CBS *cbs) {
+  CBB cbb;
+  if (!CBB_init(&cbb, 32)) {
+    goto err;
+  }
+
+  CBS copy = *cbs;
+  // The first component is 40 * value1 + value2, where value1 is 0, 1, or 2.
+  uint64_t v;
+  if (!parse_base128_integer(&copy, &v)) {
+    goto err;
+  }
+
+  if (v >= 80) {
+    if (!CBB_add_bytes(&cbb, (const uint8_t *)"2.", 2) ||
+        !add_decimal(&cbb, v - 80)) {
+      goto err;
+    }
+  } else if (!add_decimal(&cbb, v / 40) ||
+             !CBB_add_u8(&cbb, '.') ||
+             !add_decimal(&cbb, v % 40)) {
+    goto err;
+  }
+
+  while (CBS_len(&copy) != 0) {
+    if (!parse_base128_integer(&copy, &v) ||
+        !CBB_add_u8(&cbb, '.') ||
+        !add_decimal(&cbb, v)) {
+      goto err;
+    }
+  }
+
+  uint8_t *txt;
+  size_t txt_len;
+  if (!CBB_add_u8(&cbb, '\0') ||
+      !CBB_finish(&cbb, &txt, &txt_len)) {
+    goto err;
+  }
+
+  return (char *)txt;
+
+err:
+  CBB_cleanup(&cbb);
+  return NULL;
+}

crypto/bytestring/internal.h

@@ -24,12 +24,10 @@ extern "C" {
 
 // CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
 // indefinite-length elements or constructed strings then it converts the BER
-// data to DER and sets |*out| and |*out_length| to describe a malloced buffer
-// containing the DER data. Additionally, |*in| will be advanced over the BER
-// element.
-//
-// If it doesn't find any indefinite-length elements or constructed strings then
-// it sets |*out| to NULL and |*in| is unmodified.
+// data to DER, sets |out| to the converted contents and |*out_storage| to a
+// buffer which the caller must release with |OPENSSL_free|. Otherwise, it sets
+// |out| to the original BER element in |in| and |*out_storage| to NULL.
+// Additionally, |*in| will be advanced over the BER element.
 //
 // This function should successfully process any valid BER input, however it
 // will not convert all of BER's deviations from DER. BER is ambiguous between
@@ -39,7 +37,8 @@ extern "C" {
 // must also account for BER variations in the contents of a primitive.
 //
 // It returns one on success and zero otherwise.
-OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len);
+OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, CBS *out,
+                                       uint8_t **out_storage);
 
 // CBS_get_asn1_implicit_string parses a BER string of primitive type
 // |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
@@ -68,6 +67,28 @@ OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out,
 int CBB_finish_i2d(CBB *cbb, uint8_t **outp);
 
 
+// Unicode utilities.
+
+// The following functions read one Unicode code point from |cbs| with the
+// corresponding encoding and store it in |*out|. They return one on success and
+// zero on error.
+OPENSSL_EXPORT int cbs_get_utf8(CBS *cbs, uint32_t *out);
+OPENSSL_EXPORT int cbs_get_latin1(CBS *cbs, uint32_t *out);
+OPENSSL_EXPORT int cbs_get_ucs2_be(CBS *cbs, uint32_t *out);
+OPENSSL_EXPORT int cbs_get_utf32_be(CBS *cbs, uint32_t *out);
+
+// cbb_get_utf8_len returns the number of bytes needed to represent |u| in
+// UTF-8.
+OPENSSL_EXPORT size_t cbb_get_utf8_len(uint32_t u);
+
+// The following functions encode |u| to |cbb| with the corresponding
+// encoding. They return one on success and zero on error.
+OPENSSL_EXPORT int cbb_add_utf8(CBB *cbb, uint32_t u);
+OPENSSL_EXPORT int cbb_add_latin1(CBB *cbb, uint32_t u);
+OPENSSL_EXPORT int cbb_add_ucs2_be(CBB *cbb, uint32_t u);
+OPENSSL_EXPORT int cbb_add_utf32_be(CBB *cbb, uint32_t u);
+
+
 #if defined(__cplusplus)
 }  // extern C
 #endif

crypto/bytestring/unicode.c

@@ -0,0 +1,155 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/bytestring.h>
+
+#include "internal.h"
+
+
+static int is_valid_code_point(uint32_t v) {
+  // References in the following are to Unicode 9.0.0.
+  if (// The Unicode space runs from zero to 0x10ffff (3.4 D9).
+      v > 0x10ffff ||
+      // Values 0x...fffe, 0x...ffff, and 0xfdd0-0xfdef are permanently reserved
+      // (3.4 D14)
+      (v & 0xfffe) == 0xfffe ||
+      (v >= 0xfdd0 && v <= 0xfdef) ||
+      // Surrogate code points are invalid (3.2 C1).
+      (v >= 0xd800 && v <= 0xdfff)) {
+    return 0;
+  }
+  return 1;
+}
+
+// BOTTOM_BITS returns a byte with the bottom |n| bits set.
+#define BOTTOM_BITS(n) (uint8_t)((1u << (n)) - 1)
+
+// TOP_BITS returns a byte with the top |n| bits set.
+#define TOP_BITS(n) ((uint8_t)~BOTTOM_BITS(8 - (n)))
+
+int cbs_get_utf8(CBS *cbs, uint32_t *out) {
+  uint8_t c;
+  if (!CBS_get_u8(cbs, &c)) {
+    return 0;
+  }
+  if (c <= 0x7f) {
+    *out = c;
+    return 1;
+  }
+  uint32_t v, lower_bound;
+  size_t len;
+  if ((c & TOP_BITS(3)) == TOP_BITS(2)) {
+    v = c & BOTTOM_BITS(5);
+    len = 1;
+    lower_bound = 0x80;
+  } else if ((c & TOP_BITS(4)) == TOP_BITS(3)) {
+    v = c & BOTTOM_BITS(4);
+    len = 2;
+    lower_bound = 0x800;
+  } else if ((c & TOP_BITS(5)) == TOP_BITS(4)) {
+    v = c & BOTTOM_BITS(3);
+    len = 3;
+    lower_bound = 0x10000;
+  } else {
+    return 0;
+  }
+  for (size_t i = 0; i < len; i++) {
+    if (!CBS_get_u8(cbs, &c) ||
+        (c & TOP_BITS(2)) != TOP_BITS(1)) {
+      return 0;
+    }
+    v <<= 6;
+    v |= c & BOTTOM_BITS(6);
+  }
+  if (!is_valid_code_point(v) ||
+      v < lower_bound) {
+    return 0;
+  }
+  *out = v;
+  return 1;
+}
+
+int cbs_get_latin1(CBS *cbs, uint32_t *out) {
+  uint8_t c;
+  if (!CBS_get_u8(cbs, &c)) {
+    return 0;
+  }
+  *out = c;
+  return 1;
+}
+
+int cbs_get_ucs2_be(CBS *cbs, uint32_t *out) {
+  // Note UCS-2 (used by BMPString) does not support surrogates.
+  uint16_t c;
+  if (!CBS_get_u16(cbs, &c) ||
+      !is_valid_code_point(c)) {
+    return 0;
+  }
+  *out = c;
+  return 1;
+}
+
+int cbs_get_utf32_be(CBS *cbs, uint32_t *out) {
+  return CBS_get_u32(cbs, out) && is_valid_code_point(*out);
+}
+
+size_t cbb_get_utf8_len(uint32_t u) {
+  if (u <= 0x7f) {
+    return 1;
+  }
+  if (u <= 0x7ff) {
+    return 2;
+  }
+  if (u <= 0xffff) {
+    return 3;
+  }
+  return 4;
+}
+
+int cbb_add_utf8(CBB *cbb, uint32_t u) {
+  if (!is_valid_code_point(u)) {
+    return 0;
+  }
+  if (u <= 0x7f) {
+    return CBB_add_u8(cbb, (uint8_t)u);
+  }
+  if (u <= 0x7ff) {
+    return CBB_add_u8(cbb, TOP_BITS(2) | (u >> 6)) &&
+           CBB_add_u8(cbb, TOP_BITS(1) | (u & BOTTOM_BITS(6)));
+  }
+  if (u <= 0xffff) {
+    return CBB_add_u8(cbb, TOP_BITS(3) | (u >> 12)) &&
+           CBB_add_u8(cbb, TOP_BITS(1) | ((u >> 6) & BOTTOM_BITS(6))) &&
+           CBB_add_u8(cbb, TOP_BITS(1) | (u & BOTTOM_BITS(6)));
+  }
+  if (u <= 0x10ffff) {
+    return CBB_add_u8(cbb, TOP_BITS(4) | (u >> 18)) &&
+           CBB_add_u8(cbb, TOP_BITS(1) | ((u >> 12) & BOTTOM_BITS(6))) &&
+           CBB_add_u8(cbb, TOP_BITS(1) | ((u >> 6) & BOTTOM_BITS(6))) &&
+           CBB_add_u8(cbb, TOP_BITS(1) | (u & BOTTOM_BITS(6)));
+  }
+  return 0;
+}
+
+int cbb_add_latin1(CBB *cbb, uint32_t u) {
+  return u <= 0xff && CBB_add_u8(cbb, (uint8_t)u);
+}
+
+int cbb_add_ucs2_be(CBB *cbb, uint32_t u) {
+  return u <= 0xffff && is_valid_code_point(u) && CBB_add_u16(cbb, (uint16_t)u);
+}
+
+int cbb_add_utf32_be(CBB *cbb, uint32_t u) {
+  return is_valid_code_point(u) && CBB_add_u32(cbb, u);
+}

crypto/chacha/CMakeLists.txt

@@ -1,48 +0,0 @@
-include_directories(../../include)
-
-if (${ARCH} STREQUAL "arm")
-  set(
-    CHACHA_ARCH_SOURCES
-
-    chacha-armv4.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "aarch64")
-  set(
-    CHACHA_ARCH_SOURCES
-
-    chacha-armv8.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "x86")
-  set(
-    CHACHA_ARCH_SOURCES
-
-    chacha-x86.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "x86_64")
-  set(
-    CHACHA_ARCH_SOURCES
-
-    chacha-x86_64.${ASM_EXT}
-  )
-endif()
-
-add_library(
-  chacha
-
-  OBJECT
-
-  chacha.c
-
-  ${CHACHA_ARCH_SOURCES}
-)
-
-perlasm(chacha-armv4.${ASM_EXT} asm/chacha-armv4.pl)
-perlasm(chacha-armv8.${ASM_EXT} asm/chacha-armv8.pl)
-perlasm(chacha-x86.${ASM_EXT} asm/chacha-x86.pl)
-perlasm(chacha-x86_64.${ASM_EXT} asm/chacha-x86_64.pl)

crypto/chacha/asm/chacha-armv4.pl

@@ -44,9 +44,11 @@ if ($flavour && $flavour ne "void") {
     ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
     die "can't locate arm-xlate.pl";
 
-    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+    open OUT,"| \"$^X\" $xlate $flavour $output";
+    *STDOUT=*OUT;
 } else {
-    open STDOUT,">$output";
+    open OUT,">$output";
+    *STDOUT=*OUT;
 }
 
 sub AUTOLOAD()		# thunk [simplified] x86-style perlasm
@@ -171,6 +173,10 @@ my @ret;
 $code.=<<___;
 #include <openssl/arm_arch.h>
 
+@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both
+@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions.
+.arch  armv7-a
+
 .text
 #if defined(__thumb2__) || defined(__clang__)
 .syntax	unified
@@ -1157,4 +1163,4 @@ foreach (split("\n",$code)) {
 
 	print $_,"\n";
 }
-close STDOUT;
+close STDOUT or die "error closing STDOUT";

crypto/chacha/asm/chacha-armv8.pl

@@ -28,6 +28,7 @@
 # Denver		4.50/+82%       2.63		2.67(*)
 # X-Gene		9.50/+46%       8.82		8.89(*)
 # Mongoose		8.00/+44%	3.64		3.25
+# Kryo			8.17/+50%	4.83		4.65
 #
 # (*)	it's expected that doubling interleave factor doesn't help
 #	all processors, only those with higher NEON latency and
@@ -121,37 +122,32 @@ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
 $code.=<<___;
 #include <openssl/arm_arch.h>
 
-.text
-
 .extern	OPENSSL_armcap_P
 
+.section .rodata
+
 .align	5
 .Lsigma:
 .quad	0x3320646e61707865,0x6b20657479622d32		// endian-neutral
 .Lone:
 .long	1,0,0,0
-.LOPENSSL_armcap_P:
-#ifdef	__ILP32__
-.long	OPENSSL_armcap_P-.
-#else
-.quad	OPENSSL_armcap_P-.
-#endif
 .asciz	"ChaCha20 for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
 
+.text
+
 .globl	ChaCha20_ctr32
 .type	ChaCha20_ctr32,%function
 .align	5
 ChaCha20_ctr32:
 	cbz	$len,.Labort
-	adr	@x[0],.LOPENSSL_armcap_P
+#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10
+	adrp	@x[0],:pg_hi21_nc:OPENSSL_armcap_P
+#else
+	adrp	@x[0],:pg_hi21:OPENSSL_armcap_P
+#endif
 	cmp	$len,#192
 	b.lo	.Lshort
-#ifdef	__ILP32__
-	ldrsw	@x[1],[@x[0]]
-#else
-	ldr	@x[1],[@x[0]]
-#endif
-	ldr	w17,[@x[1],@x[0]]
+	ldr	w17,[@x[0],:lo12:OPENSSL_armcap_P]
 	tst	w17,#ARMV7_NEON
 	b.ne	ChaCha20_neon
 
@@ -159,7 +155,8 @@ ChaCha20_ctr32:
 	stp	x29,x30,[sp,#-96]!
 	add	x29,sp,#0
 
-	adr	@x[0],.Lsigma
+	adrp	@x[0],:pg_hi21:.Lsigma
+	add	@x[0],@x[0],:lo12:.Lsigma
 	stp	x19,x20,[sp,#16]
 	stp	x21,x22,[sp,#32]
 	stp	x23,x24,[sp,#48]
@@ -379,7 +376,8 @@ ChaCha20_neon:
 	stp	x29,x30,[sp,#-96]!
 	add	x29,sp,#0
 
-	adr	@x[0],.Lsigma
+	adrp	@x[0],:pg_hi21:.Lsigma
+	add	@x[0],@x[0],:lo12:.Lsigma
 	stp	x19,x20,[sp,#16]
 	stp	x21,x22,[sp,#32]
 	stp	x23,x24,[sp,#48]
@@ -698,7 +696,8 @@ ChaCha20_512_neon:
 	stp	x29,x30,[sp,#-96]!
 	add	x29,sp,#0
 
-	adr	@x[0],.Lsigma
+	adrp	@x[0],:pg_hi21:.Lsigma
+	add	@x[0],@x[0],:lo12:.Lsigma
 	stp	x19,x20,[sp,#16]
 	stp	x21,x22,[sp,#32]
 	stp	x23,x24,[sp,#48]
@@ -1132,4 +1131,4 @@ foreach (split("\n",$code)) {
 
 	print $_,"\n";
 }
-close STDOUT;	# flush
+close STDOUT or die "error closing STDOUT";	# flush

crypto/chacha/asm/chacha-x86.pl

@@ -1,4 +1,11 @@
-#!/usr/bin/env perl
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
 #
 # ====================================================================
 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
@@ -762,4 +769,4 @@ sub SSSE3ROUND {	# critical path is 20 "SIMD ticks" per round
 
 &asm_finish();
 
-close STDOUT;
+close STDOUT or die "error closing STDOUT";

crypto/chacha/asm/chacha-x86_64.pl

@@ -228,6 +228,7 @@ $code.=<<___;
 .type	ChaCha20_ctr32,\@function,5
 .align	64
 ChaCha20_ctr32:
+.cfi_startproc
 	cmp	\$0,$len
 	je	.Lno_data
 	mov	OPENSSL_ia32cap_P+4(%rip),%r10
@@ -241,12 +242,19 @@ $code.=<<___;
 	jnz	.LChaCha20_ssse3
 
 	push	%rbx
+.cfi_push	rbx
 	push	%rbp
+.cfi_push	rbp
 	push	%r12
+.cfi_push	r12
 	push	%r13
+.cfi_push	r13
 	push	%r14
+.cfi_push	r14
 	push	%r15
+.cfi_push	r15
 	sub	\$64+24,%rsp
+.cfi_adjust_cfa_offset	`64+24`
 .Lctr32_body:
 
 	#movdqa	.Lsigma(%rip),%xmm0
@@ -388,14 +396,22 @@ $code.=<<___;
 .Ldone:
 	lea	64+24+48(%rsp),%rsi
 	mov	-48(%rsi),%r15
+.cfi_restore	r15
 	mov	-40(%rsi),%r14
+.cfi_restore	r14
 	mov	-32(%rsi),%r13
+.cfi_restore	r13
 	mov	-24(%rsi),%r12
+.cfi_restore	r12
 	mov	-16(%rsi),%rbp
+.cfi_restore	rbp
 	mov	-8(%rsi),%rbx
+.cfi_restore	rbx
 	lea	(%rsi),%rsp
+.cfi_adjust_cfa_offset	`-64-24-48`
 .Lno_data:
 	ret
+.cfi_endproc
 .size	ChaCha20_ctr32,.-ChaCha20_ctr32
 ___
 
@@ -435,7 +451,9 @@ $code.=<<___;
 .align	32
 ChaCha20_ssse3:
 .LChaCha20_ssse3:
+.cfi_startproc
 	mov	%rsp,%r9		# frame pointer
+.cfi_def_cfa_register	r9
 ___
 $code.=<<___;
 	cmp	\$128,$len		# we might throw away some data,
@@ -547,8 +565,10 @@ $code.=<<___	if ($win64);
 ___
 $code.=<<___;
 	lea	(%r9),%rsp
+.cfi_def_cfa_register	rsp
 .Lssse3_epilogue:
 	ret
+.cfi_endproc
 .size	ChaCha20_ssse3,.-ChaCha20_ssse3
 ___
 }
@@ -691,7 +711,9 @@ $code.=<<___;
 .align	32
 ChaCha20_4x:
 .LChaCha20_4x:
+.cfi_startproc
 	mov		%rsp,%r9		# frame pointer
+.cfi_def_cfa_register	r9
 	mov		%r10,%r11
 ___
 $code.=<<___	if ($avx>1);
@@ -1131,8 +1153,10 @@ $code.=<<___	if ($win64);
 ___
 $code.=<<___;
 	lea		(%r9),%rsp
+.cfi_def_cfa_register	rsp
 .L4x_epilogue:
 	ret
+.cfi_endproc
 .size	ChaCha20_4x,.-ChaCha20_4x
 ___
 }
@@ -1266,7 +1290,9 @@ $code.=<<___;
 .align	32
 ChaCha20_8x:
 .LChaCha20_8x:
+.cfi_startproc
 	mov		%rsp,%r9		# frame register
+.cfi_def_cfa_register	r9
 	sub		\$0x280+$xframe,%rsp
 	and		\$-32,%rsp
 ___
@@ -1772,8 +1798,10 @@ $code.=<<___	if ($win64);
 ___
 $code.=<<___;
 	lea		(%r9),%rsp
+.cfi_def_cfa_register	rsp
 .L8x_epilogue:
 	ret
+.cfi_endproc
 .size	ChaCha20_8x,.-ChaCha20_8x
 ___
 }
@@ -1811,7 +1839,9 @@ $code.=<<___;
 .align	32
 ChaCha20_avx512:
 .LChaCha20_avx512:
+.cfi_startproc
 	mov	%rsp,%r9		# frame pointer
+.cfi_def_cfa_register	r9
 	cmp	\$512,$len
 	ja	.LChaCha20_16x
 
@@ -1991,8 +2021,10 @@ $code.=<<___	if ($win64);
 ___
 $code.=<<___;
 	lea	(%r9),%rsp
+.cfi_def_cfa_register	rsp
 .Lavx512_epilogue:
 	ret
+.cfi_endproc
 .size	ChaCha20_avx512,.-ChaCha20_avx512
 ___
 }
@@ -2075,7 +2107,9 @@ $code.=<<___;
 .align	32
 ChaCha20_16x:
 .LChaCha20_16x:
+.cfi_startproc
 	mov		%rsp,%r9		# frame register
+.cfi_def_cfa_register	r9
 	sub		\$64+$xframe,%rsp
 	and		\$-64,%rsp
 ___
@@ -2493,8 +2527,10 @@ $code.=<<___	if ($win64);
 ___
 $code.=<<___;
 	lea		(%r9),%rsp
+.cfi_def_cfa_register	rsp
 .L16x_epilogue:
 	ret
+.cfi_endproc
 .size	ChaCha20_16x,.-ChaCha20_16x
 ___
 }
@@ -2746,4 +2782,4 @@ foreach (split("\n",$code)) {
 	print $_,"\n";
 }
 
-close STDOUT;
+close STDOUT or die "error closing STDOUT";

crypto/chacha/chacha.c

@@ -22,19 +22,49 @@
 #include <openssl/cpu.h>
 
 #include "../internal.h"
+#include "internal.h"
 
 
 #define U8TO32_LITTLE(p)                              \
   (((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) | \
    ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24))
 
-#if !defined(OPENSSL_NO_ASM) &&                         \
-    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
-     defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
+// sigma contains the ChaCha constants, which happen to be an ASCII string.
+static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
+                                   '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
 
-// ChaCha20_ctr32 is defined in asm/chacha-*.pl.
-void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
-                    const uint32_t key[8], const uint32_t counter[4]);
+#define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
+
+// QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
+#define QUARTERROUND(a, b, c, d)                \
+  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
+  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
+  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a],  8); \
+  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c],  7);
+
+void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],
+                      const uint8_t nonce[16]) {
+  uint32_t x[16];
+  OPENSSL_memcpy(x, sigma, sizeof(sigma));
+  OPENSSL_memcpy(&x[4], key, 32);
+  OPENSSL_memcpy(&x[12], nonce, 16);
+
+  for (size_t i = 0; i < 20; i += 2) {
+    QUARTERROUND(0, 4, 8, 12)
+    QUARTERROUND(1, 5, 9, 13)
+    QUARTERROUND(2, 6, 10, 14)
+    QUARTERROUND(3, 7, 11, 15)
+    QUARTERROUND(0, 5, 10, 15)
+    QUARTERROUND(1, 6, 11, 12)
+    QUARTERROUND(2, 7, 8, 13)
+    QUARTERROUND(3, 4, 9, 14)
+  }
+
+  OPENSSL_memcpy(out, &x[0], sizeof(uint32_t) * 4);
+  OPENSSL_memcpy(&out[16], &x[12], sizeof(uint32_t) * 4);
+}
+
+#if defined(CHACHA20_ASM)
 
 void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
                       const uint8_t key[32], const uint8_t nonce[12],
@@ -69,12 +99,6 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
 
 #else
 
-// sigma contains the ChaCha constants, which happen to be an ASCII string.
-static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
-                                   '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
-
-#define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
-
 #define U32TO8_LITTLE(p, v)    \
   {                            \
     (p)[0] = (v >> 0) & 0xff;  \
@@ -83,13 +107,6 @@ static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
     (p)[3] = (v >> 24) & 0xff; \
   }
 
-// QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
-#define QUARTERROUND(a, b, c, d)                \
-  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
-  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
-  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a],  8); \
-  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c],  7);
-
 // chacha_core performs 20 rounds of ChaCha on the input words in
 // |input| and writes the 64 output bytes to |output|.
 static void chacha_core(uint8_t output[64], const uint32_t input[16]) {

crypto/chacha/chacha_test.cc

@@ -23,7 +23,9 @@
 #include <openssl/crypto.h>
 #include <openssl/chacha.h>
 
+#include "internal.h"
 #include "../internal.h"
+#include "../test/abi_test.h"
 #include "../test/test_util.h"
 
 
@@ -234,3 +236,25 @@ TEST(ChaChaTest, TestVector) {
     EXPECT_EQ(Bytes(kOutput, len), Bytes(buf.get(), len));
   }
 }
+
+#if defined(CHACHA20_ASM) && defined(SUPPORTS_ABI_TEST)
+TEST(ChaChaTest, ABI) {
+  uint32_t key[8];
+  OPENSSL_memcpy(key, kKey, sizeof(key));
+
+  static const uint32_t kCounterNonce[4] = {0};
+
+  std::unique_ptr<uint8_t[]> buf(new uint8_t[sizeof(kInput)]);
+  for (size_t len = 0; len <= 32; len++) {
+    SCOPED_TRACE(len);
+    CHECK_ABI(ChaCha20_ctr32, buf.get(), kInput, len, key, kCounterNonce);
+  }
+
+  for (size_t len : {32 * 2, 32 * 4, 32 * 8, 32 * 16, 32 * 24}) {
+    SCOPED_TRACE(len);
+    CHECK_ABI(ChaCha20_ctr32, buf.get(), kInput, len, key, kCounterNonce);
+    // Cover the partial block paths.
+    CHECK_ABI(ChaCha20_ctr32, buf.get(), kInput, len + 15, key, kCounterNonce);
+  }
+}
+#endif  // CHACHA20_ASM && SUPPORTS_ABI_TEST

crypto/chacha/internal.h

@@ -0,0 +1,45 @@
+/* Copyright (c) 2018, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CHACHA_INTERNAL
+#define OPENSSL_HEADER_CHACHA_INTERNAL
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// CRYPTO_hchacha20 computes the HChaCha20 function, which should only be used
+// as part of XChaCha20.
+void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],
+                      const uint8_t nonce[16]);
+
+#if !defined(OPENSSL_NO_ASM) &&                         \
+    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
+     defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
+#define CHACHA20_ASM
+
+// ChaCha20_ctr32 is defined in asm/chacha-*.pl.
+void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
+                    const uint32_t key[8], const uint32_t counter[4]);
+#endif
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CHACHA_INTERNAL

crypto/cipher_extra/CMakeLists.txt

@@ -1,35 +0,0 @@
-include_directories(../../include)
-
-if (${ARCH} STREQUAL "x86_64")
-  set(
-    CIPHER_ARCH_SOURCES
-
-    aes128gcmsiv-x86_64.${ASM_EXT}
-    chacha20_poly1305_x86_64.${ASM_EXT}
-  )
-endif()
-
-add_library(
-  cipher_extra
-
-  OBJECT
-
-  cipher_extra.c
-  derive_key.c
-
-  e_null.c
-  e_rc2.c
-  e_rc4.c
-  e_aesgcmsiv.c
-  e_aesctrhmac.c
-  e_chacha20poly1305.c
-
-  tls_cbc.c
-  e_tls.c
-  e_ssl3.c
-
-  ${CIPHER_ARCH_SOURCES}
-)
-
-perlasm(aes128gcmsiv-x86_64.${ASM_EXT} asm/aes128gcmsiv-x86_64.pl)
-perlasm(chacha20_poly1305_x86_64.${ASM_EXT} asm/chacha20_poly1305_x86_64.pl)

crypto/cipher_extra/aead_test.cc

@@ -25,8 +25,10 @@
 
 #include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
+#include "../test/abi_test.h"
 #include "../test/file_test.h"
 #include "../test/test_util.h"
+#include "../test/wycheproof_util.h"
 
 
 struct KnownAEAD {
@@ -35,64 +37,66 @@ struct KnownAEAD {
   const char *test_vectors;
   // limited_implementation indicates that tests that assume a generic AEAD
   // interface should not be performed. For example, the key-wrap AEADs only
-  // handle inputs that are a multiple of eight bytes in length and the
-  // SSLv3/TLS AEADs have the concept of “direction”.
+  // handle inputs that are a multiple of eight bytes in length and the TLS CBC
+  // AEADs have the concept of “direction”.
   bool limited_implementation;
   // truncated_tags is true if the AEAD supports truncating tags to arbitrary
   // lengths.
   bool truncated_tags;
+  // variable_nonce is true if the AEAD supports a variable nonce length.
+  bool variable_nonce;
   // ad_len, if non-zero, is the required length of the AD.
   size_t ad_len;
 };
 
 static const struct KnownAEAD kAEADs[] = {
     {"AES_128_GCM", EVP_aead_aes_128_gcm, "aes_128_gcm_tests.txt", false, true,
-     0},
+     true, 0},
     {"AES_128_GCM_NIST", EVP_aead_aes_128_gcm, "nist_cavp/aes_128_gcm.txt",
-     false, true, 0},
+     false, true, true, 0},
+    {"AES_192_GCM", EVP_aead_aes_192_gcm, "aes_192_gcm_tests.txt", false, true,
+     true, 0},
     {"AES_256_GCM", EVP_aead_aes_256_gcm, "aes_256_gcm_tests.txt", false, true,
-     0},
+     true, 0},
     {"AES_256_GCM_NIST", EVP_aead_aes_256_gcm, "nist_cavp/aes_256_gcm.txt",
-     false, true, 0},
-#if !defined(OPENSSL_SMALL)
+     false, true, true, 0},
     {"AES_128_GCM_SIV", EVP_aead_aes_128_gcm_siv, "aes_128_gcm_siv_tests.txt",
-     false, false, 0},
+     false, false, false, 0},
     {"AES_256_GCM_SIV", EVP_aead_aes_256_gcm_siv, "aes_256_gcm_siv_tests.txt",
-     false, false, 0},
-#endif
+     false, false, false, 0},
     {"ChaCha20Poly1305", EVP_aead_chacha20_poly1305,
-     "chacha20_poly1305_tests.txt", false, true, 0},
+     "chacha20_poly1305_tests.txt", false, true, false, 0},
+    {"XChaCha20Poly1305", EVP_aead_xchacha20_poly1305,
+     "xchacha20_poly1305_tests.txt", false, true, false, 0},
     {"AES_128_CBC_SHA1_TLS", EVP_aead_aes_128_cbc_sha1_tls,
-     "aes_128_cbc_sha1_tls_tests.txt", true, false, 11},
+     "aes_128_cbc_sha1_tls_tests.txt", true, false, false, 11},
     {"AES_128_CBC_SHA1_TLSImplicitIV",
      EVP_aead_aes_128_cbc_sha1_tls_implicit_iv,
-     "aes_128_cbc_sha1_tls_implicit_iv_tests.txt", true, false, 11},
+     "aes_128_cbc_sha1_tls_implicit_iv_tests.txt", true, false, false, 11},
     {"AES_128_CBC_SHA256_TLS", EVP_aead_aes_128_cbc_sha256_tls,
-     "aes_128_cbc_sha256_tls_tests.txt", true, false, 11},
+     "aes_128_cbc_sha256_tls_tests.txt", true, false, false, 11},
     {"AES_256_CBC_SHA1_TLS", EVP_aead_aes_256_cbc_sha1_tls,
-     "aes_256_cbc_sha1_tls_tests.txt", true, false, 11},
+     "aes_256_cbc_sha1_tls_tests.txt", true, false, false, 11},
     {"AES_256_CBC_SHA1_TLSImplicitIV",
      EVP_aead_aes_256_cbc_sha1_tls_implicit_iv,
-     "aes_256_cbc_sha1_tls_implicit_iv_tests.txt", true, false, 11},
+     "aes_256_cbc_sha1_tls_implicit_iv_tests.txt", true, false, false, 11},
     {"AES_256_CBC_SHA256_TLS", EVP_aead_aes_256_cbc_sha256_tls,
-     "aes_256_cbc_sha256_tls_tests.txt", true, false, 11},
+     "aes_256_cbc_sha256_tls_tests.txt", true, false, false, 11},
     {"AES_256_CBC_SHA384_TLS", EVP_aead_aes_256_cbc_sha384_tls,
-     "aes_256_cbc_sha384_tls_tests.txt", true, false, 11},
+     "aes_256_cbc_sha384_tls_tests.txt", true, false, false, 11},
     {"DES_EDE3_CBC_SHA1_TLS", EVP_aead_des_ede3_cbc_sha1_tls,
-     "des_ede3_cbc_sha1_tls_tests.txt", true, false, 11},
+     "des_ede3_cbc_sha1_tls_tests.txt", true, false, false, 11},
     {"DES_EDE3_CBC_SHA1_TLSImplicitIV",
      EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv,
-     "des_ede3_cbc_sha1_tls_implicit_iv_tests.txt", true, false, 11},
-    {"AES_128_CBC_SHA1_SSL3", EVP_aead_aes_128_cbc_sha1_ssl3,
-     "aes_128_cbc_sha1_ssl3_tests.txt", true, false, 9},
-    {"AES_256_CBC_SHA1_SSL3", EVP_aead_aes_256_cbc_sha1_ssl3,
-     "aes_256_cbc_sha1_ssl3_tests.txt", true, false, 9},
-    {"DES_EDE3_CBC_SHA1_SSL3", EVP_aead_des_ede3_cbc_sha1_ssl3,
-     "des_ede3_cbc_sha1_ssl3_tests.txt", true, false, 9},
+     "des_ede3_cbc_sha1_tls_implicit_iv_tests.txt", true, false, false, 11},
     {"AES_128_CTR_HMAC_SHA256", EVP_aead_aes_128_ctr_hmac_sha256,
-     "aes_128_ctr_hmac_sha256.txt", false, true, 0},
+     "aes_128_ctr_hmac_sha256.txt", false, true, false, 0},
     {"AES_256_CTR_HMAC_SHA256", EVP_aead_aes_256_ctr_hmac_sha256,
-     "aes_256_ctr_hmac_sha256.txt", false, true, 0},
+     "aes_256_ctr_hmac_sha256.txt", false, true, false, 0},
+    {"AES_128_CCM_BLUETOOTH", EVP_aead_aes_128_ccm_bluetooth,
+     "aes_128_ccm_bluetooth_tests.txt", false, false, false, 0},
+    {"AES_128_CCM_BLUETOOTH_8", EVP_aead_aes_128_ccm_bluetooth_8,
+     "aes_128_ccm_bluetooth_8_tests.txt", false, false, false, 0},
 };
 
 class PerAEADTest : public testing::TestWithParam<KnownAEAD> {
@@ -100,9 +104,9 @@ class PerAEADTest : public testing::TestWithParam<KnownAEAD> {
   const EVP_AEAD *aead() { return GetParam().func(); }
 };
 
-INSTANTIATE_TEST_CASE_P(, PerAEADTest, testing::ValuesIn(kAEADs),
-                        [](const testing::TestParamInfo<KnownAEAD> &params)
-                            -> std::string { return params.param.name; });
+INSTANTIATE_TEST_SUITE_P(All, PerAEADTest, testing::ValuesIn(kAEADs),
+                         [](const testing::TestParamInfo<KnownAEAD> &params)
+                             -> std::string { return params.param.name; });
 
 // Tests an AEAD against a series of test vectors from a file, using the
 // FileTest format. As an example, here's a valid test case:
@@ -539,10 +543,10 @@ TEST_P(PerAEADTest, AliasedBuffers) {
 }
 
 TEST_P(PerAEADTest, UnalignedInput) {
-  alignas(64) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH + 1];
-  alignas(64) uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH + 1];
-  alignas(64) uint8_t plaintext[32 + 1];
-  alignas(64) uint8_t ad[32 + 1];
+  alignas(16) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH + 1];
+  alignas(16) uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH + 1];
+  alignas(16) uint8_t plaintext[32 + 1];
+  alignas(16) uint8_t ad[32 + 1];
   OPENSSL_memset(key, 'K', sizeof(key));
   OPENSSL_memset(nonce, 'N', sizeof(nonce));
   OPENSSL_memset(plaintext, 'P', sizeof(plaintext));
@@ -560,7 +564,7 @@ TEST_P(PerAEADTest, UnalignedInput) {
   ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
       ctx.get(), aead(), key + 1, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH,
       evp_aead_seal));
-  alignas(64) uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD];
+  alignas(16) uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD];
   size_t ciphertext_len;
   ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext + 1, &ciphertext_len,
                                 sizeof(ciphertext) - 1, nonce + 1, nonce_len,
@@ -568,7 +572,7 @@ TEST_P(PerAEADTest, UnalignedInput) {
                                 ad_len));
 
   // It must successfully decrypt.
-  alignas(64) uint8_t out[sizeof(ciphertext)];
+  alignas(16) uint8_t out[sizeof(ciphertext)];
   ctx.Reset();
   ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
       ctx.get(), aead(), key + 1, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH,
@@ -582,7 +586,7 @@ TEST_P(PerAEADTest, UnalignedInput) {
 }
 
 TEST_P(PerAEADTest, Overflow) {
-  alignas(64) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
+  uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
   OPENSSL_memset(key, 'K', sizeof(key));
 
   bssl::ScopedEVP_AEAD_CTX ctx;
@@ -606,48 +610,311 @@ TEST_P(PerAEADTest, Overflow) {
   // as the input.)
 }
 
-// Test that EVP_aead_aes_128_gcm and EVP_aead_aes_256_gcm reject empty nonces.
-// AES-GCM is not defined for those.
-TEST(AEADTest, AESGCMEmptyNonce) {
-  static const uint8_t kZeros[32] = {0};
+TEST_P(PerAEADTest, InvalidNonceLength) {
+  size_t valid_nonce_len = EVP_AEAD_nonce_length(aead());
+  std::vector<size_t> nonce_lens;
+  if (valid_nonce_len != 0) {
+    // Other than the implicit IV TLS "AEAD"s, none of our AEADs allow empty
+    // nonces. In particular, although AES-GCM was incorrectly specified with
+    // variable-length nonces, it does not allow the empty nonce.
+    nonce_lens.push_back(0);
+  }
+  if (!GetParam().variable_nonce) {
+    nonce_lens.push_back(valid_nonce_len + 1);
+    if (valid_nonce_len != 0) {
+      nonce_lens.push_back(valid_nonce_len - 1);
+    }
+  }
 
-  // Test AES-128-GCM.
-  uint8_t buf[16];
-  size_t len;
-  bssl::ScopedEVP_AEAD_CTX ctx;
-  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_aes_128_gcm(), kZeros, 16,
-                                EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
+  static const uint8_t kZeros[EVP_AEAD_MAX_KEY_LENGTH] = {0};
+  const size_t ad_len = GetParam().ad_len != 0 ? GetParam().ad_len : 16;
+  ASSERT_LE(ad_len, sizeof(kZeros));
 
-  EXPECT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), buf, &len, sizeof(buf),
-                                 nullptr /* nonce */, 0, nullptr /* in */, 0,
-                                 nullptr /* ad */, 0));
-  uint32_t err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
-  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
+  for (size_t nonce_len : nonce_lens) {
+    SCOPED_TRACE(nonce_len);
+    uint8_t buf[256];
+    size_t len;
+    std::vector<uint8_t> nonce(nonce_len);
+    bssl::ScopedEVP_AEAD_CTX ctx;
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), kZeros, EVP_AEAD_key_length(aead()),
+        EVP_AEAD_DEFAULT_TAG_LENGTH, evp_aead_seal));
 
-  EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), buf, &len, sizeof(buf),
-                                 nullptr /* nonce */, 0, kZeros /* in */,
-                                 sizeof(kZeros), nullptr /* ad */, 0));
-  err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
-  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
+    EXPECT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), buf, &len, sizeof(buf),
+                                   nonce.data(), nonce.size(), nullptr /* in */,
+                                   0, kZeros /* ad */, ad_len));
+    uint32_t err = ERR_get_error();
+    EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
+    // TODO(davidben): Merge these errors. https://crbug.com/boringssl/129.
+    if (ERR_GET_REASON(err) != CIPHER_R_UNSUPPORTED_NONCE_SIZE) {
+      EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
+    }
 
-  // Test AES-256-GCM.
-  ctx.Reset();
-  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_aes_256_gcm(), kZeros, 32,
-                                EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
-
-  EXPECT_FALSE(EVP_AEAD_CTX_seal(ctx.get(), buf, &len, sizeof(buf),
-                                 nullptr /* nonce */, 0, nullptr /* in */, 0,
-                                 nullptr /* ad */, 0));
-  err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
-  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
-
-  EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), buf, &len, sizeof(buf),
-                                 nullptr /* nonce */, 0, kZeros /* in */,
-                                 sizeof(kZeros), nullptr /* ad */, 0));
-  err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
-  EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
+    ctx.Reset();
+    ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction(
+        ctx.get(), aead(), kZeros, EVP_AEAD_key_length(aead()),
+        EVP_AEAD_DEFAULT_TAG_LENGTH, evp_aead_open));
+    EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), buf, &len, sizeof(buf),
+                                   nonce.data(), nonce.size(), kZeros /* in */,
+                                   sizeof(kZeros), kZeros /* ad */, ad_len));
+    err = ERR_get_error();
+    EXPECT_EQ(ERR_LIB_CIPHER, ERR_GET_LIB(err));
+    if (ERR_GET_REASON(err) != CIPHER_R_UNSUPPORTED_NONCE_SIZE) {
+      EXPECT_EQ(CIPHER_R_INVALID_NONCE_SIZE, ERR_GET_REASON(err));
+    }
+  }
+}
+
+#if defined(SUPPORTS_ABI_TEST)
+// CHECK_ABI can't pass enums, i.e. |evp_aead_seal| and |evp_aead_open|. Thus
+// these two wrappers.
+static int aead_ctx_init_for_seal(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
+                                  const uint8_t *key, size_t key_len) {
+  return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, 0,
+                                          evp_aead_seal);
+}
+
+static int aead_ctx_init_for_open(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
+                                  const uint8_t *key, size_t key_len) {
+  return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, 0,
+                                          evp_aead_open);
+}
+
+// CHECK_ABI can pass, at most, eight arguments. Thus these wrappers that
+// figure out the output length from the input length, and take the nonce length
+// from the configuration of the AEAD.
+static int aead_ctx_seal(EVP_AEAD_CTX *ctx, uint8_t *out_ciphertext,
+                         size_t *out_ciphertext_len, const uint8_t *nonce,
+                         const uint8_t *plaintext, size_t plaintext_len,
+                         const uint8_t *ad, size_t ad_len) {
+  const size_t nonce_len = EVP_AEAD_nonce_length(EVP_AEAD_CTX_aead(ctx));
+  return EVP_AEAD_CTX_seal(ctx, out_ciphertext, out_ciphertext_len,
+                           plaintext_len + EVP_AEAD_MAX_OVERHEAD, nonce,
+                           nonce_len, plaintext, plaintext_len, ad, ad_len);
+}
+
+static int aead_ctx_open(EVP_AEAD_CTX *ctx, uint8_t *out_plaintext,
+                         size_t *out_plaintext_len, const uint8_t *nonce,
+                         const uint8_t *ciphertext, size_t ciphertext_len,
+                         const uint8_t *ad, size_t ad_len) {
+  const size_t nonce_len = EVP_AEAD_nonce_length(EVP_AEAD_CTX_aead(ctx));
+  return EVP_AEAD_CTX_open(ctx, out_plaintext, out_plaintext_len,
+                           ciphertext_len, nonce, nonce_len, ciphertext,
+                           ciphertext_len, ad, ad_len);
+}
+
+TEST_P(PerAEADTest, ABI) {
+  uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
+  OPENSSL_memset(key, 'K', sizeof(key));
+  const size_t key_len = EVP_AEAD_key_length(aead());
+  ASSERT_LE(key_len, sizeof(key));
+
+  bssl::ScopedEVP_AEAD_CTX ctx_seal;
+  ASSERT_TRUE(
+      CHECK_ABI(aead_ctx_init_for_seal, ctx_seal.get(), aead(), key, key_len));
+
+  bssl::ScopedEVP_AEAD_CTX ctx_open;
+  ASSERT_TRUE(
+      CHECK_ABI(aead_ctx_init_for_open, ctx_open.get(), aead(), key, key_len));
+
+  alignas(2) uint8_t plaintext[512];
+  OPENSSL_memset(plaintext, 'P', sizeof(plaintext));
+
+  alignas(2) uint8_t ad_buf[512];
+  OPENSSL_memset(ad_buf, 'A', sizeof(ad_buf));
+  const uint8_t *const ad = ad_buf + 1;
+  ASSERT_LE(GetParam().ad_len, sizeof(ad_buf) - 1);
+  const size_t ad_len =
+      GetParam().ad_len != 0 ? GetParam().ad_len : sizeof(ad_buf) - 1;
+
+  uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
+  const size_t nonce_len = EVP_AEAD_nonce_length(aead());
+  ASSERT_LE(nonce_len, sizeof(nonce));
+
+  alignas(2) uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD + 1];
+  size_t ciphertext_len;
+  // Knock plaintext, ciphertext, and AD off alignment and give odd lengths for
+  // plaintext and AD. This hopefully triggers any edge-cases in the assembly.
+  ASSERT_TRUE(CHECK_ABI(aead_ctx_seal, ctx_seal.get(), ciphertext + 1,
+                        &ciphertext_len, nonce, plaintext + 1,
+                        sizeof(plaintext) - 1, ad, ad_len));
+
+  alignas(2) uint8_t plaintext2[sizeof(ciphertext) + 1];
+  size_t plaintext2_len;
+  ASSERT_TRUE(CHECK_ABI(aead_ctx_open, ctx_open.get(), plaintext2 + 1,
+                        &plaintext2_len, nonce, ciphertext + 1, ciphertext_len,
+                        ad, ad_len));
+
+  EXPECT_EQ(Bytes(plaintext + 1, sizeof(plaintext) - 1),
+            Bytes(plaintext2 + 1, plaintext2_len));
+}
+#endif  // SUPPORTS_ABI_TEST
+
+TEST(AEADTest, AESCCMLargeAD) {
+  static const std::vector<uint8_t> kKey(16, 'A');
+  static const std::vector<uint8_t> kNonce(13, 'N');
+  static const std::vector<uint8_t> kAD(65536, 'D');
+  static const std::vector<uint8_t> kPlaintext = {
+      0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
+  static const std::vector<uint8_t> kCiphertext = {
+      0xa2, 0x12, 0x3f, 0x0b, 0x07, 0xd5, 0x02, 0xff,
+      0xa9, 0xcd, 0xa0, 0xf3, 0x69, 0x1c, 0x49, 0x0c};
+  static const std::vector<uint8_t> kTag = {0x4a, 0x31, 0x82, 0x96};
+
+  // Test AES-128-CCM-Bluetooth.
+  bssl::ScopedEVP_AEAD_CTX ctx;
+  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), EVP_aead_aes_128_ccm_bluetooth(),
+                                kKey.data(), kKey.size(),
+                                EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr));
+
+  std::vector<uint8_t> out(kCiphertext.size() + kTag.size());
+  size_t out_len;
+  EXPECT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), out.data(), &out_len, out.size(),
+                                kNonce.data(), kNonce.size(), kPlaintext.data(),
+                                kPlaintext.size(), kAD.data(), kAD.size()));
+
+  ASSERT_EQ(out_len, kCiphertext.size() + kTag.size());
+  EXPECT_EQ(Bytes(kCiphertext), Bytes(out.data(), kCiphertext.size()));
+  EXPECT_EQ(Bytes(kTag), Bytes(out.data() + kCiphertext.size(), kTag.size()));
+
+  EXPECT_TRUE(EVP_AEAD_CTX_open(ctx.get(), out.data(), &out_len, out.size(),
+                                kNonce.data(), kNonce.size(), out.data(),
+                                out.size(), kAD.data(), kAD.size()));
+
+  ASSERT_EQ(out_len, kPlaintext.size());
+  EXPECT_EQ(Bytes(kPlaintext), Bytes(out.data(), kPlaintext.size()));
+}
+
+static void RunWycheproofTestCase(FileTest *t, const EVP_AEAD *aead) {
+  t->IgnoreInstruction("ivSize");
+
+  std::vector<uint8_t> aad, ct, iv, key, msg, tag;
+  ASSERT_TRUE(t->GetBytes(&aad, "aad"));
+  ASSERT_TRUE(t->GetBytes(&ct, "ct"));
+  ASSERT_TRUE(t->GetBytes(&iv, "iv"));
+  ASSERT_TRUE(t->GetBytes(&key, "key"));
+  ASSERT_TRUE(t->GetBytes(&msg, "msg"));
+  ASSERT_TRUE(t->GetBytes(&tag, "tag"));
+  std::string tag_size_str;
+  ASSERT_TRUE(t->GetInstruction(&tag_size_str, "tagSize"));
+  size_t tag_size = static_cast<size_t>(atoi(tag_size_str.c_str()));
+  ASSERT_EQ(0u, tag_size % 8);
+  tag_size /= 8;
+  WycheproofResult result;
+  ASSERT_TRUE(GetWycheproofResult(t, &result));
+
+  std::vector<uint8_t> ct_and_tag = ct;
+  ct_and_tag.insert(ct_and_tag.end(), tag.begin(), tag.end());
+
+  bssl::ScopedEVP_AEAD_CTX ctx;
+  ASSERT_TRUE(EVP_AEAD_CTX_init(ctx.get(), aead, key.data(), key.size(),
+                                tag_size, nullptr));
+  std::vector<uint8_t> out(msg.size());
+  size_t out_len;
+  // Wycheproof tags small AES-GCM IVs as "acceptable" and otherwise does not
+  // use it in AEADs. Any AES-GCM IV that isn't 96 bits is absurd, but our API
+  // supports those, so we treat SmallIv tests as valid.
+  if (result.IsValid({"SmallIv"})) {
+    // Decryption should succeed.
+    ASSERT_TRUE(EVP_AEAD_CTX_open(ctx.get(), out.data(), &out_len, out.size(),
+                                  iv.data(), iv.size(), ct_and_tag.data(),
+                                  ct_and_tag.size(), aad.data(), aad.size()));
+    EXPECT_EQ(Bytes(msg), Bytes(out.data(), out_len));
+
+    // Decryption in-place should succeed.
+    out = ct_and_tag;
+    ASSERT_TRUE(EVP_AEAD_CTX_open(ctx.get(), out.data(), &out_len, out.size(),
+                                  iv.data(), iv.size(), out.data(), out.size(),
+                                  aad.data(), aad.size()));
+    EXPECT_EQ(Bytes(msg), Bytes(out.data(), out_len));
+
+    // AEADs are deterministic, so encryption should produce the same result.
+    out.resize(ct_and_tag.size());
+    ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), out.data(), &out_len, out.size(),
+                                  iv.data(), iv.size(), msg.data(), msg.size(),
+                                  aad.data(), aad.size()));
+    EXPECT_EQ(Bytes(ct_and_tag), Bytes(out.data(), out_len));
+
+    // Encrypt in-place.
+    out = msg;
+    out.resize(ct_and_tag.size());
+    ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), out.data(), &out_len, out.size(),
+                                  iv.data(), iv.size(), out.data(), msg.size(),
+                                  aad.data(), aad.size()));
+    EXPECT_EQ(Bytes(ct_and_tag), Bytes(out.data(), out_len));
+  } else {
+    // Decryption should fail.
+    EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), out.data(), &out_len, out.size(),
+                                   iv.data(), iv.size(), ct_and_tag.data(),
+                                   ct_and_tag.size(), aad.data(), aad.size()));
+
+    // Decryption in-place should also fail.
+    out = ct_and_tag;
+    EXPECT_FALSE(EVP_AEAD_CTX_open(ctx.get(), out.data(), &out_len, out.size(),
+                                   iv.data(), iv.size(), out.data(), out.size(),
+                                   aad.data(), aad.size()));
+  }
+}
+
+TEST(AEADTest, WycheproofAESGCMSIV) {
+  FileTestGTest("third_party/wycheproof_testvectors/aes_gcm_siv_test.txt",
+                [](FileTest *t) {
+    std::string key_size_str;
+    ASSERT_TRUE(t->GetInstruction(&key_size_str, "keySize"));
+    const EVP_AEAD *aead;
+    switch (atoi(key_size_str.c_str())) {
+      case 128:
+        aead = EVP_aead_aes_128_gcm_siv();
+        break;
+      case 256:
+        aead = EVP_aead_aes_256_gcm_siv();
+        break;
+      default:
+        FAIL() << "Unknown key size: " << key_size_str;
+    }
+
+    RunWycheproofTestCase(t, aead);
+  });
+}
+
+TEST(AEADTest, WycheproofAESGCM) {
+  FileTestGTest("third_party/wycheproof_testvectors/aes_gcm_test.txt",
+                [](FileTest *t) {
+    std::string key_size_str;
+    ASSERT_TRUE(t->GetInstruction(&key_size_str, "keySize"));
+    const EVP_AEAD *aead;
+    switch (atoi(key_size_str.c_str())) {
+      case 128:
+        aead = EVP_aead_aes_128_gcm();
+        break;
+      case 192:
+        aead = EVP_aead_aes_192_gcm();
+        break;
+      case 256:
+        aead = EVP_aead_aes_256_gcm();
+        break;
+      default:
+        FAIL() << "Unknown key size: " << key_size_str;
+    }
+
+    RunWycheproofTestCase(t, aead);
+  });
+}
+
+TEST(AEADTest, WycheproofChaCha20Poly1305) {
+  FileTestGTest("third_party/wycheproof_testvectors/chacha20_poly1305_test.txt",
+                [](FileTest *t) {
+    t->IgnoreInstruction("keySize");
+    RunWycheproofTestCase(t, EVP_aead_chacha20_poly1305());
+  });
+}
+
+TEST(AEADTest, WycheproofXChaCha20Poly1305) {
+  FileTestGTest(
+      "third_party/wycheproof_testvectors/xchacha20_poly1305_test.txt",
+      [](FileTest *t) {
+        t->IgnoreInstruction("keySize");
+        RunWycheproofTestCase(t, EVP_aead_xchacha20_poly1305());
+      });
 }

crypto/cipher_extra/asm/aes128gcmsiv-x86_64.pl

@@ -2253,4 +2253,4 @@ aes256gcmsiv_kdf();
 
 print $code;
 
-close STDOUT;
+close STDOUT or die "error closing STDOUT";

crypto/cipher_extra/asm/chacha20_poly1305_x86_64.pl

@@ -1273,7 +1273,7 @@ do_length_block:\n";
     pop %rbp
 .cfi_adjust_cfa_offset -8
     ret
-.cfi_adjust_cfa_offset (8 * 6) + 288 + 32
+.cfi_adjust_cfa_offset (8 * 7) + 288 + 32
 ################################################################################
 seal_sse_128:
     movdqu .chacha20_consts(%rip), $A0\nmovdqa $A0, $A1\nmovdqa $A0, $A2
@@ -2478,6 +2478,7 @@ if (!$win64) {
   print $code;
 } else {
   print <<___;
+.text
 .globl dummy_chacha20_poly1305_asm
 .type dummy_chacha20_poly1305_asm,\@abi-omnipotent
 dummy_chacha20_poly1305_asm:
@@ -2485,4 +2486,4 @@ dummy_chacha20_poly1305_asm:
 ___
 }
 
-close STDOUT;
+close STDOUT or die "error closing STDOUT";

crypto/cipher_extra/cipher_extra.c

@@ -94,20 +94,49 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) {
   } else if (OPENSSL_strcasecmp(name, "des-cbc") == 0) {
     return EVP_des_cbc();
   } else if (OPENSSL_strcasecmp(name, "des-ede3-cbc") == 0 ||
+             // This is not a name used by OpenSSL, but tcpdump registers it
+             // with |EVP_add_cipher_alias|. Our |EVP_add_cipher_alias| is a
+             // no-op, so we support the name here.
              OPENSSL_strcasecmp(name, "3des") == 0) {
     return EVP_des_ede3_cbc();
   } else if (OPENSSL_strcasecmp(name, "aes-128-cbc") == 0) {
     return EVP_aes_128_cbc();
+  } else if (OPENSSL_strcasecmp(name, "aes-192-cbc") == 0) {
+    return EVP_aes_192_cbc();
   } else if (OPENSSL_strcasecmp(name, "aes-256-cbc") == 0) {
     return EVP_aes_256_cbc();
   } else if (OPENSSL_strcasecmp(name, "aes-128-ctr") == 0) {
     return EVP_aes_128_ctr();
+  } else if (OPENSSL_strcasecmp(name, "aes-192-ctr") == 0) {
+    return EVP_aes_192_ctr();
   } else if (OPENSSL_strcasecmp(name, "aes-256-ctr") == 0) {
     return EVP_aes_256_ctr();
   } else if (OPENSSL_strcasecmp(name, "aes-128-ecb") == 0) {
     return EVP_aes_128_ecb();
+  } else if (OPENSSL_strcasecmp(name, "aes-192-ecb") == 0) {
+    return EVP_aes_192_ecb();
   } else if (OPENSSL_strcasecmp(name, "aes-256-ecb") == 0) {
     return EVP_aes_256_ecb();
+  } else if (OPENSSL_strcasecmp(name, "aes-128-gcm") == 0) {
+    return EVP_aes_128_gcm();
+  } else if (OPENSSL_strcasecmp(name, "aes-192-gcm") == 0) {
+    return EVP_aes_192_gcm();
+  } else if (OPENSSL_strcasecmp(name, "aes-256-gcm") == 0) {
+    return EVP_aes_256_gcm();
+  } else if (OPENSSL_strcasecmp(name, "aes-128-ofb") == 0) {
+    return EVP_aes_128_ofb();
+  } else if (OPENSSL_strcasecmp(name, "aes-192-ofb") == 0) {
+    return EVP_aes_192_ofb();
+  } else if (OPENSSL_strcasecmp(name, "aes-256-ofb") == 0) {
+    return EVP_aes_256_ofb();
+  } else if (OPENSSL_strcasecmp(name, "des-ecb") == 0) {
+    return EVP_des_ecb();
+  } else if (OPENSSL_strcasecmp(name, "des-ede") == 0) {
+    return EVP_des_ede();
+  } else if (OPENSSL_strcasecmp(name, "des-ede-cbc") == 0) {
+    return EVP_des_ede_cbc();
+  } else if (OPENSSL_strcasecmp(name, "rc2-cbc") == 0) {
+    return EVP_rc2_cbc();
   }
 
   return NULL;

crypto/cipher_extra/cipher_test.cc

@@ -51,19 +51,25 @@
  * ====================================================================
  */
 
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
+#include <algorithm>
 #include <string>
 #include <vector>
 
 #include <gtest/gtest.h>
 
+#include <openssl/aes.h>
 #include <openssl/cipher.h>
 #include <openssl/err.h>
+#include <openssl/nid.h>
+#include <openssl/span.h>
 
 #include "../test/file_test.h"
 #include "../test/test_util.h"
+#include "../test/wycheproof_util.h"
 
 
 static const EVP_CIPHER *GetCipher(const std::string &name) {
@@ -97,6 +103,8 @@ static const EVP_CIPHER *GetCipher(const std::string &name) {
     return EVP_aes_192_ctr();
   } else if (name == "AES-192-ECB") {
     return EVP_aes_192_ecb();
+  } else if (name == "AES-192-OFB") {
+    return EVP_aes_192_ofb();
   } else if (name == "AES-256-CBC") {
     return EVP_aes_256_cbc();
   } else if (name == "AES-128-CTR") {
@@ -111,8 +119,46 @@ static const EVP_CIPHER *GetCipher(const std::string &name) {
   return nullptr;
 }
 
+static bool DoCipher(EVP_CIPHER_CTX *ctx, std::vector<uint8_t> *out,
+                     bssl::Span<const uint8_t> in, size_t chunk,
+                     bool in_place) {
+  size_t max_out = in.size();
+  if ((EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_NO_PADDING) == 0 &&
+      EVP_CIPHER_CTX_encrypting(ctx)) {
+    unsigned block_size = EVP_CIPHER_CTX_block_size(ctx);
+    max_out += block_size - (max_out % block_size);
+  }
+  out->resize(max_out);
+  if (in_place) {
+    std::copy(in.begin(), in.end(), out->begin());
+    in = bssl::MakeConstSpan(out->data(), in.size());
+  }
+
+  size_t total = 0;
+  int len;
+  while (!in.empty()) {
+    size_t todo = chunk == 0 ? in.size() : std::min(in.size(), chunk);
+    EXPECT_LE(todo, static_cast<size_t>(INT_MAX));
+    if (!EVP_CipherUpdate(ctx, out->data() + total, &len, in.data(),
+                          static_cast<int>(todo))) {
+      return false;
+    }
+    EXPECT_GE(len, 0);
+    total += static_cast<size_t>(len);
+    in = in.subspan(todo);
+  }
+  if (!EVP_CipherFinal_ex(ctx, out->data() + total, &len)) {
+    return false;
+  }
+  EXPECT_GE(len, 0);
+  total += static_cast<size_t>(len);
+  out->resize(total);
+  return true;
+}
+
 static void TestOperation(FileTest *t, const EVP_CIPHER *cipher, bool encrypt,
-                          size_t chunk_size, const std::vector<uint8_t> &key,
+                          bool copy, bool in_place, size_t chunk_size,
+                          const std::vector<uint8_t> &key,
                           const std::vector<uint8_t> &iv,
                           const std::vector<uint8_t> &plaintext,
                           const std::vector<uint8_t> &ciphertext,
@@ -129,65 +175,139 @@ static void TestOperation(FileTest *t, const EVP_CIPHER *cipher, bool encrypt,
 
   bool is_aead = EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE;
 
-  bssl::ScopedEVP_CIPHER_CTX ctx;
-  ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
-                         encrypt ? 1 : 0));
+  bssl::ScopedEVP_CIPHER_CTX ctx1;
+  ASSERT_TRUE(EVP_CipherInit_ex(ctx1.get(), cipher, nullptr, nullptr, nullptr,
+                                encrypt ? 1 : 0));
   if (t->HasAttribute("IV")) {
     if (is_aead) {
-      ASSERT_TRUE(
-          EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, iv.size(), 0));
+      ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx1.get(), EVP_CTRL_AEAD_SET_IVLEN,
+                                      iv.size(), 0));
     } else {
-      ASSERT_EQ(iv.size(), EVP_CIPHER_CTX_iv_length(ctx.get()));
+      ASSERT_EQ(iv.size(), EVP_CIPHER_CTX_iv_length(ctx1.get()));
     }
   }
+
+  bssl::ScopedEVP_CIPHER_CTX ctx2;
+  EVP_CIPHER_CTX *ctx = ctx1.get();
+  if (copy) {
+    ASSERT_TRUE(EVP_CIPHER_CTX_copy(ctx2.get(), ctx1.get()));
+    ctx = ctx2.get();
+  }
+
   if (is_aead && !encrypt) {
-    ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, tag.size(),
+    ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag.size(),
                                     const_cast<uint8_t *>(tag.data())));
   }
   // The ciphers are run with no padding. For each of the ciphers we test, the
   // output size matches the input size.
-  std::vector<uint8_t> result(in->size());
   ASSERT_EQ(in->size(), out->size());
-  int unused, result_len1 = 0, result_len2;
-  ASSERT_TRUE(EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()));
-  ASSERT_TRUE(EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key.data(),
-                                iv.data(), -1));
-  // Note: the deprecated |EVP_CIPHER|-based AES-GCM API is sensitive to whether
+  ASSERT_TRUE(EVP_CIPHER_CTX_set_key_length(ctx, key.size()));
+  ASSERT_TRUE(
+      EVP_CipherInit_ex(ctx, nullptr, nullptr, key.data(), iv.data(), -1));
+  // Note: the deprecated |EVP_CIPHER|-based AEAD API is sensitive to whether
   // parameters are NULL, so it is important to skip the |in| and |aad|
   // |EVP_CipherUpdate| calls when empty.
   if (!aad.empty()) {
+    int unused;
     ASSERT_TRUE(
-        EVP_CipherUpdate(ctx.get(), nullptr, &unused, aad.data(), aad.size()));
+        EVP_CipherUpdate(ctx, nullptr, &unused, aad.data(), aad.size()));
   }
-  ASSERT_TRUE(EVP_CIPHER_CTX_set_padding(ctx.get(), 0));
-  if (chunk_size != 0) {
-    for (size_t i = 0; i < in->size();) {
-      size_t todo = chunk_size;
-      if (i + todo > in->size()) {
-        todo = in->size() - i;
-      }
-
-      int len;
-      ASSERT_TRUE(EVP_CipherUpdate(ctx.get(), result.data() + result_len1, &len,
-                                   in->data() + i, todo));
-      result_len1 += len;
-      i += todo;
-    }
-  } else if (!in->empty()) {
-    ASSERT_TRUE(EVP_CipherUpdate(ctx.get(), result.data(), &result_len1,
-                                 in->data(), in->size()));
-  }
-  ASSERT_TRUE(
-      EVP_CipherFinal_ex(ctx.get(), result.data() + result_len1, &result_len2));
-  result.resize(result_len1 + result_len2);
+  ASSERT_TRUE(EVP_CIPHER_CTX_set_padding(ctx, 0));
+  std::vector<uint8_t> result;
+  ASSERT_TRUE(DoCipher(ctx, &result, *in, chunk_size, in_place));
   EXPECT_EQ(Bytes(*out), Bytes(result));
   if (encrypt && is_aead) {
     uint8_t rtag[16];
     ASSERT_LE(tag.size(), sizeof(rtag));
     ASSERT_TRUE(
-        EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, tag.size(), rtag));
+        EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag.size(), rtag));
     EXPECT_EQ(Bytes(tag), Bytes(rtag, tag.size()));
   }
+
+  // Additionally test low-level AES mode APIs. Skip runs where |copy| because
+  // it does not apply.
+  if (!copy) {
+    int nid = EVP_CIPHER_nid(cipher);
+    bool is_ctr = nid == NID_aes_128_ctr || nid == NID_aes_192_ctr ||
+                  nid == NID_aes_256_ctr;
+    bool is_cbc = nid == NID_aes_128_cbc || nid == NID_aes_192_cbc ||
+                  nid == NID_aes_256_cbc;
+    bool is_ofb = nid == NID_aes_128_ofb128 || nid == NID_aes_192_ofb128 ||
+                  nid == NID_aes_256_ofb128;
+    if (is_ctr || is_cbc || is_ofb) {
+      AES_KEY aes;
+      if (encrypt || !is_cbc) {
+        ASSERT_EQ(0, AES_set_encrypt_key(key.data(), key.size() * 8, &aes));
+      } else {
+        ASSERT_EQ(0, AES_set_decrypt_key(key.data(), key.size() * 8, &aes));
+      }
+
+      // The low-level APIs all work in-place.
+      bssl::Span<const uint8_t> input = *in;
+      result.clear();
+      if (in_place) {
+        result = *in;
+        input = result;
+      } else {
+        result.resize(out->size());
+      }
+      bssl::Span<uint8_t> output = bssl::MakeSpan(result);
+      ASSERT_EQ(input.size(), output.size());
+
+      // The low-level APIs all use block-size IVs.
+      ASSERT_EQ(iv.size(), size_t{AES_BLOCK_SIZE});
+      uint8_t ivec[AES_BLOCK_SIZE];
+      OPENSSL_memcpy(ivec, iv.data(), iv.size());
+
+      if (is_ctr) {
+        unsigned num = 0;
+        uint8_t ecount_buf[AES_BLOCK_SIZE];
+        if (chunk_size == 0) {
+          AES_ctr128_encrypt(input.data(), output.data(), input.size(), &aes,
+                             ivec, ecount_buf, &num);
+        } else {
+          do {
+            size_t todo = std::min(input.size(), chunk_size);
+            AES_ctr128_encrypt(input.data(), output.data(), todo, &aes, ivec,
+                               ecount_buf, &num);
+            input = input.subspan(todo);
+            output = output.subspan(todo);
+          } while (!input.empty());
+        }
+        EXPECT_EQ(Bytes(*out), Bytes(result));
+      } else if (is_cbc && chunk_size % AES_BLOCK_SIZE == 0) {
+        // Note |AES_cbc_encrypt| requires block-aligned chunks.
+        if (chunk_size == 0) {
+          AES_cbc_encrypt(input.data(), output.data(), input.size(), &aes, ivec,
+                          encrypt);
+        } else {
+          do {
+            size_t todo = std::min(input.size(), chunk_size);
+            AES_cbc_encrypt(input.data(), output.data(), todo, &aes, ivec,
+                            encrypt);
+            input = input.subspan(todo);
+            output = output.subspan(todo);
+          } while (!input.empty());
+        }
+        EXPECT_EQ(Bytes(*out), Bytes(result));
+      } else if (is_ofb) {
+        int num = 0;
+        if (chunk_size == 0) {
+          AES_ofb128_encrypt(input.data(), output.data(), input.size(), &aes,
+                             ivec, &num);
+        } else {
+          do {
+            size_t todo = std::min(input.size(), chunk_size);
+            AES_ofb128_encrypt(input.data(), output.data(), todo, &aes, ivec,
+                               &num);
+            input = input.subspan(todo);
+            output = output.subspan(todo);
+          } while (!input.empty());
+        }
+        EXPECT_EQ(Bytes(*out), Bytes(result));
+      }
+    }
+  }
 }
 
 static void TestCipher(FileTest *t) {
@@ -229,17 +349,24 @@ static void TestCipher(FileTest *t) {
 
   for (size_t chunk_size : chunk_sizes) {
     SCOPED_TRACE(chunk_size);
-    // By default, both directions are run, unless overridden by the operation.
-    if (operation != kDecrypt) {
-      SCOPED_TRACE("encrypt");
-      TestOperation(t, cipher, true /* encrypt */, chunk_size, key, iv,
-                    plaintext, ciphertext, aad, tag);
-    }
+    for (bool copy : {false, true}) {
+      SCOPED_TRACE(copy);
+      for (bool in_place : {false, true}) {
+        SCOPED_TRACE(in_place);
+        // By default, both directions are run, unless overridden by the
+        // operation.
+        if (operation != kDecrypt) {
+          SCOPED_TRACE("encrypt");
+          TestOperation(t, cipher, true /* encrypt */, copy, in_place,
+                        chunk_size, key, iv, plaintext, ciphertext, aad, tag);
+        }
 
-    if (operation != kEncrypt) {
-      SCOPED_TRACE("decrypt");
-      TestOperation(t, cipher, false /* decrypt */, chunk_size, key, iv,
-                    plaintext, ciphertext, aad, tag);
+        if (operation != kEncrypt) {
+          SCOPED_TRACE("decrypt");
+          TestOperation(t, cipher, false /* decrypt */, copy, in_place,
+                        chunk_size, key, iv, plaintext, ciphertext, aad, tag);
+        }
+      }
     }
   }
 }
@@ -285,3 +412,65 @@ TEST(CipherTest, CAVP_TDES_CBC) {
 TEST(CipherTest, CAVP_TDES_ECB) {
   FileTestGTest("crypto/cipher_extra/test/nist_cavp/tdes_ecb.txt", TestCipher);
 }
+
+TEST(CipherTest, WycheproofAESCBC) {
+  FileTestGTest(
+      "third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt",
+      [](FileTest *t) {
+        t->IgnoreInstruction("type");
+        t->IgnoreInstruction("ivSize");
+
+        std::string key_size;
+        ASSERT_TRUE(t->GetInstruction(&key_size, "keySize"));
+        const EVP_CIPHER *cipher;
+        switch (atoi(key_size.c_str())) {
+          case 128:
+            cipher = EVP_aes_128_cbc();
+            break;
+          case 192:
+            cipher = EVP_aes_192_cbc();
+            break;
+          case 256:
+            cipher = EVP_aes_256_cbc();
+            break;
+          default:
+            FAIL() << "Unsupported key size: " << key_size;
+        }
+
+        std::vector<uint8_t> key, iv, msg, ct;
+        ASSERT_TRUE(t->GetBytes(&key, "key"));
+        ASSERT_TRUE(t->GetBytes(&iv, "iv"));
+        ASSERT_TRUE(t->GetBytes(&msg, "msg"));
+        ASSERT_TRUE(t->GetBytes(&ct, "ct"));
+        ASSERT_EQ(EVP_CIPHER_key_length(cipher), key.size());
+        ASSERT_EQ(EVP_CIPHER_iv_length(cipher), iv.size());
+        WycheproofResult result;
+        ASSERT_TRUE(GetWycheproofResult(t, &result));
+
+        bssl::ScopedEVP_CIPHER_CTX ctx;
+        std::vector<uint8_t> out;
+        const std::vector<size_t> chunk_sizes = {
+            0, 1, 2, 5, 7, 8, 9, 15, 16, 17, 31, 32, 33, 63, 64, 65, 512};
+        for (size_t chunk : chunk_sizes) {
+          SCOPED_TRACE(chunk);
+          for (bool in_place : {false, true}) {
+            SCOPED_TRACE(in_place);
+            if (result.IsValid()) {
+              ASSERT_TRUE(EVP_DecryptInit_ex(ctx.get(), cipher, nullptr,
+                                             key.data(), iv.data()));
+              ASSERT_TRUE(DoCipher(ctx.get(), &out, ct, chunk, in_place));
+              EXPECT_EQ(Bytes(msg), Bytes(out));
+
+              ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), cipher, nullptr,
+                                             key.data(), iv.data()));
+              ASSERT_TRUE(DoCipher(ctx.get(), &out, msg, chunk, in_place));
+              EXPECT_EQ(Bytes(ct), Bytes(out));
+            } else {
+              ASSERT_TRUE(EVP_DecryptInit_ex(ctx.get(), cipher, nullptr,
+                                             key.data(), iv.data()));
+              EXPECT_FALSE(DoCipher(ctx.get(), &out, ct, chunk, in_place));
+            }
+          }
+        }
+      });
+}

crypto/cipher_extra/derive_key.c

@@ -86,7 +86,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
   EVP_MD_CTX_init(&c);
   for (;;) {
     if (!EVP_DigestInit_ex(&c, md, NULL)) {
-      return 0;
+      goto err;
     }
     if (addmd++) {
       if (!EVP_DigestUpdate(&c, md_buf, mds)) {

crypto/cipher_extra/e_aesccm.c

@@ -0,0 +1,447 @@
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ==================================================================== */
+
+#include <openssl/aead.h>
+
+#include <assert.h>
+
+#include <openssl/cpu.h>
+#include <openssl/cipher.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../fipsmodule/cipher/internal.h"
+
+
+struct ccm128_context {
+  block128_f block;
+  ctr128_f ctr;
+  unsigned M, L;
+};
+
+struct ccm128_state {
+  union {
+    uint64_t u[2];
+    uint8_t c[16];
+  } nonce, cmac;
+};
+
+static int CRYPTO_ccm128_init(struct ccm128_context *ctx, const AES_KEY *key,
+                              block128_f block, ctr128_f ctr, unsigned M,
+                              unsigned L) {
+  if (M < 4 || M > 16 || (M & 1) != 0 || L < 2 || L > 8) {
+    return 0;
+  }
+  ctx->block = block;
+  ctx->ctr = ctr;
+  ctx->M = M;
+  ctx->L = L;
+  return 1;
+}
+
+static size_t CRYPTO_ccm128_max_input(const struct ccm128_context *ctx) {
+  return ctx->L >= sizeof(size_t) ? (size_t)-1
+                                  : (((size_t)1) << (ctx->L * 8)) - 1;
+}
+
+static int ccm128_init_state(const struct ccm128_context *ctx,
+                             struct ccm128_state *state, const AES_KEY *key,
+                             const uint8_t *nonce, size_t nonce_len,
+                             const uint8_t *aad, size_t aad_len,
+                             size_t plaintext_len) {
+  const block128_f block = ctx->block;
+  const unsigned M = ctx->M;
+  const unsigned L = ctx->L;
+
+  // |L| determines the expected |nonce_len| and the limit for |plaintext_len|.
+  if (plaintext_len > CRYPTO_ccm128_max_input(ctx) ||
+      nonce_len != 15 - L) {
+    return 0;
+  }
+
+  // Assemble the first block for computing the MAC.
+  OPENSSL_memset(state, 0, sizeof(*state));
+  state->nonce.c[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3);
+  if (aad_len != 0) {
+    state->nonce.c[0] |= 0x40;  // Set AAD Flag
+  }
+  OPENSSL_memcpy(&state->nonce.c[1], nonce, nonce_len);
+  for (unsigned i = 0; i < L; i++) {
+    state->nonce.c[15 - i] = (uint8_t)(plaintext_len >> (8 * i));
+  }
+
+  (*block)(state->nonce.c, state->cmac.c, key);
+  size_t blocks = 1;
+
+  if (aad_len != 0) {
+    unsigned i;
+    // Cast to u64 to avoid the compiler complaining about invalid shifts.
+    uint64_t aad_len_u64 = aad_len;
+    if (aad_len_u64 < 0x10000 - 0x100) {
+      state->cmac.c[0] ^= (uint8_t)(aad_len_u64 >> 8);
+      state->cmac.c[1] ^= (uint8_t)aad_len_u64;
+      i = 2;
+    } else if (aad_len_u64 <= 0xffffffff) {
+      state->cmac.c[0] ^= 0xff;
+      state->cmac.c[1] ^= 0xfe;
+      state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 24);
+      state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 16);
+      state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 8);
+      state->cmac.c[5] ^= (uint8_t)aad_len_u64;
+      i = 6;
+    } else {
+      state->cmac.c[0] ^= 0xff;
+      state->cmac.c[1] ^= 0xff;
+      state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 56);
+      state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 48);
+      state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 40);
+      state->cmac.c[5] ^= (uint8_t)(aad_len_u64 >> 32);
+      state->cmac.c[6] ^= (uint8_t)(aad_len_u64 >> 24);
+      state->cmac.c[7] ^= (uint8_t)(aad_len_u64 >> 16);
+      state->cmac.c[8] ^= (uint8_t)(aad_len_u64 >> 8);
+      state->cmac.c[9] ^= (uint8_t)aad_len_u64;
+      i = 10;
+    }
+
+    do {
+      for (; i < 16 && aad_len != 0; i++) {
+        state->cmac.c[i] ^= *aad;
+        aad++;
+        aad_len--;
+      }
+      (*block)(state->cmac.c, state->cmac.c, key);
+      blocks++;
+      i = 0;
+    } while (aad_len != 0);
+  }
+
+  // Per RFC 3610, section 2.6, the total number of block cipher operations done
+  // must not exceed 2^61. There are two block cipher operations remaining per
+  // message block, plus one block at the end to encrypt the MAC.
+  size_t remaining_blocks = 2 * ((plaintext_len + 15) / 16) + 1;
+  if (plaintext_len + 15 < plaintext_len ||
+      remaining_blocks + blocks < blocks ||
+      (uint64_t) remaining_blocks + blocks > UINT64_C(1) << 61) {
+    return 0;
+  }
+
+  // Assemble the first block for encrypting and decrypting. The bottom |L|
+  // bytes are replaced with a counter and all bit the encoding of |L| is
+  // cleared in the first byte.
+  state->nonce.c[0] &= 7;
+  return 1;
+}
+
+static int ccm128_encrypt(const struct ccm128_context *ctx,
+                          struct ccm128_state *state, const AES_KEY *key,
+                          uint8_t *out, const uint8_t *in, size_t len) {
+  // The counter for encryption begins at one.
+  for (unsigned i = 0; i < ctx->L; i++) {
+    state->nonce.c[15 - i] = 0;
+  }
+  state->nonce.c[15] = 1;
+
+  uint8_t partial_buf[16];
+  unsigned num = 0;
+  if (ctx->ctr != NULL) {
+    CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce.c, partial_buf,
+                                &num, ctx->ctr);
+  } else {
+    CRYPTO_ctr128_encrypt(in, out, len, key, state->nonce.c, partial_buf, &num,
+                          ctx->block);
+  }
+  return 1;
+}
+
+static int ccm128_compute_mac(const struct ccm128_context *ctx,
+                              struct ccm128_state *state, const AES_KEY *key,
+                              uint8_t *out_tag, size_t tag_len,
+                              const uint8_t *in, size_t len) {
+  block128_f block = ctx->block;
+  if (tag_len != ctx->M) {
+    return 0;
+  }
+
+  // Incorporate |in| into the MAC.
+  union {
+    uint64_t u[2];
+    uint8_t c[16];
+  } tmp;
+  while (len >= 16) {
+    OPENSSL_memcpy(tmp.c, in, 16);
+    state->cmac.u[0] ^= tmp.u[0];
+    state->cmac.u[1] ^= tmp.u[1];
+    (*block)(state->cmac.c, state->cmac.c, key);
+    in += 16;
+    len -= 16;
+  }
+  if (len > 0) {
+    for (size_t i = 0; i < len; i++) {
+      state->cmac.c[i] ^= in[i];
+    }
+    (*block)(state->cmac.c, state->cmac.c, key);
+  }
+
+  // Encrypt the MAC with counter zero.
+  for (unsigned i = 0; i < ctx->L; i++) {
+    state->nonce.c[15 - i] = 0;
+  }
+  (*block)(state->nonce.c, tmp.c, key);
+  state->cmac.u[0] ^= tmp.u[0];
+  state->cmac.u[1] ^= tmp.u[1];
+
+  OPENSSL_memcpy(out_tag, state->cmac.c, tag_len);
+  return 1;
+}
+
+static int CRYPTO_ccm128_encrypt(const struct ccm128_context *ctx,
+                                 const AES_KEY *key, uint8_t *out,
+                                 uint8_t *out_tag, size_t tag_len,
+                                 const uint8_t *nonce, size_t nonce_len,
+                                 const uint8_t *in, size_t len,
+                                 const uint8_t *aad, size_t aad_len) {
+  struct ccm128_state state;
+  return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len,
+                           len) &&
+         ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, in, len) &&
+         ccm128_encrypt(ctx, &state, key, out, in, len);
+}
+
+static int CRYPTO_ccm128_decrypt(const struct ccm128_context *ctx,
+                                 const AES_KEY *key, uint8_t *out,
+                                 uint8_t *out_tag, size_t tag_len,
+                                 const uint8_t *nonce, size_t nonce_len,
+                                 const uint8_t *in, size_t len,
+                                 const uint8_t *aad, size_t aad_len) {
+  struct ccm128_state state;
+  return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len,
+                           len) &&
+         ccm128_encrypt(ctx, &state, key, out, in, len) &&
+         ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, out, len);
+}
+
+#define EVP_AEAD_AES_CCM_MAX_TAG_LEN 16
+
+struct aead_aes_ccm_ctx {
+  union {
+    double align;
+    AES_KEY ks;
+  } ks;
+  struct ccm128_context ccm;
+};
+
+OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
+                          sizeof(struct aead_aes_ccm_ctx),
+                      "AEAD state is too small");
+#if defined(__GNUC__) || defined(__clang__)
+OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
+                          alignof(struct aead_aes_ccm_ctx),
+                      "AEAD state has insufficient alignment");
+#endif
+
+static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                             size_t key_len, size_t tag_len, unsigned M,
+                             unsigned L) {
+  assert(M == EVP_AEAD_max_overhead(ctx->aead));
+  assert(M == EVP_AEAD_max_tag_len(ctx->aead));
+  assert(15 - L == EVP_AEAD_nonce_length(ctx->aead));
+
+  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
+    return 0;  // EVP_AEAD_CTX_init should catch this.
+  }
+
+  if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
+    tag_len = M;
+  }
+
+  if (tag_len != M) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
+    return 0;
+  }
+
+  struct aead_aes_ccm_ctx *ccm_ctx = (struct aead_aes_ccm_ctx *)&ctx->state;
+
+  block128_f block;
+  ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len);
+  ctx->tag_len = tag_len;
+  if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
+    OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+
+  return 1;
+}
+
+static void aead_aes_ccm_cleanup(EVP_AEAD_CTX *ctx) {}
+
+static int aead_aes_ccm_seal_scatter(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
+  const struct aead_aes_ccm_ctx *ccm_ctx =
+      (struct aead_aes_ccm_ctx *)&ctx->state;
+
+  if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
+    return 0;
+  }
+
+  if (max_out_tag_len < ctx->tag_len) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
+    return 0;
+  }
+
+  if (!CRYPTO_ccm128_encrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, out_tag,
+                             ctx->tag_len, nonce, nonce_len, in, in_len, ad,
+                             ad_len)) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
+    return 0;
+  }
+
+  *out_tag_len = ctx->tag_len;
+  return 1;
+}
+
+static int aead_aes_ccm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
+                                    const uint8_t *nonce, size_t nonce_len,
+                                    const uint8_t *in, size_t in_len,
+                                    const uint8_t *in_tag, size_t in_tag_len,
+                                    const uint8_t *ad, size_t ad_len) {
+  const struct aead_aes_ccm_ctx *ccm_ctx =
+      (struct aead_aes_ccm_ctx *)&ctx->state;
+
+  if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
+    return 0;
+  }
+
+  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
+    return 0;
+  }
+
+  if (in_tag_len != ctx->tag_len) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
+    return 0;
+  }
+
+  uint8_t tag[EVP_AEAD_AES_CCM_MAX_TAG_LEN];
+  assert(ctx->tag_len <= EVP_AEAD_AES_CCM_MAX_TAG_LEN);
+  if (!CRYPTO_ccm128_decrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, tag,
+                             ctx->tag_len, nonce, nonce_len, in, in_len, ad,
+                             ad_len)) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
+    return 0;
+  }
+
+  if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
+    return 0;
+  }
+
+  return 1;
+}
+
+static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                                       size_t key_len, size_t tag_len) {
+  return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2);
+}
+
+static const EVP_AEAD aead_aes_128_ccm_bluetooth = {
+    16,  // key length (AES-128)
+    13,  // nonce length
+    4,   // overhead
+    4,   // max tag length
+    0,   // seal_scatter_supports_extra_in
+
+    aead_aes_ccm_bluetooth_init,
+    NULL /* init_with_direction */,
+    aead_aes_ccm_cleanup,
+    NULL /* open */,
+    aead_aes_ccm_seal_scatter,
+    aead_aes_ccm_open_gather,
+    NULL /* get_iv */,
+    NULL /* tag_len */,
+};
+
+const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void) {
+  return &aead_aes_128_ccm_bluetooth;
+}
+
+static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                                         size_t key_len, size_t tag_len) {
+  return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2);
+}
+
+static const EVP_AEAD aead_aes_128_ccm_bluetooth_8 = {
+    16,  // key length (AES-128)
+    13,  // nonce length
+    8,   // overhead
+    8,   // max tag length
+    0,   // seal_scatter_supports_extra_in
+
+    aead_aes_ccm_bluetooth_8_init,
+    NULL /* init_with_direction */,
+    aead_aes_ccm_cleanup,
+    NULL /* open */,
+    aead_aes_ccm_seal_scatter,
+    aead_aes_ccm_open_gather,
+    NULL /* get_iv */,
+    NULL /* tag_len */,
+};
+
+const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void) {
+  return &aead_aes_128_ccm_bluetooth_8;
+}

crypto/cipher_extra/e_aesctrhmac.c

@@ -35,6 +35,15 @@ struct aead_aes_ctr_hmac_sha256_ctx {
   SHA256_CTX outer_init_state;
 };
 
+OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
+                          sizeof(struct aead_aes_ctr_hmac_sha256_ctx),
+                      "AEAD state is too small");
+#if defined(__GNUC__) || defined(__clang__)
+OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
+                          alignof(struct aead_aes_ctr_hmac_sha256_ctx),
+                      "AEAD state has insufficient alignment");
+#endif
+
 static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
                       const uint8_t hmac_key[32]) {
   static const size_t hmac_key_len = 32;
@@ -61,7 +70,8 @@ static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
 
 static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                          size_t key_len, size_t tag_len) {
-  struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx;
+  struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx =
+      (struct aead_aes_ctr_hmac_sha256_ctx *)&ctx->state;
   static const size_t hmac_key_len = 32;
 
   if (key_len < hmac_key_len) {
@@ -84,28 +94,16 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
     return 0;
   }
 
-  aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
-  if (aes_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
   aes_ctx->ctr =
       aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key, aes_key_len);
   ctx->tag_len = tag_len;
   hmac_init(&aes_ctx->inner_init_state, &aes_ctx->outer_init_state,
             key + aes_key_len);
 
-  ctx->aead_state = aes_ctx;
-
   return 1;
 }
 
-static void aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
-  OPENSSL_cleanse(aes_ctx, sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
-  OPENSSL_free(aes_ctx);
-}
+static void aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX *ctx) {}
 
 static void hmac_update_uint64(SHA256_CTX *sha256, uint64_t value) {
   unsigned i;
@@ -180,7 +178,8 @@ static int aead_aes_ctr_hmac_sha256_seal_scatter(
     size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
     size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
-  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx =
+      (struct aead_aes_ctr_hmac_sha256_ctx *) &ctx->state;
   const uint64_t in_len_64 = in_len;
 
   if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {
@@ -214,7 +213,8 @@ static int aead_aes_ctr_hmac_sha256_open_gather(
     const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
     size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
-  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx =
+      (struct aead_aes_ctr_hmac_sha256_ctx *) &ctx->state;
 
   if (in_tag_len != ctx->tag_len) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);

crypto/cipher_extra/e_aesgcmsiv.c

@@ -27,7 +27,11 @@
 #define EVP_AEAD_AES_GCM_SIV_NONCE_LEN 12
 #define EVP_AEAD_AES_GCM_SIV_TAG_LEN 16
 
-#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+// TODO(davidben): AES-GCM-SIV assembly is not correct for Windows. It must save
+// and restore xmm6 through xmm15.
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
+    !defined(OPENSSL_WINDOWS)
+#define AES_GCM_SIV_ASM
 
 // Optimised AES-GCM-SIV
 
@@ -36,15 +40,34 @@ struct aead_aes_gcm_siv_asm_ctx {
   int is_128_bit;
 };
 
+// The assembly code assumes 8-byte alignment of the EVP_AEAD_CTX's state, and
+// aligns to 16 bytes itself.
+OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) + 8 >=
+                          sizeof(struct aead_aes_gcm_siv_asm_ctx),
+                      "AEAD state is too small");
+#if defined(__GNUC__) || defined(__clang__)
+OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >= 8,
+                      "AEAD state has insufficient alignment");
+#endif
+
+// asm_ctx_from_ctx returns a 16-byte aligned context pointer from |ctx|.
+static struct aead_aes_gcm_siv_asm_ctx *asm_ctx_from_ctx(
+    const EVP_AEAD_CTX *ctx) {
+  // ctx->state must already be 8-byte aligned. Thus, at most, we may need to
+  // add eight to align it to 16 bytes.
+  const uintptr_t offset = ((uintptr_t)&ctx->state) & 8;
+  return (struct aead_aes_gcm_siv_asm_ctx *)(&ctx->state.opaque[offset]);
+}
+
 // aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
 // |out_expanded_key|.
 extern void aes128gcmsiv_aes_ks(
     const uint8_t key[16], uint8_t out_expanded_key[16*15]);
 
-// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
+// aes256gcmsiv_aes_ks writes an AES-256 key schedule for |key| to
 // |out_expanded_key|.
 extern void aes256gcmsiv_aes_ks(
-    const uint8_t key[16], uint8_t out_expanded_key[16*15]);
+    const uint8_t key[32], uint8_t out_expanded_key[16*15]);
 
 static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                      size_t key_len, size_t tag_len) {
@@ -64,13 +87,7 @@ static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
     return 0;
   }
 
-  struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx =
-      OPENSSL_malloc(sizeof(struct aead_aes_gcm_siv_asm_ctx));
-  if (gcm_siv_ctx == NULL) {
-    return 0;
-  }
-
-  // malloc should return a 16-byte-aligned address.
+  struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);
   assert((((uintptr_t)gcm_siv_ctx) & 15) == 0);
 
   if (key_bits == 128) {
@@ -80,17 +97,13 @@ static int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
     aes256gcmsiv_aes_ks(key, &gcm_siv_ctx->key[0]);
     gcm_siv_ctx->is_128_bit = 0;
   }
-  ctx->aead_state = gcm_siv_ctx;
+
   ctx->tag_len = tag_len;
 
   return 1;
 }
 
-static void aead_aes_gcm_siv_asm_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_aes_gcm_siv_asm_ctx *gcm_siv_asm_ctx = ctx->aead_state;
-  OPENSSL_cleanse(gcm_siv_asm_ctx, sizeof(struct aead_aes_gcm_siv_asm_ctx));
-  OPENSSL_free(gcm_siv_asm_ctx);
-}
+static void aead_aes_gcm_siv_asm_cleanup(EVP_AEAD_CTX *ctx) {}
 
 // aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to
 // include a number (|in_blocks|) of 16-byte blocks of data from |in|, given
@@ -330,7 +343,7 @@ static int aead_aes_gcm_siv_asm_seal_scatter(
     size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
     size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
-  const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = ctx->aead_state;
+  const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);
   const uint64_t in_len_64 = in_len;
   const uint64_t ad_len_64 = ad_len;
 
@@ -413,7 +426,12 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = ctx->aead_state;
+  if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    return 0;
+  }
+
+  const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);
   const size_t plaintext_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN;
   const uint8_t *const given_tag = in + plaintext_len;
 
@@ -540,7 +558,7 @@ static const EVP_AEAD aead_aes_256_gcm_siv_asm = {
     NULL /* tag_len */,
 };
 
-#endif  // X86_64 && !NO_ASM
+#endif  // X86_64 && !NO_ASM && !WINDOWS
 
 struct aead_aes_gcm_siv_ctx {
   union {
@@ -551,6 +569,15 @@ struct aead_aes_gcm_siv_ctx {
   unsigned is_256:1;
 };
 
+OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
+                          sizeof(struct aead_aes_gcm_siv_ctx),
+                      "AEAD state is too small");
+#if defined(__GNUC__) || defined(__clang__)
+OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
+                          alignof(struct aead_aes_gcm_siv_ctx),
+                      "AEAD state has insufficient alignment");
+#endif
+
 static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                  size_t key_len, size_t tag_len) {
   const size_t key_bits = key_len * 8;
@@ -569,26 +596,18 @@ static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
   }
 
   struct aead_aes_gcm_siv_ctx *gcm_siv_ctx =
-      OPENSSL_malloc(sizeof(struct aead_aes_gcm_siv_ctx));
-  if (gcm_siv_ctx == NULL) {
-    return 0;
-  }
+      (struct aead_aes_gcm_siv_ctx *)&ctx->state;
   OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));
 
   aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key,
                   key_len);
   gcm_siv_ctx->is_256 = (key_len == 32);
-  ctx->aead_state = gcm_siv_ctx;
   ctx->tag_len = tag_len;
 
   return 1;
 }
 
-static void aead_aes_gcm_siv_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
-  OPENSSL_cleanse(gcm_siv_ctx, sizeof(struct aead_aes_gcm_siv_ctx));
-  OPENSSL_free(gcm_siv_ctx);
-}
+static void aead_aes_gcm_siv_cleanup(EVP_AEAD_CTX *ctx) {}
 
 // gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from
 // |in| to |out|, using the block function |enc_block| with |key| in counter
@@ -704,6 +723,14 @@ static void gcm_siv_keys(
   }
 
   OPENSSL_memcpy(out_keys->auth_key, key_material, 16);
+  // Note the |ctr128_f| function uses a big-endian couner, while AES-GCM-SIV
+  // uses a little-endian counter. We ignore the return value and only use
+  // |block128_f|. This has a significant performance cost for the fallback
+  // bitsliced AES implementations (bsaes and aes_nohw).
+  //
+  // We currently do not consider AES-GCM-SIV to be performance-sensitive on
+  // client hardware. If this changes, we can write little-endian |ctr128_f|
+  // functions.
   aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,
                   key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16);
 }
@@ -713,7 +740,8 @@ static int aead_aes_gcm_siv_seal_scatter(
     size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
     size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
-  const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
+  const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx =
+      (struct aead_aes_gcm_siv_ctx *)&ctx->state;
   const uint64_t in_len_64 = in_len;
   const uint64_t ad_len_64 = ad_len;
 
@@ -773,7 +801,8 @@ static int aead_aes_gcm_siv_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
+  const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx =
+      (struct aead_aes_gcm_siv_ctx *)&ctx->state;
 
   struct gcm_siv_record_keys keys;
   gcm_siv_keys(gcm_siv_ctx, &keys, nonce);
@@ -826,7 +855,7 @@ static const EVP_AEAD aead_aes_256_gcm_siv = {
     NULL /* tag_len */,
 };
 
-#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+#if defined(AES_GCM_SIV_ASM)
 
 static char avx_aesni_capable(void) {
   const uint32_t ecx = OPENSSL_ia32cap_P[1];
@@ -859,4 +888,4 @@ const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) {
   return &aead_aes_256_gcm_siv;
 }
 
-#endif  // X86_64 && !NO_ASM
+#endif  // AES_GCM_SIV_ASM

crypto/cipher_extra/e_chacha20poly1305.c

@@ -26,6 +26,7 @@
 
 #include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
+#include "../chacha/internal.h"
 
 
 #define POLY1305_TAG_LEN 16
@@ -34,6 +35,15 @@ struct aead_chacha20_poly1305_ctx {
   uint8_t key[32];
 };
 
+OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
+                          sizeof(struct aead_chacha20_poly1305_ctx),
+                      "AEAD state is too small");
+#if defined(__GNUC__) || defined(__clang__)
+OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
+                          alignof(struct aead_chacha20_poly1305_ctx),
+                      "AEAD state has insufficient alignment");
+#endif
+
 // For convenience (the x86_64 calling convention allows only six parameters in
 // registers), the final parameter for the assembly functions is both an input
 // and output parameter.
@@ -68,9 +78,9 @@ static int asm_capable(void) {
   return sse41_capable;
 }
 
-OPENSSL_COMPILE_ASSERT(sizeof(union open_data) == 48, wrong_open_data_size);
-OPENSSL_COMPILE_ASSERT(sizeof(union seal_data) == 48 + 8 + 8,
-                       wrong_seal_data_size);
+OPENSSL_STATIC_ASSERT(sizeof(union open_data) == 48, "wrong open_data size");
+OPENSSL_STATIC_ASSERT(sizeof(union seal_data) == 48 + 8 + 8,
+                      "wrong seal_data size");
 
 // chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It decrypts
 // |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.
@@ -108,7 +118,8 @@ static void chacha20_poly1305_seal(uint8_t *out_ciphertext,
 
 static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                        size_t key_len, size_t tag_len) {
-  struct aead_chacha20_poly1305_ctx *c20_ctx;
+  struct aead_chacha20_poly1305_ctx *c20_ctx =
+      (struct aead_chacha20_poly1305_ctx *)&ctx->state;
 
   if (tag_len == 0) {
     tag_len = POLY1305_TAG_LEN;
@@ -123,23 +134,13 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
     return 0;  // internal error - EVP_AEAD_CTX_init should catch this.
   }
 
-  c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
-  if (c20_ctx == NULL) {
-    return 0;
-  }
-
   OPENSSL_memcpy(c20_ctx->key, key, key_len);
-  ctx->aead_state = c20_ctx;
   ctx->tag_len = tag_len;
 
   return 1;
 }
 
-static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
-  OPENSSL_free(c20_ctx);
-}
+static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {}
 
 static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
   uint8_t length_bytes[8];
@@ -153,16 +154,15 @@ static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
 }
 
 // calc_tag fills |tag| with the authentication tag for the given inputs.
-static void calc_tag(uint8_t tag[POLY1305_TAG_LEN],
-                     const struct aead_chacha20_poly1305_ctx *c20_ctx,
+static void calc_tag(uint8_t tag[POLY1305_TAG_LEN], const uint8_t *key,
                      const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
                      const uint8_t *ciphertext, size_t ciphertext_len,
                      const uint8_t *ciphertext_extra,
                      size_t ciphertext_extra_len) {
   alignas(16) uint8_t poly1305_key[32];
   OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
-  CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
-                   c20_ctx->key, nonce, 0);
+  CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, nonce,
+                   0);
 
   static const uint8_t padding[16] = { 0 };  // Padding is all zeros.
   poly1305_state ctx;
@@ -183,18 +183,16 @@ static void calc_tag(uint8_t tag[POLY1305_TAG_LEN],
   CRYPTO_poly1305_finish(&ctx, tag);
 }
 
-static int aead_chacha20_poly1305_seal_scatter(
-    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+static int chacha20_poly1305_seal_scatter(
+    const uint8_t *key, uint8_t *out, uint8_t *out_tag,
     size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
-    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
-  const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-
-  if (extra_in_len + ctx->tag_len < ctx->tag_len) {
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
+  if (extra_in_len + tag_len < tag_len) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
     return 0;
   }
-  if (max_out_tag_len < ctx->tag_len + extra_in_len) {
+  if (max_out_tag_len < tag_len + extra_in_len) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
     return 0;
   }
@@ -215,7 +213,7 @@ static int aead_chacha20_poly1305_seal_scatter(
     return 0;
   }
 
-  if (max_out_tag_len < ctx->tag_len) {
+  if (max_out_tag_len < tag_len) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
     return 0;
   }
@@ -230,7 +228,7 @@ static int aead_chacha20_poly1305_seal_scatter(
 
     for (size_t done = 0; done < extra_in_len; block_counter++) {
       memset(block, 0, sizeof(block));
-      CRYPTO_chacha_20(block, block, sizeof(block), c20_ctx->key, nonce,
+      CRYPTO_chacha_20(block, block, sizeof(block), key, nonce,
                        block_counter);
       for (size_t i = offset; i < sizeof(block) && done < extra_in_len;
            i++, done++) {
@@ -242,35 +240,71 @@ static int aead_chacha20_poly1305_seal_scatter(
 
   union seal_data data;
   if (asm_capable()) {
-    OPENSSL_memcpy(data.in.key, c20_ctx->key, 32);
+    OPENSSL_memcpy(data.in.key, key, 32);
     data.in.counter = 0;
     OPENSSL_memcpy(data.in.nonce, nonce, 12);
     data.in.extra_ciphertext = out_tag;
     data.in.extra_ciphertext_len = extra_in_len;
     chacha20_poly1305_seal(out, in, in_len, ad, ad_len, &data);
   } else {
-    CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
-    calc_tag(data.out.tag, c20_ctx, nonce, ad, ad_len, out, in_len, out_tag,
+    CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
+    calc_tag(data.out.tag, key, nonce, ad, ad_len, out, in_len, out_tag,
              extra_in_len);
   }
 
-  OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, ctx->tag_len);
-  *out_tag_len = extra_in_len + ctx->tag_len;
+  OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, tag_len);
+  *out_tag_len = extra_in_len + tag_len;
   return 1;
 }
 
-static int aead_chacha20_poly1305_open_gather(
-    const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
-    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
-    size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
-  const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
+static int aead_chacha20_poly1305_seal_scatter(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
+  const struct aead_chacha20_poly1305_ctx *c20_ctx =
+      (struct aead_chacha20_poly1305_ctx *)&ctx->state;
 
+  return chacha20_poly1305_seal_scatter(
+      c20_ctx->key, out, out_tag, out_tag_len, max_out_tag_len, nonce,
+      nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);
+}
+
+static int aead_xchacha20_poly1305_seal_scatter(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
+    size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+    size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
+  const struct aead_chacha20_poly1305_ctx *c20_ctx =
+      (struct aead_chacha20_poly1305_ctx *)&ctx->state;
+
+  if (nonce_len != 24) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    return 0;
+  }
+
+  alignas(4) uint8_t derived_key[32];
+  alignas(4) uint8_t derived_nonce[12];
+  CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
+  OPENSSL_memset(derived_nonce, 0, 4);
+  OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
+
+  return chacha20_poly1305_seal_scatter(
+      derived_key, out, out_tag, out_tag_len, max_out_tag_len,
+      derived_nonce, sizeof(derived_nonce), in, in_len, extra_in, extra_in_len,
+      ad, ad_len, ctx->tag_len);
+}
+
+static int chacha20_poly1305_open_gather(
+    const uint8_t *key, uint8_t *out, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
+    size_t in_tag_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
   if (nonce_len != 12) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
     return 0;
   }
 
-  if (in_tag_len != ctx->tag_len) {
+  if (in_tag_len != tag_len) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
     return 0;
   }
@@ -289,16 +323,16 @@ static int aead_chacha20_poly1305_open_gather(
 
   union open_data data;
   if (asm_capable()) {
-    OPENSSL_memcpy(data.in.key, c20_ctx->key, 32);
+    OPENSSL_memcpy(data.in.key, key, 32);
     data.in.counter = 0;
     OPENSSL_memcpy(data.in.nonce, nonce, 12);
     chacha20_poly1305_open(out, in, in_len, ad, ad_len, &data);
   } else {
-    calc_tag(data.out.tag, c20_ctx, nonce, ad, ad_len, in, in_len, NULL, 0);
-    CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
+    calc_tag(data.out.tag, key, nonce, ad, ad_len, in, in_len, NULL, 0);
+    CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
   }
 
-  if (CRYPTO_memcmp(data.out.tag, in_tag, ctx->tag_len) != 0) {
+  if (CRYPTO_memcmp(data.out.tag, in_tag, tag_len) != 0) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
     return 0;
   }
@@ -306,6 +340,41 @@ static int aead_chacha20_poly1305_open_gather(
   return 1;
 }
 
+static int aead_chacha20_poly1305_open_gather(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
+    size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
+  const struct aead_chacha20_poly1305_ctx *c20_ctx =
+      (struct aead_chacha20_poly1305_ctx *)&ctx->state;
+
+  return chacha20_poly1305_open_gather(c20_ctx->key, out, nonce, nonce_len, in,
+                                       in_len, in_tag, in_tag_len, ad, ad_len,
+                                       ctx->tag_len);
+}
+
+static int aead_xchacha20_poly1305_open_gather(
+    const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
+    size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
+    size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
+  const struct aead_chacha20_poly1305_ctx *c20_ctx =
+      (struct aead_chacha20_poly1305_ctx *)&ctx->state;
+
+  if (nonce_len != 24) {
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    return 0;
+  }
+
+  alignas(4) uint8_t derived_key[32];
+  alignas(4) uint8_t derived_nonce[12];
+  CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
+  OPENSSL_memset(derived_nonce, 0, 4);
+  OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
+
+  return chacha20_poly1305_open_gather(
+      derived_key, out, derived_nonce, sizeof(derived_nonce), in, in_len,
+      in_tag, in_tag_len, ad, ad_len, ctx->tag_len);
+}
+
 static const EVP_AEAD aead_chacha20_poly1305 = {
     32,                // key len
     12,                // nonce len
@@ -323,6 +392,27 @@ static const EVP_AEAD aead_chacha20_poly1305 = {
     NULL,  // tag_len
 };
 
+static const EVP_AEAD aead_xchacha20_poly1305 = {
+    32,                // key len
+    24,                // nonce len
+    POLY1305_TAG_LEN,  // overhead
+    POLY1305_TAG_LEN,  // max tag length
+    1,                 // seal_scatter_supports_extra_in
+
+    aead_chacha20_poly1305_init,
+    NULL,  // init_with_direction
+    aead_chacha20_poly1305_cleanup,
+    NULL /* open */,
+    aead_xchacha20_poly1305_seal_scatter,
+    aead_xchacha20_poly1305_open_gather,
+    NULL,  // get_iv
+    NULL,  // tag_len
+};
+
 const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
   return &aead_chacha20_poly1305;
 }
+
+const EVP_AEAD *EVP_aead_xchacha20_poly1305(void) {
+  return &aead_xchacha20_poly1305;
+}

crypto/cipher_extra/e_rc2.c

@@ -57,6 +57,8 @@
 #include <openssl/cipher.h>
 #include <openssl/nid.h>
 
+#include "../internal.h"
+
 
 #define c2l(c, l)                         \
   do {                                    \
@@ -73,18 +75,25 @@
     switch (n) {                               \
       case 8:                                  \
         (l2) = ((uint32_t)(*(--(c)))) << 24L;  \
+        OPENSSL_FALLTHROUGH;                   \
       case 7:                                  \
         (l2) |= ((uint32_t)(*(--(c)))) << 16L; \
+        OPENSSL_FALLTHROUGH;                   \
       case 6:                                  \
         (l2) |= ((uint32_t)(*(--(c)))) << 8L;  \
+        OPENSSL_FALLTHROUGH;                   \
       case 5:                                  \
         (l2) |= ((uint32_t)(*(--(c))));        \
+        OPENSSL_FALLTHROUGH;                   \
       case 4:                                  \
         (l1) = ((uint32_t)(*(--(c)))) << 24L;  \
+        OPENSSL_FALLTHROUGH;                   \
       case 3:                                  \
         (l1) |= ((uint32_t)(*(--(c)))) << 16L; \
+        OPENSSL_FALLTHROUGH;                   \
       case 2:                                  \
         (l1) |= ((uint32_t)(*(--(c)))) << 8L;  \
+        OPENSSL_FALLTHROUGH;                   \
       case 1:                                  \
         (l1) |= ((uint32_t)(*(--(c))));        \
     }                                          \
@@ -104,18 +113,25 @@
     switch (n) {                                    \
       case 8:                                       \
         *(--(c)) = (uint8_t)(((l2) >> 24L) & 0xff); \
+        OPENSSL_FALLTHROUGH;                        \
       case 7:                                       \
         *(--(c)) = (uint8_t)(((l2) >> 16L) & 0xff); \
+        OPENSSL_FALLTHROUGH;                        \
       case 6:                                       \
         *(--(c)) = (uint8_t)(((l2) >> 8L) & 0xff);  \
+        OPENSSL_FALLTHROUGH;                        \
       case 5:                                       \
         *(--(c)) = (uint8_t)(((l2)) & 0xff);        \
+        OPENSSL_FALLTHROUGH;                        \
       case 4:                                       \
         *(--(c)) = (uint8_t)(((l1) >> 24L) & 0xff); \
+        OPENSSL_FALLTHROUGH;                        \
       case 3:                                       \
         *(--(c)) = (uint8_t)(((l1) >> 16L) & 0xff); \
+        OPENSSL_FALLTHROUGH;                        \
       case 2:                                       \
         *(--(c)) = (uint8_t)(((l1) >> 8L) & 0xff);  \
+        OPENSSL_FALLTHROUGH;                        \
       case 1:                                       \
         *(--(c)) = (uint8_t)(((l1)) & 0xff);        \
     }                                               \

crypto/cipher_extra/e_ssl3.c

@@ -1,460 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <assert.h>
-#include <limits.h>
-#include <string.h>
-
-#include <openssl/aead.h>
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-#include <openssl/hmac.h>
-#include <openssl/md5.h>
-#include <openssl/mem.h>
-#include <openssl/sha.h>
-
-#include "internal.h"
-#include "../internal.h"
-#include "../fipsmodule/cipher/internal.h"
-
-
-typedef struct {
-  EVP_CIPHER_CTX cipher_ctx;
-  EVP_MD_CTX md_ctx;
-} AEAD_SSL3_CTX;
-
-static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
-                    const uint8_t *ad, size_t ad_len, const uint8_t *in,
-                    size_t in_len) {
-  size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
-  size_t pad_len = (md_size == 20) ? 40 : 48;
-
-  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
-  // length for legacy ciphers.
-  uint8_t ad_extra[2];
-  ad_extra[0] = (uint8_t)(in_len >> 8);
-  ad_extra[1] = (uint8_t)(in_len & 0xff);
-
-  EVP_MD_CTX md_ctx;
-  EVP_MD_CTX_init(&md_ctx);
-
-  uint8_t pad[48];
-  uint8_t tmp[EVP_MAX_MD_SIZE];
-  OPENSSL_memset(pad, 0x36, pad_len);
-  if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
-      !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
-      !EVP_DigestUpdate(&md_ctx, ad, ad_len) ||
-      !EVP_DigestUpdate(&md_ctx, ad_extra, sizeof(ad_extra)) ||
-      !EVP_DigestUpdate(&md_ctx, in, in_len) ||
-      !EVP_DigestFinal_ex(&md_ctx, tmp, NULL)) {
-    EVP_MD_CTX_cleanup(&md_ctx);
-    return 0;
-  }
-
-  OPENSSL_memset(pad, 0x5c, pad_len);
-  if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
-      !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
-      !EVP_DigestUpdate(&md_ctx, tmp, md_size) ||
-      !EVP_DigestFinal_ex(&md_ctx, out, out_len)) {
-    EVP_MD_CTX_cleanup(&md_ctx);
-    return 0;
-  }
-  EVP_MD_CTX_cleanup(&md_ctx);
-  return 1;
-}
-
-static void aead_ssl3_cleanup(EVP_AEAD_CTX *ctx) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  EVP_CIPHER_CTX_cleanup(&ssl3_ctx->cipher_ctx);
-  EVP_MD_CTX_cleanup(&ssl3_ctx->md_ctx);
-  OPENSSL_free(ssl3_ctx);
-  ctx->aead_state = NULL;
-}
-
-static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
-                          size_t tag_len, enum evp_aead_direction_t dir,
-                          const EVP_CIPHER *cipher, const EVP_MD *md) {
-  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
-      tag_len != EVP_MD_size(md)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
-    return 0;
-  }
-
-  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0;
-  }
-
-  size_t mac_key_len = EVP_MD_size(md);
-  size_t enc_key_len = EVP_CIPHER_key_length(cipher);
-  assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len);
-
-  AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX));
-  if (ssl3_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx);
-  EVP_MD_CTX_init(&ssl3_ctx->md_ctx);
-
-  ctx->aead_state = ssl3_ctx;
-  if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
-                         &key[mac_key_len + enc_key_len],
-                         dir == evp_aead_seal) ||
-      !EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) ||
-      !EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) {
-    aead_ssl3_cleanup(ctx);
-    ctx->aead_state = NULL;
-    return 0;
-  }
-  EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0);
-
-  return 1;
-}
-
-static size_t aead_ssl3_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
-                                const size_t extra_in_len) {
-  assert(extra_in_len == 0);
-  const AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX*)ctx->aead_state;
-
-  const size_t digest_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
-  if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {
-    // The NULL cipher.
-    return digest_len;
-  }
-
-  const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
-  // An overflow of |in_len + digest_len| doesn't affect the result mod
-  // |block_size|, provided that |block_size| is a smaller power of two.
-  assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
-  const size_t pad_len = block_size - ((in_len + digest_len) % block_size);
-  return digest_len + pad_len;
-}
-
-static int aead_ssl3_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                  uint8_t *out_tag, size_t *out_tag_len,
-                                  const size_t max_out_tag_len,
-                                  const uint8_t *nonce, const size_t nonce_len,
-                                  const uint8_t *in, const size_t in_len,
-                                  const uint8_t *extra_in,
-                                  const size_t extra_in_len, const uint8_t *ad,
-                                  const size_t ad_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-
-  if (!ssl3_ctx->cipher_ctx.encrypt) {
-    // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  if (in_len > INT_MAX) {
-    // EVP_CIPHER takes int as input.
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (max_out_tag_len < aead_ssl3_tag_len(ctx, in_len, extra_in_len)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);
-    return 0;
-  }
-
-  if (ad_len != 11 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  // Compute the MAC. This must be first in case the operation is being done
-  // in-place.
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  unsigned mac_len;
-  if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {
-    return 0;
-  }
-
-  // Encrypt the input.
-  int len;
-  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,
-                         (int)in_len)) {
-    return 0;
-  }
-
-  const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
-
-  // Feed the MAC into the cipher in two steps. First complete the final partial
-  // block from encrypting the input and split the result between |out| and
-  // |out_tag|. Then encrypt the remainder.
-
-  size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
-  if (early_mac_len != 0) {
-    assert(len + block_size - early_mac_len == in_len);
-    uint8_t buf[EVP_MAX_BLOCK_LENGTH];
-    int buf_len;
-    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, buf, &buf_len, mac,
-                           (int)early_mac_len)) {
-      return 0;
-    }
-    assert(buf_len == (int)block_size);
-    OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
-    OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
-  }
-  size_t tag_len = early_mac_len;
-
-  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len,
-                         mac + tag_len, mac_len - tag_len)) {
-    return 0;
-  }
-  tag_len += len;
-
-  if (block_size > 1) {
-    assert(block_size <= 256);
-    assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
-
-    // Compute padding and feed that into the cipher.
-    uint8_t padding[256];
-    size_t padding_len = block_size - ((in_len + mac_len) % block_size);
-    OPENSSL_memset(padding, 0, padding_len - 1);
-    padding[padding_len - 1] = padding_len - 1;
-    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len, padding,
-                           (int)padding_len)) {
-      return 0;
-    }
-    tag_len += len;
-  }
-
-  if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len)) {
-    return 0;
-  }
-  tag_len += len;
-  assert(tag_len == aead_ssl3_tag_len(ctx, in_len, extra_in_len));
-
-  *out_tag_len = tag_len;
-  return 1;
-}
-
-static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-
-  if (ssl3_ctx->cipher_ctx.encrypt) {
-    // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
-  if (in_len < mac_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  if (max_out_len < in_len) {
-    // This requires that the caller provide space for the MAC, even though it
-    // will always be removed on return.
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (ad_len != 11 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  if (in_len > INT_MAX) {
-    // EVP_CIPHER takes int as input.
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  // Decrypt to get the plaintext + MAC + padding.
-  size_t total = 0;
-  int len;
-  if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
-    return 0;
-  }
-  total += len;
-  if (!EVP_DecryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-  assert(total == in_len);
-
-  // Remove CBC padding and MAC. This would normally be timing-sensitive, but
-  // SSLv3 CBC ciphers are already broken. Support will be removed eventually.
-  // https://www.openssl.org/~bodo/ssl-poodle.pdf
-  size_t data_len;
-  if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
-    unsigned padding_length = out[total - 1];
-    if (total < padding_length + 1 + mac_len) {
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-    // The padding must be minimal.
-    if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-    data_len = total - padding_length - 1 - mac_len;
-  } else {
-    data_len = total - mac_len;
-  }
-
-  // Compute the MAC and compare against the one in the record.
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {
-    return 0;
-  }
-  if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  *out_len = data_len;
-  return 1;
-}
-
-static int aead_ssl3_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                            size_t *out_iv_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  const size_t iv_len = EVP_CIPHER_CTX_iv_length(&ssl3_ctx->cipher_ctx);
-  if (iv_len <= 1) {
-    return 0;
-  }
-
-  *out_iv = ssl3_ctx->cipher_ctx.iv;
-  *out_iv_len = iv_len;
-  return 1;
-}
-
-static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                           size_t key_len, size_t tag_len,
-                                           enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                        EVP_sha1());
-}
-
-static int aead_aes_256_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                           size_t key_len, size_t tag_len,
-                                           enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                        EVP_sha1());
-}
-static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
-                        EVP_sha1());
-}
-
-static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                    size_t key_len, size_t tag_len,
-                                    enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
-                        EVP_sha1());
-}
-
-static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 16 + 16,  // key len (SHA1 + AES128 + IV)
-    0,                            // nonce len
-    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
-    SHA_DIGEST_LENGTH,            // max tag length
-    0,                            // seal_scatter_supports_extra_in
-
-    NULL,  // init
-    aead_aes_128_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_open,
-    aead_ssl3_seal_scatter,
-    NULL,  // open_gather
-    aead_ssl3_get_iv,
-    aead_ssl3_tag_len,
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 32 + 16,  // key len (SHA1 + AES256 + IV)
-    0,                            // nonce len
-    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
-    SHA_DIGEST_LENGTH,            // max tag length
-    0,                            // seal_scatter_supports_extra_in
-
-    NULL,  // init
-    aead_aes_256_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_open,
-    aead_ssl3_seal_scatter,
-    NULL,  // open_gather
-    aead_ssl3_get_iv,
-    aead_ssl3_tag_len,
-};
-
-static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 24 + 8,  // key len (SHA1 + 3DES + IV)
-    0,                           // nonce len
-    8 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
-    SHA_DIGEST_LENGTH,           // max tag length
-    0,                           // seal_scatter_supports_extra_in
-
-    NULL,  // init
-    aead_des_ede3_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_open,
-    aead_ssl3_seal_scatter,
-    NULL,  // open_gather
-    aead_ssl3_get_iv,
-    aead_ssl3_tag_len,
-};
-
-static const EVP_AEAD aead_null_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH,  // key len
-    0,                  // nonce len
-    SHA_DIGEST_LENGTH,  // overhead (SHA1)
-    SHA_DIGEST_LENGTH,  // max tag length
-    0,                  // seal_scatter_supports_extra_in
-
-    NULL,  // init
-    aead_null_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_open,
-    aead_ssl3_seal_scatter,
-    NULL,  // open_gather
-    NULL,  // get_iv
-    aead_ssl3_tag_len,
-};
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) {
-  return &aead_aes_128_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) {
-  return &aead_aes_256_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) {
-  return &aead_des_ede3_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_null_sha1_ssl3(void) { return &aead_null_sha1_ssl3; }

crypto/cipher_extra/e_tls.c

@@ -42,15 +42,22 @@ typedef struct {
   char implicit_iv;
 } AEAD_TLS_CTX;
 
-OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE < 256, mac_key_len_fits_in_uint8_t);
+OPENSSL_STATIC_ASSERT(EVP_MAX_MD_SIZE < 256,
+                      "mac_key_len does not fit in uint8_t");
+
+OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
+                          sizeof(AEAD_TLS_CTX),
+                      "AEAD state is too small");
+#if defined(__GNUC__) || defined(__clang__)
+OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
+                          alignof(AEAD_TLS_CTX),
+                      "AEAD state has insufficient alignment");
+#endif
 
 static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
+  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
   EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
   HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
-  OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));
-  OPENSSL_free(tls_ctx);
-  ctx->aead_state = NULL;
 }
 
 static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
@@ -73,11 +80,7 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   assert(mac_key_len + enc_key_len +
          (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
 
-  AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX));
-  if (tls_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
+  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
   EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
   HMAC_CTX_init(&tls_ctx->hmac_ctx);
   assert(mac_key_len <= EVP_MAX_MD_SIZE);
@@ -85,13 +88,11 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   tls_ctx->mac_key_len = (uint8_t)mac_key_len;
   tls_ctx->implicit_iv = implicit_iv;
 
-  ctx->aead_state = tls_ctx;
   if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
                          implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,
                          dir == evp_aead_seal) ||
       !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
     aead_tls_cleanup(ctx);
-    ctx->aead_state = NULL;
     return 0;
   }
   EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
@@ -102,7 +103,7 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
 static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
                                const size_t extra_in_len) {
   assert(extra_in_len == 0);
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
+  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
 
   const size_t hmac_len = HMAC_size(&tls_ctx->hmac_ctx);
   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {
@@ -126,7 +127,7 @@ static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
                                  const uint8_t *extra_in,
                                  const size_t extra_in_len, const uint8_t *ad,
                                  const size_t ad_len) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
+  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
 
   if (!tls_ctx->cipher_ctx.encrypt) {
     // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
@@ -192,8 +193,7 @@ static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
   // block from encrypting the input and split the result between |out| and
   // |out_tag|. Then feed the rest.
 
-  const size_t early_mac_len =
-      (block_size - (in_len % block_size) % block_size);
+  const size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
   if (early_mac_len != 0) {
     assert(len + block_size - early_mac_len == in_len);
     uint8_t buf[EVP_MAX_BLOCK_LENGTH];
@@ -243,7 +243,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
                          size_t max_out_len, const uint8_t *nonce,
                          size_t nonce_len, const uint8_t *in, size_t in_len,
                          const uint8_t *ad, size_t ad_len) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
+  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
 
   if (tls_ctx->cipher_ctx.encrypt) {
     // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
@@ -299,6 +299,8 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
   total += len;
   assert(total == in_len);
 
+  CONSTTIME_SECRET(out, total);
+
   // Remove CBC padding. Code from here on is timing-sensitive with respect to
   // |padding_ok| and |data_plus_mac_len| for CBC ciphers.
   size_t data_plus_mac_len;
@@ -375,11 +377,15 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
   crypto_word_t good =
       constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
   good &= padding_ok;
+  CONSTTIME_DECLASSIFY(&good, sizeof(good));
   if (!good) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
     return 0;
   }
 
+  CONSTTIME_DECLASSIFY(&data_len, sizeof(data_len));
+  CONSTTIME_DECLASSIFY(out, data_len);
+
   // End of timing-sensitive code.
 
   *out_len = data_len;
@@ -455,7 +461,7 @@ static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
 
 static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
                            size_t *out_iv_len) {
-  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;
+  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
   const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx);
   if (iv_len <= 1) {
     return 0;

crypto/cipher_extra/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt

@@ -42,14 +42,707 @@ TAG_LEN: 20
 NO_SEAL: 01
 FAILS: 01
 
-# Test with maximal padding.
-# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
-KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+# Test with maximal padding (0 mod 64).
+# DIGEST: ceb2d295bd0efd37c6c34dab1854c80e986174fc
+KEY: 37446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
 NONCE: 
-IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
-AD: 1df3f4183aa23fd8d7efd8
-CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f2710974350a2a38a13b0434d312
-TAG: ead153f0c9488b88357e81187178465d2416ca97dbf7460c9519ed9957d9e74e62950447e49dd233e9c504876a90fa79273e597ed751da4f32a2c60cecbfb6641ca2e8938774cbc324affa9bb027d219730d57ca1981e87d0dcd0551618493f79ff8c0366383e0698a009bd976c63f089a8b901b5a08fabf0d3f798c349743634d5dd35a2195cf0b74b67d36d65be1aa920831906acbc57cd880964ec948e9c11614104721efb62a47600ee968418b1d197c3ce6ba6246d5ac1f07819f67c2cb3ca5162aedd354e2314d65d5e863964db421846da7603b9f11c503966834ed501885763da3e89a59f89f1e31f78111324b79637dd3b6aeeb71ccf2557f9725b86dd13088ce257cd6ea71706ff8ec9036f56d76c4
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba
+AD: 2fd6773e0d0c302a5f47e0
+CT: 2840fb36bc8e03c59de49315bd8a6e091f41fb020cdb174ed0ab84fab8f94c14e840fd37fc13f48490c2d2ffd4efeb4da8d98840f6ee5af812bcbbeeb7f2992b
+TAG: a767b9c80eb4ab9270c0c08d6adc1bf56245929a79a4511a8a4ccd2c996611a0154c8101217b46b049331d3109a42093f223a8224e11fcecee906b2ef52e5650da0498e3f832101b7ef66fdbcef302f362e570e5e42d5dbc33d0d662913c78a8caf3a9e2e22949cf6d212efee4d9dc8d03fd6a00d41f3073c4b73149e8bf05d23b2dd88aab1c87ac948a3f96be79c52efe9488ceb9a1c5511b441a6ba4204beaf339539ff9b4443000b5b7c00261c663be3087c395ee448e724d1cfcbe10e15ccddcf50378fef972fa3aca38fdb1d131f1bc7ce166f4476a008883292f8422cc668e1c8e0cd53cb25a64324d187b14143563d8d1af9371602a068da959c587cd6a383d1ffc74190c0499b2d71390cdcf
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (1 mod 64).
+# DIGEST: a07054c760cc66fc704edf950201005031f3faac
+KEY: 446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be1
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2f
+AD: d6773e0d0c302a5f47e037
+CT: 2e7e6cd84e03e35d8977c9e1d4ce6784c4db3a87fa1b82e6f781e284e0d3914eb56acdde0374eed6283cc10e1f329821fefbf888dfc8fb42fa574cb64df6d88d2d
+TAG: 80503493bfa3c2cd3817bb145fc579ebe050bf0e6310a29c9e1a7e98371833a25bea5c82bb6128cba6e27e7e796b49b49cd55ad123f90aade4d76a636104e5a4f6fc9c92997c0706d709145b208523c0c890394fcec38507fa0bad3d24fdc921416501e5c9b6964db81572bb933b67c4b5bb2070ad5068069592d35902ab93bad8d5121fe15bbb2bd27ad946a21f2ecd7e95c7f4c63ddd00589ac304d638307e798d9a55bfde231f5bd8a8f89cfae591b0234662647c3b42278f4157c4fb44fcc51862bbb2f03273f680d6dccee49b51bb4b881e5a1768dbc537e67073b796047fbce6f90eb54776d9f0237978f129af7efd4a3f380547e883d9976b38819acf9e0411769fc6898eaeca53f5def25f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (2 mod 64).
+# DIGEST: d059c266cf6233af730b7a229b19356a4c6fcf06
+KEY: 6f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+AD: 773e0d0c302a5f47e03744
+CT: be77b79780ae8ccda54d5f995f7c1beee8ac61735285e34d9dd137058555e723daeafe392773f428ec528a14c2f52a86365c4929d98d4504c669db1d984e2f84f7bf
+TAG: 24836360777dbacbbcea10d08e3d975a0bd32669871000178d167a1e40a6723b7c47ebd32e5df52cc4e0ee5459b355f285a0a93bd9fd016642221a335a2f09a4635f71d8575bdd081caa14b083aed01444df63e5cb01377b8a3ac31006c92621a894b71d50c85964234a5aae094a931e5456416236001f46d771767aee47f6b7c3493fc10b9f392dd629852623c1ff6f1e7dd3346d1aabd132301fa16ce88017fe3ca394d1c685942f1ed7b37f84a25682142b02ce138ae9b21c85db410cc3c266f6a490ffdaa0ce95e8b1f2da7f6e6ddda2d4570dc5619605fca903e47eb62d7419dfe49f354ac18762abbdfe5431a863b6f7371731ebb09ab41aba79e41be8603060fe921e4dc8b7f422392640
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (3 mod 64).
+# DIGEST: 8aac0687e33041fcc18da154b41f20a6af2bfb28
+KEY: 5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a7
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd677
+AD: 3e0d0c302a5f47e037446f
+CT: 82aba2e22933737ef55346865375b574f24066eabe39fb800ec790df3ad05f85a760332e8a1d45e7b0c2d969ac5689505510fe035db4ac1c5a8a01a6f6ac00ad3d8344
+TAG: 090114b0a31c301edc2bed8e25298d4f913558ce3f6f607b0fce5f9e7b1c953601ce9890f0d8e8d6a71c5ccc4e0aab08942628d21f467bfbfc4996863e8fd296b7ce153568999980ac2980ca68b16c0b2edfe5efcfff121a7e4dfc8dd9387442c4847f7c572f668aa990334dc50a54480f673c338f1ea9c81cfb9d482f6e4ae163e412108ad5775aefe89173229efd58a0f56b411008f87e3aa307413779538057f5d846a1586920b1448b4fda27b65647b946bd5b7950a5e3e37ccca55b359b4726e26fc3d168a9e8bef56c1a61fcb2b55cca61bac0123190572c939584ffae1e913b82bbd8057f302a900d2a1a7ed1ab4a1b7c8c5cd56fc472d69d013bb897ea3d72d299da0df5fcc7a745dc
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (4 mod 64).
+# DIGEST: 53658226c112b86438dd27b58a71f9e36fc73c1e
+KEY: 91d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a729
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+AD: 0d0c302a5f47e037446f58
+CT: 3eceac2e338b4dfd9f4840d77db69ed23ee286b522cd4a324b04b1865cc772914c8d84abbf0db1a3a2d15401759b18d6fb3b7020cca1e31d136fb97b26bc772baf5a363c
+TAG: 1b6a98c7f9b8c5c560add0eb46d2d7559ebce0894b876f0de8ec37031df30667cc3ea54a4e71d8bcfe575d6044d9f70852fcf9a1a6756643e28944b59856ed1ce9958045eae0aa64bba55b64aac0cacded741293262550b085b4cb143d8bb8f7061eda2911c86e1afce94a8afb4db1060c2da1e9bb0ca8747d71b706134e44bb7e4b73518ca9201d610860961a53438d6efb51031a1ba0fa9b437b8a3aebc0479bace7843b319c02b4987490bed351be2eced028a2d0c97a1e30ccbd820f4b3f669e33b74c1b550a8d9782b9ec7fa45b24dcd5b6788895d6246a4cdfb015c605741047c1d2323e207a8a622e55b6a19401bb67de62154392edb28ab3cdfbb2ae2f21c3181ee8033130e95e05
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (5 mod 64).
+# DIGEST: 6b7d5268b0b5037afb5be5af6a0ceb34e7656ac4
+KEY: d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d
+AD: 0c302a5f47e037446f5891
+CT: 5cfcf9e4dbe1a74e748665bf393c6fe93807ea36556590a1f2814c2b445988c1f6c2815f6b1f0fecae452d1bb89a055bc6f85bea11d99d0b0c62db8a81e3f0f3a557c208cd
+TAG: 8e73adba964c6868bb3da63b0d528a22eea8bfb4be0b1030070436f5c442649857c9c4a32759c5071d7d741692368497a978b5668b912cdfb0c404e514411ff111ea9f1224cb4a9256dc57a8a4677fe576b554cf6e4f975ac3a81eefcaa0bb68ac5bb26b1bf54bf034a50a1b3265e0baa8a900f048246c7ea825234732c3f5b34c4ddc0adc46178d0adbd9a524502061ad4c6df62dcd8f8851f270dc452be39021d5f054b7aa35f5235739894c659bc06333d0e564c38521d820dd7cb0dbb8a018543ebe7799cbd674a14821a6f92d776aed736fb4ce19ffe6ad5b456c09cc597443ae1bb41be9ea0213edfc1339636facbfdf56a8944cc548fd35fd5fa4a7b8cfbce736c6c96465326a49
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (6 mod 64).
+# DIGEST: 63efe7af502231420ed5aecce9a28446b257828d
+KEY: 7df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c
+AD: 302a5f47e037446f5891d7
+CT: b2e315ef97a1b89b4625715c61946446fe1bf27aa60e65d0ad9849f71ec53ccbee951d3628efe2795949f88795b354df0ec68b21cd699cdd0f92f31f3d6013a4c1116165b4f5
+TAG: 4e9eb0387d9121ea239b27016805f35c09c90904d9becd9ce23d77233e8b68c86e17f92ac31794be17386e5fe2f40e83147a7dea38bee4b9776fb4a4da85408b80ea7718d542a47e7e5d7db38c18560dbc37d49f4fae2e013c4b89ab59f2a529b389e2ce5b2c9f0883df472fb9ac58bc5e27dc21938344195de25f1e3c015b68e6c6f6111e037010a075e78e852f9b0b8e568359ba22eddd71714403309987ed20e381b8ff67f5fd5d9e8ce77b1517da2cd4c2909f83fe70b65af0ba8dfff1e0860ccd217a19a96d94ef3cfbe1214e204d4eab8045f97aaeae0946b455e01099513c5a763596c7495de135bd2ea2b9c01e7fcc5daa0e88bcb45ce5bd044dc300a281b2bfd18f6090f7eb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (7 mod 64).
+# DIGEST: 1a555c300a1d1bd5b03cdd6bf2a678621624eb05
+KEY: f660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b5
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c30
+AD: 2a5f47e037446f5891d77d
+CT: 8221477092da15c94ec15f34ef2d540c87ab24236ee4d97ed3543f49f2daec059be7c0f157f2d869bae0bd4b9d214bd40ed01484c28019d6349cac27db29050831e5974b5426a9
+TAG: 9f10a7816f0b558aaed826c53d63677dc443bd48fe1faf9d8e8542db0b3959d6754d0771ce1a23d67561626c7c521401c0a8882656ded33ace7965f5978bfa1c960ed9eb3831f45d28a4fb0ea44cbd9118f39eddbe3c56886bb4bd6593e13f2bf641e88adccaf76ab0356cb77654a1b27597b1b5fbbbf15b6c7673d92aa7073745721a299797b77c5b205ee44da405d634f971abf26bd7cffb21cd6f952eec7bc214d6ee0a31622c78259ba14072536751b87b968cc5e6ecb21d1b64c53f7ac24dd9344c2a03dbea3c5704bd283a8d28eb2ba5e4dc1b16a0edd6f4cb76aaf746b1a987d58ed73eb2b266a148ddbc033bd45712a3101f7b536d2d902b7e124e199442b149e3b603f199
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (8 mod 64).
+# DIGEST: de9156349b578f2f44945ec6a676a67a829daea1
+KEY: 60ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a
+AD: 5f47e037446f5891d77df6
+CT: 8a9f0d731d72929136ed9e6993cbb28013b336540f602c7203e6a38391dc07c8c3ce5b4ca62df582dea366c4b0b5aaabcf1959a7f0bc92047023c72225f5c071a588d95774f2e2c1
+TAG: 84d60af507164a4f4958b6aed0525028918bba60b4affc1afea92c0ef485679506ffdf649b0d9bcefcfb8f1503b2e48937a3e732785d85b11a524363a55fc994e756148a3b7b2772881aaceee2ffeb0f18bd85feb215fc8352dc76d8ab5255d56db5e9f10c42b4a3447321d459ed20e536062a33e6cc598a61b905bcd579e6d68cbdfb94c3b100e05bc0009b9841fca15d909de6897276f9177cce5b049c45954b7cddb7610127c9dd40a61bd8e47b7a165940ef3084a0b523955741414a12d34aed68db231db939b1417069516333b2c0c57e843f098a55e375639ebd2acf658de1f385a1e29c5eb9efe14c16e29488a32bbfd127592c7c45807f2b3e8f57144b9cf60130592b62
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (9 mod 64).
+# DIGEST: 12812df3aa7f3bbc899f6f248f5590e02570c292
+KEY: ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f
+AD: 47e037446f5891d77df660
+CT: e3af374fb6f33c64fc2e4cc1e1b635bbe890f02359b6adb2a747beda433e003e30e1803f2169ff6abc81ff8095601cdff7aebae5fd8fc012387a70dd7db18e7eb79f87fcc1821ffdf6
+TAG: 4f9730c5eeb9cb32e005afc571d2ed5b2de38670704f854c838d00584becf8583ee7e79d9609bb73abb70bd01ab228bcf6070ee1c1c97d4f6003f6a3ccb4b8af43dfb37bbeb707e1efa51b0447e6b31e82a3fecaacad99014a8d502c3db8a36665f85d62938de6ffe30c4749535bb124129caa1fa465d04c1005e64f7f4397607b4e6fc31b9c34961b7276185fc3211eda045c06a28aec0a1e0a0e2f1f6829a1ab372d0bedd711158696b062b9dcfbff4925dca71d4ad7f7c610d40bfc6e7d04f4990d6efdd059679c7137b5f5d28c9784fca307e2e1df33dfec10a242379ff30984c62c201738edd60007c9d56557692e8f73e5d0c83059d568312b3504de9691ad3d9b30a4a2
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (10 mod 64).
+# DIGEST: f3c89f21c327fca4aa400fabea9e39780378e901
+KEY: 82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fa
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47
+AD: e037446f5891d77df660ed
+CT: 98b22a9119610480bdfc5cb6e2a950ccac8741690574730b87fbeb113d5daac699c333ff21efd0e73d2252e95f64dd2699b940b490259cb5fd698756713c0e53ff69a733ea13587cbcb6
+TAG: 63600a3d7fe8a782af7af230da63bc84dd993bcffaa5f76e5f63ef56407d0412b831dab138d117fbc081139cc49946a7631f488c11946c10530806ce7a781baa3bd072300a5cdf8aaa3b2657ea3732c1e24271c447e6d7f6a2afa0bef27aada30585c33479debc10cb72febb181c7f5f77490b339285bfbb0bf07c545ed5a0f3f183fefdc7138e330095636956328ab85a201e3cd6a2edc573d75327bdf615ffc8e6fd5e133558b831e24b67751098320e9afdfe7c7ef4598c29563113052c568263612fdc3c48d8e9a8a407bc2918ede467636dc0185d9423e9eaefef4126247012d5f1930c56dd9dd7c34d397f388e4f741953d76bb1eec911079936a8dfc584fb5b7c84e4
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (11 mod 64).
+# DIGEST: e8e41988fad6c8b44c56544964cfe0a347b35b1e
+KEY: 933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0
+AD: 37446f5891d77df660ed82
+CT: 8795d6c225aa78fccaaff86101641081f4a440969633ca8d7830ffb14f629fa34dc4c15e8ff20a8940c7a484ee94503372e658615eb3fc07c2d2c399ae9ad7a77d684512d0ca273f77fcfe
+TAG: 534574a93db9658b653cd395e981cd4a8992e817ba058f692c5f0c1682745097ed441781afe30827bcaa29d061e2d1554a949cf7b62077b768bc1ca8679618a5d2b32c0b7e735db6a27fd762a60aa19e60a60a9edb02f20e3e99fd4653732525a0c8d8042bd3ba5387f93a7e0da483173b3abcd3ff876badd75b81741abfe2baf21be1006d1cb85bc543ddc7493f8faf4e27619686ba324cf651a16e7ffc23ae7786eb8823300a5c65982228aecde99f53d43f86d9ec0d326eb3ece9f6cf1c6bf92d1599c5f9c391e9ba189195665d3018c38207717502bb60e020773618df614bb4e0309fa0809ab215f68f0d9d46c28950d3edad6c4f71dd5af9d03dfa39ae62482601ff
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (12 mod 64).
+# DIGEST: d1c7b2c04dc25fe7b742a1d659aec20e1475ee4f
+KEY: 3f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037
+AD: 446f5891d77df660ed8293
+CT: 694868cf990a1b8ef42fcb2b45cabf1bd78eee4b429c11b27a827762b9c319bc54a2b2c8eb2ac85063ef8ac7da8bc35b16c0a98822981dc9b246381780da7833eb718bc8518e2b176656ff5c
+TAG: ca1dc8a003fd389a1eb1cfa4bf9746cdf45c548f8e52e0bb0dd456c1369686e0975fada75cd8fb261a01828fa1375941dcd8c718f82d6b64222dfbf7143ce980f3936b78e525c961b7d72d5d68127d0f98de541853ae36408ac489c5629c82f00a44dbdc89d665f94fb391c4a0618f31df9bcf39a07325b600265daaf53c2762396f9f6e83fb4f545aefaaeb447d4162ad401e1da2ec090d78d7b354d80fa975dcea9b897fc0f16681cd9a1aedc78cdcbf26249e18132e518b75849af55de38562ac32c50819a35156706510688f3a81e13e3bd5f61a0c2a8655c251f4732258c3cf34694be21caad599996c9a13303be173f916e90f606dfe1640bcf35e892eab6ca70f59ca019d27c58cb69b4cb3bcd484198d
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (13 mod 64).
+# DIGEST: 116e20ff1e79e0af464d473b1e7c187f4dd66007
+KEY: 62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be90
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744
+AD: 6f5891d77df660ed82933f
+CT: f2e78e183884c99ad7f199a02d87a1026c832b9a953919a98c2487bd0d724be407994fcce9e19b5a69f15ceef5d3b95c79d5fffede18a143cdfade5c0f80254cb38e47cc9c82488116640aebe9
+TAG: 11f4ab3470df6f43596f9275964c3ecc22543daebbdb99004eb6c1e001b2119ef9b247f30481117102a179a7ca72c556a029b77d0ee2167190923012aef527b8a432576f8948a7dc77ebb79fc7a9dd1d981a4bab9c00e498c09902ffb9362113f6ad3ac6c1f792fe27d3a71aa19b9f769f2417ada3d303e3fd2600484c9f6b43e4ad834e60ce4d4885088087a96eb52ad989a9e9a43aa53a78e513743a8f08cb472a144af5a6abc17f217715e074aa470ba71d2b1b75e4ff3f597c4d1993412d37f94989c1df016f72b26c8d58d78a8a3295108e9bc061facdbc4c708a1d7e7c95bb8e365d4e933c0e519d08abef948abb67c5a3ebe938b91613ae9bcb6079436af3acbbdfacf77e8b935686d4ef7ed47b5b10
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (14 mod 64).
+# DIGEST: c081d0d09b2c9eb39a372ef4a7b0246a0956b0f9
+KEY: be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f
+AD: 5891d77df660ed82933f62
+CT: c7de96bb45663dfe6da2a64ffc9ddfa7c3dc63077079bd4bc2ce52fea89924a75664782a5026fb5a099ec460eb9c6d7c3d5ea383092c8f4c67a70fc499a7689bfc27df4da7c185d573e6f8d70cc6
+TAG: 1d6cf11ee4afa8efb4e025dc32e0c73a6fcda2aa5c892031c7fde0d0d69e38e9e64e88a714184fbe73ca0f1dfd35ba3b0378a474cb4aaeb942a529cd199e20b7dd62654b97d92dc317975d5e26ca1378d41799a127c44a157982dc3677a4dd391e22b6906d303c2c60cde6052ffbdbe5f8bce22bc2ee42975f9892b68f228cb1f584b1a3fb2f15cb7bcf3d9650e72e796c46f7738986be7f7c30dc56c179299c9c368090f68b96735673f2279366122e5cd94d8d4ca2cbeddc3502d833bb365756cd511577a7499c199f403ce114ae47aabd351bd27e4595e3955e1d1c617a3d0ca2d6e4a2bc3275f5ef706fc4e02e48719958d37d172ad1473878686fca9420dafc83e0baaa9aefb1e50c98d6006ead6bd7
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (15 mod 64).
+# DIGEST: 6f7bb1f9e2772eb909c315e653e4737cfed78a18
+KEY: 8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58
+AD: 91d77df660ed82933f62be
+CT: 3a77c0f70f9044fb3817d57be4f4e5ee4b27ffa586327f77c18346f9fef2608a552b551ac549f9e8d47c4959196162862fe2a35e44581971c2974d4a65a47ae719a7f5f070ad902b8a9e022abcf303
+TAG: 825fc7dd84de7f3bcc941d0234090a9409e47dda077e0f3fd000965bde1d4ff30e15b23affe14d94515629f8c018d085f41aa3ebfd0498f621593d57aaec4bdd0e22df21668451b098429967c8eb8789f92a5578d177e5d2e326fc14fff272eb90368d56a777849cc5a1d54c6a458d32c26f4cf99e0f80c91e6df29aa53edb03df176b9873f5827686faf26dbb038813a8170f59e3ad85ad698308748d112b7fbca45156a4410cf32fb34fbbf27b66dddc0680f2bcd7cac6b8cefa83945fad84f77a396630029e6bfe9f15cbf5a884332de5ea7f558d783858c18761983080c13f9c06be367ad856cf159656ad140e84d6af4b4c3517b90f5ec0a8e6fe18d42ce3d194f695f9b7440d4118b8170705b766
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (16 mod 64).
+# DIGEST: 172f4992e692a88f49628e5d3937959be01aed2e
+KEY: c55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d4120
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891
+AD: d77df660ed82933f62be8d
+CT: f2f3a3d985eb38c406bb0db0d141188c680656db8a4484abad2c8973267e14458e2be7cb52f06ee2a0f68eaced13db714296319b2b3557454f5e9cb47e8943ea3e66f7bd25c5757375be7bdd65fef53b
+TAG: 2c441fd3259628cab417df36374ededb37b9775c0ddff861a5b957a9237265000be0857b3b8482ccc5a348dbb9f4529da4baca8a8820468b1219fe4680221bad9a527d93ca499a988411021e0f9cbfbacc7851c63cc1886e934238d9b7f9cb6b330ad00da830b34c7e4398d148af7599a87770102622e7a68828dece16d4255bb319c75ab0046defe72269fe67780b34324eb3d57effa216411caea5661e64d8151707ffa86752c876590ec46926b7e963ced6a7fa95b1bd958e618bdf1775a9b3ff18c91ed490f39cffe0ab03bb5006cd321d8e6bbdb19597ad7692eb7a7685e075de1d383089f46c8a4bf1aa948bf08b89fde28696147c767f5fdf2aee8b8d4af2903452fc5876aa226d490140a55e
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (17 mod 64).
+# DIGEST: 00133da1f7c63fd5f0eec364e9a359be02c1d3da
+KEY: 5b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d7
+AD: 7df660ed82933f62be8dc5
+CT: 02fd26e7b51a1bc6ab6735045d2e42fdd1f31adba98ed5f8b3e89450853104633abf6cbb70ecfba2f5b39dc06f419746abae4a51d33829bb04140275021d183ba079d58c37d4147e8114bc2e3d1542b0be
+TAG: 4bc0c3d3487bb74931c27253f0f0931d15a627ad88ac1ba563d97bcec53524870d8fefd1300feae23772902058f5f4a0c1c67eb5e4ca9d4f98692398a9019c3263d2191361b73038e3c9252502ca72070f1155952b3a0c787508d7c0c96e02036b2a26513fc69b19f1c51629fd7bdf015c0c45da5de1d6899f3cc3bdaea7a3d7bf1d0e8a8430fdd7ec70f93d7bb62fab821c1f0e9ad564d04081a3fb70b43b5ffd990e53938cd34084411c0c11db13bf2e28c6fa299c720f3f68ad751c20f6d12ce79382a1d0c4bf3a6bd3a695b3040193eab3c73aa4ee751447a5a46845c86e22909cebcbfc8b653f352072aad19b725dae4cf4d1c8bfe55605f0eec27682a6a365cf2e3e94ff769c2aeb328fbe6f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (18 mod 64).
+# DIGEST: 60a6821269be6c5b985576b245f106128eb0b325
+KEY: 436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d
+AD: f660ed82933f62be8dc55b
+CT: b2fe392acc286bdc73cac1aee34ecb3a3e3ae2ccdb065618e3c4a17f2b2668a2c11108b0bf8a8ffe20800a698e73c9b6ed4b0da61bf6fc22c33c75439445061e198f018f271a8698d87185b7df77daf9e757
+TAG: 7a3dcda8c73da41cca4a85a9bb5226d8a94f2a39abaad492ee978b6051961be1f0023b673348fa17eb29430a340b3597c6aca9304be30abc5129bd65073aec837e55fe06c7787f4272e75c32b3f1777451e17853f4a4696cedbeabb57170f77efe9db657572035af08cbde5432478dc339147d433457d3a15f8820515a6f267dcd14cd9489352e1561414e3e1e0a85129976c24dd016d4621af0058ef4e19fe4bdfdbbec370fed7ef641434eb629fbb16fbcdd117e9b84ccf7ada8324f9815e4aa42c12d4f0609060545997afd4e6786a0457b0b2fc73ff7856adb51223d2408ce4c414ef2afe52a3bb67be43997898ba846045e96a27acf3f1bec0b755e424f57c69774cc13ada5227c7642f563
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (19 mod 64).
+# DIGEST: e2593f3b6741a9ed9fa188fc06efd057556ee624
+KEY: 6965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df6
+AD: 60ed82933f62be8dc55b43
+CT: 8780167385b8856be346b71b042332368067d5d9420b3793fe94bc1ba92991756523c7a8e0114af8fa7296ffef8fae01796b47edea43bdcaa8832a08e823c45c1ccfaf1190cc7fc73a67decbdf407c72740a7d
+TAG: 974451fd4d9d6d1f88be4404869b435b4b687a1150b31a0671c93f52f76f2e4dd71bf4a3583f68ea5fa4a0dbf8c779f83e8dca1882e9bfca3e914e77ccbf40ac94769c44f9a8bcbc35a4f9920c6860078d369f57b407d353e8022263061bc974df29fa7c862f3d06213b1190cdd3e2091b2e26532356560efc3b21a499f4841869c993272b70f153985d45756a0b3250a1b91ee3f25a6afbc202f3ef81dc607068fc7214e69255342e662c64ffd8acbe86992ad20ce376d92ee0bfbee6a72a1f83f470d0bbf6ec22b364e842b84736d3923de92c488c102344fef6f78624989460a2c45fadec2a7bf722e2e6a34162363cc04720a50f0d309f64f9322a11b642b97f023cb82a521af6b1759d37
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (20 mod 64).
+# DIGEST: 17450a437efe239e1858ac4062f34024305372be
+KEY: 65aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce99
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660
+AD: ed82933f62be8dc55b4369
+CT: 2cd2031084f8742da110ab5d8f7290828857c867b38427c3f53be0dbe2cc94527d2f0aee90a38dee77c0ce115ef650b2ae65094e99ac9bf6da89e5440c1bb4f8ccd163427bb95b3ccd629e6881107d6c9a80cc37
+TAG: 026560a6675920dfb199359bea1a03ef0d7d67d359bb6b94074eef54047e92a0940f8eb5d08aea137b7caa73904b66a8c99775e0d859e4c91d68dfab271a9401fb650a9afb83ec4b42b97a74db1908fdca0a06603cde524524ecb3bfa15a96b6e250edb83e7c59385357c075bf077ada33489dae99c2e5d5f17cdab9d23dfae4171e564bb91e3e78d61dc7f1712c2a4431e9451cc1f58df004d04ec50f77a2681969ed91e07df4ec90fd185ede409a5387538b115107a1fe22bb999082d4341ff5a6ae7af33cb27a64eff64492a08eae3c18e5914971e514f55e65ca93a8a19d7d4c2f3df76232cbac674c480e9f4316a8df7ed9d62f8144338249732dc1c3dfcc8647804c13a03a59eab926
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (21 mod 64).
+# DIGEST: a35fc7d25f90dd9cbd35910d5532aca8aba88b29
+KEY: aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed
+AD: 82933f62be8dc55b436965
+CT: cea9c7528706d506d75cf085c8475c081ee8c6145ca11610b73eb3e103a706faa66062f8edc10abaa7c3edb3fcaf43c202c4812e768fececaa04564414f45816fa5c0df5b7518ea3859be75c4567565358293e9232
+TAG: 32de5af09080604ec6b6fc5a0a542837a54131fc87b1825666e5d56f09e15b76d47fd8086dab709567aacc3e59d395656ffadab861ba9a0e1c1b30321ce334b68724877ec6806245bdab9bc0f8e5af6582fe91a2ad95f7a6bd0ad1df9f9c2d2c20f78f2fb0bd2653fc8e8fefc9255541d789a0059820b30902c3e4344b68d4603b3fb8f5001df91fc9383dcfe76f219933078c602fe2813b9e59e8f996f8943c96c10f27d02f5bae69789870a61abb6c3b118f6cc348188495798b07424a750556a8d1e444b47283b096b9cd8b98b790445ba8ad8245a040a3cc96c2d72aba1474f949dc607c386c7cbbda952651f6d3260c82e5a06c517a89c5dfbefa069136e3c094ee1af26fc4c77e21
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (22 mod 64).
+# DIGEST: 73eff0f03358879f900b6ebd515f0f4e5a6929e4
+KEY: be477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82
+AD: 933f62be8dc55b436965aa
+CT: e967973079db00d2257d84817ff4c5faaf98024ac7eb71d22af3cbb92a001a558f5cce2e8c293d6dc2a968f69cb2731bf65954affbfdef4085123aa06baf0d80edd8d04ad4b1d48120f0db0df02ca13708f66a567ed0
+TAG: b8f6b6618dc8b59b07566c1aecf97a9933b6546fd8882d14cf75b2065f17518722b5fd77f9449cdf4feb87e7943f9d48b56ab891514f608767f1711314974b020804b7227326185bcdd338e3a9df31f6c3a0190b25d02dab04ce23fab918d6176814877ffba65e410bab2ae256d4f5f937458d24a144f3c45f6fb27e9f95490e95eac4575d49d7dec6f72ebdf3efd9dc6c83ead51652223b18963651b8d957b7aa050b022e4beac68f928de0d1094dc756d8e1d2b89a1bcac0d3d40f0f71e67b166a6a56d8ea91df5c930566640be524f187be2065127cd15b2417f7d80b6a8cf781e0e90c6ef61cbc902e935ffd2dc9e84c4170fadb6f76b15d77c72b49b8aa30ad1efabef37d55b4bb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (23 mod 64).
+# DIGEST: dd6cea270655225cb4f4231f54c19eaaa146eac5
+KEY: 477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed8293
+AD: 3f62be8dc55b436965aabe
+CT: df01c1a140da0e422919c0d34b231fa3cd767766fb35f8d78d715c44b9003e42cca112fa1543d74ac05e00da9b5740c03b5c4d1e558ceb8629adf3adb1771e6edd5b986094f724e675682e65af15bb3c0feeed8cb3407a
+TAG: 25a40fa2eda366cc951e8965249500a657316c33538f874f861753eb038dc5cce0425824f138abde55bade8b0500af1f61b8ea69d4bd68de3fc403021c2224635535bc83dcbb429a8ea6c0ca2687a34e02d1dc45e7bebafd26b4814c0766e7fce5238767280ce0424a3f16a30b943622b8c1abe4eb6c279333e9d8f7bc32afb915bc5b0328147b57d02d68584afd85107302e3c84983cff39256313c4462b693c256edbbedadc50a52cd2a3c8255c1c34ba87a70cb652d74d8375ede59a57514bf5bc50532acc8be4b438daaa2d7d2caae6c291ea2c78e27766b6e2afa2551f3287a6a2a4bf747a1706cd66fd724fbe0e7e81197b1ac612c05cde5a62fa0d5c43d01e6300c7066057e
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (24 mod 64).
+# DIGEST: 34dd9bf0ce19eff890ecad474388779f63b0af70
+KEY: 7e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2ea
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f
+AD: 62be8dc55b436965aabe47
+CT: 889ed4c7bd5455821c5b95a67a277a197140816784e820ad8e126b3d3f0ddaca73e3eede78c1c1d3ff5c2a98c0cadd644393b7e3c2273aea2be1c6fd20374b71edbed5658237d819b5e4e206698c8cc8c12e017196776bbd
+TAG: 57da1b6d2a9717b7f6f37f21dd9c686414ecd07bc24619b9d35c62c3548586bf726bdd33fcbbf64686556d1ece930f37c6f4c8bc1931a10c50269cc1dcd95bed9d9edb0463a266e6e51d2d90fa9c1a1a4dec6d21663df4f4b99060b37441cdc09386eb785b7cb0183df692d7846483998269e36d06bc7e3a010ebc798c83a5de0c4d6201f2b5b7187a7d99d109741a19e267cbe458063aa1ee66c7c2e0449549d03a9cac20d356c393de63d466ac3e04d63b88c26768f0b3fb18564acb1515ce4be0829aa99cb293adb9a0d3dde529827abeae270611c35277a4b373fb099cfc86a99483063014ec189429a243438447c9cd47a333b22e2c1c84845b79e23a661d411570c510f42c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (25 mod 64).
+# DIGEST: 7db8cfbd3b29f96d752346eeda3c2bb0bd070099
+KEY: 0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62
+AD: be8dc55b436965aabe477e
+CT: 13833f78c9383bb4455972d6e7d8f22597e65de7dd01afa28fd99f9734366c522bcaef59c41487d84b3f84c1e0b7e5ff6de84206f54d5ae80ce80fe3cb68ea4edcd15897fd6fabe2a19904010538005668f2b05245e28bc0eb
+TAG: a76458445b8ba4572e8aed335eeb6ef8126ccaebe8b4be3f799e1def09f8a81fddc2ddde86e2d011c4b61eb16bb74cc5a2c7e1b6d0107f6b749b93fe9f6589bf4ea2444cb63f5bdd3b65827fff3adf32044621aa164160ac4662506b42b0b13ac148e09abc016102ccc988362f5cf64b969fc056e3f302a830f9a0b7f3789bac1c940d5cd7e2dd61aa3c6b970c3d066504093d658fb5f9ac7fb22ce306f5a9d495ca7e29d02bb39123b5387c43ed9fa1b8a061a339ced5a9393b7dc6401921d0fe424c1f168451286961f8ac199c3f8f8d4b154c89d290a27cc53695e082bbec8a338ee09826555a3fba8fa4bdb663ba932db800df0a1b570450f33f936cb71622854b84b260c9
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (26 mod 64).
+# DIGEST: 4abaa8453e8cfdefd918571a961d8351754ad5b4
+KEY: dd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad40
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be
+AD: 8dc55b436965aabe477e0c
+CT: 03065bb245ba12ab90903bc081198fdfe45d7d3c6fa3b1f76bde831917376ec2a5b2ac2cf629de6bd3f23025b678ea9cc3bd7801f5510b58432a8bc17999304fec4de7ab9ac22d75897cac67ed57e30d4745588b36695dd005c5
+TAG: 92877bfb09987df366759a1776b758dd9943472b933d5720e4d199002d4f3ffdd527c2cdb16993da7aec2ee53a24f6681c22fdb9f9f69a89704b6356441c6e87930b2ddc47bdc1fa0df00f7490c16e18a095b53288042525f60f0f37be0036f9a7dfa37ed3977456b3d8c4c4b2c47879a4495bbfd6a512fb59a40b20bce316ecc559aa825b4be8dbbc5dbe06fdd074c1f2132e954fb74fc97075e9c5052a0f86bb431f7fd99d62080140e0457f8b5deadb9b2528e61731488f25f0574283a1b30c80b2bfafcf0e4343ceb83dd20d2179a38866780025516e5f8216ab70c158ddfd0ad7a446969cc9f6eaf5c984ce8e9c38fd3b8a007a1c154bb4330fbee4329b8335f4ec4b23
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (27 mod 64).
+# DIGEST: 0fb9d7ffcc7c9b84f34661d472ae2d4fa25d3d99
+KEY: 46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409a
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
+AD: c55b436965aabe477e0cdd
+CT: 04c76011b9c4cc8ff18038d36a8c8b91debc8d0929ec173cfa5450f434308234e6a368f17a04ec0556dcf5ace0efb5ab51956d0daec5c530129aaa78309c3d0a04af17d02b0f91f70a82b2ea03522659f76d1919731ca52747da3d
+TAG: bb70d9741043c7d3d9a3c5f7d2dc1517a91729b54dc8f49291e2201331a24fb24ad212398617237c77de3d6266fd32341893a9c8bb42e60123bf3bd4fd70a065d6f3d0ae98434d8cda789be46a5e5ad05033d18cdadb36e33fca58181909dbd3cc1733dfb4b6dba689a66f19bbadd35f830d6af1edcbedca45b2810cc82ce83d39ef9d6d17aefec9b7199575e8d08df3ecb9a407b41a9c1d851e923072c96c5ffc60d3987ad10f27aab7792a198a17c8bf88c586ab11cee5008ee7ea769c56ff8d644b51059b9b2ddcfaa92d3b3055a4b3921bf95c5c131c2485d869f642cd14cd4eb9b73740534f6c48c63f76c6f1e4dfcdd9dc3c07593ee6032a98aa10e1b7f095c505d2
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (28 mod 64).
+# DIGEST: c68fec315401703e49722fe4b39cf28b14e9f50c
+KEY: be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc5
+AD: 5b436965aabe477e0cdd46
+CT: 5d9af50991ea21f041a766d8d9036073eeb0ac083b8069619ee50c64c661bad73a9e2ca7f8b49ad9df79e47b49ca3c8ea9dc254854f116a49959c91481ba96463521bfdb74902a4b454d2c6af72d130175c33e8764b64bc93955f9f3
+TAG: c3ccb45d8e69eccdb1f058a490d8de92f255953c16f27e21b49e4f29639452ff846aa45394972d895a0fcde901fee45211e835f6e4152de7475075e1e7ed832d45e0407eac1c6a0c88de4a9fb44d961b3be197e45af38a88d1070416c419046f6e43496e6fc1750de734c7773bba9b402dc96683d624117249f3d3f3d87f83a140018afde34dd5980e86e157d632acb7fa5400dd272fe74abe46652eab999b9ac1cb65a4a609f3bf9cf3c8434f9eca0bd440d665e772629c0cc76e0d9009e47f5667c0a0846ebbb1c1b23523262d3225bc23e3513ebed8f67c721cc0886efb251b374ee4e79f60c6fc7bfb81ad9ac88c0a782d3c4bb918cd21ca1f3b8e311f5e48b9e6d738ade59dafd07ca721aed0f6f7f98f1b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (29 mod 64).
+# DIGEST: 15e1aa5285beab679aaedbf51a86b4aebbe3d7df
+KEY: 99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae021
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b
+AD: 436965aabe477e0cdd46be
+CT: 182dc2f9f412f305a8fa4813e8c8eb7a41f9708efb516fe3feaa6ae94c89b4437cbdba7c738fb97ef9739ed94d988bd60af5359194d2b5f8a48e3f5482c3be294ae65ce803e21acdee157d436188980be8e58c95a7a5a33e427473d4ba
+TAG: 2751722d2433b908076080c82895c633135bed9c7486d2fec286ea11b279b5029784972d39c8732cb1631841a60e86ad8b17c41e9c0b54ea3dba7b15121532b7d7a7fe8f92e2280481c73590cc38bbec7888932be3d10ab251157ed0335ea1b06a379c4d19d7d860bba5164da684c9d0eeb20e65c0c63a60bf94f65fa4e0f61bb94786271d5ca588093446fd563a6d513d81d590244807ce399f4bbee2f09cd8145634c1ebf06bb408489fa362b06af21a934b1114dd8233c8cb629df7fc5ac619fe2701de7daf7d7295049e1909fda9864fd7cd088316be8dc7770237748de45c3dde6d476d233983392e1a3a96f9c6550d5a7df61e3818492806db44121c277df71b9e1e176e335a68f2811637a9ce17919d
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (30 mod 64).
+# DIGEST: 8cc0b1164fc844e958e055b7ae43f2f95c29e8c3
+KEY: 371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b43
+AD: 6965aabe477e0cdd46be99
+CT: 0990f57d9a7e9b64bcee741e158eb5749e9d7b34d43c6429754689d87fc45daaa618fc62d3dc111e5a1a7a06b2b14c5b0f3e2e463085e80da6ce4a6f7815cbf871376c8c87a36555b8a74e0a14421e1e4d74f7531546369ca81e4585f86b
+TAG: 4e2e000dd4c6c0eac8aeb581fd352c8c8d4033ea944594afdaa87f05ae6be756e46cf27b7ee6eb01e9f4eb50918d2b438fc0d1eaaf7c6add8078a6a9d45be1e813c18b20eef740c85df67de7765974544f5482f9a0012192f3d84b2cf6c01141f6a8040158cf9ba03c5a1b580cfddf0a682955713a4cac6e0d3b6e273db3a91a1b8096f85fbc3c7a67e893885bae3b4c65d03d111da7e199780de379c6ee07a3657ecee397ce0c9d34ee5d39e8fc4a64c86a0d68182ea48b91c76f63011d0f0cdeaba4e1ff6a19686c5223a25a10af0fce79437322c0cab4786fdb4b93e687a1c7154bd294d784169b1bc7cc5c9f3b8bc3e1d8b808b448f926ce8731ab30a33cef85f57053ef081a8948178030a50c247e53
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (31 mod 64).
+# DIGEST: b51001b6ff9d27bccf3103a4961280e0a1406257
+KEY: 1eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0211641
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b4369
+AD: 65aabe477e0cdd46be9937
+CT: 8d7999ec7a80e528bd6a8d2a9724930c93ee5cbb0c888d9b7c79d2449e638c03f3143f1927a1b261d66ff55bdeb7ff6616da99a2155f465d7c91f54963e7cbda7b61529381204ba43c9681260799ce66fec9b0e9882fc0ab474fd9134adb66
+TAG: e9012cda52183ec3e658c42f819dd986216e84e14eb38a462e3db010070a3056db6b148863afa9af5849e3ae963730f02bcc2b419f9cb37659609dc730008a43c41e87312b546d3b67e1f092001bd8a1b81ea304126801f149b0a37d826e0fac21045be4087f76e3c44a796bb55b6e4565d44cba7a8a48d4ffad797982256e87b95f6599b53f2ad34299d90204acc139d115b66c78a2072c741c43c81bab9dace2c0088b2a5dacd917e75ff0de07ab5febad79eb5e0d03012503110bc0f62e2aedda35c9bed4b7c2131f96a4d0c9ca4d133ee032a787e499c92cd46b33e5bfb7f1d3de52db0c7e2a15232a7c3c064c90bcd23366bf982bfbd9694e92b709a86afa4c4a6eb8d5e9b48a20ef409acec78a8c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (32 mod 64).
+# DIGEST: aceed075f31ab159f6610f43ff0a6ed3a359bee1
+KEY: b8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965
+AD: aabe477e0cdd46be99371e
+CT: c3e61ff897b490847e6539236d2e3b208baca2e83347b7ea2ac714f65a409638e59a5dce5c3a4109e6d6cdb8a232f5f8a2577101f9fb53aa50918f924c1a5361ef98d6672258b4adb37ca5f30d22893dbde262fa9cf72d2913c1901d70a0b7c1
+TAG: a49c692364eda34c22ad3745a4339244b687f596bda16d4ff61c6697996214bffc78fe54bb30321d37f17a7ee146dd33771b9b922b475ed41e55de39f1573683e4c8147a9bc370d6f75882c991073181d3f5eaf31a9cfe0dd205540cf6a2b6c0898b3d1ebe351c7e036e136088fe88a07e2c512fd488dd5dfbaebe10e6627bebb2cccf1e9c985ec9f1924abd91d29f0862403c24496ba6c0535358de379a60adb764fe00f5e09f3487b075713a85452ebc21205279815653b39af6c7d84cb1a10178006c1b4ee3e53028c09ef59817abc2335fa2ee7a56ea18e2cbe533b7d30c80609151b58b3c711314b35d3be3df1cb6d5cddffc316a940cc78ba1734da1c09d1d05c2650ce3a0fbd60bedfef7a83f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (33 mod 64).
+# DIGEST: 976ca4c9819e25a204a024d05fbe7420f717bc58
+KEY: da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aa
+AD: be477e0cdd46be99371eb8
+CT: 1944f256989b6acd7dc7c334d10ce71d9f2980cdb6adb03784061096955a3e10efe7cbf1c0aa1caab97cdeee4d08a8ff34d68e1b53a0df58e79a4c1d5d9b7eadb2430c0b8049b6c43a848fbc5e5feaf16c5ae08da38f973b18e33fde747702b882
+TAG: 6e0c7a079e170b669fd211bd54c2cd2c51bdd5dc84c84e0da6104dd1d5f6e8b27847a4def48c030c515b680a5db67439f300d184d2c8fe18681c7fa25840b80f53ff494fab5e1694a604c1c12b3b113aeff88bc2c5bd31e84cf5474d6429b4cd08241e94a7f4276054fed2f2a0d863eac2671c9af96045447d6422b8789c4674feb8fb27098b5ef613f08573184271899f735af845e6b7ed9dafd4524247178415479fd60da081ae076331df7ea141df29a086b76bbe35dfd4f983e45b2f1316cc27d88c48b87d2934833eeb5bde5df0866e4a9d8894fc275d6677eda6ac6b41a0475aeb9a55ce7d7a04820b581e8565c9d9919685bdf0f163d77ac45a15e4717e2e716e49ddd079f18295bc7a05e7
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (34 mod 64).
+# DIGEST: ad8cfe7556704bb1974e94f70d8743d147c5c3b4
+KEY: 7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0c
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe
+AD: 477e0cdd46be99371eb8da
+CT: a850ddac6117f7b13e15c17621fc7c99f2276ed7337cde87ada287814150f8b3f3e8ba7108a1237fa6a9ddcebb07c234660ec93b8279bb4614be85c5973603568e885f5f8ea102d0621b5ba77fc58af4285c15996d6868c520f3e09ec5b6a468cc82
+TAG: bce897e6a5dfbd940ec2c477af3411901f0f2fa9436ff3b4da7354189f097d231b95741788b45e9a56e7ca7a41b265489578bfe8667b1cd64a2ddd765144e770ae13fc2e9ad24575bfb97e0e012869ebfb52a9c7e181e79bc260442d166550435dd5c08b131ed3850f78a2e1df8a1ed026d9310a83f0b8449cf2baec42d7d7e31c4ec56d9d25246b34a479ecf8ab850c65fe8b2a6361fd185c25d6f253f556aa46825c535a4a54b855148e032d3e1ecb8d501802db1eac194a4bf7f3c70f8b8c33cd88d3362476e2080cbb4482fd9453ead6dc62a0dbc0649e41a699c53427ea8ff93fc9f2353356f695642ce7db49fffca401e9c275365dd0a339e3970d5810c5667c234986a65e1ce01e827e27
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (35 mod 64).
+# DIGEST: 1dfd9608adabb5a55e12949f1c4bfcd5a77cb703
+KEY: ac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47
+AD: 7e0cdd46be99371eb8da7d
+CT: 0cc80c78b73b1bd898c6af38846d32837ed0712ab7cc48b01c6dd831f37237ca7634c90aba35b35da59b60aff8e6b9a622f5a481c98c03fc76c1375e4602e96c08a465f3085ec86b0a8e1ce8757df761400be6510f1cdff60b05bd46271650b9e5d5e4
+TAG: 34a24675223b1e1d363b941da5d1566dc42a61c7c239a6684a497e7ef90a78d29c1aba0a9be91a8cc8a7cd578c77e62db1234da2b913e9500cf81df22cf481ee43f0818be959ec7fe49aeb7be270d227f633f65a003b19060ffe8bdfaaacd2c20ac65b43254252fb2fa8d2264f5664f3fdfaaefe7216c3f8bc6957656d218d5f98f5b377fd675a21d16769c499b82d4fa54be52ef8c96222b83fbe5bd3b456c9d181cfb5ce23639749e9e22dbc3979f07910b83c200c82a3dd449e5ae47486bd7f2cdc26c3beea2d3c490a801bf587e323725be1a76c32396e5c5ea24a9933706260d5aa16c847e00bdc5d96b0b96652a2c73e6141367debc228af6f944bcfd65a9269a7fb8c912c25ae2a6e8c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (36 mod 64).
+# DIGEST: ad2b43eee27e6267d8c5c1c3d558a07dcd6b1f5f
+KEY: 997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef45
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e
+AD: 0cdd46be99371eb8da7dac
+CT: ad918e7428ca106cf043d6626772cd45ce998f32fea28c3253fd58f0fcc191bb4cd250b5dc6a7b352bb2aaa66601e280576fa60ad8c3aa58742462955fd7f33ddbbb5036128617c1fc3bfdf83100dfdd069042ad1887c2821afbcf822756226c69779d88
+TAG: edae83839ae4bcbcf7da661a302815b024d7576e65ecb70c183411003b1d6c769a13de3444f82c7783ff5593d9983b369833cab8dfc80120e35bc86d3b00c307338163bd5de5863a1f2daee49b4f535ce455b131eba334b7c995dc25640833c6c0a7bac710ce37ae2b85e58179b57218e801c4a7e5dc19cb3c841c11c299a72efd9cdf249e9c4423cfff588895e38e5b2d166344ba53b083da555ae4a1e0278f5b7a557e9aec08ac70da44858306df69ad968c017f8b4c24a0b562be19e1f6416841387ee3cd9c8f7c8b3dd1fecff0609fc77c4d86fb1e387cd1932775e58b928f4022821c0b9dfc43912fe0d0755b2bc2f88682f6b11eaffb6caaab1e295755d1256810ce16d70b306ffd6e
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (37 mod 64).
+# DIGEST: 3dcddb1e4f49633e7b7bd36f4056d16c53be7f5e
+KEY: 7deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0c
+AD: dd46be99371eb8da7dac99
+CT: 8ef4db8a8444ddd056428a25b718aec0258fe05b5fe8d6d972ca6762875c030fa2b4822cf03e797a53046749e39646c8c6b373a1d77287f4124c19ef758eef75db8e4e03309b3d14e918bfd9499ae5c9e2f3079ab7da8ca7f00ab69d14ad96fdba1c58b813
+TAG: b78d95ae68ef1121b27bf93eb67605bbcbfce1e0293fa37e0de4a959cc0a1a47a374f6727edfa9aa5a330e5c3df90a30d371304258624e8015a2fe7583e362f045087ac9ff6bfdb5371d9fc9d55f7dd91bf0310450c36d33538ad5f6057d0c8a0896217643c4f95ed6c93ec95dc6df838cd43d6f60dc3d48d489922dcb1fadc586dbbef4200a6b1d67d2024493fb4dfdaae7563edb5ae93fa2065d750a10919484fbb1389f93d2f28b62c8c6708122e0abe0ed22ddba815da8bd80393fe274f545e463dfc5f26bdc207f3f056263e799b3c89f9c740748a37b7f28cdfdbd9bc89155e466e9a1830dd6d0a206d27a588c56c3b6dc92d5202dd30ec0a2e1e31a0da1a5ddd9d905204f47cc25
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (38 mod 64).
+# DIGEST: 25b982a242f669c013cab1c18da425330090e3cd
+KEY: eafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd
+AD: 46be99371eb8da7dac997d
+CT: c107710a85a49250f3a4401fdf07a44f96560ca5e71d6021075b7b6e3ff8fd6f36c652f186dc82c8a21a8a743dcc007e6710214320cb5c5e788f8c5b020e4d0d89ec2fb780c9ea915966b9f9b1e2cb0f26fb6bf1aba6e6501f2571ef1299918d4d2e6b367e22
+TAG: 3e7739cc9f98881f03a99d95250d460497e445cb24b4f8783c0010070484f8f379d74903d9a99f6a621791763af4e8e94ea305642643103b2dc0a0c1342f66154a0b4c4cac63e79d7121a2a44991273a9e1111208b3d9a5b6d11a6a28c83d16c9099d0a0247bf4670717ef0e8e6bd4e48c893ae189cab4f916862a8ebdfc0cb26cc545a9a08f01f8b4ce545914a35924f728c4e914b8cea6588116e9ebf592d4709e0c4efc8f0f8379fb30e35e36bfd68946ada030e35af5ed510a6061471659dd6780c1356c3dee7f69ab449a402456b63abd7e7763b4020db5216f099ef78a2125b42fe508cf94976b8e4e9ed65b38c254818e6aed084c037efabad7bd348e4e16099c7709cfd9116b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (39 mod 64).
+# DIGEST: 9d7958e23777ff2472f5a24dea5fc19c151dd921
+KEY: fd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46
+AD: be99371eb8da7dac997dea
+CT: f90604401a507574dcfe5d7c5e0c36c5fa65d9a8f0a25daaa9fe5c50ffb3758f52c9c883c2f85d879f26845a130044d395b58497979cf24a9e18ee1f27d1eac4d0cd994a6338c5755c74419111b2bebed645c3d8b8071a7b5304eab2c33777eda01ce489f4a6d2
+TAG: 8a94c9c05afa552672247d156dfc8d60e9e3e1e9eaee6e58c8fd6c1f9d41bff32571526cf035ef595cb5c5b2d64b2a98bfcadebe5ff66a6a2299af8e00fa27e621217c5ee1542a86ddaf93e293d01f20ba5f9093c1fb7a1b911e659027beceb9518f59d20cc54f958945dd44ec38f73fd475647a008de974e50facab9e6e878e3968249a91b4f71f4f86486d5e3bc2abd6dcc67989f58521ee78214dbd29bb7aca0f601842b1d36833748069e409c58de54f7f6e6f17b9e05127568a1566e70254589675f2802c153bd5106afa59e00ac753fb9c3f67508deb5bcb4e25d47e52852acceabb8e5e955e16c0b4448cd313c73ee2195f185f8869165de7f30a68efcfba1adab85e2eb975
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (40 mod 64).
+# DIGEST: 09e9eab51bcb9faaa3bc3e473ff66b06e39653fa
+KEY: 64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be
+AD: 99371eb8da7dac997deafd
+CT: ff258ef9f318036586c5ec9e956c10c9423ad3a8a5468527c02bda6878c45398b0c78f3fba4eba3785282b3aa4586d31b238fb941546bdd6e3d918444d45f79b2a5ce3df0e8769a952243cce1f17f736d21e44d8d49449e017e9aa5ea20863a2f6b2f7025de029e1
+TAG: c113b619c1829f799e045047dc1587c35eea2e9b5735e9acffb8d5250acb5340d7e48f261c58f6e1dfa213980d35df3f14938a5d6c20908290444308c31cfc08d07cc3258a5221e3c8d72031ab52ed92cca76a189eef780048623f82af821d521b0489068af4ff2954bd73dbccc6d6d4124760a5c71fbf88435af2ef8eb24197c8d7b23358baa411d87dd4439249fa80b6f00c4a4c500b0b7113151bc4f385233318ccb3bdaf779d41c433b2424bb3651db990f9fa72649d657bb823f0e73fbdf08e6f81aae0552aaf37370f139e85da70fa52422fabd155d567988d1d2b930f89f72725d97c1b1aaa67217c552ba1b6a51cd97bf2ac7017a2a97298c6d86bab809b9b4a7e1776a8
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (41 mod 64).
+# DIGEST: 7b17b7cb19107af8fc4671420e461060e2ef3e61
+KEY: b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dc
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99
+AD: 371eb8da7dac997deafd64
+CT: 5e654ee6344f96fa117a2e1f9cdc08bfaca9c83b1c4d61891e49077c8ae7a8aa604e1b19995b32872087e04a59ed367e42f0ad3998cc2112035b33104164403a948ecf73c516f74adaa57688cee9417456f996847e0c637120478f7d88288b5403f0697c4834e4ea7f
+TAG: 363ea1d1325e86bb389f4c97a844b76e43d76fd4750954352aa52f5cd174c3d902a71a8265fba870b1b0e3a1add011914df362dfbc8f075cb45d2cca5498b48c49f0872f8371bf37e334c33dba4170d101dfebf14a519d37647748d92ccbb24774caf56204c1e7efb4b765b63d5ccedc308ccf06bf614e7695bfbf9e416df526ad21c4fda82cdce18ea647b6f99fd2bfebeafa94e8b9e83fb2d85fcd5f8456ed2e374ac383230dd39c528408e3b53a92a3950883f6eed412c1a5875a5db61b98c089daf3419522fbabcaa33479d4f0140963f1bb788a2471aa0384b44c0c69a4fc46a892f9ec8cca4cf0d048e30eefb1a74f8fecf77a4d61f97e4835a85594d1df3a345f720fca
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (42 mod 64).
+# DIGEST: 48586ad2eac603c136911b28e2c69f101a8ef371
+KEY: fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be9937
+AD: 1eb8da7dac997deafd64b1
+CT: 59201549a3446dcbdf5c3fa8db930606f6e9bd374d8405e15d55493a82035491811f784fd4f0e3bdb6bdd2e01558783a00b32c53d7be31525343a5a2d72921222e32891149f8dd38303ffb584485df15dd4c6917d4d8ce80e1dd5192f30770873895a0219cafbe8dfaaf
+TAG: 30b74b701e2777b537a16fa9b2d3bc9a86d718a4440ac3a0475eb675b352f215a847a286f042285b50764d14ddd3b3088189d7e26b96cdc33856347f3173c7cf4c9696ad560773e65878c4f8db001bf66a9e27e7f42593e9dc3f206e64502b4a11a235d5ff29cfeba3fcff20afac264c691a847a0b6c599bd9f7e4a57179f46b3880fac1b6cdc10444ee5875470d25c8a7bc20196aec1f028aea628092b5ecc973a058f083f4157dd9202d1f6b09c72374ea668041ab18045a383242b5e96ac127f6ff263c15d0a4999f61153ffc5d53bb77ed11b5b8bb3f2071b8ab14d92d161f7e39470913043b316ed3bf9baee35f8594785ff0f99a39b72e918bab81c49ec6c4c4ca459c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (43 mod 64).
+# DIGEST: c37456cfc543ba6e5848b9b8f4ac5a58a104b521
+KEY: 65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+AD: b8da7dac997deafd64b1fc
+CT: 54a2f87f11c6597b3013a0de46b61a8fcc28ab021465178138cdd76ef01c2701b3a48ca4d3cc885173bdeb33b7b27f9064d2f09ec187d0c9c482522fb29bb421595589aa69ec2ca4155f503bdb8f0f8d4d2f08531c0deaa386b9adad07e8aaa351e76ab938e435c7eee05b
+TAG: 2b4f8a42097dfe879397a6fdd13c8e2611399c3c53d5cb5c0e41a4a49b99522b127dff5bbcdf4a5c6fa79440e8fecfbe1df30d34df7c3a399cd79164cd39ca50a3bb6ce2b95a46a3f50e47c9041dbf8f39aba1e807f66984619c62499bb5f0bed727c5214efe67ae9863b99daad6b2814484f9e96c3f6aa5a31417624052c69252de37d7f913e5a2715459f945958adef369e59fc7f704ba9d9646870561efd3c1bea0ba785a8a39698d7ccca3e0b6a6dc3b2570650ebaee1e133488b3a227fa97a8580737cb4852ae3e04c11df82816ec4d6bba8f9e63c9c48383466d9d145d27d18358e822af696a8d7c7aa65e2bc7ac32204a8271684e3803347423608666e23e90345c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (44 mod 64).
+# DIGEST: fc113d192686652653a15887974eb1f9b8e32248
+KEY: de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f2
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8
+AD: da7dac997deafd64b1fc65
+CT: 0f0483dd1e9ef91f215f7f9817b7f82e0b96c0d3b2996b2a1d878d0be3a70c07a4bbbba3721e646405a8a7f44347557d482d7899044af37f6df054070eb4debf7471072af1e4c98dfb3c192e956b2931967d7fdf200b464be1ff1955a658bf86faa659db9fea5c63d26c13af
+TAG: 176eae7a290cdf30272c219178d7a011400870bfb2ff611142d4e16fff9278cc5778770605f8914f09c3509fb6ec23bf5cdca390cf8dc0390502b3ac3026c47c167079f12302b6ea7eae668b6dac95a5541124aba8ecb8de4cac6c21ba17a2423ed4aac69e3292f3f4f031e9f54702c432d514726cf02ed646e0f60ed672b5f212e62aec4e51c8b8fbad3f1689f1b7dd775111695a342a279f7725da6ffa0e5a2ff5550159208bd30d28267c600e6b183dc1f72fbb4fd8013c5b4ec93f19dee5864bd854df3cabd5c813d4e3ec083d55ccdad4a0178e5d6cd262843d6309059033b987e366e66c67a3fcbba86730b5fcb4786989f86ff9b8a7318302123e0d53152a2a82a7cae76a81b017fc0b883ef6f8cca921
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (45 mod 64).
+# DIGEST: bb6e5b5be84ee383caac0378cb6f541726ecf61f
+KEY: 39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f256
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da
+AD: 7dac997deafd64b1fc65de
+CT: 978a10e04037ba7f0dec2576efaff6e5e4de5ab80b4b0c0b8a6209e22da05b8be0f832883e371c61c23b5bef969c004bf2a0f0fc8fbf1313078e12af2b3569a98ae5ee76a9bbb6da6806be3356c02dfa607c26094fd876d8f9dcc0395f3fe356b0a51d1f59582a7bdc7da9971e
+TAG: 9b37a729911834f666621a052c9d776f126e500cab45ddae7ad020874d77976af6ec581efd91dbf46ccf346a9dbb3a42d08d23de1cc074788f6887c0b15d98610b19fd2c00752136af3faa32e933518093d667617ae1dfa4e4527779bef7ccc9a1b82d8ddc0eb1d7d9247d0382c6d98ab29f60bc897d28483f1c69fe9b0d37113d237f7b3c3509411058e1c0f36fac6014b6c5937ef005a7fc2e3352da4866384d63c6aac2fdf74cdd16acf782022e4c5f1fa528cd6c977425ab19d800664577b5e5cf0a82e7ba75716c75bdf87eb8c7bdf7346c89d453bcff89ed0b93d9eb1452b72390a799498e31ae691460e5daa8ae3506aab4877cb82e3378874c6c97064b33f969786ed84e81cd1c2e2925b56266ca72
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (46 mod 64).
+# DIGEST: a27799fc2e00e7abec4c5939451a834c4606cf7a
+KEY: f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7d
+AD: ac997deafd64b1fc65de39
+CT: eded0eef58434338153caefd914cb98ff516157445bfbd25c3c5cbcc0ad68ed1bf049ac292da027acab0310ef08d66040341721524982165cfe7f6dc495f7f5f36cc410470e3b42045b718f580713dac8074b0e76a0345d11c94a9800bb5e5eef1cb8d9ba5818799cd1ef69c4ed1
+TAG: d7459df78edeb89e01ea8d685b5780b94ac339c36750f2d5bc09009c12a22893348bb74f8c38f96451e5204e0d940b9b84c6a89eea61d6a78eff111b806ad4a50c8456d13f79288cd3f3bdde755083dd64d13e1c887d8df5102deb5a23055a02b6cab1021efe6add18d00be8c3afd6f8e80bc539c76003caad47c1cf95085bf48bf9ab6d487ff4cbf5bbbe0f2a2972e6a165a2e5ad230f58fff76fb8ed563b810684daf4b5902ec8cdf2442c323e7c7630129a89432a1795380a949f1113facd9ee148e2d38d4457b508155dba0d8d4812aec13d67050e70e2ff98a1fc1dffa01dcc7eca4349a0b14f2507687314c49b3fe7cdbde2ac840bd8ff7fb7c36a037e7b7de485183fdcfda49a2281645ec1b153ba
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (47 mod 64).
+# DIGEST: f30eaff92a640a397f98e6803623e8d1f0c1fea6
+KEY: f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f0
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac
+AD: 997deafd64b1fc65de39f4
+CT: 7c433fc5255dd1e11f67c499c6a89c16b4b09355818cf304f11167bef253dc60c95486a840c3a8f77440f63a5c6a855931a90eea66a281d51d4198679e1420c824ae5c8bc0231444b65b69832b84c7b5ee2fb8484ac08727eb0cba0c14e7e0a9071cb0cdcf73d5d83ce53bba361ee4
+TAG: 2e73871e9d71defb381e4e7d49d5d45880fa3effcb0cfe673ab52805e6273723cdf99557ed9ca838aa2229fe8eeadf7c6d94c91e867ca023fbb2d2835e420a3b026fb5e3915e38a7ac02d43a8c6ba8a149e99abec42967106bff6c80adf9be5c76503c95053c21472b9a338ed4c9c11b161ce83e2d6190f87e4dcf169e945335cc5acd699b983629d0bdc452f678232be0d31b9f231aaf4c3c3df79b1b8b2fd8802df0b71cc5e26b2a5c5c5ff0616bdff6cc7b1f09aff68d5e15dc9d61c1cb6a2c9602eab7794eb77af8bed198fadd854e8f8a47bf6bc11a8f75eec584f1901fbf012d1fafc03604ae49f9585272845677a1cbc27261d5d7fbe9bf1f1c9ea42c61b110cde99a3a602fc9eb6c825656d804
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (48 mod 64).
+# DIGEST: 7227537c0113a9f46f7d332a0b37ee5303483d00
+KEY: 3541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac99
+AD: 7deafd64b1fc65de39f4f0
+CT: bcdda7eecf3331f4e7605cfd33789ab585318bbd35047755402372403a4df125e7f5bdf857e49a3f74cb8e824576a226c1942fa86de07bbf564cfb384d8420a367963020613dd2f6bd4f371ca1b53532a7015dfdabd07497367aea8db92981418eff6b51eaafe2b6d5b3b4d1b8b95659
+TAG: bea683141d42033e86b38d5e0614716ed53b7db5df93b0aa48b15e0111a46ee93c2971df88fa885f8f32e81222d9bb4b605640395e37e1ba474a17f0df48c488dd5a6051be2323f462cd94f81261289f076d60cf5907cac601e2709dc191a9ac5ef784733140ba8d45edded7e58d7316f92a9bd5aa86d6f8441604261a38359a8cbe57bd95522db7029db058a8b175eddaf8f258f2f479b348451b0786f15336e18077ba23eac377ea367d7e1afc08607ff63be2e613fea2e6097192ab41e40342e36688bad628ec273897c86e75e0b83d0d85fd13e850f29cfbe171a8d1b33b72a344a9e2bf292f0dad2ca754d45651a2067d9fb18c7a1845a9c145d4273ee2197dd0b4da66e88a7425a72fd541a78b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (49 mod 64).
+# DIGEST: d76570385cb65d30c3d636ff25c5efeb8d1ea08e
+KEY: 41a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d03
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997d
+AD: eafd64b1fc65de39f4f035
+CT: ccecdb03830e84c5267a5b6f68dc909cafe94a1c872602961e8467b4b2723af537d79d723fc4e8f0397fe169186c23f50cf9e78af3156f507bfd38181dffcc05695583863d8a167df062cd16aeec0cc548a7b5e16b148ced8bc2a60a33a583779fef6d7160e0f6c31a03b8a0f1ed8e18e9
+TAG: 5175c37f295f196bcfcaffb35c4cfecd88d1b9c773d3162c96eb74a23722e599ac728ad68e2ac70369e0c6d212826afe93cbbc61abfc309d3f4a6f0d22421e02d711a6c97b6592b561b49ef5f6516367cbd966414d9842eb963c79bd4a8e1550199fc9cbd58b5fa5b898db2244769a950ee62bf915a074d5196732ae69cdaff05266bbc049903f5d7c702633741471bc3f8e44a426d201c5ad5987db33687db05a42778617c253576361fcbeee62707d9119cc76fa0627fcd65df7bdfd26469bd4e0265355cf885e2e515d56307adb91be258befc45ce8b238f6177d24f38ec56f0d64a46124161992a30f8a64355823397012af08f1df378effd1f67fb30796956fcf28b0ff35f618060a955b6311
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (50 mod 64).
+# DIGEST: 170369666d1f2337b29b5f14af68d47910388e7b
+KEY: a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997dea
+AD: fd64b1fc65de39f4f03541
+CT: 2828ec3db18423dc583c7ac7dc5231da07af1756d7c032a866c64155626be3b3a686a93699023f6e421da24596baf99b45244d07d86a8973450afdb87ff2e9dbab6fcef52cd476f1f25f27f6bb3abf9b406704a14ce9682613125139b238d985ab8f68c17f7b824f279c01d820fb70502dab
+TAG: 6af6f94f0ef92665d286e08fad2845c4c43f985b0cd0f09c6c6b4899c350a1a342f024c3ced7e54bb00b96d0e04c6d484e95b585a687258f4bdd1c00eb1d3f44e959b2dbb1444a292c81c92e3b1a01622fa377a583117bc2e170ea8c033864fe7dc09b7a9b1b5826ac8e38fd5849ac9024bcfb1c587be93b3da485adf297a77ecbec2a88fcd82e7eb952b6d012ec439310f624fd07de7bad33a5a59b72d88cb454d5da32d52012258c8754cc61dae82b26f8d6df7a4ca384ea88a30e12d4b07bc413791cded177d325c03a5a6c532641ca46ba2560cb3072733282305266985bc4afac41b171b28aae50266a00afb5a778e1c481a7799f29ba588ed3ebc65183517a31944921ae3a040731666daf
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (51 mod 64).
+# DIGEST: 7c52593d1d37b0dc380297231c6cb7b64e04c493
+KEY: 1be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb9
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd
+AD: 64b1fc65de39f4f03541a1
+CT: b463f7f24871b617a1001d2f73f9eb8fe39b5fe0b382d420af876defd68a893add2eb6cac45e56d669f4ac67a943a3b32daf0932072bd701f9291b5020bfa9133d2875d8f6ee78ce8c49d45b80329831799f1eee8c712683300e49c57dc8c1ad0b07465184483d669b04c183976289e3ad6070
+TAG: 2e8b0999a7792a9cfe5148a8730e28ef92557e1b5d9c318d27d12fb1356fa0dff3467e865c530d4f20fdb765f7ec7e56b7ba28fb49309bdddb413182b07670cba711d6e5e3c086b4e4211f0f19666590bdc9a121e1430f6b0c64c07eff2d81e47a02d375fa46bf8d6fb8708f3a247287b595be7aa19414e3d2d39785a0bc8ef46b547bd4805a8460fdab65d81866dbc496581ec548c51f601e13289fcf3e45f1bb4a7777f9a9243282681aa1c746fac4a8433e1f477950eea76c24d318e95f0586eb5d21a16f8b2b58a14c4780eea922b97de4b1ea292f842c662534bea84213924e837cb546c26f3bc9951eca7593f4f01e3e6360cb14248d127a08d5e0b77f438479035769e0e12c856bf3bb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (52 mod 64).
+# DIGEST: 09a1659100052d13bebb4defd7f54f975a58ae2b
+KEY: e112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64
+AD: b1fc65de39f4f03541a11b
+CT: adfffd8a654da994aa8adb618cf69b25ad5dff201cd3a84314796e0228ae3e01be77cd8052e950fd74e3d8fb0066705874a7319dda8bee7bf7748ad844a70b1ee0d774a6156fef109dba8346a68b48458728ebde458e5bd777a26291f98cafb175864fee2d335fe5a38f1738df9a5aeb13f25442
+TAG: 0562ed87899d06eef5f3a7680c110360e5338af0b78416497e18291d4e8a75a219942acedc7d1493a15f6d35d1d8cd27b2bb26bcfd58dab2c747b4498ce1e56568226987124448509a7852588acf2dae587f0d13ca2ba54c50ea37c10e6c525b04caf0aa519662f258dee7fdbf17568ecb924c0f26701dad0952d3a57a8188d046439d7e35d73adbb39559adef95017029a9f6392d7282a1c84eae663d840184da4bbcbcf9c262d69ed2a7743aee175150e03bd3e6c38a8a1a762614ba2fbbb631ef56ffe3746dc95d9a15eae1f4f88e3180569e73b25b8eeb8474ec8dee041cdfcca5219514c5125395d83de633bf5bb05e4771e7a583f4e6a6d20af36235090454f8acab43984fda3f5740
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (53 mod 64).
+# DIGEST: 230c3353ccbd95e4f0acbbb0073053a0186f833d
+KEY: 12a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb0
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1
+AD: fc65de39f4f03541a11be1
+CT: 985481677ae867b2427182edf3de86d7b9956a4970b107ca7e01e90ee7cb02c6b9a46212e1b8ce67e7aca5e2d96272c2f412b5f16a7c1d00fe597f1390c3a686724c4846c78ae66b26ded18adb40f0d74c33a68032b97d440104cb7acc755ad7383c16013ec7fc519b293e4c624b132f91c44202c7
+TAG: 62eaabaa53e386ce7d064c718e4761d14092263af3027efcf5c343ab46e1133d3131dc3cd7dd6b8b8d9ae6ca172fc10f5887dafb169aab9f0e7eda4a5b3436750ccf47f2e3e9965b46f3dfedcf38d61dff3cea927bb3ee8509d6a4288f2879d04095eab6b9e154d0e22da31cb51638ae978a0c5cfdac346ab551d359fdbe9aa34e9ceb15051d7e04e9788240a030c0ab7c19d00f32da1df539f08d158f34a1e3fa6ee8d10ec0d99675a3465c889fe2b6631ff2765a6b83f594315768fdb30c27d2747a6e9d4c5724a5e93704a1851d606dfe97150667309b27503b09c85d86ecd83caf1ec456ac19b7fa273af74714611b3e9a3359354c7b983d700775930bd90a629d88a3cf7cf17f5058
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (54 mod 64).
+# DIGEST: 701e141608e71005d32dd1e29cd068aea736c9dd
+KEY: a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc
+AD: 65de39f4f03541a11be112
+CT: a06030a844e38f9e049bcf318b10e1cd2db6b60a2611cf9788f0c1fb31a366d2038b3a1692865b926196594850807895523a851a993b77e49c911f840f28aaa42b4f427eead4e2a578d57b101bb4795aedcffc58212e0eaecadf503e3b208eeb72d53072caa44677d6667a0d22639db7aebc2f70ebb6
+TAG: fabbfe986fa42c58408b2f008c7fed482ae568cb39c938aa531e49a85ee71fced2cdd2ebe97a35295977ccef50433b41c511d424a47274599f3f2a28678a4936c1382d6a9f5d41b4266ded97a2fb11ce4e4df03f9e976675b9b35eafbbb399eb86a79a8023de822f8c0d83da5516766f141f83d8075a77e7c55e987cd181f02d8d6f7c90775bace579d25fa1a969e4dec07a5ddbef63c67b6d76bff54dbc7fb87f8af639c392a8a32bee35255e24cc63cea90445ddbbb75e4c594d6d1441e198720c2fb7674822e52d0298fe24c6e1602fec34038e62a55cdfb5d3fe6479fe6b02b5fe648792636e03213e402f02e2a3cad928996e4b1d2fecbd97ec5ebac5ea2f9c4989599648b0577a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (55 mod 64).
+# DIGEST: 9aaf96b472ea76fd9ff4adf56dab5fe0400d18d6
+KEY: 2933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65
+AD: de39f4f03541a11be112a7
+CT: d934f61f94d2b0aef2b63668352d2af2db2e225d0c8dd86b8d7c901de7425dca2a0d2f3bae9dbaef4946d18ebc2d9f4cff5c268cfc80b89c35f7b1a3de12173f9377a7ad9b33751fc89390cea9b44e80423702a9848c6d2562d24838e3b0511b81a737a4b65fac394da45f62f1f3b2bfaf0b4f3f0c5ca5
+TAG: da6ed936480fd159c32347d94a17ae7bf9344d4bdb1bc0921d85456e9b48a2e2c24769bdda1cd6bed0b44e980873ec3c79b4346849366ca6d6a77e8b1091c6657a009691733da37706c0f480244ec0c7839648cd0eb63a28eaacdc8b60b1ab59f7d83bd142419a5a548df23f019e560c0c9a307b4c2498f69386eb13d4dcc64ca77c8f5f7c4b6e0c18a058eac72426ed4d541477e3a036b9a450af234670c94a4ceb7cd19c9ae113477431fc2ea30738a95c5753a4b8de9e0e4e1a0f7d52f67b2957a39ff1c6eef88bac3b927ab004d64f3522e0db7e80d27309b864996aa2bafe615139732cd492608cc128295132a4f40a70f8bfbb5b18b2fa45c55c87db39872bc5c1e3300f446f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (56 mod 64).
+# DIGEST: ac6871d354eac507556770d8b6bf10b5240273ed
+KEY: 33c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de
+AD: 39f4f03541a11be112a729
+CT: 413d2c3fbc77845409ad66cc13432824ae4ae109379a9617e8b93d4f9b17fe0d0450476c3f98c229bf35e86fa792dceb4b3864761dd442c294e43b1cafe1fe086cd1ca5e1572fe2b3753c20a74b663b536f6e686d9765bafb10566f2b5cf02ee24e3dc69cb2be9392c991848b840418835603bdd83b2cf0f
+TAG: 5df250368694b1d3b11119d8c787df534fe4526eb31af32c9289b0eaa4e9455b5cd4a44c13a335857f67fd2662317e086c1a299d794830ca08ca99df1aa79c8f49589dab551cc6269129b731e4d560c7e330fea2aeb5f06eab87738bccaae53b9661a78f3f08986f454519097a6c43837931a56caafd581ae52343dcb71b98ee0b36cb7037a1eac81f308f292eca92ff2c13c3b807aadaffc832f43ed98c0cab6174639b1ec48f3e8e3736f7a20069aaddc2414f1edffba78bbbc04babfe6d6f1a5ae8f77931f78974edb257d2ea6d5440bd7c8f8283ac0e362e1959bc35bca6f257da511f456466be60ff7451887e5ff221f30547e586cc76e7bf76dade793565d733e5705bfcf5
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (57 mod 64).
+# DIGEST: 050258d6ad6bec54f8bc48c7ba2d669d6416c11e
+KEY: c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39
+AD: f4f03541a11be112a72933
+CT: fca448fd13c6877aa9fc299953dc631df8024cebe774bb14839821b05485c4a8f1345697b072342343f6a5479d99d5ba0ab29db7760b1e21b37969333473e6fd16bcc5b52e1d6472fee31034d515f66439f092341036a48d637ec84d22af8d1848843aa33e3b2059f7f90a0db47dc41d8af3b5cd76f4b36ec3
+TAG: 3071b853c877cc72cbec5c249fe76736e87793118f0890200b64cc9b91e26448b327dd87eb314c4c074af49091051b69122a2d13b8a7fc0b15a87e7e26b791ab3a74e399d429ef4e6ed69f2036e91909b11075ef19c6554f21b5b9b90fe20c9c633f71c666519774baaa12d8f819ddddbb592a99689ba34c44e59792da3d7750f4cfbfdad6e295a73ada8957eb9a7f7bbb4e8f82d4647bd41d5ca2a51cee58be3fcaf307382efec054d880b5866a38aa0dcc72911c9e9ff902ca3743873618b2b35c45cb32e496ac7c8c69c1818583ea5016a57f6e912859b1b1a22bd701113e6cbaac2a935a94cc3fa0b9d4c23ee573b0054eebaa3414c936aee6bd9782385d690c1eb570c5ed
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (58 mod 64).
+# DIGEST: 70060f86c76e53512933c09deb5872eb23efad67
+KEY: b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d617
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4
+AD: f03541a11be112a72933c7
+CT: 8c5849a917c328d68cdf4fc279b29efb0c3c1921621276ca19206c9941a5789b0aba7283e743f94a6e4142f7febc9ad35df30daffeaa5cd0cffe0fa2e4cd5ceb687def585b2634774a01a3f00ce2ca9951fb910b4386bd0d61d1e292b2b225ac55000fdce10131ba163c97f810a2b350fc8a59348253549e0cbd
+TAG: 5beab8f1449d50a6e4a1a747fc2b9864cad962480673db6451ef7aa42b42e7f0edc3748a71df8ddb33d6f9bcc9024c7170bd7a5b81577f9594a87d90fe96a50a62d31c01368173aadd7dda6f7d4c413773649fa7e5aa0c3cbd0fc760666ce5d5ec5e4209c4eda0a8ba0d66e83ed3337067d8ecfb81d3d1c1bed7eceea2582f276c43fc15d5c2bf9d2558d3c3f4d8cdb8953d28b0221c70330c346640f1ea1acccba27466cc0ec3c14729a78f62c7537b1ca5e9f9bc74c4571be9b67f04533b1f8fa2f9232c216ecd81bd120197b558b2733d3d9bab706f67670327465722b2be2c6e3f2ee507620dce326f28400857cc28c697c9b10df0d093965c21ebc42f34d71963ca85db
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (59 mod 64).
+# DIGEST: 58286fe273bf572a76a2725933dd969777c303c1
+KEY: 4ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+AD: 3541a11be112a72933c7b5
+CT: d0076d9cc2f829a33a0b1972f6c0d8c67718a7593975798e0667135db3ce31b4d9bea98710909313a4a2af88bae720963ee738f26bde44b54dd5820992569e5d2eea000baf5de9e0f76dc8e0b93244a8474beb7e922a5f30a5b5977611594af25ed35aab12a61de68f215d73173fd38f586b8c509459a5f7587d43
+TAG: d8ffaeef22eb2181a48da72bbf57ba4562e3a1ebf9cd2a872f155fbadeb78c47e64ac6419fa1a9b1ce5a8e78e60ed1f8dcf02535613b959448f754b70d7159d2dd4814122b35418d4e554992b4789e04f018234c91de44b9de80f7ab406fb6fda6f086fc6b91ace53dffe012d703e71861d0b3ecab86a287a76857781254de544985ac5b11bedf29138500598f757ae295d8577ae7e597e9cd915d15124c7f1d9786f9666bc4b69eaa18e28227d87bdc8935e537d12360b53746ad0d7834ad830aa5307f69c3e4ff6e37ee6ba8937f75723ae4f64c2a04949b0db60c979fec6f485dd0cf14cacf5e8d0e624d9a8578e4028b8076a9cee1e5a0ba5b96e9f0f6e6ef98ae84a0
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (60 mod 64).
+# DIGEST: ae701e5c8672dfaf728bf0f43f5e5247ea9ac13a
+KEY: d4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e78
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f035
+AD: 41a11be112a72933c7b54e
+CT: 298f670117678bd139c60399dcab68bb0414829b458c747b0dda5dbd67f95fa393bfd2719f815a12a2b7c6b3e769b61ddb4651970b30451cee6166545d8e4c4554c8217898186dc02684c5025ee692e12130ab41ce75d79a4ba1a4dd02e0af581a645979c1a3c8c12f5b13e9c1113316eb31b8096b4eff1bf3f7ca10
+TAG: ee9c1cae63b819ff804cc5a34d59d17a76539b7850d5164ae8ab252633acc10145c2c71b1a10b0a87cf2db361c6aeeae533201457c5952feb347f739b3c236845a887fd0974b052a4e71cffaaddd1f00c64c47251ae446a5875e1e1854ca2c032b4e01dc995f35d901b60d042aabcaad3c08cbfd12567cc789408b6710d81b6b7c6067e02f263763d74bc039e0430bc1f3b4c01f95f54492a9c5b81b8d279266b378bccc9073bf1f1db1ddd964f9b6b7ac8771ffbb55d1ff9d973cff3d4eeffa277427e0cc41a4457ad6c2f035b1c0f93880aca55888cadabcccfc9dcf53dc3924a4c03a5a7bf8416bba76d8a362893193811ddcb02b0a9ccf2ffb6902d7e0c434cc489d720487f4664d60f210433b8f71d98666
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (61 mod 64).
+# DIGEST: 4f498d0aa9205160827626ef80c163275eca1f78
+KEY: fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780a
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541
+AD: a11be112a72933c7b54ed4
+CT: f72c519566632f89513f3f278407845ff8096a5b63929f0ea6009c3cae0dbd853662c4017ee5729eab92f2c475f0a45533de67d4b941d4b16c1964986d8f4a16cc12f02c28442ddf5790f321b3942cb65964587f3fe55ab28064c52ce3d3598d3431788ed2c26fe1b196abfd35afa0f7c8206a6bc71d61cc4e1a086c4c
+TAG: f8c75274342950e4893ca3b0e9fe95fa51343c628e1f04d9dd19ed928ef7af0a106b6bc6b70d0ebf552c0acc51b5af94dbb9f4fca444ed4eefff63e4746af9852d727d4465695b1113eda1becabbc56e2860b55b986d6122b93bb822865ab8bbf1409aef68cbe720befe0ebc6dbb639b3be391a161c2d9ed65a2898b3ea7cd993827aa8f2c60dd0d9e926cbffd8bbf6ac43fdbb61ff0024cdb9e668bd9980a39530a526c3c9cbbe1e4f46ae3e8229bc5e7c8b91855eae7a2aaa1b827d8b99ed19843aafb76cd361259c29dba7a02dfb40d9bd2d580aa12a6951f0f53ad5b283443c5bb8b4c9fcf569b30830d1844860256c18d753a8d80d1d0e8656623b1a06700fc513a7099590aa566d48eb6c078c4472d4f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (62 mod 64).
+# DIGEST: 8c043825b2a3764e8a0cc35a011696fb3ed03c2b
+KEY: d0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a1
+AD: 1be112a72933c7b54ed4fa
+CT: bc6acdf0943ba34efbf9eb27fe9e968f23bc1d4f1eff7f86e836621422e7ad8e1adc03249475b6be8ec5d3e96e167af7e6b85ac87b5da2364b1e0d87d5c49d43ddea8e9b796580fc4fea7774f8210e4ec424aa029717937bf76b148e8af72e8badcc3f12dd259fd4dd9a325d81cfc7a193fb756b5d140fb703aaa6d71496
+TAG: cdbcd83191a554bf922180902fd060fcc63a8dc39a90ccbca9fbfeefe9a09a9da72c8782f6d3ccd9e2b5a80816eb5bb6919580a8ec186b8b1e388a561b6c931b22dfe62544456f7344f4c18c4823f167b2ebb8a93e3edb8181f358e66db5a3966eae5e893e76b16e8bd5da922720f754bdb6edf3496b62d79b14f00f24c1b30ec6ea16d88cac2b336f2bd057e68d6075907de3c9e7434da017d8bc5348ad79ec14182e07fc70f4e33ca2aaa2216d29aaf4dffb583c1b5159eedd66a2515127c3db358c1ccd89da4cefaf75a6eb5a8a80396ffcef783973f552645885e20b91dc0cf4485e94d943ea4bff3704a4bd2e23388090fb7ff707cf80b0c71f6d4560b3be71edab2e0b8d5ded1998f3b1df51225495
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (63 mod 64).
+# DIGEST: f3a432271c9be858725fd024071c4f479ca9a971
+KEY: be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b7
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+AD: e112a72933c7b54ed4fad0
+CT: 0e87c57c18fdc439c968a9dab086c88271be6dd00843879ae1563e4ed03d69f9fa09a29c1bf99b1c859323eb8452acb2f808f051669bb5e097e23b947369b5a0577157995d729a75ae7a65e293acace3124a8aec53328439e5f2103fc3a236728682fc129a5b0e203bd730303fdd23962d6ea7a35aae3691f6721dafdf18fa
+TAG: d7453e8aea805b4c95ed51f1033b386cfd74fef1c205d51fe351ec3b1a3bb2e2b7debd8b20c688f4c516a61fbaa690eb635fe2974a71f45d1b4e2fdf3be4724c3eacadbc6d295ea9b6f53c249783f35898ee4818a67ce5b002f17a48199c779b17482ddf5448b6186cd979dea3d9c7b0ae3f106c4b90c960dd8899a67e9f18767b49497519c86c0b391098192299e4f85862d150bb3e439f05fc9f937c888c4f40684c25018fae0c6fedee92fc0035d073f3704f61d93e7e321a19512561676a216127e6a716d1f5ea43b67dcfaa1ffde7380c066efdc8acba10f2e790d4839419dbed3d89634ae785f7aa3ace1fa1720757066f4b75b883c0ed592b8cba79a400d5e442e23716a7a13c252a7ce156e219
 TAG_LEN: 20
 NO_SEAL: 01
 

crypto/cipher_extra/test/aes_128_cbc_sha1_tls_tests.txt

@@ -42,14 +42,707 @@ TAG_LEN: 20
 NO_SEAL: 01
 FAILS: 01
 
-# Test with maximal padding.
-# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
-KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
-NONCE: c55b436965aabe477e0cdd46be99371e
-IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
-AD: 1df3f4183aa23fd8d7efd8
-CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f2710974350a2a38a13b0434d312
-TAG: ead153f0c9488b88357e81187178465d2416ca97dbf7460c9519ed9957d9e74e62950447e49dd233e9c504876a90fa79273e597ed751da4f32a2c60cecbfb6641ca2e8938774cbc324affa9bb027d219730d57ca1981e87d0dcd0551618493f79ff8c0366383e0698a009bd976c63f089a8b901b5a08fabf0d3f798c349743634d5dd35a2195cf0b74b67d36d65be1aa920831906acbc57cd880964ec948e9c11614104721efb62a47600ee968418b1d197c3ce6ba6246d5ac1f07819f67c2cb3ca5162aedd354e2314d65d5e863964db421846da7603b9f11c503966834ed501885763da3e89a59f89f1e31f78111324b79637dd3b6aeeb71ccf2557f9725b86dd13088ce257cd6ea71706ff8ec9036f56d76c4
+# Test with maximal padding (0 mod 64).
+# DIGEST: ceb2d295bd0efd37c6c34dab1854c80e986174fc
+KEY: 37446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac
+NONCE: 997deafd64b1fc65de39f4f03541a11b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba
+AD: 2fd6773e0d0c302a5f47e0
+CT: 2840fb36bc8e03c59de49315bd8a6e091f41fb020cdb174ed0ab84fab8f94c14e840fd37fc13f48490c2d2ffd4efeb4da8d98840f6ee5af812bcbbeeb7f2992b
+TAG: a767b9c80eb4ab9270c0c08d6adc1bf56245929a79a4511a8a4ccd2c996611a0154c8101217b46b049331d3109a42093f223a8224e11fcecee906b2ef52e5650da0498e3f832101b7ef66fdbcef302f362e570e5e42d5dbc33d0d662913c78a8caf3a9e2e22949cf6d212efee4d9dc8d03fd6a00d41f3073c4b73149e8bf05d23b2dd88aab1c87ac948a3f96be79c52efe9488ceb9a1c5511b441a6ba4204beaf339539ff9b4443000b5b7c00261c663be3087c395ee448e724d1cfcbe10e15ccddcf50378fef972fa3aca38fdb1d131f1bc7ce166f4476a008883292f8422cc668e1c8e0cd53cb25a64324d187b14143563d8d1af9371602a068da959c587cd6a383d1ffc74190c0499b2d71390cdcf
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (1 mod 64).
+# DIGEST: a07054c760cc66fc704edf950201005031f3faac
+KEY: 446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac99
+NONCE: 7deafd64b1fc65de39f4f03541a11be1
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2f
+AD: d6773e0d0c302a5f47e037
+CT: 2e7e6cd84e03e35d8977c9e1d4ce6784c4db3a87fa1b82e6f781e284e0d3914eb56acdde0374eed6283cc10e1f329821fefbf888dfc8fb42fa574cb64df6d88d2d
+TAG: 80503493bfa3c2cd3817bb145fc579ebe050bf0e6310a29c9e1a7e98371833a25bea5c82bb6128cba6e27e7e796b49b49cd55ad123f90aade4d76a636104e5a4f6fc9c92997c0706d709145b208523c0c890394fcec38507fa0bad3d24fdc921416501e5c9b6964db81572bb933b67c4b5bb2070ad5068069592d35902ab93bad8d5121fe15bbb2bd27ad946a21f2ecd7e95c7f4c63ddd00589ac304d638307e798d9a55bfde231f5bd8a8f89cfae591b0234662647c3b42278f4157c4fb44fcc51862bbb2f03273f680d6dccee49b51bb4b881e5a1768dbc537e67073b796047fbce6f90eb54776d9f0237978f129af7efd4a3f380547e883d9976b38819acf9e0411769fc6898eaeca53f5def25f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (2 mod 64).
+# DIGEST: d059c266cf6233af730b7a229b19356a4c6fcf06
+KEY: 6f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997d
+NONCE: eafd64b1fc65de39f4f03541a11be112
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+AD: 773e0d0c302a5f47e03744
+CT: be77b79780ae8ccda54d5f995f7c1beee8ac61735285e34d9dd137058555e723daeafe392773f428ec528a14c2f52a86365c4929d98d4504c669db1d984e2f84f7bf
+TAG: 24836360777dbacbbcea10d08e3d975a0bd32669871000178d167a1e40a6723b7c47ebd32e5df52cc4e0ee5459b355f285a0a93bd9fd016642221a335a2f09a4635f71d8575bdd081caa14b083aed01444df63e5cb01377b8a3ac31006c92621a894b71d50c85964234a5aae094a931e5456416236001f46d771767aee47f6b7c3493fc10b9f392dd629852623c1ff6f1e7dd3346d1aabd132301fa16ce88017fe3ca394d1c685942f1ed7b37f84a25682142b02ce138ae9b21c85db410cc3c266f6a490ffdaa0ce95e8b1f2da7f6e6ddda2d4570dc5619605fca903e47eb62d7419dfe49f354ac18762abbdfe5431a863b6f7371731ebb09ab41aba79e41be8603060fe921e4dc8b7f422392640
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (3 mod 64).
+# DIGEST: 8aac0687e33041fcc18da154b41f20a6af2bfb28
+KEY: 5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997dea
+NONCE: fd64b1fc65de39f4f03541a11be112a7
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd677
+AD: 3e0d0c302a5f47e037446f
+CT: 82aba2e22933737ef55346865375b574f24066eabe39fb800ec790df3ad05f85a760332e8a1d45e7b0c2d969ac5689505510fe035db4ac1c5a8a01a6f6ac00ad3d8344
+TAG: 090114b0a31c301edc2bed8e25298d4f913558ce3f6f607b0fce5f9e7b1c953601ce9890f0d8e8d6a71c5ccc4e0aab08942628d21f467bfbfc4996863e8fd296b7ce153568999980ac2980ca68b16c0b2edfe5efcfff121a7e4dfc8dd9387442c4847f7c572f668aa990334dc50a54480f673c338f1ea9c81cfb9d482f6e4ae163e412108ad5775aefe89173229efd58a0f56b411008f87e3aa307413779538057f5d846a1586920b1448b4fda27b65647b946bd5b7950a5e3e37ccca55b359b4726e26fc3d168a9e8bef56c1a61fcb2b55cca61bac0123190572c939584ffae1e913b82bbd8057f302a900d2a1a7ed1ab4a1b7c8c5cd56fc472d69d013bb897ea3d72d299da0df5fcc7a745dc
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (4 mod 64).
+# DIGEST: 53658226c112b86438dd27b58a71f9e36fc73c1e
+KEY: 91d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd
+NONCE: 64b1fc65de39f4f03541a11be112a729
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+AD: 0d0c302a5f47e037446f58
+CT: 3eceac2e338b4dfd9f4840d77db69ed23ee286b522cd4a324b04b1865cc772914c8d84abbf0db1a3a2d15401759b18d6fb3b7020cca1e31d136fb97b26bc772baf5a363c
+TAG: 1b6a98c7f9b8c5c560add0eb46d2d7559ebce0894b876f0de8ec37031df30667cc3ea54a4e71d8bcfe575d6044d9f70852fcf9a1a6756643e28944b59856ed1ce9958045eae0aa64bba55b64aac0cacded741293262550b085b4cb143d8bb8f7061eda2911c86e1afce94a8afb4db1060c2da1e9bb0ca8747d71b706134e44bb7e4b73518ca9201d610860961a53438d6efb51031a1ba0fa9b437b8a3aebc0479bace7843b319c02b4987490bed351be2eced028a2d0c97a1e30ccbd820f4b3f669e33b74c1b550a8d9782b9ec7fa45b24dcd5b6788895d6246a4cdfb015c605741047c1d2323e207a8a622e55b6a19401bb67de62154392edb28ab3cdfbb2ae2f21c3181ee8033130e95e05
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (5 mod 64).
+# DIGEST: 6b7d5268b0b5037afb5be5af6a0ceb34e7656ac4
+KEY: d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64
+NONCE: b1fc65de39f4f03541a11be112a72933
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d
+AD: 0c302a5f47e037446f5891
+CT: 5cfcf9e4dbe1a74e748665bf393c6fe93807ea36556590a1f2814c2b445988c1f6c2815f6b1f0fecae452d1bb89a055bc6f85bea11d99d0b0c62db8a81e3f0f3a557c208cd
+TAG: 8e73adba964c6868bb3da63b0d528a22eea8bfb4be0b1030070436f5c442649857c9c4a32759c5071d7d741692368497a978b5668b912cdfb0c404e514411ff111ea9f1224cb4a9256dc57a8a4677fe576b554cf6e4f975ac3a81eefcaa0bb68ac5bb26b1bf54bf034a50a1b3265e0baa8a900f048246c7ea825234732c3f5b34c4ddc0adc46178d0adbd9a524502061ad4c6df62dcd8f8851f270dc452be39021d5f054b7aa35f5235739894c659bc06333d0e564c38521d820dd7cb0dbb8a018543ebe7799cbd674a14821a6f92d776aed736fb4ce19ffe6ad5b456c09cc597443ae1bb41be9ea0213edfc1339636facbfdf56a8944cc548fd35fd5fa4a7b8cfbce736c6c96465326a49
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (6 mod 64).
+# DIGEST: 63efe7af502231420ed5aecce9a28446b257828d
+KEY: 7df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1
+NONCE: fc65de39f4f03541a11be112a72933c7
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c
+AD: 302a5f47e037446f5891d7
+CT: b2e315ef97a1b89b4625715c61946446fe1bf27aa60e65d0ad9849f71ec53ccbee951d3628efe2795949f88795b354df0ec68b21cd699cdd0f92f31f3d6013a4c1116165b4f5
+TAG: 4e9eb0387d9121ea239b27016805f35c09c90904d9becd9ce23d77233e8b68c86e17f92ac31794be17386e5fe2f40e83147a7dea38bee4b9776fb4a4da85408b80ea7718d542a47e7e5d7db38c18560dbc37d49f4fae2e013c4b89ab59f2a529b389e2ce5b2c9f0883df472fb9ac58bc5e27dc21938344195de25f1e3c015b68e6c6f6111e037010a075e78e852f9b0b8e568359ba22eddd71714403309987ed20e381b8ff67f5fd5d9e8ce77b1517da2cd4c2909f83fe70b65af0ba8dfff1e0860ccd217a19a96d94ef3cfbe1214e204d4eab8045f97aaeae0946b455e01099513c5a763596c7495de135bd2ea2b9c01e7fcc5daa0e88bcb45ce5bd044dc300a281b2bfd18f6090f7eb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (7 mod 64).
+# DIGEST: 1a555c300a1d1bd5b03cdd6bf2a678621624eb05
+KEY: f660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc
+NONCE: 65de39f4f03541a11be112a72933c7b5
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c30
+AD: 2a5f47e037446f5891d77d
+CT: 8221477092da15c94ec15f34ef2d540c87ab24236ee4d97ed3543f49f2daec059be7c0f157f2d869bae0bd4b9d214bd40ed01484c28019d6349cac27db29050831e5974b5426a9
+TAG: 9f10a7816f0b558aaed826c53d63677dc443bd48fe1faf9d8e8542db0b3959d6754d0771ce1a23d67561626c7c521401c0a8882656ded33ace7965f5978bfa1c960ed9eb3831f45d28a4fb0ea44cbd9118f39eddbe3c56886bb4bd6593e13f2bf641e88adccaf76ab0356cb77654a1b27597b1b5fbbbf15b6c7673d92aa7073745721a299797b77c5b205ee44da405d634f971abf26bd7cffb21cd6f952eec7bc214d6ee0a31622c78259ba14072536751b87b968cc5e6ecb21d1b64c53f7ac24dd9344c2a03dbea3c5704bd283a8d28eb2ba5e4dc1b16a0edd6f4cb76aaf746b1a987d58ed73eb2b266a148ddbc033bd45712a3101f7b536d2d902b7e124e199442b149e3b603f199
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (8 mod 64).
+# DIGEST: de9156349b578f2f44945ec6a676a67a829daea1
+KEY: 60ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65
+NONCE: de39f4f03541a11be112a72933c7b54e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a
+AD: 5f47e037446f5891d77df6
+CT: 8a9f0d731d72929136ed9e6993cbb28013b336540f602c7203e6a38391dc07c8c3ce5b4ca62df582dea366c4b0b5aaabcf1959a7f0bc92047023c72225f5c071a588d95774f2e2c1
+TAG: 84d60af507164a4f4958b6aed0525028918bba60b4affc1afea92c0ef485679506ffdf649b0d9bcefcfb8f1503b2e48937a3e732785d85b11a524363a55fc994e756148a3b7b2772881aaceee2ffeb0f18bd85feb215fc8352dc76d8ab5255d56db5e9f10c42b4a3447321d459ed20e536062a33e6cc598a61b905bcd579e6d68cbdfb94c3b100e05bc0009b9841fca15d909de6897276f9177cce5b049c45954b7cddb7610127c9dd40a61bd8e47b7a165940ef3084a0b523955741414a12d34aed68db231db939b1417069516333b2c0c57e843f098a55e375639ebd2acf658de1f385a1e29c5eb9efe14c16e29488a32bbfd127592c7c45807f2b3e8f57144b9cf60130592b62
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (9 mod 64).
+# DIGEST: 12812df3aa7f3bbc899f6f248f5590e02570c292
+KEY: ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de
+NONCE: 39f4f03541a11be112a72933c7b54ed4
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f
+AD: 47e037446f5891d77df660
+CT: e3af374fb6f33c64fc2e4cc1e1b635bbe890f02359b6adb2a747beda433e003e30e1803f2169ff6abc81ff8095601cdff7aebae5fd8fc012387a70dd7db18e7eb79f87fcc1821ffdf6
+TAG: 4f9730c5eeb9cb32e005afc571d2ed5b2de38670704f854c838d00584becf8583ee7e79d9609bb73abb70bd01ab228bcf6070ee1c1c97d4f6003f6a3ccb4b8af43dfb37bbeb707e1efa51b0447e6b31e82a3fecaacad99014a8d502c3db8a36665f85d62938de6ffe30c4749535bb124129caa1fa465d04c1005e64f7f4397607b4e6fc31b9c34961b7276185fc3211eda045c06a28aec0a1e0a0e2f1f6829a1ab372d0bedd711158696b062b9dcfbff4925dca71d4ad7f7c610d40bfc6e7d04f4990d6efdd059679c7137b5f5d28c9784fca307e2e1df33dfec10a242379ff30984c62c201738edd60007c9d56557692e8f73e5d0c83059d568312b3504de9691ad3d9b30a4a2
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (10 mod 64).
+# DIGEST: f3c89f21c327fca4aa400fabea9e39780378e901
+KEY: 82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39
+NONCE: f4f03541a11be112a72933c7b54ed4fa
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47
+AD: e037446f5891d77df660ed
+CT: 98b22a9119610480bdfc5cb6e2a950ccac8741690574730b87fbeb113d5daac699c333ff21efd0e73d2252e95f64dd2699b940b490259cb5fd698756713c0e53ff69a733ea13587cbcb6
+TAG: 63600a3d7fe8a782af7af230da63bc84dd993bcffaa5f76e5f63ef56407d0412b831dab138d117fbc081139cc49946a7631f488c11946c10530806ce7a781baa3bd072300a5cdf8aaa3b2657ea3732c1e24271c447e6d7f6a2afa0bef27aada30585c33479debc10cb72febb181c7f5f77490b339285bfbb0bf07c545ed5a0f3f183fefdc7138e330095636956328ab85a201e3cd6a2edc573d75327bdf615ffc8e6fd5e133558b831e24b67751098320e9afdfe7c7ef4598c29563113052c568263612fdc3c48d8e9a8a407bc2918ede467636dc0185d9423e9eaefef4126247012d5f1930c56dd9dd7c34d397f388e4f741953d76bb1eec911079936a8dfc584fb5b7c84e4
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (11 mod 64).
+# DIGEST: e8e41988fad6c8b44c56544964cfe0a347b35b1e
+KEY: 933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4
+NONCE: f03541a11be112a72933c7b54ed4fad0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0
+AD: 37446f5891d77df660ed82
+CT: 8795d6c225aa78fccaaff86101641081f4a440969633ca8d7830ffb14f629fa34dc4c15e8ff20a8940c7a484ee94503372e658615eb3fc07c2d2c399ae9ad7a77d684512d0ca273f77fcfe
+TAG: 534574a93db9658b653cd395e981cd4a8992e817ba058f692c5f0c1682745097ed441781afe30827bcaa29d061e2d1554a949cf7b62077b768bc1ca8679618a5d2b32c0b7e735db6a27fd762a60aa19e60a60a9edb02f20e3e99fd4653732525a0c8d8042bd3ba5387f93a7e0da483173b3abcd3ff876badd75b81741abfe2baf21be1006d1cb85bc543ddc7493f8faf4e27619686ba324cf651a16e7ffc23ae7786eb8823300a5c65982228aecde99f53d43f86d9ec0d326eb3ece9f6cf1c6bf92d1599c5f9c391e9ba189195665d3018c38207717502bb60e020773618df614bb4e0309fa0809ab215f68f0d9d46c28950d3edad6c4f71dd5af9d03dfa39ae62482601ff
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (12 mod 64).
+# DIGEST: d1c7b2c04dc25fe7b742a1d659aec20e1475ee4f
+KEY: 3f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+NONCE: 3541a11be112a72933c7b54ed4fad0be
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037
+AD: 446f5891d77df660ed8293
+CT: 694868cf990a1b8ef42fcb2b45cabf1bd78eee4b429c11b27a827762b9c319bc54a2b2c8eb2ac85063ef8ac7da8bc35b16c0a98822981dc9b246381780da7833eb718bc8518e2b176656ff5c
+TAG: ca1dc8a003fd389a1eb1cfa4bf9746cdf45c548f8e52e0bb0dd456c1369686e0975fada75cd8fb261a01828fa1375941dcd8c718f82d6b64222dfbf7143ce980f3936b78e525c961b7d72d5d68127d0f98de541853ae36408ac489c5629c82f00a44dbdc89d665f94fb391c4a0618f31df9bcf39a07325b600265daaf53c2762396f9f6e83fb4f545aefaaeb447d4162ad401e1da2ec090d78d7b354d80fa975dcea9b897fc0f16681cd9a1aedc78cdcbf26249e18132e518b75849af55de38562ac32c50819a35156706510688f3a81e13e3bd5f61a0c2a8655c251f4732258c3cf34694be21caad599996c9a13303be173f916e90f606dfe1640bcf35e892eab6ca70f59ca019d27c58cb69b4cb3bcd484198d
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (13 mod 64).
+# DIGEST: 116e20ff1e79e0af464d473b1e7c187f4dd66007
+KEY: 62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f035
+NONCE: 41a11be112a72933c7b54ed4fad0be90
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744
+AD: 6f5891d77df660ed82933f
+CT: f2e78e183884c99ad7f199a02d87a1026c832b9a953919a98c2487bd0d724be407994fcce9e19b5a69f15ceef5d3b95c79d5fffede18a143cdfade5c0f80254cb38e47cc9c82488116640aebe9
+TAG: 11f4ab3470df6f43596f9275964c3ecc22543daebbdb99004eb6c1e001b2119ef9b247f30481117102a179a7ca72c556a029b77d0ee2167190923012aef527b8a432576f8948a7dc77ebb79fc7a9dd1d981a4bab9c00e498c09902ffb9362113f6ad3ac6c1f792fe27d3a71aa19b9f769f2417ada3d303e3fd2600484c9f6b43e4ad834e60ce4d4885088087a96eb52ad989a9e9a43aa53a78e513743a8f08cb472a144af5a6abc17f217715e074aa470ba71d2b1b75e4ff3f597c4d1993412d37f94989c1df016f72b26c8d58d78a8a3295108e9bc061facdbc4c708a1d7e7c95bb8e365d4e933c0e519d08abef948abb67c5a3ebe938b91613ae9bcb6079436af3acbbdfacf77e8b935686d4ef7ed47b5b10
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (14 mod 64).
+# DIGEST: c081d0d09b2c9eb39a372ef4a7b0246a0956b0f9
+KEY: be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541
+NONCE: a11be112a72933c7b54ed4fad0be905d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f
+AD: 5891d77df660ed82933f62
+CT: c7de96bb45663dfe6da2a64ffc9ddfa7c3dc63077079bd4bc2ce52fea89924a75664782a5026fb5a099ec460eb9c6d7c3d5ea383092c8f4c67a70fc499a7689bfc27df4da7c185d573e6f8d70cc6
+TAG: 1d6cf11ee4afa8efb4e025dc32e0c73a6fcda2aa5c892031c7fde0d0d69e38e9e64e88a714184fbe73ca0f1dfd35ba3b0378a474cb4aaeb942a529cd199e20b7dd62654b97d92dc317975d5e26ca1378d41799a127c44a157982dc3677a4dd391e22b6906d303c2c60cde6052ffbdbe5f8bce22bc2ee42975f9892b68f228cb1f584b1a3fb2f15cb7bcf3d9650e72e796c46f7738986be7f7c30dc56c179299c9c368090f68b96735673f2279366122e5cd94d8d4ca2cbeddc3502d833bb365756cd511577a7499c199f403ce114ae47aabd351bd27e4595e3955e1d1c617a3d0ca2d6e4a2bc3275f5ef706fc4e02e48719958d37d172ad1473878686fca9420dafc83e0baaa9aefb1e50c98d6006ead6bd7
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (15 mod 64).
+# DIGEST: 6f7bb1f9e2772eb909c315e653e4737cfed78a18
+KEY: 8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a1
+NONCE: 1be112a72933c7b54ed4fad0be905d41
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58
+AD: 91d77df660ed82933f62be
+CT: 3a77c0f70f9044fb3817d57be4f4e5ee4b27ffa586327f77c18346f9fef2608a552b551ac549f9e8d47c4959196162862fe2a35e44581971c2974d4a65a47ae719a7f5f070ad902b8a9e022abcf303
+TAG: 825fc7dd84de7f3bcc941d0234090a9409e47dda077e0f3fd000965bde1d4ff30e15b23affe14d94515629f8c018d085f41aa3ebfd0498f621593d57aaec4bdd0e22df21668451b098429967c8eb8789f92a5578d177e5d2e326fc14fff272eb90368d56a777849cc5a1d54c6a458d32c26f4cf99e0f80c91e6df29aa53edb03df176b9873f5827686faf26dbb038813a8170f59e3ad85ad698308748d112b7fbca45156a4410cf32fb34fbbf27b66dddc0680f2bcd7cac6b8cefa83945fad84f77a396630029e6bfe9f15cbf5a884332de5ea7f558d783858c18761983080c13f9c06be367ad856cf159656ad140e84d6af4b4c3517b90f5ec0a8e6fe18d42ce3d194f695f9b7440d4118b8170705b766
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (16 mod 64).
+# DIGEST: 172f4992e692a88f49628e5d3937959be01aed2e
+KEY: c55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+NONCE: e112a72933c7b54ed4fad0be905d4120
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891
+AD: d77df660ed82933f62be8d
+CT: f2f3a3d985eb38c406bb0db0d141188c680656db8a4484abad2c8973267e14458e2be7cb52f06ee2a0f68eaced13db714296319b2b3557454f5e9cb47e8943ea3e66f7bd25c5757375be7bdd65fef53b
+TAG: 2c441fd3259628cab417df36374ededb37b9775c0ddff861a5b957a9237265000be0857b3b8482ccc5a348dbb9f4529da4baca8a8820468b1219fe4680221bad9a527d93ca499a988411021e0f9cbfbacc7851c63cc1886e934238d9b7f9cb6b330ad00da830b34c7e4398d148af7599a87770102622e7a68828dece16d4255bb319c75ab0046defe72269fe67780b34324eb3d57effa216411caea5661e64d8151707ffa86752c876590ec46926b7e963ced6a7fa95b1bd958e618bdf1775a9b3ff18c91ed490f39cffe0ab03bb5006cd321d8e6bbdb19597ad7692eb7a7685e075de1d383089f46c8a4bf1aa948bf08b89fde28696147c767f5fdf2aee8b8d4af2903452fc5876aa226d490140a55e
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (17 mod 64).
+# DIGEST: 00133da1f7c63fd5f0eec364e9a359be02c1d3da
+KEY: 5b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be1
+NONCE: 12a72933c7b54ed4fad0be905d41203f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d7
+AD: 7df660ed82933f62be8dc5
+CT: 02fd26e7b51a1bc6ab6735045d2e42fdd1f31adba98ed5f8b3e89450853104633abf6cbb70ecfba2f5b39dc06f419746abae4a51d33829bb04140275021d183ba079d58c37d4147e8114bc2e3d1542b0be
+TAG: 4bc0c3d3487bb74931c27253f0f0931d15a627ad88ac1ba563d97bcec53524870d8fefd1300feae23772902058f5f4a0c1c67eb5e4ca9d4f98692398a9019c3263d2191361b73038e3c9252502ca72070f1155952b3a0c787508d7c0c96e02036b2a26513fc69b19f1c51629fd7bdf015c0c45da5de1d6899f3cc3bdaea7a3d7bf1d0e8a8430fdd7ec70f93d7bb62fab821c1f0e9ad564d04081a3fb70b43b5ffd990e53938cd34084411c0c11db13bf2e28c6fa299c720f3f68ad751c20f6d12ce79382a1d0c4bf3a6bd3a695b3040193eab3c73aa4ee751447a5a46845c86e22909cebcbfc8b653f352072aad19b725dae4cf4d1c8bfe55605f0eec27682a6a365cf2e3e94ff769c2aeb328fbe6f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (18 mod 64).
+# DIGEST: 60a6821269be6c5b985576b245f106128eb0b325
+KEY: 436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112
+NONCE: a72933c7b54ed4fad0be905d41203f5d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d
+AD: f660ed82933f62be8dc55b
+CT: b2fe392acc286bdc73cac1aee34ecb3a3e3ae2ccdb065618e3c4a17f2b2668a2c11108b0bf8a8ffe20800a698e73c9b6ed4b0da61bf6fc22c33c75439445061e198f018f271a8698d87185b7df77daf9e757
+TAG: 7a3dcda8c73da41cca4a85a9bb5226d8a94f2a39abaad492ee978b6051961be1f0023b673348fa17eb29430a340b3597c6aca9304be30abc5129bd65073aec837e55fe06c7787f4272e75c32b3f1777451e17853f4a4696cedbeabb57170f77efe9db657572035af08cbde5432478dc339147d433457d3a15f8820515a6f267dcd14cd9489352e1561414e3e1e0a85129976c24dd016d4621af0058ef4e19fe4bdfdbbec370fed7ef641434eb629fbb16fbcdd117e9b84ccf7ada8324f9815e4aa42c12d4f0609060545997afd4e6786a0457b0b2fc73ff7856adb51223d2408ce4c414ef2afe52a3bb67be43997898ba846045e96a27acf3f1bec0b755e424f57c69774cc13ada5227c7642f563
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (19 mod 64).
+# DIGEST: e2593f3b6741a9ed9fa188fc06efd057556ee624
+KEY: 6965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a7
+NONCE: 2933c7b54ed4fad0be905d41203f5dce
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df6
+AD: 60ed82933f62be8dc55b43
+CT: 8780167385b8856be346b71b042332368067d5d9420b3793fe94bc1ba92991756523c7a8e0114af8fa7296ffef8fae01796b47edea43bdcaa8832a08e823c45c1ccfaf1190cc7fc73a67decbdf407c72740a7d
+TAG: 974451fd4d9d6d1f88be4404869b435b4b687a1150b31a0671c93f52f76f2e4dd71bf4a3583f68ea5fa4a0dbf8c779f83e8dca1882e9bfca3e914e77ccbf40ac94769c44f9a8bcbc35a4f9920c6860078d369f57b407d353e8022263061bc974df29fa7c862f3d06213b1190cdd3e2091b2e26532356560efc3b21a499f4841869c993272b70f153985d45756a0b3250a1b91ee3f25a6afbc202f3ef81dc607068fc7214e69255342e662c64ffd8acbe86992ad20ce376d92ee0bfbee6a72a1f83f470d0bbf6ec22b364e842b84736d3923de92c488c102344fef6f78624989460a2c45fadec2a7bf722e2e6a34162363cc04720a50f0d309f64f9322a11b642b97f023cb82a521af6b1759d37
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (20 mod 64).
+# DIGEST: 17450a437efe239e1858ac4062f34024305372be
+KEY: 65aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a729
+NONCE: 33c7b54ed4fad0be905d41203f5dce99
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660
+AD: ed82933f62be8dc55b4369
+CT: 2cd2031084f8742da110ab5d8f7290828857c867b38427c3f53be0dbe2cc94527d2f0aee90a38dee77c0ce115ef650b2ae65094e99ac9bf6da89e5440c1bb4f8ccd163427bb95b3ccd629e6881107d6c9a80cc37
+TAG: 026560a6675920dfb199359bea1a03ef0d7d67d359bb6b94074eef54047e92a0940f8eb5d08aea137b7caa73904b66a8c99775e0d859e4c91d68dfab271a9401fb650a9afb83ec4b42b97a74db1908fdca0a06603cde524524ecb3bfa15a96b6e250edb83e7c59385357c075bf077ada33489dae99c2e5d5f17cdab9d23dfae4171e564bb91e3e78d61dc7f1712c2a4431e9451cc1f58df004d04ec50f77a2681969ed91e07df4ec90fd185ede409a5387538b115107a1fe22bb999082d4341ff5a6ae7af33cb27a64eff64492a08eae3c18e5914971e514f55e65ca93a8a19d7d4c2f3df76232cbac674c480e9f4316a8df7ed9d62f8144338249732dc1c3dfcc8647804c13a03a59eab926
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (21 mod 64).
+# DIGEST: a35fc7d25f90dd9cbd35910d5532aca8aba88b29
+KEY: aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933
+NONCE: c7b54ed4fad0be905d41203f5dce998f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed
+AD: 82933f62be8dc55b436965
+CT: cea9c7528706d506d75cf085c8475c081ee8c6145ca11610b73eb3e103a706faa66062f8edc10abaa7c3edb3fcaf43c202c4812e768fececaa04564414f45816fa5c0df5b7518ea3859be75c4567565358293e9232
+TAG: 32de5af09080604ec6b6fc5a0a542837a54131fc87b1825666e5d56f09e15b76d47fd8086dab709567aacc3e59d395656ffadab861ba9a0e1c1b30321ce334b68724877ec6806245bdab9bc0f8e5af6582fe91a2ad95f7a6bd0ad1df9f9c2d2c20f78f2fb0bd2653fc8e8fefc9255541d789a0059820b30902c3e4344b68d4603b3fb8f5001df91fc9383dcfe76f219933078c602fe2813b9e59e8f996f8943c96c10f27d02f5bae69789870a61abb6c3b118f6cc348188495798b07424a750556a8d1e444b47283b096b9cd8b98b790445ba8ad8245a040a3cc96c2d72aba1474f949dc607c386c7cbbda952651f6d3260c82e5a06c517a89c5dfbefa069136e3c094ee1af26fc4c77e21
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (22 mod 64).
+# DIGEST: 73eff0f03358879f900b6ebd515f0f4e5a6929e4
+KEY: be477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7
+NONCE: b54ed4fad0be905d41203f5dce998f8f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82
+AD: 933f62be8dc55b436965aa
+CT: e967973079db00d2257d84817ff4c5faaf98024ac7eb71d22af3cbb92a001a558f5cce2e8c293d6dc2a968f69cb2731bf65954affbfdef4085123aa06baf0d80edd8d04ad4b1d48120f0db0df02ca13708f66a567ed0
+TAG: b8f6b6618dc8b59b07566c1aecf97a9933b6546fd8882d14cf75b2065f17518722b5fd77f9449cdf4feb87e7943f9d48b56ab891514f608767f1711314974b020804b7227326185bcdd338e3a9df31f6c3a0190b25d02dab04ce23fab918d6176814877ffba65e410bab2ae256d4f5f937458d24a144f3c45f6fb27e9f95490e95eac4575d49d7dec6f72ebdf3efd9dc6c83ead51652223b18963651b8d957b7aa050b022e4beac68f928de0d1094dc756d8e1d2b89a1bcac0d3d40f0f71e67b166a6a56d8ea91df5c930566640be524f187be2065127cd15b2417f7d80b6a8cf781e0e90c6ef61cbc902e935ffd2dc9e84c4170fadb6f76b15d77c72b49b8aa30ad1efabef37d55b4bb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (23 mod 64).
+# DIGEST: dd6cea270655225cb4f4231f54c19eaaa146eac5
+KEY: 477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b5
+NONCE: 4ed4fad0be905d41203f5dce998f8fb2
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed8293
+AD: 3f62be8dc55b436965aabe
+CT: df01c1a140da0e422919c0d34b231fa3cd767766fb35f8d78d715c44b9003e42cca112fa1543d74ac05e00da9b5740c03b5c4d1e558ceb8629adf3adb1771e6edd5b986094f724e675682e65af15bb3c0feeed8cb3407a
+TAG: 25a40fa2eda366cc951e8965249500a657316c33538f874f861753eb038dc5cce0425824f138abde55bade8b0500af1f61b8ea69d4bd68de3fc403021c2224635535bc83dcbb429a8ea6c0ca2687a34e02d1dc45e7bebafd26b4814c0766e7fce5238767280ce0424a3f16a30b943622b8c1abe4eb6c279333e9d8f7bc32afb915bc5b0328147b57d02d68584afd85107302e3c84983cff39256313c4462b693c256edbbedadc50a52cd2a3c8255c1c34ba87a70cb652d74d8375ede59a57514bf5bc50532acc8be4b438daaa2d7d2caae6c291ea2c78e27766b6e2afa2551f3287a6a2a4bf747a1706cd66fd724fbe0e7e81197b1ac612c05cde5a62fa0d5c43d01e6300c7066057e
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (24 mod 64).
+# DIGEST: 34dd9bf0ce19eff890ecad474388779f63b0af70
+KEY: 7e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54e
+NONCE: d4fad0be905d41203f5dce998f8fb2ea
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f
+AD: 62be8dc55b436965aabe47
+CT: 889ed4c7bd5455821c5b95a67a277a197140816784e820ad8e126b3d3f0ddaca73e3eede78c1c1d3ff5c2a98c0cadd644393b7e3c2273aea2be1c6fd20374b71edbed5658237d819b5e4e206698c8cc8c12e017196776bbd
+TAG: 57da1b6d2a9717b7f6f37f21dd9c686414ecd07bc24619b9d35c62c3548586bf726bdd33fcbbf64686556d1ece930f37c6f4c8bc1931a10c50269cc1dcd95bed9d9edb0463a266e6e51d2d90fa9c1a1a4dec6d21663df4f4b99060b37441cdc09386eb785b7cb0183df692d7846483998269e36d06bc7e3a010ebc798c83a5de0c4d6201f2b5b7187a7d99d109741a19e267cbe458063aa1ee66c7c2e0449549d03a9cac20d356c393de63d466ac3e04d63b88c26768f0b3fb18564acb1515ce4be0829aa99cb293adb9a0d3dde529827abeae270611c35277a4b373fb099cfc86a99483063014ec189429a243438447c9cd47a333b22e2c1c84845b79e23a661d411570c510f42c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (25 mod 64).
+# DIGEST: 7db8cfbd3b29f96d752346eeda3c2bb0bd070099
+KEY: 0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4
+NONCE: fad0be905d41203f5dce998f8fb2eaad
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62
+AD: be8dc55b436965aabe477e
+CT: 13833f78c9383bb4455972d6e7d8f22597e65de7dd01afa28fd99f9734366c522bcaef59c41487d84b3f84c1e0b7e5ff6de84206f54d5ae80ce80fe3cb68ea4edcd15897fd6fabe2a19904010538005668f2b05245e28bc0eb
+TAG: a76458445b8ba4572e8aed335eeb6ef8126ccaebe8b4be3f799e1def09f8a81fddc2ddde86e2d011c4b61eb16bb74cc5a2c7e1b6d0107f6b749b93fe9f6589bf4ea2444cb63f5bdd3b65827fff3adf32044621aa164160ac4662506b42b0b13ac148e09abc016102ccc988362f5cf64b969fc056e3f302a830f9a0b7f3789bac1c940d5cd7e2dd61aa3c6b970c3d066504093d658fb5f9ac7fb22ce306f5a9d495ca7e29d02bb39123b5387c43ed9fa1b8a061a339ced5a9393b7dc6401921d0fe424c1f168451286961f8ac199c3f8f8d4b154c89d290a27cc53695e082bbec8a338ee09826555a3fba8fa4bdb663ba932db800df0a1b570450f33f936cb71622854b84b260c9
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (26 mod 64).
+# DIGEST: 4abaa8453e8cfdefd918571a961d8351754ad5b4
+KEY: dd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fa
+NONCE: d0be905d41203f5dce998f8fb2eaad40
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be
+AD: 8dc55b436965aabe477e0c
+CT: 03065bb245ba12ab90903bc081198fdfe45d7d3c6fa3b1f76bde831917376ec2a5b2ac2cf629de6bd3f23025b678ea9cc3bd7801f5510b58432a8bc17999304fec4de7ab9ac22d75897cac67ed57e30d4745588b36695dd005c5
+TAG: 92877bfb09987df366759a1776b758dd9943472b933d5720e4d199002d4f3ffdd527c2cdb16993da7aec2ee53a24f6681c22fdb9f9f69a89704b6356441c6e87930b2ddc47bdc1fa0df00f7490c16e18a095b53288042525f60f0f37be0036f9a7dfa37ed3977456b3d8c4c4b2c47879a4495bbfd6a512fb59a40b20bce316ecc559aa825b4be8dbbc5dbe06fdd074c1f2132e954fb74fc97075e9c5052a0f86bb431f7fd99d62080140e0457f8b5deadb9b2528e61731488f25f0574283a1b30c80b2bfafcf0e4343ceb83dd20d2179a38866780025516e5f8216ab70c158ddfd0ad7a446969cc9f6eaf5c984ce8e9c38fd3b8a007a1c154bb4330fbee4329b8335f4ec4b23
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (27 mod 64).
+# DIGEST: 0fb9d7ffcc7c9b84f34661d472ae2d4fa25d3d99
+KEY: 46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0
+NONCE: be905d41203f5dce998f8fb2eaad409a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
+AD: c55b436965aabe477e0cdd
+CT: 04c76011b9c4cc8ff18038d36a8c8b91debc8d0929ec173cfa5450f434308234e6a368f17a04ec0556dcf5ace0efb5ab51956d0daec5c530129aaa78309c3d0a04af17d02b0f91f70a82b2ea03522659f76d1919731ca52747da3d
+TAG: bb70d9741043c7d3d9a3c5f7d2dc1517a91729b54dc8f49291e2201331a24fb24ad212398617237c77de3d6266fd32341893a9c8bb42e60123bf3bd4fd70a065d6f3d0ae98434d8cda789be46a5e5ad05033d18cdadb36e33fca58181909dbd3cc1733dfb4b6dba689a66f19bbadd35f830d6af1edcbedca45b2810cc82ce83d39ef9d6d17aefec9b7199575e8d08df3ecb9a407b41a9c1d851e923072c96c5ffc60d3987ad10f27aab7792a198a17c8bf88c586ab11cee5008ee7ea769c56ff8d644b51059b9b2ddcfaa92d3b3055a4b3921bf95c5c131c2485d869f642cd14cd4eb9b73740534f6c48c63f76c6f1e4dfcdd9dc3c07593ee6032a98aa10e1b7f095c505d2
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (28 mod 64).
+# DIGEST: c68fec315401703e49722fe4b39cf28b14e9f50c
+KEY: be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be
+NONCE: 905d41203f5dce998f8fb2eaad409ae0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc5
+AD: 5b436965aabe477e0cdd46
+CT: 5d9af50991ea21f041a766d8d9036073eeb0ac083b8069619ee50c64c661bad73a9e2ca7f8b49ad9df79e47b49ca3c8ea9dc254854f116a49959c91481ba96463521bfdb74902a4b454d2c6af72d130175c33e8764b64bc93955f9f3
+TAG: c3ccb45d8e69eccdb1f058a490d8de92f255953c16f27e21b49e4f29639452ff846aa45394972d895a0fcde901fee45211e835f6e4152de7475075e1e7ed832d45e0407eac1c6a0c88de4a9fb44d961b3be197e45af38a88d1070416c419046f6e43496e6fc1750de734c7773bba9b402dc96683d624117249f3d3f3d87f83a140018afde34dd5980e86e157d632acb7fa5400dd272fe74abe46652eab999b9ac1cb65a4a609f3bf9cf3c8434f9eca0bd440d665e772629c0cc76e0d9009e47f5667c0a0846ebbb1c1b23523262d3225bc23e3513ebed8f67c721cc0886efb251b374ee4e79f60c6fc7bfb81ad9ac88c0a782d3c4bb918cd21ca1f3b8e311f5e48b9e6d738ade59dafd07ca721aed0f6f7f98f1b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (29 mod 64).
+# DIGEST: 15e1aa5285beab679aaedbf51a86b4aebbe3d7df
+KEY: 99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be90
+NONCE: 5d41203f5dce998f8fb2eaad409ae021
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b
+AD: 436965aabe477e0cdd46be
+CT: 182dc2f9f412f305a8fa4813e8c8eb7a41f9708efb516fe3feaa6ae94c89b4437cbdba7c738fb97ef9739ed94d988bd60af5359194d2b5f8a48e3f5482c3be294ae65ce803e21acdee157d436188980be8e58c95a7a5a33e427473d4ba
+TAG: 2751722d2433b908076080c82895c633135bed9c7486d2fec286ea11b279b5029784972d39c8732cb1631841a60e86ad8b17c41e9c0b54ea3dba7b15121532b7d7a7fe8f92e2280481c73590cc38bbec7888932be3d10ab251157ed0335ea1b06a379c4d19d7d860bba5164da684c9d0eeb20e65c0c63a60bf94f65fa4e0f61bb94786271d5ca588093446fd563a6d513d81d590244807ce399f4bbee2f09cd8145634c1ebf06bb408489fa362b06af21a934b1114dd8233c8cb629df7fc5ac619fe2701de7daf7d7295049e1909fda9864fd7cd088316be8dc7770237748de45c3dde6d476d233983392e1a3a96f9c6550d5a7df61e3818492806db44121c277df71b9e1e176e335a68f2811637a9ce17919d
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (30 mod 64).
+# DIGEST: 8cc0b1164fc844e958e055b7ae43f2f95c29e8c3
+KEY: 371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d
+NONCE: 41203f5dce998f8fb2eaad409ae02116
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b43
+AD: 6965aabe477e0cdd46be99
+CT: 0990f57d9a7e9b64bcee741e158eb5749e9d7b34d43c6429754689d87fc45daaa618fc62d3dc111e5a1a7a06b2b14c5b0f3e2e463085e80da6ce4a6f7815cbf871376c8c87a36555b8a74e0a14421e1e4d74f7531546369ca81e4585f86b
+TAG: 4e2e000dd4c6c0eac8aeb581fd352c8c8d4033ea944594afdaa87f05ae6be756e46cf27b7ee6eb01e9f4eb50918d2b438fc0d1eaaf7c6add8078a6a9d45be1e813c18b20eef740c85df67de7765974544f5482f9a0012192f3d84b2cf6c01141f6a8040158cf9ba03c5a1b580cfddf0a682955713a4cac6e0d3b6e273db3a91a1b8096f85fbc3c7a67e893885bae3b4c65d03d111da7e199780de379c6ee07a3657ecee397ce0c9d34ee5d39e8fc4a64c86a0d68182ea48b91c76f63011d0f0cdeaba4e1ff6a19686c5223a25a10af0fce79437322c0cab4786fdb4b93e687a1c7154bd294d784169b1bc7cc5c9f3b8bc3e1d8b808b448f926ce8731ab30a33cef85f57053ef081a8948178030a50c247e53
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (31 mod 64).
+# DIGEST: b51001b6ff9d27bccf3103a4961280e0a1406257
+KEY: 1eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41
+NONCE: 203f5dce998f8fb2eaad409ae0211641
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b4369
+AD: 65aabe477e0cdd46be9937
+CT: 8d7999ec7a80e528bd6a8d2a9724930c93ee5cbb0c888d9b7c79d2449e638c03f3143f1927a1b261d66ff55bdeb7ff6616da99a2155f465d7c91f54963e7cbda7b61529381204ba43c9681260799ce66fec9b0e9882fc0ab474fd9134adb66
+TAG: e9012cda52183ec3e658c42f819dd986216e84e14eb38a462e3db010070a3056db6b148863afa9af5849e3ae963730f02bcc2b419f9cb37659609dc730008a43c41e87312b546d3b67e1f092001bd8a1b81ea304126801f149b0a37d826e0fac21045be4087f76e3c44a796bb55b6e4565d44cba7a8a48d4ffad797982256e87b95f6599b53f2ad34299d90204acc139d115b66c78a2072c741c43c81bab9dace2c0088b2a5dacd917e75ff0de07ab5febad79eb5e0d03012503110bc0f62e2aedda35c9bed4b7c2131f96a4d0c9ca4d133ee032a787e499c92cd46b33e5bfb7f1d3de52db0c7e2a15232a7c3c064c90bcd23366bf982bfbd9694e92b709a86afa4c4a6eb8d5e9b48a20ef409acec78a8c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (32 mod 64).
+# DIGEST: aceed075f31ab159f6610f43ff0a6ed3a359bee1
+KEY: b8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d4120
+NONCE: 3f5dce998f8fb2eaad409ae02116417d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965
+AD: aabe477e0cdd46be99371e
+CT: c3e61ff897b490847e6539236d2e3b208baca2e83347b7ea2ac714f65a409638e59a5dce5c3a4109e6d6cdb8a232f5f8a2577101f9fb53aa50918f924c1a5361ef98d6672258b4adb37ca5f30d22893dbde262fa9cf72d2913c1901d70a0b7c1
+TAG: a49c692364eda34c22ad3745a4339244b687f596bda16d4ff61c6697996214bffc78fe54bb30321d37f17a7ee146dd33771b9b922b475ed41e55de39f1573683e4c8147a9bc370d6f75882c991073181d3f5eaf31a9cfe0dd205540cf6a2b6c0898b3d1ebe351c7e036e136088fe88a07e2c512fd488dd5dfbaebe10e6627bebb2cccf1e9c985ec9f1924abd91d29f0862403c24496ba6c0535358de379a60adb764fe00f5e09f3487b075713a85452ebc21205279815653b39af6c7d84cb1a10178006c1b4ee3e53028c09ef59817abc2335fa2ee7a56ea18e2cbe533b7d30c80609151b58b3c711314b35d3be3df1cb6d5cddffc316a940cc78ba1734da1c09d1d05c2650ce3a0fbd60bedfef7a83f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (33 mod 64).
+# DIGEST: 976ca4c9819e25a204a024d05fbe7420f717bc58
+KEY: da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f
+NONCE: 5dce998f8fb2eaad409ae02116417dae
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aa
+AD: be477e0cdd46be99371eb8
+CT: 1944f256989b6acd7dc7c334d10ce71d9f2980cdb6adb03784061096955a3e10efe7cbf1c0aa1caab97cdeee4d08a8ff34d68e1b53a0df58e79a4c1d5d9b7eadb2430c0b8049b6c43a848fbc5e5feaf16c5ae08da38f973b18e33fde747702b882
+TAG: 6e0c7a079e170b669fd211bd54c2cd2c51bdd5dc84c84e0da6104dd1d5f6e8b27847a4def48c030c515b680a5db67439f300d184d2c8fe18681c7fa25840b80f53ff494fab5e1694a604c1c12b3b113aeff88bc2c5bd31e84cf5474d6429b4cd08241e94a7f4276054fed2f2a0d863eac2671c9af96045447d6422b8789c4674feb8fb27098b5ef613f08573184271899f735af845e6b7ed9dafd4524247178415479fd60da081ae076331df7ea141df29a086b76bbe35dfd4f983e45b2f1316cc27d88c48b87d2934833eeb5bde5df0866e4a9d8894fc275d6677eda6ac6b41a0475aeb9a55ce7d7a04820b581e8565c9d9919685bdf0f163d77ac45a15e4717e2e716e49ddd079f18295bc7a05e7
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (34 mod 64).
+# DIGEST: ad8cfe7556704bb1974e94f70d8743d147c5c3b4
+KEY: 7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5d
+NONCE: ce998f8fb2eaad409ae02116417dae0c
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe
+AD: 477e0cdd46be99371eb8da
+CT: a850ddac6117f7b13e15c17621fc7c99f2276ed7337cde87ada287814150f8b3f3e8ba7108a1237fa6a9ddcebb07c234660ec93b8279bb4614be85c5973603568e885f5f8ea102d0621b5ba77fc58af4285c15996d6868c520f3e09ec5b6a468cc82
+TAG: bce897e6a5dfbd940ec2c477af3411901f0f2fa9436ff3b4da7354189f097d231b95741788b45e9a56e7ca7a41b265489578bfe8667b1cd64a2ddd765144e770ae13fc2e9ad24575bfb97e0e012869ebfb52a9c7e181e79bc260442d166550435dd5c08b131ed3850f78a2e1df8a1ed026d9310a83f0b8449cf2baec42d7d7e31c4ec56d9d25246b34a479ecf8ab850c65fe8b2a6361fd185c25d6f253f556aa46825c535a4a54b855148e032d3e1ecb8d501802db1eac194a4bf7f3c70f8b8c33cd88d3362476e2080cbb4482fd9453ead6dc62a0dbc0649e41a699c53427ea8ff93fc9f2353356f695642ce7db49fffca401e9c275365dd0a339e3970d5810c5667c234986a65e1ce01e827e27
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (35 mod 64).
+# DIGEST: 1dfd9608adabb5a55e12949f1c4bfcd5a77cb703
+KEY: ac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce
+NONCE: 998f8fb2eaad409ae02116417dae0cef
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47
+AD: 7e0cdd46be99371eb8da7d
+CT: 0cc80c78b73b1bd898c6af38846d32837ed0712ab7cc48b01c6dd831f37237ca7634c90aba35b35da59b60aff8e6b9a622f5a481c98c03fc76c1375e4602e96c08a465f3085ec86b0a8e1ce8757df761400be6510f1cdff60b05bd46271650b9e5d5e4
+TAG: 34a24675223b1e1d363b941da5d1566dc42a61c7c239a6684a497e7ef90a78d29c1aba0a9be91a8cc8a7cd578c77e62db1234da2b913e9500cf81df22cf481ee43f0818be959ec7fe49aeb7be270d227f633f65a003b19060ffe8bdfaaacd2c20ac65b43254252fb2fa8d2264f5664f3fdfaaefe7216c3f8bc6957656d218d5f98f5b377fd675a21d16769c499b82d4fa54be52ef8c96222b83fbe5bd3b456c9d181cfb5ce23639749e9e22dbc3979f07910b83c200c82a3dd449e5ae47486bd7f2cdc26c3beea2d3c490a801bf587e323725be1a76c32396e5c5ea24a9933706260d5aa16c847e00bdc5d96b0b96652a2c73e6141367debc228af6f944bcfd65a9269a7fb8c912c25ae2a6e8c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (36 mod 64).
+# DIGEST: ad2b43eee27e6267d8c5c1c3d558a07dcd6b1f5f
+KEY: 997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce99
+NONCE: 8f8fb2eaad409ae02116417dae0cef45
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e
+AD: 0cdd46be99371eb8da7dac
+CT: ad918e7428ca106cf043d6626772cd45ce998f32fea28c3253fd58f0fcc191bb4cd250b5dc6a7b352bb2aaa66601e280576fa60ad8c3aa58742462955fd7f33ddbbb5036128617c1fc3bfdf83100dfdd069042ad1887c2821afbcf822756226c69779d88
+TAG: edae83839ae4bcbcf7da661a302815b024d7576e65ecb70c183411003b1d6c769a13de3444f82c7783ff5593d9983b369833cab8dfc80120e35bc86d3b00c307338163bd5de5863a1f2daee49b4f535ce455b131eba334b7c995dc25640833c6c0a7bac710ce37ae2b85e58179b57218e801c4a7e5dc19cb3c841c11c299a72efd9cdf249e9c4423cfff588895e38e5b2d166344ba53b083da555ae4a1e0278f5b7a557e9aec08ac70da44858306df69ad968c017f8b4c24a0b562be19e1f6416841387ee3cd9c8f7c8b3dd1fecff0609fc77c4d86fb1e387cd1932775e58b928f4022821c0b9dfc43912fe0d0755b2bc2f88682f6b11eaffb6caaab1e295755d1256810ce16d70b306ffd6e
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (37 mod 64).
+# DIGEST: 3dcddb1e4f49633e7b7bd36f4056d16c53be7f5e
+KEY: 7deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f
+NONCE: 8fb2eaad409ae02116417dae0cef457b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0c
+AD: dd46be99371eb8da7dac99
+CT: 8ef4db8a8444ddd056428a25b718aec0258fe05b5fe8d6d972ca6762875c030fa2b4822cf03e797a53046749e39646c8c6b373a1d77287f4124c19ef758eef75db8e4e03309b3d14e918bfd9499ae5c9e2f3079ab7da8ca7f00ab69d14ad96fdba1c58b813
+TAG: b78d95ae68ef1121b27bf93eb67605bbcbfce1e0293fa37e0de4a959cc0a1a47a374f6727edfa9aa5a330e5c3df90a30d371304258624e8015a2fe7583e362f045087ac9ff6bfdb5371d9fc9d55f7dd91bf0310450c36d33538ad5f6057d0c8a0896217643c4f95ed6c93ec95dc6df838cd43d6f60dc3d48d489922dcb1fadc586dbbef4200a6b1d67d2024493fb4dfdaae7563edb5ae93fa2065d750a10919484fbb1389f93d2f28b62c8c6708122e0abe0ed22ddba815da8bd80393fe274f545e463dfc5f26bdc207f3f056263e799b3c89f9c740748a37b7f28cdfdbd9bc89155e466e9a1830dd6d0a206d27a588c56c3b6dc92d5202dd30ec0a2e1e31a0da1a5ddd9d905204f47cc25
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (38 mod 64).
+# DIGEST: 25b982a242f669c013cab1c18da425330090e3cd
+KEY: eafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8f
+NONCE: b2eaad409ae02116417dae0cef457b9e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd
+AD: 46be99371eb8da7dac997d
+CT: c107710a85a49250f3a4401fdf07a44f96560ca5e71d6021075b7b6e3ff8fd6f36c652f186dc82c8a21a8a743dcc007e6710214320cb5c5e788f8c5b020e4d0d89ec2fb780c9ea915966b9f9b1e2cb0f26fb6bf1aba6e6501f2571ef1299918d4d2e6b367e22
+TAG: 3e7739cc9f98881f03a99d95250d460497e445cb24b4f8783c0010070484f8f379d74903d9a99f6a621791763af4e8e94ea305642643103b2dc0a0c1342f66154a0b4c4cac63e79d7121a2a44991273a9e1111208b3d9a5b6d11a6a28c83d16c9099d0a0247bf4670717ef0e8e6bd4e48c893ae189cab4f916862a8ebdfc0cb26cc545a9a08f01f8b4ce545914a35924f728c4e914b8cea6588116e9ebf592d4709e0c4efc8f0f8379fb30e35e36bfd68946ada030e35af5ed510a6061471659dd6780c1356c3dee7f69ab449a402456b63abd7e7763b4020db5216f099ef78a2125b42fe508cf94976b8e4e9ed65b38c254818e6aed084c037efabad7bd348e4e16099c7709cfd9116b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (39 mod 64).
+# DIGEST: 9d7958e23777ff2472f5a24dea5fc19c151dd921
+KEY: fd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2
+NONCE: eaad409ae02116417dae0cef457b9e5e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46
+AD: be99371eb8da7dac997dea
+CT: f90604401a507574dcfe5d7c5e0c36c5fa65d9a8f0a25daaa9fe5c50ffb3758f52c9c883c2f85d879f26845a130044d395b58497979cf24a9e18ee1f27d1eac4d0cd994a6338c5755c74419111b2bebed645c3d8b8071a7b5304eab2c33777eda01ce489f4a6d2
+TAG: 8a94c9c05afa552672247d156dfc8d60e9e3e1e9eaee6e58c8fd6c1f9d41bff32571526cf035ef595cb5c5b2d64b2a98bfcadebe5ff66a6a2299af8e00fa27e621217c5ee1542a86ddaf93e293d01f20ba5f9093c1fb7a1b911e659027beceb9518f59d20cc54f958945dd44ec38f73fd475647a008de974e50facab9e6e878e3968249a91b4f71f4f86486d5e3bc2abd6dcc67989f58521ee78214dbd29bb7aca0f601842b1d36833748069e409c58de54f7f6e6f17b9e05127568a1566e70254589675f2802c153bd5106afa59e00ac753fb9c3f67508deb5bcb4e25d47e52852acceabb8e5e955e16c0b4448cd313c73ee2195f185f8869165de7f30a68efcfba1adab85e2eb975
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (40 mod 64).
+# DIGEST: 09e9eab51bcb9faaa3bc3e473ff66b06e39653fa
+KEY: 64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2ea
+NONCE: ad409ae02116417dae0cef457b9e5e16
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be
+AD: 99371eb8da7dac997deafd
+CT: ff258ef9f318036586c5ec9e956c10c9423ad3a8a5468527c02bda6878c45398b0c78f3fba4eba3785282b3aa4586d31b238fb941546bdd6e3d918444d45f79b2a5ce3df0e8769a952243cce1f17f736d21e44d8d49449e017e9aa5ea20863a2f6b2f7025de029e1
+TAG: c113b619c1829f799e045047dc1587c35eea2e9b5735e9acffb8d5250acb5340d7e48f261c58f6e1dfa213980d35df3f14938a5d6c20908290444308c31cfc08d07cc3258a5221e3c8d72031ab52ed92cca76a189eef780048623f82af821d521b0489068af4ff2954bd73dbccc6d6d4124760a5c71fbf88435af2ef8eb24197c8d7b23358baa411d87dd4439249fa80b6f00c4a4c500b0b7113151bc4f385233318ccb3bdaf779d41c433b2424bb3651db990f9fa72649d657bb823f0e73fbdf08e6f81aae0552aaf37370f139e85da70fa52422fabd155d567988d1d2b930f89f72725d97c1b1aaa67217c552ba1b6a51cd97bf2ac7017a2a97298c6d86bab809b9b4a7e1776a8
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (41 mod 64).
+# DIGEST: 7b17b7cb19107af8fc4671420e461060e2ef3e61
+KEY: b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad
+NONCE: 409ae02116417dae0cef457b9e5e16dc
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99
+AD: 371eb8da7dac997deafd64
+CT: 5e654ee6344f96fa117a2e1f9cdc08bfaca9c83b1c4d61891e49077c8ae7a8aa604e1b19995b32872087e04a59ed367e42f0ad3998cc2112035b33104164403a948ecf73c516f74adaa57688cee9417456f996847e0c637120478f7d88288b5403f0697c4834e4ea7f
+TAG: 363ea1d1325e86bb389f4c97a844b76e43d76fd4750954352aa52f5cd174c3d902a71a8265fba870b1b0e3a1add011914df362dfbc8f075cb45d2cca5498b48c49f0872f8371bf37e334c33dba4170d101dfebf14a519d37647748d92ccbb24774caf56204c1e7efb4b765b63d5ccedc308ccf06bf614e7695bfbf9e416df526ad21c4fda82cdce18ea647b6f99fd2bfebeafa94e8b9e83fb2d85fcd5f8456ed2e374ac383230dd39c528408e3b53a92a3950883f6eed412c1a5875a5db61b98c089daf3419522fbabcaa33479d4f0140963f1bb788a2471aa0384b44c0c69a4fc46a892f9ec8cca4cf0d048e30eefb1a74f8fecf77a4d61f97e4835a85594d1df3a345f720fca
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (42 mod 64).
+# DIGEST: 48586ad2eac603c136911b28e2c69f101a8ef371
+KEY: fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad40
+NONCE: 9ae02116417dae0cef457b9e5e16dcc5
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be9937
+AD: 1eb8da7dac997deafd64b1
+CT: 59201549a3446dcbdf5c3fa8db930606f6e9bd374d8405e15d55493a82035491811f784fd4f0e3bdb6bdd2e01558783a00b32c53d7be31525343a5a2d72921222e32891149f8dd38303ffb584485df15dd4c6917d4d8ce80e1dd5192f30770873895a0219cafbe8dfaaf
+TAG: 30b74b701e2777b537a16fa9b2d3bc9a86d718a4440ac3a0475eb675b352f215a847a286f042285b50764d14ddd3b3088189d7e26b96cdc33856347f3173c7cf4c9696ad560773e65878c4f8db001bf66a9e27e7f42593e9dc3f206e64502b4a11a235d5ff29cfeba3fcff20afac264c691a847a0b6c599bd9f7e4a57179f46b3880fac1b6cdc10444ee5875470d25c8a7bc20196aec1f028aea628092b5ecc973a058f083f4157dd9202d1f6b09c72374ea668041ab18045a383242b5e96ac127f6ff263c15d0a4999f61153ffc5d53bb77ed11b5b8bb3f2071b8ab14d92d161f7e39470913043b316ed3bf9baee35f8594785ff0f99a39b72e918bab81c49ec6c4c4ca459c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (43 mod 64).
+# DIGEST: c37456cfc543ba6e5848b9b8f4ac5a58a104b521
+KEY: 65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409a
+NONCE: e02116417dae0cef457b9e5e16dcc5b6
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+AD: b8da7dac997deafd64b1fc
+CT: 54a2f87f11c6597b3013a0de46b61a8fcc28ab021465178138cdd76ef01c2701b3a48ca4d3cc885173bdeb33b7b27f9064d2f09ec187d0c9c482522fb29bb421595589aa69ec2ca4155f503bdb8f0f8d4d2f08531c0deaa386b9adad07e8aaa351e76ab938e435c7eee05b
+TAG: 2b4f8a42097dfe879397a6fdd13c8e2611399c3c53d5cb5c0e41a4a49b99522b127dff5bbcdf4a5c6fa79440e8fecfbe1df30d34df7c3a399cd79164cd39ca50a3bb6ce2b95a46a3f50e47c9041dbf8f39aba1e807f66984619c62499bb5f0bed727c5214efe67ae9863b99daad6b2814484f9e96c3f6aa5a31417624052c69252de37d7f913e5a2715459f945958adef369e59fc7f704ba9d9646870561efd3c1bea0ba785a8a39698d7ccca3e0b6a6dc3b2570650ebaee1e133488b3a227fa97a8580737cb4852ae3e04c11df82816ec4d6bba8f9e63c9c48383466d9d145d27d18358e822af696a8d7c7aa65e2bc7ac32204a8271684e3803347423608666e23e90345c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (44 mod 64).
+# DIGEST: fc113d192686652653a15887974eb1f9b8e32248
+KEY: de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0
+NONCE: 2116417dae0cef457b9e5e16dcc5b6f2
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8
+AD: da7dac997deafd64b1fc65
+CT: 0f0483dd1e9ef91f215f7f9817b7f82e0b96c0d3b2996b2a1d878d0be3a70c07a4bbbba3721e646405a8a7f44347557d482d7899044af37f6df054070eb4debf7471072af1e4c98dfb3c192e956b2931967d7fdf200b464be1ff1955a658bf86faa659db9fea5c63d26c13af
+TAG: 176eae7a290cdf30272c219178d7a011400870bfb2ff611142d4e16fff9278cc5778770605f8914f09c3509fb6ec23bf5cdca390cf8dc0390502b3ac3026c47c167079f12302b6ea7eae668b6dac95a5541124aba8ecb8de4cac6c21ba17a2423ed4aac69e3292f3f4f031e9f54702c432d514726cf02ed646e0f60ed672b5f212e62aec4e51c8b8fbad3f1689f1b7dd775111695a342a279f7725da6ffa0e5a2ff5550159208bd30d28267c600e6b183dc1f72fbb4fd8013c5b4ec93f19dee5864bd854df3cabd5c813d4e3ec083d55ccdad4a0178e5d6cd262843d6309059033b987e366e66c67a3fcbba86730b5fcb4786989f86ff9b8a7318302123e0d53152a2a82a7cae76a81b017fc0b883ef6f8cca921
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (45 mod 64).
+# DIGEST: bb6e5b5be84ee383caac0378cb6f541726ecf61f
+KEY: 39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae021
+NONCE: 16417dae0cef457b9e5e16dcc5b6f256
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da
+AD: 7dac997deafd64b1fc65de
+CT: 978a10e04037ba7f0dec2576efaff6e5e4de5ab80b4b0c0b8a6209e22da05b8be0f832883e371c61c23b5bef969c004bf2a0f0fc8fbf1313078e12af2b3569a98ae5ee76a9bbb6da6806be3356c02dfa607c26094fd876d8f9dcc0395f3fe356b0a51d1f59582a7bdc7da9971e
+TAG: 9b37a729911834f666621a052c9d776f126e500cab45ddae7ad020874d77976af6ec581efd91dbf46ccf346a9dbb3a42d08d23de1cc074788f6887c0b15d98610b19fd2c00752136af3faa32e933518093d667617ae1dfa4e4527779bef7ccc9a1b82d8ddc0eb1d7d9247d0382c6d98ab29f60bc897d28483f1c69fe9b0d37113d237f7b3c3509411058e1c0f36fac6014b6c5937ef005a7fc2e3352da4866384d63c6aac2fdf74cdd16acf782022e4c5f1fa528cd6c977425ab19d800664577b5e5cf0a82e7ba75716c75bdf87eb8c7bdf7346c89d453bcff89ed0b93d9eb1452b72390a799498e31ae691460e5daa8ae3506aab4877cb82e3378874c6c97064b33f969786ed84e81cd1c2e2925b56266ca72
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (46 mod 64).
+# DIGEST: a27799fc2e00e7abec4c5939451a834c4606cf7a
+KEY: f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116
+NONCE: 417dae0cef457b9e5e16dcc5b6f25607
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7d
+AD: ac997deafd64b1fc65de39
+CT: eded0eef58434338153caefd914cb98ff516157445bfbd25c3c5cbcc0ad68ed1bf049ac292da027acab0310ef08d66040341721524982165cfe7f6dc495f7f5f36cc410470e3b42045b718f580713dac8074b0e76a0345d11c94a9800bb5e5eef1cb8d9ba5818799cd1ef69c4ed1
+TAG: d7459df78edeb89e01ea8d685b5780b94ac339c36750f2d5bc09009c12a22893348bb74f8c38f96451e5204e0d940b9b84c6a89eea61d6a78eff111b806ad4a50c8456d13f79288cd3f3bdde755083dd64d13e1c887d8df5102deb5a23055a02b6cab1021efe6add18d00be8c3afd6f8e80bc539c76003caad47c1cf95085bf48bf9ab6d487ff4cbf5bbbe0f2a2972e6a165a2e5ad230f58fff76fb8ed563b810684daf4b5902ec8cdf2442c323e7c7630129a89432a1795380a949f1113facd9ee148e2d38d4457b508155dba0d8d4812aec13d67050e70e2ff98a1fc1dffa01dcc7eca4349a0b14f2507687314c49b3fe7cdbde2ac840bd8ff7fb7c36a037e7b7de485183fdcfda49a2281645ec1b153ba
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (47 mod 64).
+# DIGEST: f30eaff92a640a397f98e6803623e8d1f0c1fea6
+KEY: f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0211641
+NONCE: 7dae0cef457b9e5e16dcc5b6f25607f0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac
+AD: 997deafd64b1fc65de39f4
+CT: 7c433fc5255dd1e11f67c499c6a89c16b4b09355818cf304f11167bef253dc60c95486a840c3a8f77440f63a5c6a855931a90eea66a281d51d4198679e1420c824ae5c8bc0231444b65b69832b84c7b5ee2fb8484ac08727eb0cba0c14e7e0a9071cb0cdcf73d5d83ce53bba361ee4
+TAG: 2e73871e9d71defb381e4e7d49d5d45880fa3effcb0cfe673ab52805e6273723cdf99557ed9ca838aa2229fe8eeadf7c6d94c91e867ca023fbb2d2835e420a3b026fb5e3915e38a7ac02d43a8c6ba8a149e99abec42967106bff6c80adf9be5c76503c95053c21472b9a338ed4c9c11b161ce83e2d6190f87e4dcf169e945335cc5acd699b983629d0bdc452f678232be0d31b9f231aaf4c3c3df79b1b8b2fd8802df0b71cc5e26b2a5c5c5ff0616bdff6cc7b1f09aff68d5e15dc9d61c1cb6a2c9602eab7794eb77af8bed198fadd854e8f8a47bf6bc11a8f75eec584f1901fbf012d1fafc03604ae49f9585272845677a1cbc27261d5d7fbe9bf1f1c9ea42c61b110cde99a3a602fc9eb6c825656d804
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (48 mod 64).
+# DIGEST: 7227537c0113a9f46f7d332a0b37ee5303483d00
+KEY: 3541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417d
+NONCE: ae0cef457b9e5e16dcc5b6f25607f00d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac99
+AD: 7deafd64b1fc65de39f4f0
+CT: bcdda7eecf3331f4e7605cfd33789ab585318bbd35047755402372403a4df125e7f5bdf857e49a3f74cb8e824576a226c1942fa86de07bbf564cfb384d8420a367963020613dd2f6bd4f371ca1b53532a7015dfdabd07497367aea8db92981418eff6b51eaafe2b6d5b3b4d1b8b95659
+TAG: bea683141d42033e86b38d5e0614716ed53b7db5df93b0aa48b15e0111a46ee93c2971df88fa885f8f32e81222d9bb4b605640395e37e1ba474a17f0df48c488dd5a6051be2323f462cd94f81261289f076d60cf5907cac601e2709dc191a9ac5ef784733140ba8d45edded7e58d7316f92a9bd5aa86d6f8441604261a38359a8cbe57bd95522db7029db058a8b175eddaf8f258f2f479b348451b0786f15336e18077ba23eac377ea367d7e1afc08607ff63be2e613fea2e6097192ab41e40342e36688bad628ec273897c86e75e0b83d0d85fd13e850f29cfbe171a8d1b33b72a344a9e2bf292f0dad2ca754d45651a2067d9fb18c7a1845a9c145d4273ee2197dd0b4da66e88a7425a72fd541a78b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (49 mod 64).
+# DIGEST: d76570385cb65d30c3d636ff25c5efeb8d1ea08e
+KEY: 41a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae
+NONCE: 0cef457b9e5e16dcc5b6f25607f00d03
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997d
+AD: eafd64b1fc65de39f4f035
+CT: ccecdb03830e84c5267a5b6f68dc909cafe94a1c872602961e8467b4b2723af537d79d723fc4e8f0397fe169186c23f50cf9e78af3156f507bfd38181dffcc05695583863d8a167df062cd16aeec0cc548a7b5e16b148ced8bc2a60a33a583779fef6d7160e0f6c31a03b8a0f1ed8e18e9
+TAG: 5175c37f295f196bcfcaffb35c4cfecd88d1b9c773d3162c96eb74a23722e599ac728ad68e2ac70369e0c6d212826afe93cbbc61abfc309d3f4a6f0d22421e02d711a6c97b6592b561b49ef5f6516367cbd966414d9842eb963c79bd4a8e1550199fc9cbd58b5fa5b898db2244769a950ee62bf915a074d5196732ae69cdaff05266bbc049903f5d7c702633741471bc3f8e44a426d201c5ad5987db33687db05a42778617c253576361fcbeee62707d9119cc76fa0627fcd65df7bdfd26469bd4e0265355cf885e2e515d56307adb91be258befc45ce8b238f6177d24f38ec56f0d64a46124161992a30f8a64355823397012af08f1df378effd1f67fb30796956fcf28b0ff35f618060a955b6311
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (50 mod 64).
+# DIGEST: 170369666d1f2337b29b5f14af68d47910388e7b
+KEY: a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0c
+NONCE: ef457b9e5e16dcc5b6f25607f00d033f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997dea
+AD: fd64b1fc65de39f4f03541
+CT: 2828ec3db18423dc583c7ac7dc5231da07af1756d7c032a866c64155626be3b3a686a93699023f6e421da24596baf99b45244d07d86a8973450afdb87ff2e9dbab6fcef52cd476f1f25f27f6bb3abf9b406704a14ce9682613125139b238d985ab8f68c17f7b824f279c01d820fb70502dab
+TAG: 6af6f94f0ef92665d286e08fad2845c4c43f985b0cd0f09c6c6b4899c350a1a342f024c3ced7e54bb00b96d0e04c6d484e95b585a687258f4bdd1c00eb1d3f44e959b2dbb1444a292c81c92e3b1a01622fa377a583117bc2e170ea8c033864fe7dc09b7a9b1b5826ac8e38fd5849ac9024bcfb1c587be93b3da485adf297a77ecbec2a88fcd82e7eb952b6d012ec439310f624fd07de7bad33a5a59b72d88cb454d5da32d52012258c8754cc61dae82b26f8d6df7a4ca384ea88a30e12d4b07bc413791cded177d325c03a5a6c532641ca46ba2560cb3072733282305266985bc4afac41b171b28aae50266a00afb5a778e1c481a7799f29ba588ed3ebc65183517a31944921ae3a040731666daf
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (51 mod 64).
+# DIGEST: 7c52593d1d37b0dc380297231c6cb7b64e04c493
+KEY: 1be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef
+NONCE: 457b9e5e16dcc5b6f25607f00d033fb9
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd
+AD: 64b1fc65de39f4f03541a1
+CT: b463f7f24871b617a1001d2f73f9eb8fe39b5fe0b382d420af876defd68a893add2eb6cac45e56d669f4ac67a943a3b32daf0932072bd701f9291b5020bfa9133d2875d8f6ee78ce8c49d45b80329831799f1eee8c712683300e49c57dc8c1ad0b07465184483d669b04c183976289e3ad6070
+TAG: 2e8b0999a7792a9cfe5148a8730e28ef92557e1b5d9c318d27d12fb1356fa0dff3467e865c530d4f20fdb765f7ec7e56b7ba28fb49309bdddb413182b07670cba711d6e5e3c086b4e4211f0f19666590bdc9a121e1430f6b0c64c07eff2d81e47a02d375fa46bf8d6fb8708f3a247287b595be7aa19414e3d2d39785a0bc8ef46b547bd4805a8460fdab65d81866dbc496581ec548c51f601e13289fcf3e45f1bb4a7777f9a9243282681aa1c746fac4a8433e1f477950eea76c24d318e95f0586eb5d21a16f8b2b58a14c4780eea922b97de4b1ea292f842c662534bea84213924e837cb546c26f3bc9951eca7593f4f01e3e6360cb14248d127a08d5e0b77f438479035769e0e12c856bf3bb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (52 mod 64).
+# DIGEST: 09a1659100052d13bebb4defd7f54f975a58ae2b
+KEY: e112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef45
+NONCE: 7b9e5e16dcc5b6f25607f00d033fb95f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64
+AD: b1fc65de39f4f03541a11b
+CT: adfffd8a654da994aa8adb618cf69b25ad5dff201cd3a84314796e0228ae3e01be77cd8052e950fd74e3d8fb0066705874a7319dda8bee7bf7748ad844a70b1ee0d774a6156fef109dba8346a68b48458728ebde458e5bd777a26291f98cafb175864fee2d335fe5a38f1738df9a5aeb13f25442
+TAG: 0562ed87899d06eef5f3a7680c110360e5338af0b78416497e18291d4e8a75a219942acedc7d1493a15f6d35d1d8cd27b2bb26bcfd58dab2c747b4498ce1e56568226987124448509a7852588acf2dae587f0d13ca2ba54c50ea37c10e6c525b04caf0aa519662f258dee7fdbf17568ecb924c0f26701dad0952d3a57a8188d046439d7e35d73adbb39559adef95017029a9f6392d7282a1c84eae663d840184da4bbcbcf9c262d69ed2a7743aee175150e03bd3e6c38a8a1a762614ba2fbbb631ef56ffe3746dc95d9a15eae1f4f88e3180569e73b25b8eeb8474ec8dee041cdfcca5219514c5125395d83de633bf5bb05e4771e7a583f4e6a6d20af36235090454f8acab43984fda3f5740
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (53 mod 64).
+# DIGEST: 230c3353ccbd95e4f0acbbb0073053a0186f833d
+KEY: 12a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b
+NONCE: 9e5e16dcc5b6f25607f00d033fb95fb0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1
+AD: fc65de39f4f03541a11be1
+CT: 985481677ae867b2427182edf3de86d7b9956a4970b107ca7e01e90ee7cb02c6b9a46212e1b8ce67e7aca5e2d96272c2f412b5f16a7c1d00fe597f1390c3a686724c4846c78ae66b26ded18adb40f0d74c33a68032b97d440104cb7acc755ad7383c16013ec7fc519b293e4c624b132f91c44202c7
+TAG: 62eaabaa53e386ce7d064c718e4761d14092263af3027efcf5c343ab46e1133d3131dc3cd7dd6b8b8d9ae6ca172fc10f5887dafb169aab9f0e7eda4a5b3436750ccf47f2e3e9965b46f3dfedcf38d61dff3cea927bb3ee8509d6a4288f2879d04095eab6b9e154d0e22da31cb51638ae978a0c5cfdac346ab551d359fdbe9aa34e9ceb15051d7e04e9788240a030c0ab7c19d00f32da1df539f08d158f34a1e3fa6ee8d10ec0d99675a3465c889fe2b6631ff2765a6b83f594315768fdb30c27d2747a6e9d4c5724a5e93704a1851d606dfe97150667309b27503b09c85d86ecd83caf1ec456ac19b7fa273af74714611b3e9a3359354c7b983d700775930bd90a629d88a3cf7cf17f5058
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (54 mod 64).
+# DIGEST: 701e141608e71005d32dd1e29cd068aea736c9dd
+KEY: a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e
+NONCE: 5e16dcc5b6f25607f00d033fb95fb09e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc
+AD: 65de39f4f03541a11be112
+CT: a06030a844e38f9e049bcf318b10e1cd2db6b60a2611cf9788f0c1fb31a366d2038b3a1692865b926196594850807895523a851a993b77e49c911f840f28aaa42b4f427eead4e2a578d57b101bb4795aedcffc58212e0eaecadf503e3b208eeb72d53072caa44677d6667a0d22639db7aebc2f70ebb6
+TAG: fabbfe986fa42c58408b2f008c7fed482ae568cb39c938aa531e49a85ee71fced2cdd2ebe97a35295977ccef50433b41c511d424a47274599f3f2a28678a4936c1382d6a9f5d41b4266ded97a2fb11ce4e4df03f9e976675b9b35eafbbb399eb86a79a8023de822f8c0d83da5516766f141f83d8075a77e7c55e987cd181f02d8d6f7c90775bace579d25fa1a969e4dec07a5ddbef63c67b6d76bff54dbc7fb87f8af639c392a8a32bee35255e24cc63cea90445ddbbb75e4c594d6d1441e198720c2fb7674822e52d0298fe24c6e1602fec34038e62a55cdfb5d3fe6479fe6b02b5fe648792636e03213e402f02e2a3cad928996e4b1d2fecbd97ec5ebac5ea2f9c4989599648b0577a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (55 mod 64).
+# DIGEST: 9aaf96b472ea76fd9ff4adf56dab5fe0400d18d6
+KEY: 2933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e
+NONCE: 16dcc5b6f25607f00d033fb95fb09e4d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65
+AD: de39f4f03541a11be112a7
+CT: d934f61f94d2b0aef2b63668352d2af2db2e225d0c8dd86b8d7c901de7425dca2a0d2f3bae9dbaef4946d18ebc2d9f4cff5c268cfc80b89c35f7b1a3de12173f9377a7ad9b33751fc89390cea9b44e80423702a9848c6d2562d24838e3b0511b81a737a4b65fac394da45f62f1f3b2bfaf0b4f3f0c5ca5
+TAG: da6ed936480fd159c32347d94a17ae7bf9344d4bdb1bc0921d85456e9b48a2e2c24769bdda1cd6bed0b44e980873ec3c79b4346849366ca6d6a77e8b1091c6657a009691733da37706c0f480244ec0c7839648cd0eb63a28eaacdc8b60b1ab59f7d83bd142419a5a548df23f019e560c0c9a307b4c2498f69386eb13d4dcc64ca77c8f5f7c4b6e0c18a058eac72426ed4d541477e3a036b9a450af234670c94a4ceb7cd19c9ae113477431fc2ea30738a95c5753a4b8de9e0e4e1a0f7d52f67b2957a39ff1c6eef88bac3b927ab004d64f3522e0db7e80d27309b864996aa2bafe615139732cd492608cc128295132a4f40a70f8bfbb5b18b2fa45c55c87db39872bc5c1e3300f446f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (56 mod 64).
+# DIGEST: ac6871d354eac507556770d8b6bf10b5240273ed
+KEY: 33c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16
+NONCE: dcc5b6f25607f00d033fb95fb09e4d00
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de
+AD: 39f4f03541a11be112a729
+CT: 413d2c3fbc77845409ad66cc13432824ae4ae109379a9617e8b93d4f9b17fe0d0450476c3f98c229bf35e86fa792dceb4b3864761dd442c294e43b1cafe1fe086cd1ca5e1572fe2b3753c20a74b663b536f6e686d9765bafb10566f2b5cf02ee24e3dc69cb2be9392c991848b840418835603bdd83b2cf0f
+TAG: 5df250368694b1d3b11119d8c787df534fe4526eb31af32c9289b0eaa4e9455b5cd4a44c13a335857f67fd2662317e086c1a299d794830ca08ca99df1aa79c8f49589dab551cc6269129b731e4d560c7e330fea2aeb5f06eab87738bccaae53b9661a78f3f08986f454519097a6c43837931a56caafd581ae52343dcb71b98ee0b36cb7037a1eac81f308f292eca92ff2c13c3b807aadaffc832f43ed98c0cab6174639b1ec48f3e8e3736f7a20069aaddc2414f1edffba78bbbc04babfe6d6f1a5ae8f77931f78974edb257d2ea6d5440bd7c8f8283ac0e362e1959bc35bca6f257da511f456466be60ff7451887e5ff221f30547e586cc76e7bf76dade793565d733e5705bfcf5
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (57 mod 64).
+# DIGEST: 050258d6ad6bec54f8bc48c7ba2d669d6416c11e
+KEY: c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dc
+NONCE: c5b6f25607f00d033fb95fb09e4d00d6
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39
+AD: f4f03541a11be112a72933
+CT: fca448fd13c6877aa9fc299953dc631df8024cebe774bb14839821b05485c4a8f1345697b072342343f6a5479d99d5ba0ab29db7760b1e21b37969333473e6fd16bcc5b52e1d6472fee31034d515f66439f092341036a48d637ec84d22af8d1848843aa33e3b2059f7f90a0db47dc41d8af3b5cd76f4b36ec3
+TAG: 3071b853c877cc72cbec5c249fe76736e87793118f0890200b64cc9b91e26448b327dd87eb314c4c074af49091051b69122a2d13b8a7fc0b15a87e7e26b791ab3a74e399d429ef4e6ed69f2036e91909b11075ef19c6554f21b5b9b90fe20c9c633f71c666519774baaa12d8f819ddddbb592a99689ba34c44e59792da3d7750f4cfbfdad6e295a73ada8957eb9a7f7bbb4e8f82d4647bd41d5ca2a51cee58be3fcaf307382efec054d880b5866a38aa0dcc72911c9e9ff902ca3743873618b2b35c45cb32e496ac7c8c69c1818583ea5016a57f6e912859b1b1a22bd701113e6cbaac2a935a94cc3fa0b9d4c23ee573b0054eebaa3414c936aee6bd9782385d690c1eb570c5ed
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (58 mod 64).
+# DIGEST: 70060f86c76e53512933c09deb5872eb23efad67
+KEY: b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5
+NONCE: b6f25607f00d033fb95fb09e4d00d617
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4
+AD: f03541a11be112a72933c7
+CT: 8c5849a917c328d68cdf4fc279b29efb0c3c1921621276ca19206c9941a5789b0aba7283e743f94a6e4142f7febc9ad35df30daffeaa5cd0cffe0fa2e4cd5ceb687def585b2634774a01a3f00ce2ca9951fb910b4386bd0d61d1e292b2b225ac55000fdce10131ba163c97f810a2b350fc8a59348253549e0cbd
+TAG: 5beab8f1449d50a6e4a1a747fc2b9864cad962480673db6451ef7aa42b42e7f0edc3748a71df8ddb33d6f9bcc9024c7170bd7a5b81577f9594a87d90fe96a50a62d31c01368173aadd7dda6f7d4c413773649fa7e5aa0c3cbd0fc760666ce5d5ec5e4209c4eda0a8ba0d66e83ed3337067d8ecfb81d3d1c1bed7eceea2582f276c43fc15d5c2bf9d2558d3c3f4d8cdb8953d28b0221c70330c346640f1ea1acccba27466cc0ec3c14729a78f62c7537b1ca5e9f9bc74c4571be9b67f04533b1f8fa2f9232c216ecd81bd120197b558b2733d3d9bab706f67670327465722b2be2c6e3f2ee507620dce326f28400857cc28c697c9b10df0d093965c21ebc42f34d71963ca85db
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (59 mod 64).
+# DIGEST: 58286fe273bf572a76a2725933dd969777c303c1
+KEY: 4ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6
+NONCE: f25607f00d033fb95fb09e4d00d6172e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+AD: 3541a11be112a72933c7b5
+CT: d0076d9cc2f829a33a0b1972f6c0d8c67718a7593975798e0667135db3ce31b4d9bea98710909313a4a2af88bae720963ee738f26bde44b54dd5820992569e5d2eea000baf5de9e0f76dc8e0b93244a8474beb7e922a5f30a5b5977611594af25ed35aab12a61de68f215d73173fd38f586b8c509459a5f7587d43
+TAG: d8ffaeef22eb2181a48da72bbf57ba4562e3a1ebf9cd2a872f155fbadeb78c47e64ac6419fa1a9b1ce5a8e78e60ed1f8dcf02535613b959448f754b70d7159d2dd4814122b35418d4e554992b4789e04f018234c91de44b9de80f7ab406fb6fda6f086fc6b91ace53dffe012d703e71861d0b3ecab86a287a76857781254de544985ac5b11bedf29138500598f757ae295d8577ae7e597e9cd915d15124c7f1d9786f9666bc4b69eaa18e28227d87bdc8935e537d12360b53746ad0d7834ad830aa5307f69c3e4ff6e37ee6ba8937f75723ae4f64c2a04949b0db60c979fec6f485dd0cf14cacf5e8d0e624d9a8578e4028b8076a9cee1e5a0ba5b96e9f0f6e6ef98ae84a0
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (60 mod 64).
+# DIGEST: ae701e5c8672dfaf728bf0f43f5e5247ea9ac13a
+KEY: d4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f2
+NONCE: 5607f00d033fb95fb09e4d00d6172e78
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f035
+AD: 41a11be112a72933c7b54e
+CT: 298f670117678bd139c60399dcab68bb0414829b458c747b0dda5dbd67f95fa393bfd2719f815a12a2b7c6b3e769b61ddb4651970b30451cee6166545d8e4c4554c8217898186dc02684c5025ee692e12130ab41ce75d79a4ba1a4dd02e0af581a645979c1a3c8c12f5b13e9c1113316eb31b8096b4eff1bf3f7ca10
+TAG: ee9c1cae63b819ff804cc5a34d59d17a76539b7850d5164ae8ab252633acc10145c2c71b1a10b0a87cf2db361c6aeeae533201457c5952feb347f739b3c236845a887fd0974b052a4e71cffaaddd1f00c64c47251ae446a5875e1e1854ca2c032b4e01dc995f35d901b60d042aabcaad3c08cbfd12567cc789408b6710d81b6b7c6067e02f263763d74bc039e0430bc1f3b4c01f95f54492a9c5b81b8d279266b378bccc9073bf1f1db1ddd964f9b6b7ac8771ffbb55d1ff9d973cff3d4eeffa277427e0cc41a4457ad6c2f035b1c0f93880aca55888cadabcccfc9dcf53dc3924a4c03a5a7bf8416bba76d8a362893193811ddcb02b0a9ccf2ffb6902d7e0c434cc489d720487f4664d60f210433b8f71d98666
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (61 mod 64).
+# DIGEST: 4f498d0aa9205160827626ef80c163275eca1f78
+KEY: fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f256
+NONCE: 07f00d033fb95fb09e4d00d6172e780a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541
+AD: a11be112a72933c7b54ed4
+CT: f72c519566632f89513f3f278407845ff8096a5b63929f0ea6009c3cae0dbd853662c4017ee5729eab92f2c475f0a45533de67d4b941d4b16c1964986d8f4a16cc12f02c28442ddf5790f321b3942cb65964587f3fe55ab28064c52ce3d3598d3431788ed2c26fe1b196abfd35afa0f7c8206a6bc71d61cc4e1a086c4c
+TAG: f8c75274342950e4893ca3b0e9fe95fa51343c628e1f04d9dd19ed928ef7af0a106b6bc6b70d0ebf552c0acc51b5af94dbb9f4fca444ed4eefff63e4746af9852d727d4465695b1113eda1becabbc56e2860b55b986d6122b93bb822865ab8bbf1409aef68cbe720befe0ebc6dbb639b3be391a161c2d9ed65a2898b3ea7cd993827aa8f2c60dd0d9e926cbffd8bbf6ac43fdbb61ff0024cdb9e668bd9980a39530a526c3c9cbbe1e4f46ae3e8229bc5e7c8b91855eae7a2aaa1b827d8b99ed19843aafb76cd361259c29dba7a02dfb40d9bd2d580aa12a6951f0f53ad5b283443c5bb8b4c9fcf569b30830d1844860256c18d753a8d80d1d0e8656623b1a06700fc513a7099590aa566d48eb6c078c4472d4f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (62 mod 64).
+# DIGEST: 8c043825b2a3764e8a0cc35a011696fb3ed03c2b
+KEY: d0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607
+NONCE: f00d033fb95fb09e4d00d6172e780ab8
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a1
+AD: 1be112a72933c7b54ed4fa
+CT: bc6acdf0943ba34efbf9eb27fe9e968f23bc1d4f1eff7f86e836621422e7ad8e1adc03249475b6be8ec5d3e96e167af7e6b85ac87b5da2364b1e0d87d5c49d43ddea8e9b796580fc4fea7774f8210e4ec424aa029717937bf76b148e8af72e8badcc3f12dd259fd4dd9a325d81cfc7a193fb756b5d140fb703aaa6d71496
+TAG: cdbcd83191a554bf922180902fd060fcc63a8dc39a90ccbca9fbfeefe9a09a9da72c8782f6d3ccd9e2b5a80816eb5bb6919580a8ec186b8b1e388a561b6c931b22dfe62544456f7344f4c18c4823f167b2ebb8a93e3edb8181f358e66db5a3966eae5e893e76b16e8bd5da922720f754bdb6edf3496b62d79b14f00f24c1b30ec6ea16d88cac2b336f2bd057e68d6075907de3c9e7434da017d8bc5348ad79ec14182e07fc70f4e33ca2aaa2216d29aaf4dffb583c1b5159eedd66a2515127c3db358c1ccd89da4cefaf75a6eb5a8a80396ffcef783973f552645885e20b91dc0cf4485e94d943ea4bff3704a4bd2e23388090fb7ff707cf80b0c71f6d4560b3be71edab2e0b8d5ded1998f3b1df51225495
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (63 mod 64).
+# DIGEST: f3a432271c9be858725fd024071c4f479ca9a971
+KEY: be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f0
+NONCE: 0d033fb95fb09e4d00d6172e780ab8b7
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+AD: e112a72933c7b54ed4fad0
+CT: 0e87c57c18fdc439c968a9dab086c88271be6dd00843879ae1563e4ed03d69f9fa09a29c1bf99b1c859323eb8452acb2f808f051669bb5e097e23b947369b5a0577157995d729a75ae7a65e293acace3124a8aec53328439e5f2103fc3a236728682fc129a5b0e203bd730303fdd23962d6ea7a35aae3691f6721dafdf18fa
+TAG: d7453e8aea805b4c95ed51f1033b386cfd74fef1c205d51fe351ec3b1a3bb2e2b7debd8b20c688f4c516a61fbaa690eb635fe2974a71f45d1b4e2fdf3be4724c3eacadbc6d295ea9b6f53c249783f35898ee4818a67ce5b002f17a48199c779b17482ddf5448b6186cd979dea3d9c7b0ae3f106c4b90c960dd8899a67e9f18767b49497519c86c0b391098192299e4f85862d150bb3e439f05fc9f937c888c4f40684c25018fae0c6fedee92fc0035d073f3704f61d93e7e321a19512561676a216127e6a716d1f5ea43b67dcfaa1ffde7380c066efdc8acba10f2e790d4839419dbed3d89634ae785f7aa3ace1fa1720757066f4b75b883c0ed592b8cba79a400d5e442e23716a7a13c252a7ce156e219
 TAG_LEN: 20
 NO_SEAL: 01
 

crypto/cipher_extra/test/aes_128_cbc_sha256_tls_tests.txt

@@ -42,14 +42,707 @@ TAG_LEN: 32
 NO_SEAL: 01
 FAILS: 01
 
-# Test with maximal padding.
-# DIGEST: 3519ab2b2943d2a50996628f6c26bea29f84c95af4c128cc3af012bb358ee9f7
-KEY: 481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
-NONCE: c55b436965aabe477e0cdd46be99371e
-IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8
-AD: afa22993a340b9b3c589c7
-CT: 7265eea4b391d880c6bc72d3282f663e5551c0a71ca35898047362694ee8f271
-TAG: 713c1f8817ca022f454f0c6c7d6efea46b86d79baaa4341843404a416f301640d175a628c7a80fdf1b37d1958b76888c69e42404a406005a31f52a59c308729063c6512864cf59608e45639630c5711ced56adf09840c4aa1d1c195b5f9fca08e6631ee9817a4792012dde00b4fb3bed7bfdd6dbdf6bfe82fab5f8406f783874b2a56607bffa361d773c9a7e5c0dc945e7a2dbfaaa5797551685a4700f6ab397c906630ac018704ad0e8697498fb9c1d5b843d808a5cf3c28015e5021dbea15f548745ed8c38ac250632efc66d0fe0f619b942fa90a41fefc779c8710c83ba586ed6ecbdb5b281003c93846299c86d09c7cf88bcfe76c5ffb1512ae5db71c1cc42bfbc03e6f3dd17b160e4b5696b2741786d5ae3f934e9d6ce0a4c372bf876cb
+# Test with maximal padding (0 mod 64).
+# DIGEST: 6d9cc64eaa0b3c7482d8431bff6d24c9bec634ef6459d873af4ff97756c9fe46
+KEY: 37446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+NONCE: 3541a11be112a72933c7b54ed4fad0be
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba
+AD: 2fd6773e0d0c302a5f47e0
+CT: 694868cf990a1b8ef42fcb2b45cabf1bd78eee4b429c11b27a827762b9c319bc54a2b2c8eb2ac85063ef8ac7da8bc35b16c0a98822981dc9b246381780da7833
+TAG: 47a2e2e74bed25960a83686013e0e10c057acc81e21d44bbc7abdb4e4dce746127f3e700bf3dc7183e6e9c2ab3a205b00ddbb0404fde852f7c0525e17c036dc56c7646344100e379a765bdf5bf776b957982befdfbf21276841df2c4dff60858e495f63b7760166c9a6da21092b58eb9eefdcae0332e291003a5d21b4ea897d0fc61d4e4eb6d2182a05a0d6aaf1ac924dff58d9618cf3dec05283788796c5126850db94de1625c6081da29969720a9fddb7186e6e1dc7ab1ad0e684118847762c25f820585720138651e08468229533a3ff3f1ddfd15fdc301318c603f49946548eed95d29d38c82fffd73f0c9df69116c056d959ce9198788ceba78cf4ee0fd890f6d72b59b9702c0ffbcab82674b688afe0348d58d700a83ad10704d004bc7
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (1 mod 64).
+# DIGEST: bb57bd76fe5f29b96ee3f2d62d8f3c4d1c8c986c0991382834046dc907fe1ea7
+KEY: 446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f035
+NONCE: 41a11be112a72933c7b54ed4fad0be90
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2f
+AD: d6773e0d0c302a5f47e037
+CT: f2e78e183884c99ad7f199a02d87a1026c832b9a953919a98c2487bd0d724be407994fcce9e19b5a69f15ceef5d3b95c79d5fffede18a143cdfade5c0f80254c99
+TAG: 24e9ae181761a00bf1d1af920bdde00d9e1ef046fd7f5b8af753a3c9da8fc14b00a5fe6bed0baa8e378f49d1874619e01567d914656397ac8c4e3c098211e08c6551183515a2c2c08d485a9387737568a22d5209de3084020da27f64abdac4451536baf006228325093a5d92210f9134bf2600bd6349b152504a2b2fa69a2ce1dd25852e4f57d0c7319862f5c4b663503aa3465c4b8696dbf853178f64b1f8f348e7fb7c423c05038a49bd0ca5363a5db1ae7dcc144a13edfba63a6ebe2a7df15eb313bc7e8b5372bd1a309ec41cdb78023c383a98c903ec28816cbe95b1a0696897b9d4afc9d4f22eece3094e473c94aad55f7041a499dcb0f7d99dfc101c313dd5c651ae01968899f152e77f8aead394faad8c545dc77ff89bcfe11bf32e
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (2 mod 64).
+# DIGEST: b09802c727f0f85cb590791372c52bfdc2e69de36b9695daaf7a93d2fcf56fda
+KEY: 6f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541
+NONCE: a11be112a72933c7b54ed4fad0be905d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+AD: 773e0d0c302a5f47e03744
+CT: c7de96bb45663dfe6da2a64ffc9ddfa7c3dc63077079bd4bc2ce52fea89924a75664782a5026fb5a099ec460eb9c6d7c3d5ea383092c8f4c67a70fc499a7689bf10f
+TAG: 8ce29a56849f32a829c3e62c81f74a4e2c37206dca2fa9f736f65a2fb378849d181c06874de6db0158e629661ff7ec5b157cf8bcaf5dfe015c0c4168f9b3acb55388eb2a5d5bb7503ce5b8a03320f4799522669bfdfea3d97b9c960dbe3bff25d58b660785eb0ac73f5b2a18b7fba4b7369824ec18f7c79482a5ae6ee52f563dbe1637664a3081dc7e682408f473413c87d58cf384bf569fb41b6172b7d85f43ac06709d77f270659267561a0f15f7486dd61ee840195132997846c4614d0c2a9a03ef0f4a8de1d7ab6417180f184510452539270ebbfd4b13627734a183d8f5480db12077f6044066d4cb321d67caf4da996704b2ca40411222b541c84241ad7bc0c5835345e29c70b881ff77a8a20c3cfedc30df1b913c9fb722665de4
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (3 mod 64).
+# DIGEST: 13588ebf114df38b7b59f890dffab8b1a4c85f090c3f4a0e508603ecd34f78f4
+KEY: 5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a1
+NONCE: 1be112a72933c7b54ed4fad0be905d41
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd677
+AD: 3e0d0c302a5f47e037446f
+CT: 3a77c0f70f9044fb3817d57be4f4e5ee4b27ffa586327f77c18346f9fef2608a552b551ac549f9e8d47c4959196162862fe2a35e44581971c2974d4a65a47ae7b8900e
+TAG: 3f71cd59844c0498f849d2c2bda9945a2b33db723ea572de20a8e6df9b2721f4c065f00d66a6c69621cf6131a4fd5d712f14bdb226e66e494c97e096aa7d5f4c9e8e83f87a7a5f997b33cc3b6527d9a441375c859fb3ef82ddc78f86eb28cc883c528698ef592919e702b3a290d1137d995a91d0eb1e1da9688eb168ff7dfcb443d655b8336de2286b9fecd446d05398f1e25834968ed5d00cb3f3e3bb8612a17bbf958d516cd18b637f9b8b3082acdd32e87950539f08565e7db8321d6d84ac2d990cd183210a2c6309b30e944bcdbe9b17002b60c4fefb6047cceb6d89a1ed947c549addb0e528c3d525f85d3ef43f0abdb2d5d2043b7ff2457392460f28c1cad181b76c9ec6f4aa9c5843e792f4e9597ea0cdda36da0ff3e2090b8d
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (4 mod 64).
+# DIGEST: 25c98c13e308408c882677b48f3a49a53b500146eadf5bbc0f5a240ab6ccbfb8
+KEY: 91d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+NONCE: e112a72933c7b54ed4fad0be905d4120
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+AD: 0d0c302a5f47e037446f58
+CT: f2f3a3d985eb38c406bb0db0d141188c680656db8a4484abad2c8973267e14458e2be7cb52f06ee2a0f68eaced13db714296319b2b3557454f5e9cb47e8943ea91e0de64
+TAG: d54b96ed058f5c69779994d8e841d4fd61470531e8fb5e7a6a85eb99d4676a8b2be1c11b27657f4fb0555b32c96c34d7f76212d8304029616998b4aba7b56dc29630a8e7602580c078966a56ad0dc188e347e37d819eab39cdbb2c44edec032eda568e87eb8851f6a6bb3275527430fd6b56ae80ee20be664cb8e11a7ac66365c48a06c2cbc7524f39f3e5931af206e412a39fe9acd7e6a938c26d71916b0f5d9c9c4ed3179eeb581a8ccedc626b60cf04b7e04d4ed61c009b29c839c66bf3edf7becf8403bf032190644030b93f559ef11316747d0ba898473977e377789a161c9b0682aba91120065d250bec31113f21cab32b0e4b0d1ad4295fe650728322453e4279eec0c7830b8e4acc92f3fb1916e069c69d37794ea3017235
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (5 mod 64).
+# DIGEST: 3fb8ba4df90f52332bc7a20df805fe903351279e0424c232365cfc4e62982296
+KEY: d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be1
+NONCE: 12a72933c7b54ed4fad0be905d41203f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d
+AD: 0c302a5f47e037446f5891
+CT: 02fd26e7b51a1bc6ab6735045d2e42fdd1f31adba98ed5f8b3e89450853104633abf6cbb70ecfba2f5b39dc06f419746abae4a51d33829bb04140275021d183bfc990d727c
+TAG: 6e129a3a1de6045a9ffe8faed80494aed9d21635c29cd38c7d410a8ee0b690be4d7ece4de27862281e26b7a7f2660ddc18b33bdbbaeedcf68e068cae4a4cc9be126c66dfa14059adfcf4215e9316bba088ebee16a1532277b90dba74eb853c5ff5e844ffded2fd2f8b243496172cd1247618239fceb1432e6e2a8188145753b4e66275bc00d418d6782167b943b78a40816365ac7d49b5d8833046f032732e0a134202c5555f5b43434aced634b6e7fd0dc3b3bef955800822be1802392a424e8ec250dc1a223cb58393b49270f1b97f3021f9aa9d9f4980c3512e1fc297fb963d41d242000867c2873792b0211750688d6047e599ce1a390bf039a6061740d735fbdfa0e3b5905e1b24e9e4336a3f91433c0ee3dedade34c05285
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (6 mod 64).
+# DIGEST: 23f13497afad98ac65bd2a1642935ff7185a839a672fd94b18279ff92202a3b7
+KEY: 7df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112
+NONCE: a72933c7b54ed4fad0be905d41203f5d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c
+AD: 302a5f47e037446f5891d7
+CT: b2fe392acc286bdc73cac1aee34ecb3a3e3ae2ccdb065618e3c4a17f2b2668a2c11108b0bf8a8ffe20800a698e73c9b6ed4b0da61bf6fc22c33c75439445061ebc8b6fccb4ec
+TAG: 738a07f02a376df628555d3755a9a76ca66cb12c6899bd77f49af1cc8b266b8a19ebf74d4b31c73ddcaab06e43eddbc931e35fece138f112e3c1eaf94d0eb568988fddb8b0c34f067d72bf6748b5f929cfb06b793df87a5fe17924df4841f98024e9b0ec1563244265a13896cd60cd1ca8c6818098d06470db3d9f7c873f33e3ca913a9238b7344a6eaaaf4c152ced9f5c9d20de930aeea453381ce7bda0f89804799e439dab022934742d0f36a61538973e98006d5f576900e0429a7ca68c0388895e05672949e5e4d1978381a9486002b7c3bcc39c4b07a8a4c6bcc502ff2afdaf29a77099c520a1a8517824dc724683e3866841de80030af402ab282cf27c1c749256ed40451bc91bd2be4d768df1718fc1ec481761000a4b
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (7 mod 64).
+# DIGEST: fc71e48cdc62c15988a84f32ad60aa760b5766c892e559fa1ebd882a587ce590
+KEY: f660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a7
+NONCE: 2933c7b54ed4fad0be905d41203f5dce
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c30
+AD: 2a5f47e037446f5891d77d
+CT: 8780167385b8856be346b71b042332368067d5d9420b3793fe94bc1ba92991756523c7a8e0114af8fa7296ffef8fae01796b47edea43bdcaa8832a08e823c45c3608580249eb9d
+TAG: 049a09e2d5e6ba8673f1963aa2d64759b4cc8d4b3583b103dfbb7595289478f13762fbcb464bc64b1b7704e3f72390ec2c9644496616c4b119b880e4a04a47b15a9c490df71c27c4dd47b3f2f46cd1cdbd2afdb87c33ec9af66a50f4757c0b9d0ed4776af0acae1951393c1ef95597f32057ceb35fb61ab2f34ccda4cf9fe81c7aa8ee4b5b01609460b2fe156478d1585d2a118acfae5f401761310f7d8b48973b5b8f3abd0b2b512aafc8e5251133054d8e0a197ba95f5900307a7f9c23e1a859e0e11091499030d7b51b410f4602239a278bd363185e6c7a1a31bf6aac78e2687a5aa4151a636bf7ac6bd89c668ef466d1cc4aae653736d296e4b6d9fc4c9f9e5f9ab51699317af018a009fa5718fa288c3618fec1e0fa63
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (8 mod 64).
+# DIGEST: ff4f42d72ae561abda38963a2713bb743038589bc2d7efa0f3fab298630b9c02
+KEY: 60ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a729
+NONCE: 33c7b54ed4fad0be905d41203f5dce99
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a
+AD: 5f47e037446f5891d77df6
+CT: 2cd2031084f8742da110ab5d8f7290828857c867b38427c3f53be0dbe2cc94527d2f0aee90a38dee77c0ce115ef650b2ae65094e99ac9bf6da89e5440c1bb4f8021520429171362a
+TAG: f3966d82808723b2398186d45098794ab366631d753a69f949c63dfec5c8d5222dc8765088fd387fea234286771a2228c05dbbfb73ce4a403c5e90a790e34fc677d685c9a7dcb6d8173956865e6c48394e4d95284d2e02c162de3ba4cd09516a321be8e07c8836408a76abf8edcbe767053488d6b07974b92d84934ec5b82856a65e6938620f4a6f346d654e3bd5255f3ca3fc5ee91dcc851b62d7dbe4f050e1fd65c6350ddb07314b7b05c00416f4a4787c82bc1dc6c7b25b4407c5bb67f32f5fb39c77c47782694e7c6086bfe6a6e873d7ba9c4c93a9e192b3e9c9ab47a91ef652021434ec1dafe189d5b427602c5694698d64549b7f734bcb0482c25267c2dbb985110e40834d536feb2491828b748feca9907d687ec9
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (9 mod 64).
+# DIGEST: f4f7f147b43ea50a1f5a4f19c093ef917d3b92b46e5798e18b5294b0a0fef814
+KEY: ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933
+NONCE: c7b54ed4fad0be905d41203f5dce998f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f
+AD: 47e037446f5891d77df660
+CT: cea9c7528706d506d75cf085c8475c081ee8c6145ca11610b73eb3e103a706faa66062f8edc10abaa7c3edb3fcaf43c202c4812e768fececaa04564414f45816a4138e4d35d7768b07
+TAG: a61a67eb499525e4456b9853222c9612b7663dc3cd83aa9d78e680963fe2e1e23e69cacfba013e03c50b477b20df9ade41621e48c7ced451b4acc5d002f325bc19a237c327dd5d0f0af14e8cc60dcb8001d6d40c9b49d760e6135bd7a3a8ff9e313814ffadc6a5e6c285ee470fd05599465950c5887f9d7b4a1d1a7e80f8c5c76b41f51f403fa10b5140bbb68b2d7f3d2e19035357118ab72f327927ab75b369db9b426c176b937fc3fc92cb02f383aa069e07a223522fb7118a8440aef9ffa44da7a7c880b8513135e4b54f8fcd53ea1e6be7fdc2e7924ce529c846e67ad9460acb86ddfa938cd482d4216315806d45f658586006aca019fe6e2dd3453df00ae296beeb96a751dd29ef350e6da085059a8d70a5793abc
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (10 mod 64).
+# DIGEST: c48f43e4386dbf727ca93d57b5b2a4ccd8e1f27b201db03000660078b773faf7
+KEY: 82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7
+NONCE: b54ed4fad0be905d41203f5dce998f8f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47
+AD: e037446f5891d77df660ed
+CT: e967973079db00d2257d84817ff4c5faaf98024ac7eb71d22af3cbb92a001a558f5cce2e8c293d6dc2a968f69cb2731bf65954affbfdef4085123aa06baf0d80d7c80645d2d0f528a374
+TAG: 00a4282530b0993737f2b1b3464cd5545fe2ada974f00d11f5737f9a165229c23b8f5cd13a9bb1d7d909b78b8101ba0d7903a427c076282f9fab0ad68598779d22bb0f9001c2a108d43bc4fef5e75147f7195cf4ad831d27d6e54adad6031985af12a41de780a1661764d87aacac5a94489c6639a655dc9682646e32d93dd2c0a8bf0a525908760a715cbc3aa5596bb641bc6cd8cb16b4195f66046ae3f19dfebd1a3e2bda23e00ac4055b0176be89ae987badb83291c4acf781855946c1b445efa542ec97fd4c9aea02a474e3d8eae50893fc827e4c44b4f5f18e773013b37e66dd7f4874b399f765f6f41a81e0407169ee1fb93b15a43a5d3b9538a9acbed534628bb961f2d02a2b55570bfa4fa98bc69298acafee
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (11 mod 64).
+# DIGEST: 4fb8d7ccd762998c343aef821e49cf91783d15669105b725eb1123ddc16ea445
+KEY: 933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b5
+NONCE: 4ed4fad0be905d41203f5dce998f8fb2
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0
+AD: 37446f5891d77df660ed82
+CT: df01c1a140da0e422919c0d34b231fa3cd767766fb35f8d78d715c44b9003e42cca112fa1543d74ac05e00da9b5740c03b5c4d1e558ceb8629adf3adb1771e6e8cfde8edcdcd8de584ef28
+TAG: 520d6becaa190f3c1fbf6165ff2c4e7b62b8281cc4e77c542a88354baaf8d75b6d1f15ee26340a58c9e2fdbbc5864c307d35f7866a67b3db37998fc20eebb5c83270f7eb7d53c9352ab4c6f59cecb74d53e5751c6da3dc2a09dd90e3c55a0651ce4bf433da143527cb751a6c5fd97c7cd8dc4eb7d90f2f1919e975933468573924c9d1f0cb36d5da802cbb3916aa6f7264a22883792bbdd24e480e8d9adf44486efbde47afb91dc1131bbf2b0568ae91c92022f72185244b9fcf545449e5c197cc77a8dc4485e46daf3d9f84d3dd3facd793f0a2a9cb0f03395b8a23537efc0f922e51e5a43ecd0d3d4256851271f77c235718e4b444e12cf7bfb10a7a4354de62d1c62a2e3dcc687d40ab4ee6f0dd7a20fb32ebd7
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (12 mod 64).
+# DIGEST: 756ef874fe4546df371e012dc34660cebd6321b67dac201988cc72e48917d7b0
+KEY: 3f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54e
+NONCE: d4fad0be905d41203f5dce998f8fb2ea
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037
+AD: 446f5891d77df660ed8293
+CT: 889ed4c7bd5455821c5b95a67a277a197140816784e820ad8e126b3d3f0ddaca73e3eede78c1c1d3ff5c2a98c0cadd644393b7e3c2273aea2be1c6fd20374b710b88bf2700f8b4c556698aea
+TAG: 7dc1a08e3e948acb236f2dd5644ba6d8646ce8bbfb98b658807f6fdfd4e406be67b7a0ff9fe9868e013b7e3eee72aeef4ed6954047521046354c5e665fbaaad517d35fd7e633c1fae894aa36033dd2825506a3be826172b79ba6c1adc63533edd7e8b21ea9178e7ae9e191dd597ebf83a760862718200d4a23235c7460e48d415faa2426f0ec7edcbb0cbbb9ad15ce8580aad6d1934cf1549876d2bfd10710bf367796473fcd5b36189a32950a5fdbe582975860f289ad1da75c3bf72ff8e7627a736b7e0e123009dc47ca15dfa4eabb590825b2e584fc78262822758246549e3f7d436a2df974f0ec5a00eae4d9a5bdda4a9f815ae980d70befe63962b14870d1e72088fb410edb5f2b2dbe137e03702be94233
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (13 mod 64).
+# DIGEST: 01fbec0db232a15b4f3e02a14f412e296a0f2c7bbc539ea1e5e835206e197929
+KEY: 62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4
+NONCE: fad0be905d41203f5dce998f8fb2eaad
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744
+AD: 6f5891d77df660ed82933f
+CT: 13833f78c9383bb4455972d6e7d8f22597e65de7dd01afa28fd99f9734366c522bcaef59c41487d84b3f84c1e0b7e5ff6de84206f54d5ae80ce80fe3cb68ea4eb40914e915f36730b911427c6b
+TAG: da212acc6ab53e49e8e5d773c0f7911de1d9ff05c2cce077c77690af36bdb44c936d3ebaca584f7b4e08c43be26bc0adb9765fa984e8da7ba51a4b88a3da3fd8077ed5adba4b12da076d97c3016c05441baa10e28120aa1f023e52c558d6f4197be54313706f890d036b6dd3837c86a70ec9a8f035a0d339df73a50374c3530740b4d158efa875b57295366f21c81a3d8403d278cd04d0c74df93f01655d1e223f0151f098dd30f72a8b8cfe1fca085d482232633e23a813a796ddff3c314c706ccfc6ca9aae43d83cbbbd8fab795e98475fd2c818e74a1bb8436d190d45307d2e7909ce8fc2d94a6cb91fd13cff020e561e89661416c19ec958de8f8db7a32a5117c37af975b3023562a5d7e768aa7aa306e3
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (14 mod 64).
+# DIGEST: c49af18a935082656e153daa62270e736e336727424bf48be78da0b7dced9de0
+KEY: be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fa
+NONCE: d0be905d41203f5dce998f8fb2eaad40
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f
+AD: 5891d77df660ed82933f62
+CT: 03065bb245ba12ab90903bc081198fdfe45d7d3c6fa3b1f76bde831917376ec2a5b2ac2cf629de6bd3f23025b678ea9cc3bd7801f5510b58432a8bc17999304f7b183e9404a235f1e0db578d53e4
+TAG: 5f62471a66673b5967f2ee748d4f8c0e50c1a7bae064fabfaae832a53d4b18eebeb1eaa8cdaed0967900f46ba0f66ae9e8492a4cdc4feedc7d6c1176404d4d9eebb4d0c474ae07d008ef2e8e4dce39dddac3f4b759a34ce37d8908ff16825e3ccbcc84b6fd6276fd72ca4d4479f6c586253e4f8997cb76c66bc3e5b3151be6914454f176c3386a029b2e254dc73b9d5237f5a9abd1aea0cae50fb9c87f6493f5fb8e02d12bdbbd2709690ee6bc8466ae98fec44d8f39082a1d2187647ece97fc95816121e0152677cde571f678a594c18de4dd8b4bbf0dbf4faf5da7c00b81451d728e87bf4607866b342808bf0130a3e516e87cca43a6f4737da23261d5382fde1b2c2e011380177c47ba4101a8503dfcf8
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (15 mod 64).
+# DIGEST: 8d6f1fdc3d60175573775cc289d7436b88d10dfa029e90e10e513c8e739666c4
+KEY: 8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0
+NONCE: be905d41203f5dce998f8fb2eaad409a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58
+AD: 91d77df660ed82933f62be
+CT: 04c76011b9c4cc8ff18038d36a8c8b91debc8d0929ec173cfa5450f434308234e6a368f17a04ec0556dcf5ace0efb5ab51956d0daec5c530129aaa78309c3d0a2a48687f6dd146c94ef9bd1b755db8
+TAG: bf249369d0e07ecf93c9d4bbf7564d81140741bc564ace2852b680e2504bacaf181e1379810b5283a7aa4f24e2c70f956658d0e02e4199e78da1dccf480e3f8095ce3e273985c31de6f14f57b5a934a1a9eeb443164d176ca4fc0e9eaf09fad485a380a6d654073d08c17f26883b1d5e02fdca8406dca07a97cda68b400e5c0fce90ebd82ad9fe285769da0492ef30dfb13110c5c9146cd530ef0d757bc2b14e97ff983c931fb1cf2d64bbe5f9feceb7baf68bd13f8de5b4dda756acf7c9922809927df5ddf53f46288387d38afdb803a86fdf86e0f0f431cbeaa626aca0b942ed46fca72d7710cf7e0b466f88c913d04cd140037767cd7d1fb0a8dcc943ac5eb10c8d65d1bf00c6ccdd5db219db74f3bf
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (16 mod 64).
+# DIGEST: 11a40304bc276c51e2e7d8e3fa16f905bf050f3861586be68ca4257b1e6cc566
+KEY: c55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be
+NONCE: 905d41203f5dce998f8fb2eaad409ae0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891
+AD: d77df660ed82933f62be8d
+CT: 5d9af50991ea21f041a766d8d9036073eeb0ac083b8069619ee50c64c661bad73a9e2ca7f8b49ad9df79e47b49ca3c8ea9dc254854f116a49959c91481ba96463521bfdb74902a4b454d2c6af72d1301
+TAG: 19c6ef896aa751a22b3504609e8f4497a4987ec3469fa6578e271d77e8d15a2eda3e8db8b6b00b40def47a16dfcd41c95ef6e2a650aac71031b4b2733ffef47d1d68c79b2f6962874727ef36613f0461f4b1a4db9f30121d7656b53c2e31285b0e4049b5ec8db3d813e9c1b66c7143813a65ad18618dbb0dbab39e12fbafc6b26a0f034311fdfdb1181117ecdd42cc2964f759b224c455fb5b69ccc25ec0831ee24a84c51985bebe23c238b48ab7cde07b3fc79f70fce2e514ccd2a5c91227824a58ff0e9f15226ef30b55510f870e6f75de34ac0deabbde13536075cf72c5c09d51264f29145f47163069edc421c9b818ce727283a09d7bd415bdc6201e632781b58eb8a9a519520b9ad994cc6524b464a6d719917a6691f6b1537a6b363aca
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (17 mod 64).
+# DIGEST: da3fd1aaca630fe609395b45a44384c57f779505188c8b12391b9f34de17dbf5
+KEY: 5b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be90
+NONCE: 5d41203f5dce998f8fb2eaad409ae021
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d7
+AD: 7df660ed82933f62be8dc5
+CT: 182dc2f9f412f305a8fa4813e8c8eb7a41f9708efb516fe3feaa6ae94c89b4437cbdba7c738fb97ef9739ed94d988bd60af5359194d2b5f8a48e3f5482c3be294ae65ce803e21acdee157d436188980bcc
+TAG: 35fa57f8dc3b68320462a41feb88654d838d684efa009c9cf0e68c79991045ab69baa6d662824d50fb589690b54edd144466b8d7332430da1bb53ccc0d3a640ff8eef6cb0d46c6faaaf81e9479fc2199ef1bb2256754c392aad96a5d702a269ab2e07cab5a2ec93d4c29cc64aa269c4d68dd7c54b1bb20aa4fb0475193e97a7ba0acfa719eb00a8651b64f57924e24af34cd9b369d062ec327dcaaf1cedddf11c3bfa578215cf8e9f958e63f0ae8e59ee783cd11d0c3637b91bcfa083a60551987fd6b225dbb502a700a94e01888b871b274e1b73f2b9db05a504cf420f47c51e5b235aa4d9a2c180db3687b021d506c96f4697b4ab510f3fe54d5c07f0b30f5eeda6dc542114f2d16be454b1a186ee6ee6aed6f8a07043527475b7df6cf5d
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (18 mod 64).
+# DIGEST: 2ea803a4525d24849aeda1b0adb81676b32d99c42bcd0011932085424a0a8078
+KEY: 436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d
+NONCE: 41203f5dce998f8fb2eaad409ae02116
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d
+AD: f660ed82933f62be8dc55b
+CT: 0990f57d9a7e9b64bcee741e158eb5749e9d7b34d43c6429754689d87fc45daaa618fc62d3dc111e5a1a7a06b2b14c5b0f3e2e463085e80da6ce4a6f7815cbf871376c8c87a36555b8a74e0a14421e1eed77
+TAG: 52730d53e2849fa94025fecd80e64e2a9a0a5f88a6a88890754dccbaa84c2b4ae10825a15f389490cc8f87de08cf0f4f82ae824b4fbd9f016dee50b5d586b7e03cef258754a6a82550cb26177a83f9e7bbe0b3b17d60a7a89929b2451a79032f6a200f645c6c53838a2debb81f756a2a37ced064c673291591e29ea62bea505cd612e3ec55f0db630a2e7ac545b68e64cac59b639e1b80df1d3cd98a0e00865958b64a9bc1dbd0897fc5d6187989ceb766e71cdaa0de7df0ca36100b2541b5faf97092d6309ff4dbcc896dd5e08102fabb76042b8329a0691e571ced8da3cff1a6aeea3faf00197c4e0bfc57bebb1e2f8896fe71dfefff6032bb7459686e2d4828c19b8105ad6622328c5bbe8da11cf0087aca05686e53b432fec4d4c065
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (19 mod 64).
+# DIGEST: 6802d4c044d85fe270b3761ec10ae5cb4b912a565e00cafc8eab935935523126
+KEY: 6965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41
+NONCE: 203f5dce998f8fb2eaad409ae0211641
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df6
+AD: 60ed82933f62be8dc55b43
+CT: 8d7999ec7a80e528bd6a8d2a9724930c93ee5cbb0c888d9b7c79d2449e638c03f3143f1927a1b261d66ff55bdeb7ff6616da99a2155f465d7c91f54963e7cbda7b61529381204ba43c9681260799ce66f7b8e9
+TAG: e3d5c0e2427d0f24ce9199efae32408cf0a22b62e59aee3bae992b397aeff675d4e723c7ca2f0671f95cec68a21be86389508910ceceb13f6b6004e965656783fd2ffa6881a96bce6e3cdd80adfd6eaf7c57c836743a1b486979046c9c7d8ece2b871ad5c9c4c3401a467d7c0ea30fc90bb8be5cc35a1566120ac14eaad9a5c99f944be06eca9d473ce82125dbf4f7e3b0add283ae31098e26c94a6daa6f406c273ce3d91b801cbbe09731a8eac4ba38c6bb571f103a3557094a2a3b3477c4c3538e04957fc3afdb3cf7cb649bd6b6134c138da9e33c4677236244951898daa22fbd07f94b9b7091672ac0f6dca513de86186e102a51f59d6b96c80d64844e160b34c4f98248196130ec0965e6fa02d988f83f016b35e8681b4f8dfe39
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (20 mod 64).
+# DIGEST: d159516557052899ecffe8072d2cdb753939d812db2f8861e3ba7a837f0fe29e
+KEY: 65aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d4120
+NONCE: 3f5dce998f8fb2eaad409ae02116417d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660
+AD: ed82933f62be8dc55b4369
+CT: c3e61ff897b490847e6539236d2e3b208baca2e83347b7ea2ac714f65a409638e59a5dce5c3a4109e6d6cdb8a232f5f8a2577101f9fb53aa50918f924c1a5361ef98d6672258b4adb37ca5f30d22893dcf6d0349
+TAG: d81126eaf7e4e4d12f66810696ea8a7b26806b688ad1f8863427879fc31407a2d8ddaccd00bf3351c267e14263d0c138716277e47eb31d93204bf1020db38af84802b1f17110073ed04748b367d06fee5336a98866d3e1bfbd259bbedea78129beb3e446e9c451ae9b905eb1f19517c4d15e9ba3e9fade980131899178a0b29e6c35a81ce9701a59880b3cd925738302bb1495c0ddda69ee1aba582ed158df2ea84b75abf60d389050a25e7eed1b3cf36e0b04756f67819d21776c33ccd802ce04aeb57881f92ce940303971a2d02a800b8557b08805f055a299c2870789f5a2a1f38f9187be63d7e3e3a7af804d334319a79d9fea40684d9b03059800502c5e92dd0cce30de11d89e8d2c816589d440fa1fdb0e4cccc57c1511ef60
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (21 mod 64).
+# DIGEST: 8b4c76888085f1030618cca2b0ef708b79b68fbe879c266adab2211c35baebae
+KEY: aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f
+NONCE: 5dce998f8fb2eaad409ae02116417dae
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed
+AD: 82933f62be8dc55b436965
+CT: 1944f256989b6acd7dc7c334d10ce71d9f2980cdb6adb03784061096955a3e10efe7cbf1c0aa1caab97cdeee4d08a8ff34d68e1b53a0df58e79a4c1d5d9b7eadb2430c0b8049b6c43a848fbc5e5feaf18e45691b7c
+TAG: 7d89642640d19b0427d5d948adada9000755d3703a092201740a80074c1c4489d2edc363654e721de3c3d5a5ec5ae16bbc8534c23dd037989fa7d816e3c0030adeb88f4a36b8257732f33f2d58391b88a06e2d50055ccd71080922524c02c371713a755cf0636f7c6d5a9fa2edb366773e519125a3ae46ec1369416c028fc00570d5bb80882fba31792d42d3247d669c8b704f765125246f38d1dc1504b22d361055bc79a3195ce4cdff14a16008c1c6e7a5ee1a67f95dbe7ca08fded965ede2a0367eb13670c877685aefcbd7d7a9162b3c69f5d59ce3ff9dea4db78a0abc6eafa1c45666564d8fe1648b20b3a5ca8c19acae4ca514b79554c4c3eab74fb18ed41e061e6b4e83395f54eeb0863db3ed0b6509f7c9920d110d23aa
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (22 mod 64).
+# DIGEST: c93f922285c3abf65fd70f22abd7ef859a392a9db0a979acbc99563829e3fd77
+KEY: be477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5d
+NONCE: ce998f8fb2eaad409ae02116417dae0c
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82
+AD: 933f62be8dc55b436965aa
+CT: a850ddac6117f7b13e15c17621fc7c99f2276ed7337cde87ada287814150f8b3f3e8ba7108a1237fa6a9ddcebb07c234660ec93b8279bb4614be85c5973603568e885f5f8ea102d0621b5ba77fc58af4d6df034ac59f
+TAG: ca216ce4ab900dc62f66dd21c314cbfb3a6512cc74ae3f46f3e8209bb2753d7559ea3ebb553eb57215fdeabe9fd10b001893ba2c92d3a9f7171c0b86427a416d137b239bb2d8ecfda6d6ce01bd8862079c32eef3c932bdb49fcb1b9940a9d4399630865834050f1d81635f894547420421d606729105123c49d6d34e267a7e8e9e27c85b048a1f83b5c0257cc4c111851457b431c5cbfc5302fb1c459f7f7e339f9e11a91c36df1ae2faa0d5528b80eb38adcf7de3bc1cb5e0cd066a67d2184950531a36331117f94166ead4c630425d22fdfd94abe4e7170f17c7247aa8d2f4872d7fc74cecd40ad4d5f3ae8895874d15cc7bf203196c6e9e8a515d8e4c70073eadeff727e57514d85e1b914c12229afbfd69f450aec61247f5
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (23 mod 64).
+# DIGEST: fecc2d68e7e0874de9d063a889b18ca83d3d5908aae064db20d723a8da1b3978
+KEY: 477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce
+NONCE: 998f8fb2eaad409ae02116417dae0cef
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed8293
+AD: 3f62be8dc55b436965aabe
+CT: 0cc80c78b73b1bd898c6af38846d32837ed0712ab7cc48b01c6dd831f37237ca7634c90aba35b35da59b60aff8e6b9a622f5a481c98c03fc76c1375e4602e96c08a465f3085ec86b0a8e1ce8757df76193de2a06ccbc63
+TAG: 9e4eb28cbb60fefd301f975e22d687098d06727b3b730599f3824abb3965911cd2ad9bd4fc70be6b62147b968aec7f591646066edde324140591632130cd71d7555c0fe87dded42808a41460cc45b27012d0d8e16ef8704102be8d788db90e1cf260a7a774192a850979a25ebdbc723a3af5c13aa7c5c86ff91412307e0755240f82fadefc1f23dc57c5f703346b5d8bb2d2811eb07dbaac1abd456b2864ab652059c54a5bc74643509ba0dc0778a946f5e40e5fb955468ad4f30365bc2ba0e42f6af17bb562fef2ce63a881077762c722c840bc7ac7faac11984c0a77283bb2b2984042456873e6e368f9139b5c50b424c97cb8b6dee50881be33b96decad3c2b5aa9298f334b85c0de683c037447a5036dc282f8b42aa214
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (24 mod 64).
+# DIGEST: a182bceec087418714d31fdad208a5d5c578fa8917a754e0b0527364378afa81
+KEY: 7e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce99
+NONCE: 8f8fb2eaad409ae02116417dae0cef45
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f
+AD: 62be8dc55b436965aabe47
+CT: ad918e7428ca106cf043d6626772cd45ce998f32fea28c3253fd58f0fcc191bb4cd250b5dc6a7b352bb2aaa66601e280576fa60ad8c3aa58742462955fd7f33ddbbb5036128617c1fc3bfdf83100dfddcbde1814d15ffe81
+TAG: 946a6de726a9f45f40fae17258b38b3f16fb8d288b876bd59255ed61091e270f16d6cb7f140fdd72fa1c45991180c1be805db33e7ddf3db5f928d533d182e49a178ffcd6f119bdc6400343697c2e6da7221fe849ef9ba1e2b68343965526c889377be4e60d3c46b6a997497c85c9cdf2931babc76b0da50fcc7e49bab9fc1dc42eb27ff4d09cd7c5d2ef558b5e5d2a0c0ba8a31bc7b25f32f08aa27542c59c1d7593f6db75dd12c7d3e12e45d76345337af9168ef03d8eb86581b651e61889fe3fcbaac6e925a99b17e4d414bd2401695c562b0229d168c65f52c3f11fbc6d817a3b691217090dd9f1bddc6017c87bb41f683de94d0ec564d2440c19e42797ee6deaa13479afc7872a0c7edf4c3b988806f7d2cf0811f946
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (25 mod 64).
+# DIGEST: 81dd23016c18f838fcfdaa8afa9c52009af9d93092e250bde67ac11e8588a238
+KEY: 0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f
+NONCE: 8fb2eaad409ae02116417dae0cef457b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62
+AD: be8dc55b436965aabe477e
+CT: 8ef4db8a8444ddd056428a25b718aec0258fe05b5fe8d6d972ca6762875c030fa2b4822cf03e797a53046749e39646c8c6b373a1d77287f4124c19ef758eef75db8e4e03309b3d14e918bfd9499ae5c96bf10b513ae9b38511
+TAG: 50c96ccda0e56e203860ee8bf4d6e7092ff1bfc02470e291b1e6debdd71353745cad7887d47ecdfeec6996bc1f44754515a82c4aba9ca7758b609d7bb6e0be19170428afd8017478233f2582cb0ea1c52d1396395b6c83b0694786f4bea423167293e479fde3fb906a213411684d65e889a3dc9ece6a188b86421eedf6f2ef14da596800a8eefbae2461395f960d9ee05c3f1b1d05fb94a4b14d214d1aa8fc3612a7b7267e7272fd7330d85e66969c0a1202cd2843da7c01981e7565bd98f3e8fb5a55d17454d7d1c43d9faf130022d85428213251c20700e1bc069243fb408f69e39a11dda7ef2647cc78d040b1ed4c7b95c965fbec6b32fa0c7d51cd192f12f93a02df3e03afae0fc5a517d2b6f1a807718f8a31b8d5
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (26 mod 64).
+# DIGEST: 20f01a20150588ee1067e30a2ab84904a34ac56cb9e327756a700b1af24c6200
+KEY: dd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8f
+NONCE: b2eaad409ae02116417dae0cef457b9e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be
+AD: 8dc55b436965aabe477e0c
+CT: c107710a85a49250f3a4401fdf07a44f96560ca5e71d6021075b7b6e3ff8fd6f36c652f186dc82c8a21a8a743dcc007e6710214320cb5c5e788f8c5b020e4d0d89ec2fb780c9ea915966b9f9b1e2cb0f48800ab75f986e8d2c52
+TAG: 4e7360dc7f6630f04c8f1d2f7839ea3f2389d40b2a0b50ac5e54be15b451b0c17e1f48e0d642dede861bf6ad751de565ff0d56d5595941fb6978084d5fd92ec0b26d1357ff33ad08811825acfc0f4370f3845af494d9851c202a5a3af65c1f96b6252a8c850c8ff4e14ed9ebbdaec69322ac90d060f0d1cd9591f0a8eaf9009c3d1835343d0fc1bf53616831ddad08c4852110333b31b733d5f8c30df3de0cc5b6201cc4fb086d3a4cbd6f5b09b7d2bafd20ca24af45e066c86d417481c984ab5c2aef71d11d1c1ebf714e96dfb4c0eea9510086d457529238cccb946e17f0e378725c230e15a0403f05f48df45ca3a1b5f7848bc49faa52aca2c5cffab9b59a0d91a192f89e3a50fb7b5a22dbe88c63daf4a5e4eb72
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (27 mod 64).
+# DIGEST: 83a45f4fafff7e1ec40a34e75a49a431478bbe8c9234da4c1b3129aeaf453d5a
+KEY: 46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2
+NONCE: eaad409ae02116417dae0cef457b9e5e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
+AD: c55b436965aabe477e0cdd
+CT: f90604401a507574dcfe5d7c5e0c36c5fa65d9a8f0a25daaa9fe5c50ffb3758f52c9c883c2f85d879f26845a130044d395b58497979cf24a9e18ee1f27d1eac4d0cd994a6338c5755c74419111b2bebec0dc90e28faccdb1a000e4
+TAG: f4b3d162e2284dec1a2dd88163b4f319604d87a6d4eb576a021119146a8f0dd74773f3c2c82ac1413c1a66683743c413c68dd3368dd7d855b6ba54a45705b9cca49e920427b0917d2efb2df8f05705d7a4fc02e019c56da52bd3e9de2f10b150d06c70c7d365b7bb0241db500879dc2a441e003d3b534f13153eed94c2b822ca12fd728f04131e96b21770d1455c01ed9e5da2662f4b270b47c2ea8d7d0bd82533dd42a94ddba06f076d01d0a2003a38db14ac31d01dacc0b28254cfc451a5479f569a68ca21c5babc4b47a6f8d3fc33b9ca8a91d6b49523c2d1fb490030b0bf2dcd3f621c2934af7f9e920573fd8ea86380c15785c1699eb93737b5e9748e07ae3579fa73283e5c0aa1294e53fb5b71224634aa63
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (28 mod 64).
+# DIGEST: ec9b1b48a2e7600c92e69277c9e55d1cf7a9135ec73cb736fd26718c5531fb7b
+KEY: be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2ea
+NONCE: ad409ae02116417dae0cef457b9e5e16
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc5
+AD: 5b436965aabe477e0cdd46
+CT: ff258ef9f318036586c5ec9e956c10c9423ad3a8a5468527c02bda6878c45398b0c78f3fba4eba3785282b3aa4586d31b238fb941546bdd6e3d918444d45f79b2a5ce3df0e8769a952243cce1f17f736bf39c070d9eaf57633315791
+TAG: 87eb4bcb34d8d52975e556030cd976f4a63b074e466a55996d09bba1441279f4784279e587c30548d4584dbaf30291b01df4a212aa83cb217b9423841f39e9806c5e9e32bcd9a6cf65771b47264b9c41544645c020cf132cde08ed38eb335fa01f54e6b43b646b30b34fe2fb14e38a916fb328d7c82de7961d38a88377454bd9b89d1be1563f8edf9d0779a3733b59ac1218c4d94d1dad1373c242114f20c359c37ab2786e7525ed4bd96312de1078f0343fb18b6f703273febe9c6a3be7ebfc4d9eb82b796f3fa86fbb3bed56d31cf0613fb03bdf4cd6b24fb5e8678d6c817998fa71ee8a839418faf9ac578d7f360e30cb5b592634b86e064b78641445bfe29883b444ee32ab3a2d25ba6249560c2b56f57ed2
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (29 mod 64).
+# DIGEST: 7b0d19af32e867b61fe57398a3ed863a56666fbb67100e6a5ff01971ab693fc8
+KEY: 99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad
+NONCE: 409ae02116417dae0cef457b9e5e16dc
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b
+AD: 436965aabe477e0cdd46be
+CT: 5e654ee6344f96fa117a2e1f9cdc08bfaca9c83b1c4d61891e49077c8ae7a8aa604e1b19995b32872087e04a59ed367e42f0ad3998cc2112035b33104164403a948ecf73c516f74adaa57688cee94174ccd5f9c7a9dfe10dd843d763c6
+TAG: 1463adfb0bb32cd1573ce92e65dbef1c6fa62943172705d5df92b654d50fef6ca92786a55c3e5d28b70739cc3be99980c67f646cbcb840f69aa8bab199aed6d77d070dfa605aa81df92d211c31af752ce517bea945c95fe5953e14c129eeb3e51f9f58fa56808c247f0154624724bc98f0fad295963906b4a186b6b759f3129ca39a5658bdd5dad91f73befdc71e8c21d9cf1517a9bbc69c065a1574f4d84997e4e1a21d69f2822afa3109482a6e0049aa34a1a0aa1778adec7f58ccea95678667743f30a15fb4875ad3195b6fb0b9d9cad0eb36a6e736280c7e3ecdbefa69c41cf5f97bd27c3b6ff11df050c51d90df67e12c03afeac273099dffaf0870176232df3965df87be3f53d41dc53f56120a31e74c
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (30 mod 64).
+# DIGEST: e3b7a347d9bdc63bb1c689eb823076d5ab24c3f502c328f70d71a1b3f00111d2
+KEY: 371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad40
+NONCE: 9ae02116417dae0cef457b9e5e16dcc5
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b43
+AD: 6965aabe477e0cdd46be99
+CT: 59201549a3446dcbdf5c3fa8db930606f6e9bd374d8405e15d55493a82035491811f784fd4f0e3bdb6bdd2e01558783a00b32c53d7be31525343a5a2d72921222e32891149f8dd38303ffb584485df1578e10a3aa048972303c2e7a2b630
+TAG: df451bc64666a07ff2647e41aea895a4794217cf995b36a5e71b0df002f0aa44dcddfa01dccf8eacc1aa729262c1e70e91181e2f2ab353a856dd8157ba12e300f20be0d828b91b04f67e7a3e54f4443e9f43d32dc64985b73a9b687c3acf82e495d9ed0565f63c355045e991c9af8e93e2b912519022487009632adb94e42be70c1268ca3abd10e1acc02a7283c938133b68b58c063c2da00dbea6407e5751ea03c5899a615a18a26ea95be5b82818acf11f51ef8fb49e5a0e742bc7da8e2669cb2833143d7b8fc990010a5885808ecb294246301be69479d21106982bf906b020441a88899cd6096e1afbca056bf66339a02bb22993c10cd0c6320419bd8f61d5dfca05d543076eab65af5ceda36c2872f7
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (31 mod 64).
+# DIGEST: 9ee27167f084f493a4e6e5b80c1cd07babdac057ed98dc28cea1f107ebc68787
+KEY: 1eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409a
+NONCE: e02116417dae0cef457b9e5e16dcc5b6
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b4369
+AD: 65aabe477e0cdd46be9937
+CT: 54a2f87f11c6597b3013a0de46b61a8fcc28ab021465178138cdd76ef01c2701b3a48ca4d3cc885173bdeb33b7b27f9064d2f09ec187d0c9c482522fb29bb421595589aa69ec2ca4155f503bdb8f0f8d79a5870e0d0be26ac239c56803ea81
+TAG: 7975b116a955bd24273dd59c90130d59dd7d4344c2480064fd8947609ad90b6fdf2ece45a4c9bca094922af9c092336ecbb14e54737dc911218af7d385490a7ebf8e5e742924b332246d1c65ffa36a4d5d92f8549e1d67a7f7ee09d7a782cb8cc10c0d90222144aafa82b40e5347f42e937779515683062b6ce1841ea3eed2bc0af7b02567c2cec30d34ff6c7001a94c4e8cc28d4ae4f208b4e5cbd630909435e49edef7a63d036aaecd7a4e3aad81d8a9738bb627092e925ccb75440a05e0ae8773f7ebc11d61a49f4eecd74bc7d5512ddc3fd930a40637fc9f444634b09a9de52e35fd950c064dd7858d8ec0ec6cfdd62366aaefe6789e1b70e596e821352cdfef5942e280a3a02c7346f51d0f3f63f5
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (32 mod 64).
+# DIGEST: f6b15333af80c49e8ea591c2272618074822d453d85ed3a96c29f249873acfc1
+KEY: b8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0
+NONCE: 2116417dae0cef457b9e5e16dcc5b6f2
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965
+AD: aabe477e0cdd46be99371e
+CT: 0f0483dd1e9ef91f215f7f9817b7f82e0b96c0d3b2996b2a1d878d0be3a70c07a4bbbba3721e646405a8a7f44347557d482d7899044af37f6df054070eb4debf7471072af1e4c98dfb3c192e956b2931967d7fdf200b464be1ff1955a658bf86
+TAG: 180e408dc7f0eba0dfd78cfabb6268c9f22c3d01895476a0b5e6b4f49af416fdfc2c6b5fa770db01bf14911c3287fc63279d67670966851d61488416a7cf636b0c4379cd07d0af5ac12a5fa73deb5f5b917307137761a2dc419c78519c207b66e04e018e650f202ed21751acd5ae72b42a66de3e93055b3bb4f69d57cbd18db29d6dedd2275c87e303725c8d7472dd3196aaba3d4182f72e48f3b46d2179e401a4dba81b87ee95c013da967901c0ffdc244f2b4c1645cce4731ef62a68ff1c5bda808d18331d64694801b6d668f6cc4be147ecf4c260f2ac53b6dcf65683ae430ce6ac77be9f9892af33d02eb928b4bf14c98088988b5dd2f2a9d21bfc4b745b4b701eed508b7f0352c84d8bb6ea5262717cffccbc4b8ad5f52c20c8dd122107
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (33 mod 64).
+# DIGEST: 02dd1eae128cbeb47dbbbf90e2f5cd63293bb0091815c93bc1153d46f176374f
+KEY: da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae021
+NONCE: 16417dae0cef457b9e5e16dcc5b6f256
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aa
+AD: be477e0cdd46be99371eb8
+CT: 978a10e04037ba7f0dec2576efaff6e5e4de5ab80b4b0c0b8a6209e22da05b8be0f832883e371c61c23b5bef969c004bf2a0f0fc8fbf1313078e12af2b3569a98ae5ee76a9bbb6da6806be3356c02dfa607c26094fd876d8f9dcc0395f3fe35630
+TAG: 963465dcde83c1f5833ec41c413660923c5ff60805f640a727f551d8349bbe0a90f41d97cdc07883aa06de8237b96a6d6118753745e4955855e056280106775ced9a7fe692e85aa99e5c7af4d0d619fec553ce1cc4f121b42bb7343968059b8ac5d95ef3c28fb672294dfb2cd58fba75aea06dfe70a90e40971551ad11929359d720f4c7da32373f57d85bd31b6cb95e2f0182c244c589ad4f9121cb717c1fd9298bdb4ae240dc9d144c2279924b2aa956a9a62c19b1816a88cdf83d169ba06849a012c83285daaac7560d1d59e2d24dea97a5b5e84fb1372dcbdafb746c4ba8b6ec786b9c21699bfd6cfe05c8be97731162b8eb62cd305ee5e275bc0371fe1a1ad0e74c0e518386270096dca101eb77ea0f9d23cb55d9bdfa3dc8352786f5
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (34 mod 64).
+# DIGEST: 137fc408ae1b3684a802229d78368f9fc2202311cd6f5da091b2eb998ceb048e
+KEY: 7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116
+NONCE: 417dae0cef457b9e5e16dcc5b6f25607
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe
+AD: 477e0cdd46be99371eb8da
+CT: eded0eef58434338153caefd914cb98ff516157445bfbd25c3c5cbcc0ad68ed1bf049ac292da027acab0310ef08d66040341721524982165cfe7f6dc495f7f5f36cc410470e3b42045b718f580713dac8074b0e76a0345d11c94a9800bb5e5eeeaa1
+TAG: 96f23023f81e6df33fbd6bb66f5d902bea2e91725f5ee0eda35fdc528d9adfc180a9faf9d5b49e015aa88384fa9fe9c22607292577079bb11bf074d5dbe0bcd683137449c15cce948e8faf560fe8e24fa764c03a8b5a8629e9c650cbe57c8e01da88659b6836ec59f362175df032a80ac4fa0a6d6f2110faec6067ad26b1182bf871982ce077b79736f29760cdf91c13939d8bca21b6c85cc1fbaa18ebb98dc350f1bb0ab4275f4a0325208a29b5f90895ea1552cdd9a1e05342b5be18bc5971252a1ae75cfce449c7b5d2eb0bbde05886a68e772e24689828c86c6f6d2717b8a9e035afbaab6c93789b015118ae6418b4e8388ee6692ee34c2baf02e45440088c67248c8e1803ddd0f94834bb3820fab5ed1a05336e99081290168c3fcd
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (35 mod 64).
+# DIGEST: ac9d4fe33627d4e9868c57a42aab21659ccc7efe18df8b57819b7d25e665454c
+KEY: ac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0211641
+NONCE: 7dae0cef457b9e5e16dcc5b6f25607f0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47
+AD: 7e0cdd46be99371eb8da7d
+CT: 7c433fc5255dd1e11f67c499c6a89c16b4b09355818cf304f11167bef253dc60c95486a840c3a8f77440f63a5c6a855931a90eea66a281d51d4198679e1420c824ae5c8bc0231444b65b69832b84c7b5ee2fb8484ac08727eb0cba0c14e7e0a93c4eb0
+TAG: ca78160fd3dac00b2bd95406775dd73b99866fe209f372768f80c7c4f72ca9ae6f78808ac65fedfd62ea880f451ccad75dab2c692c0e0f4656bbccb89dfaac23cfd967a5a7fce24f7b872b417122cee869ce593c6025354abea20d5fbcb86d0d81af4314347b25e2d6f4cafb33f192fe1095b24285700c879403aa90e9096dfcc7060661fb32376c8674c68bd2b6bd801794b3e9a9c66818e2c6ea41db10f4b890bac070d29a08a199efd6c0c40ac555b419588ac084818aa194f014afc4de9d447ce09c02eeadbf6e706fa9eb46ad6934af479e51be512dfe6af009c855f822afa11c4c3689dadf989d662101404b8eec479e191df14604ff1b1346747078280fb41998bcd901842090b3ee068da1097f908fbceffcca6f81554142de
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (36 mod 64).
+# DIGEST: e59c699ea2887f6c829b7a0e895c45710aef6911fa3c930de3da61fc988e955b
+KEY: 997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417d
+NONCE: ae0cef457b9e5e16dcc5b6f25607f00d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e
+AD: 0cdd46be99371eb8da7dac
+CT: bcdda7eecf3331f4e7605cfd33789ab585318bbd35047755402372403a4df125e7f5bdf857e49a3f74cb8e824576a226c1942fa86de07bbf564cfb384d8420a367963020613dd2f6bd4f371ca1b53532a7015dfdabd07497367aea8db9298141229325ef
+TAG: 13440914c85b7e154828290e09ac244fe4cae2f9f3019ce37d2b34c8b04ef7be063990524798b64646f5bce918de25b19ca5ce8826fcbc26dce412f97d1a78dc121e0cccc20821a153b65b8d40d8ad8a5aafe9537521fffd26de9380feca57cff1151b2519a2b72468ae1c85e66cc567b5c828488e35f45cc95defbcb7b08cd440484d110a6cc8afe2de4a77cd19df6aef85547a082de228a8d4ac8a0862078e07ce324cbddd2fc233dc11c4e6e076ac1e5b4a7c85dee0e0a0250b8ce4be19604623e8346d5e0da8a95e85d12c8e911b1d8a0f93a2ebb68bcd5465d1c4798ac2e76fa65d7063d6bea3b32881c8523d127eb6fe74450cca213c9d29d7f6dbf80ffbb5395b20fed6ae0608a159a853745e4f842d3c4c3bbdd8762d2810
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (37 mod 64).
+# DIGEST: b0ffb7b78f23593d738e845daeb3ed175ee48ed5ed2d827565030b047dd0ed17
+KEY: 7deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae
+NONCE: 0cef457b9e5e16dcc5b6f25607f00d03
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0c
+AD: dd46be99371eb8da7dac99
+CT: ccecdb03830e84c5267a5b6f68dc909cafe94a1c872602961e8467b4b2723af537d79d723fc4e8f0397fe169186c23f50cf9e78af3156f507bfd38181dffcc05695583863d8a167df062cd16aeec0cc548a7b5e16b148ced8bc2a60a33a58377b987a53b95
+TAG: e27f5bb5d85a43237ff065bdf963bd8ccfcb59793dc01c52f8a839d7e018222cba303b6a02f05004e8216496e36415efa80025b00e0be713698f95fda502ebefa8369f5d99c080dc851dd7f1967f1977136e8698ce304dfebc2e023ebb61313d1b0b2b169c0e6e3f1d6fbff3b5aeeda703c16af90bdde0783b2776d94ffed024296a0c8f4141af04e5ba5dcbffe8680b4f5af848306e4e6974acd173556f735c954397a4871de74a12a88f3bda3fb590fbbcf3d14e1201d401ee658fa80b3a2e81f55783582fc1022aeee5f7e7bb8af36ed63c82fec6ffd875a01c9626d52cf91c6b7ceab2e195e2dc248769cf829250b4300cc23cdbbad6a8146314838ede7b7e1ef9ca802d110414f6e5664b91b801060b6a16329c4b8d9b555e
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (38 mod 64).
+# DIGEST: e8928848fef7e0556377fbf3ed36b4105f334fa17bd5c5fbe2117ef82051903f
+KEY: eafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0c
+NONCE: ef457b9e5e16dcc5b6f25607f00d033f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd
+AD: 46be99371eb8da7dac997d
+CT: 2828ec3db18423dc583c7ac7dc5231da07af1756d7c032a866c64155626be3b3a686a93699023f6e421da24596baf99b45244d07d86a8973450afdb87ff2e9dbab6fcef52cd476f1f25f27f6bb3abf9b406704a14ce9682613125139b238d9853c3fe5e948d2
+TAG: 7305f0e1fb25d024bc5d6d9026d1149ac535629c76f3c230a06398af0a1e1477aa6128eccd4714ad23b0008a32569a8fa3ed76a00c05abd5d4be887f97d8808eb9a25471e8328a1641bbc30e7aaf110b7e7aa2c81ec733c7be97be03140376ed808f00a710943ec9a5eed3bb62404d2267688dcc5570a21e56885338f12503edb7d1817586963fac14d4fd0b44336656e68b6bc1af82cb6211b9cd2ed0b5c2fc7832e759bfafd123f7812ebca13e000e80c0761d63807ee04f5a866a507ec2fa95b4ac5bd15502f8b3aa3cc906e41ee2268342a824850d17507405e7029c2ce61a3331bd0168f40ed99bb09d05b9bf8d906630e6b17426e83699ce9ea48ec0e0567fea02b62f83e14976444bdb80de1559df6c7b16c1f4639b58
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (39 mod 64).
+# DIGEST: cfc1420c24eff01a9e6acebe2a96090e25738c3e1c14da2c6f36f9e20a857165
+KEY: fd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef
+NONCE: 457b9e5e16dcc5b6f25607f00d033fb9
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46
+AD: be99371eb8da7dac997dea
+CT: b463f7f24871b617a1001d2f73f9eb8fe39b5fe0b382d420af876defd68a893add2eb6cac45e56d669f4ac67a943a3b32daf0932072bd701f9291b5020bfa9133d2875d8f6ee78ce8c49d45b80329831799f1eee8c712683300e49c57dc8c1ad83f7716753e7a5
+TAG: 5f037d241e016785b18877a82a891ff34b22caf1ce927a47a694a72d2ebb927b23ba264dd2bfc0b5929ffc66a18d1efec9dd91fb7b103e7f734269ba07382f320beb19bab4c6669bcc99c1306b1bd5f26ca8c98a520bb0c12bfdd4bf1b4336c550cbc6a3586f51702aec5c3c2d1923960a589ced9069b2a8aec7879ad627541e611842c8e6ef09e9f6ca61067a1fcc1947c1a3cb437a347206e9cccf6817e01f958e6de776d7e60100e6b8d7d350e59918522f96adf211430b32e8692688445c99204ef9d59c6d35e15834be6ec1623fe89c048251e8f38436197c21c65edeb0ee1334a4ac262bed07236c5b46b09e9c2dbf91772c4a9619b98b054037af1e0a5c1354c9f0f704521e310617b806f317ccb3809ee58d91d049
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (40 mod 64).
+# DIGEST: bdb122b808f40da0ae98fe9ace91fef7f2b39bc734f4f735f7cbccb2c00e4666
+KEY: 64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef45
+NONCE: 7b9e5e16dcc5b6f25607f00d033fb95f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be
+AD: 99371eb8da7dac997deafd
+CT: adfffd8a654da994aa8adb618cf69b25ad5dff201cd3a84314796e0228ae3e01be77cd8052e950fd74e3d8fb0066705874a7319dda8bee7bf7748ad844a70b1ee0d774a6156fef109dba8346a68b48458728ebde458e5bd777a26291f98cafb1684b200f84b13743
+TAG: afd3d8b88f6846623af7588123e57743a37939244e723b69a20568123485645d1c714c937aa5974666470fb040ae1106d6fc2b48f5a58e44aaa6ef8cd4b7704c9a424558a25dbd6986fc695001680505e03603f4237cef08ccc81e6319f4586cef9e3accdc88f297d1913418bfc75ce2bfc102cfe85d71c422c951ec83bb041a0e740f220badafb9ec3742f4752d45f0e949eb2e63b2d6409eca3b4ce438381fe551545684ebd78cf066262963564275a3486d6f48dda57656c2132f3ee874d11ce5dedb90ee58ce23da7ef7c126957736735a8c8762c1d5aa03542454f7ae6db0f13408f01950961680d7ca85b4d3f7f02d5f0e8f85ec613afacf90910d0bcb550b321b3ebc47170fe082e5e41675a4cd33bb5b11a5a4b4
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (41 mod 64).
+# DIGEST: a1c40dc7a17b3ef6c9170eeaa9500014ef9ada833615b6d40af3fb2e14d7ddb7
+KEY: b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b
+NONCE: 9e5e16dcc5b6f25607f00d033fb95fb0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99
+AD: 371eb8da7dac997deafd64
+CT: 985481677ae867b2427182edf3de86d7b9956a4970b107ca7e01e90ee7cb02c6b9a46212e1b8ce67e7aca5e2d96272c2f412b5f16a7c1d00fe597f1390c3a686724c4846c78ae66b26ded18adb40f0d74c33a68032b97d440104cb7acc755ad759ef9b371d04e4394a
+TAG: 02dc6b8ba61937d3e551c3207759d54de21b85ecd47c2c22160c6b7af023ede884eb7962d1238780e64fceba414ab543cb0177fd3223a7ad67f6bc74932de90aa195078805925df61081a72b96fbd7f68d2f26996f787ba7226528d2c26cc512347c1a639f01d361b5e1b41c359ea8b832408ccb0adee18f8ce9cf1dbc939029de54ff7748c9cf5a0c6c3b37c5fb0f39c8b73c3d2fbe5e20b393e00ff38b7d8ea4f5dfd8e276c2172b113cfc6cda46b930ea99c2c9716475368b69e0af8b2976c585bfa1cffb301f8b321abd1f2363227a9f2d195bdd772354e2355e9b027043d299f2a96721d9c0657f4e4f0820953173af30b832a8a90ca2f1bc0365207da62e857dab5abe31be5c6ed4d1bc01db223cdbca7c1c4d68
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (42 mod 64).
+# DIGEST: 677f053b9f421414ba91c060ec7ed66d27982e992da0372e5264898c9edd2bab
+KEY: fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e
+NONCE: 5e16dcc5b6f25607f00d033fb95fb09e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be9937
+AD: 1eb8da7dac997deafd64b1
+CT: a06030a844e38f9e049bcf318b10e1cd2db6b60a2611cf9788f0c1fb31a366d2038b3a1692865b926196594850807895523a851a993b77e49c911f840f28aaa42b4f427eead4e2a578d57b101bb4795aedcffc58212e0eaecadf503e3b208eeb36c6511dbf87f8fcd695
+TAG: 3c5dab36f4690dbdcdb16d6cbe1ebaad64f8ba09bc9b7b112ff64fb7a21ba22706d8fd26318ccbfdf0ad944a8e67caeb3a939bc5384ae29524ba853ada968303db3f56d3c482a37bd8f1bb4d78235c1eb7e9eab833953def9bbe913767b871b626677f0b9420204a7d62b6825a647bec84c0da4c406e1a891586681e1699d4e5c348b6582746178ed5e1d8985bf265d2bf55cb553d76f68d2b3ad81dd9ad1fe409a604c3bcff45746b8c426e73d424d6bf3d6075db622c7a5866892805e4d4d653bf98a8f512766ad5a27aeb8f6badc00c49901c13d8eaa01628c667c4b48fa437c7bcc088036b44e0a195d1da95fb9952c0aeeb1060fe8a21c8eb911247e65a48802e9e6a55a3a4c8ba9ef90fbfd4bbf22afa803673
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (43 mod 64).
+# DIGEST: 9c1c2b1853244d015dde7f4068220d7640501b1aca325b82c1be8c015b61e59d
+KEY: 65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e
+NONCE: 16dcc5b6f25607f00d033fb95fb09e4d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+AD: b8da7dac997deafd64b1fc
+CT: d934f61f94d2b0aef2b63668352d2af2db2e225d0c8dd86b8d7c901de7425dca2a0d2f3bae9dbaef4946d18ebc2d9f4cff5c268cfc80b89c35f7b1a3de12173f9377a7ad9b33751fc89390cea9b44e80423702a9848c6d2562d24838e3b0511bad71f4015da53ec8c435dd
+TAG: 1ebd06a10660cef77361e20c5ffc08b077df3b79a4bf3333573469e4a42585771daf5a85eebd7753c8a305b81c32ffebef51a9827419c7b0f1d1ba5bf5aa3c947ba2db788747256a5e8e8644a66ba7c04a54884670aa7ac30f14ede3f38686e0b482b248dbc3ab8e3e39b939b22c21db990c59ed728a2f11eff3508330f29dee7d314df8304af2609739419eacce7d06c9e3073581e91a811b2f96710f791baece65a19fad9f94999158dd1261f1ccf7881c0752488a6817a373a7d25d83e9a13c2241ee0ce9355a2fa908974dd552514de09fcde23a5f744437f38d740ea8d950e061c6e19d6cf58a8f032b24a9ab7b496478fece8e273f1aac381af28679996eae33b01daa3393890d93e27d7c6cfbb9c7e25ea3
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (44 mod 64).
+# DIGEST: 6bfc1f2aeae329867e5d7f268979743cf267d0dd73b7882abc0240ea586b21fd
+KEY: de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16
+NONCE: dcc5b6f25607f00d033fb95fb09e4d00
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8
+AD: da7dac997deafd64b1fc65
+CT: 413d2c3fbc77845409ad66cc13432824ae4ae109379a9617e8b93d4f9b17fe0d0450476c3f98c229bf35e86fa792dceb4b3864761dd442c294e43b1cafe1fe086cd1ca5e1572fe2b3753c20a74b663b536f6e686d9765bafb10566f2b5cf02ee77bcb753c13186c4d091927f
+TAG: 40f0ab390d64582df98890aa0edc3e6b920bf856ebbe65c87539980aa95518ae9feb5353a6881454f86ce986a8d5a8dd2c65c9baf91b9f0adc103983ca7346574d909399e4a3ea228211e06fa4ff8c716351482199c71a53d08c908ad0443d39d6c57c86efc1cefab52e701ba474b370e60f694ed871ecc06ed6f6f931fa277d00f94bc0b19fa2dac026126f745547c28e5eccc60557087d6ca78e83def0d27594c82ee365859fdd50261aa2d8f93f8a3925cb689bcd051bf45f001cbae68f91f294628cd8ddcf54d72570e15238336ba002c0595580410562d428a00ff88a80686ea256a3510bf70cf5028cb43d84c363bd3d463fd6231e708b9c13e01aedba7b703899bdfc5696616f8f3f0a85ca2e092b3458
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (45 mod 64).
+# DIGEST: c1702d4f70a18932e2f4d3951603ed904588a990123e0a02d29d7259afeedf69
+KEY: 39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dc
+NONCE: c5b6f25607f00d033fb95fb09e4d00d6
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da
+AD: 7dac997deafd64b1fc65de
+CT: fca448fd13c6877aa9fc299953dc631df8024cebe774bb14839821b05485c4a8f1345697b072342343f6a5479d99d5ba0ab29db7760b1e21b37969333473e6fd16bcc5b52e1d6472fee31034d515f66439f092341036a48d637ec84d22af8d182850bfd4140616471d3b5b41da
+TAG: 8dab3658a601045d948222390159aef603aa6dd7a44ee2c0c5a688a6d87ae21cdc7e3a16521c41e1a4c4b46465484d32306b9cd01f92058e837bc0abbe328604bd46608ff38e225bcc898f5e4478d04f9a671a7993076a8ba39112f34d110c699a524fa4e7b1d6202641dbd0b401c17569bb207f61613064bee24c1dae9c3a67e7774682eaf2846c11bd849e33fb6c6fc2ea4ada8d115208914cbd6523a74ebf1364d38bec9dd913f01cd15c7e1e96001942cedd7f756194d0df3b095140d1d85bcbbb8c6810446b96c18c6ab728073bc89a0f6e13befec438f008ed5e13d4c4468436045773b173aff7096387d25bf6bd2a6d3555881f1b69b99750974b332c187583d0751720d554219124e6ba8944a33a35
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (46 mod 64).
+# DIGEST: 09ec84331099e1d602d0998d99c199a6037255a5a4d96bb3af54cfba357bbbf1
+KEY: f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5
+NONCE: b6f25607f00d033fb95fb09e4d00d617
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7d
+AD: ac997deafd64b1fc65de39
+CT: 8c5849a917c328d68cdf4fc279b29efb0c3c1921621276ca19206c9941a5789b0aba7283e743f94a6e4142f7febc9ad35df30daffeaa5cd0cffe0fa2e4cd5ceb687def585b2634774a01a3f00ce2ca9951fb910b4386bd0d61d1e292b2b225ac68617962b28bee0d40f195ff45a5
+TAG: 7efa8ddd692c0285de19d483dc17b89babd2143390b72e06375d88fa3f37ae611638c82ba20627ff311e8d29d2b4bf850e01fad1fc2150cba93d9fb52a21a1ca6c434783b66d5858eada584e4c8227dbfd329ef24eb1fc75de04aeaf811b09d67e5675ba0649fb784ed92c0a8893b77ba894d6799c4c2ec60a02dba67958927a22f5094c5620f89aa78544270d65213411c2382b4586e197ea45ba5d3425c2f4975a15e073370b358511155d222250148ceeab807684818324e48fe989eb12234d8023370de80a6fd942872d176f93f576514b1382a7ec12108d654bf0029196abcffb70c703df2157dc1c5f74f191bbf5892a5a6192bb0f1f1903ed08ac36a5060563405d150d0082ba646fca777e765f33
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (47 mod 64).
+# DIGEST: 7d506a5c0299a82f5f93dd69526156e0de9aa5cf94f9fcaa12064ef920a1c5b6
+KEY: f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6
+NONCE: f25607f00d033fb95fb09e4d00d6172e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac
+AD: 997deafd64b1fc65de39f4
+CT: d0076d9cc2f829a33a0b1972f6c0d8c67718a7593975798e0667135db3ce31b4d9bea98710909313a4a2af88bae720963ee738f26bde44b54dd5820992569e5d2eea000baf5de9e0f76dc8e0b93244a8474beb7e922a5f30a5b5977611594af258e26fdfe001e0e3573eaf8f8cbbb3
+TAG: 3443426c166f9329de723222f80fab5c2c36855a9fb63ebefe6c7675f247328b84078869593bdae8b217859332817d88ed6227bb64e338a4ad03e881399702ed04b00aa223e57a620cc2330b19eb36bb7798083964e169f8593c8bcd076fb6ab923d443af0656e43ec069e12994f49b955e5fa42b800541233099d54b9b06b061145cfdfb6c67870b6ad5c6d5c7098753d063fe238a8a72184654087fe21133899a13dd3606ad7d61bbfd380284af41604ad9fb7486115170b9dbda77cd289374fa79d3e3811d87de3b645b55d976fdde37e93bee6e4552d55ff5ff85775e0682df3c108565639592228f722c9543df2951463377928f04ed65ecfa0c56262d19684ce2766e160f45b2b43cc2a70e88e5b
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (48 mod 64).
+# DIGEST: 5e9c0270955ffa14e3383a79a1cfef00baec4e8be496c867cc14dbcaf609b61a
+KEY: 3541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f2
+NONCE: 5607f00d033fb95fb09e4d00d6172e78
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac99
+AD: 7deafd64b1fc65de39f4f0
+CT: 298f670117678bd139c60399dcab68bb0414829b458c747b0dda5dbd67f95fa393bfd2719f815a12a2b7c6b3e769b61ddb4651970b30451cee6166545d8e4c4554c8217898186dc02684c5025ee692e12130ab41ce75d79a4ba1a4dd02e0af581a645979c1a3c8c12f5b13e9c1113316
+TAG: d0c431153a8757861b003602fd6d3ebb9e6724db6cfde4708b4838cc18c51b9bd17c2c84a66643b31768a745a221d8b4e7d2c8a8245b4c405ba37a8010e0517521b46458a49648b4bca3eea1f01b15e6c65c6434b6601dbff307111d2e77e440365272390524d527e043c5252471ae604b9637423cc9a4a0ee7a99859aadc26aff9676896d77bb8fd15d6834bee492ed85779b94f76c0c6aec2e10bedca5bc0a648fccc3bac478285fb85bbf0d9d43c03f7bba002bd0762ecbac2b10d42ab2ae9d3003a775628b329a282c55a27a17c9ecfd083c70c2633f2803e3ce7b7312186e50e48f1c48f42b8a3cffb4d94c14b86733fe374e12d0b68ffe864d04acb9295cc96d557b0634f44182c925f431e2168bceb72cae8ac3002434bc7951eb58cd
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (49 mod 64).
+# DIGEST: 57739c0c5b8e1f0255bb93eb53822ce8688a4078d971c0a51e757a0269760bde
+KEY: 41a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f256
+NONCE: 07f00d033fb95fb09e4d00d6172e780a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997d
+AD: eafd64b1fc65de39f4f035
+CT: f72c519566632f89513f3f278407845ff8096a5b63929f0ea6009c3cae0dbd853662c4017ee5729eab92f2c475f0a45533de67d4b941d4b16c1964986d8f4a16cc12f02c28442ddf5790f321b3942cb65964587f3fe55ab28064c52ce3d3598d3431788ed2c26fe1b196abfd35afa0f7a0
+TAG: 272fe10ff7aa3a6e1e708647b30ea468b7676df14b88642bf6a45dfb07196147fcce3ec70cadf1a3c6e8308df7d1bcabfae38cc53e356d7a5a9205c3c4a4ba93330f234ea5d83163f4e0673f1b03414d7c4d56444b5772e574224229eae3b06c787d61931a5b67e148f57203739e16d4ed47a8a838179d2f2de404940d28dc348cfeacac92dfc099a809167422fc462ad433f1a7bd5d4f3398b1199492531c48975e4d8769f872393cfa05a821ab4cec2a173d187d59c8f5c26a3ff5b180bd6c02af9de6ff03639092fbf1eee9eedf505456eccc68327824898ac70d5f098ab8dde38511549e9520f41b578f715057b0ee505ef11ab177ed6c8bdd67627c8ddd5aba89fc9ab84fb748b02137f28f1aa59072929f067b8ca0fac0759d2c2317
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (50 mod 64).
+# DIGEST: 0ec4072fc3c850d4ee958a0af170d5aabd223b024c617df36f4ad245d0304c0a
+KEY: a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607
+NONCE: f00d033fb95fb09e4d00d6172e780ab8
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997dea
+AD: fd64b1fc65de39f4f03541
+CT: bc6acdf0943ba34efbf9eb27fe9e968f23bc1d4f1eff7f86e836621422e7ad8e1adc03249475b6be8ec5d3e96e167af7e6b85ac87b5da2364b1e0d87d5c49d43ddea8e9b796580fc4fea7774f8210e4ec424aa029717937bf76b148e8af72e8badcc3f12dd259fd4dd9a325d81cfc7a188b3
+TAG: a5343f428a33670552af3bbdb5b97ac5b52539ac60112fb6973224088e3089712b64f411d0288827180373d3989bf682c95a303700bb476887da936131fce26835b3a413bb24ffb6508d6b229b273954bda18670a04c65b2a30e4159f84bea5e60fb8df734c792bddfaee0599f19f62f54a37abd2a456aee65dac5f9bd946a244ade11308bcdcb14b4ca37fc1c7565077fea06465ddbc03b459fd19e69da017d1d45bcd427babfe31778ebe3629adce4c72264bb472762b6c4c9eacdc09584a05d375775e37be64bfdc5e0a4a3b63959188c1068afa05bdc12dba42311160c17c11e930855fcd0a7541b728f456866f577c57a979b4b9722658d237caf44b9fdd5ac55239b4e1328fbade275cb41a72cc4e08674c5f05223d8a5cd377d2b
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (51 mod 64).
+# DIGEST: 640ba3888e6cc260a6022fb69dbe5c5267dc8604aa92216e11888394fe59d292
+KEY: 1be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f0
+NONCE: 0d033fb95fb09e4d00d6172e780ab8b7
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd
+AD: 64b1fc65de39f4f03541a1
+CT: 0e87c57c18fdc439c968a9dab086c88271be6dd00843879ae1563e4ed03d69f9fa09a29c1bf99b1c859323eb8452acb2f808f051669bb5e097e23b947369b5a0577157995d729a75ae7a65e293acace3124a8aec53328439e5f2103fc3a236728682fc129a5b0e203bd730303fdd2396270e00
+TAG: 0f83d6bddf9d40d259dbaa002acac91b5e7623fdde5257b305581f67322abc2bd2c78f06196f106867c67eb23973e26df8abb47c47500eaccbe39292cd854a9c2376f928f53d124f6489b959f7a3b70c52cd5c01ee29a77698dfb3706ef2d600caee9707e8c18fcb9622ef34fa396ef4851498f9bfc7fd0160199607db896162cd7d9bcad5c47ddd8ecd4fee7c9028dc546094e7386ae9fe751ed5ebb5bcce4ba084922e5358b2e1e5a3e0ec2ab08fb33e6c2eb50d8bf8b106937a948ca0ca6ce538b08974647d305e2489ceebd8d77e8541fd1831a0f7203c420741f3bb8f2d894f890c04c6838e82a8aaa14b5f22314402890852b61a3e95b1811c9bebcdf65a9f358c0b607362a855c70715bc3cc38bc97c01064a843cbb9f9e1578
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (52 mod 64).
+# DIGEST: 7c10e4553a91588e2c39060e9b438736721926cb7bf53858293ad763e9b70fe2
+KEY: e112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d
+NONCE: 033fb95fb09e4d00d6172e780ab8b700
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64
+AD: b1fc65de39f4f03541a11b
+CT: 688cd509094cd4bbc4084ae78885afbd16845ca8cd47077450408a85c8f3da0025623f3365a65f04d281ba5397fa74b6f90e01cf138e01ee22280fb3a7d4da5c1a3b0e0507bd46636984a0b91e11492ea47136b32c2f364cdfff19625878ba42a4fa736bb277740e58e4aef156616715f9ba2d84
+TAG: fd1520aec4df666b38a77b5e8921addeec555fb803e5f56edd2d5822cfa8e422f5cf988860969cf7c9dd58bc80cdf8f5964b91182f6f45789d029c844e406c4fc4fdf313bee180947df1fa9f51e20706d746723baf917e23f110c7fbbfaa15b7bd8539b4c399d4212eab074e439249c30647085d305760dffa861786ec18e4d8b1b94c0338723fa2757d33ab9b2e8b3e26f94a5779270216c9801f7c330bdfe7de294cea505f4cbf9dfa4dca7638b4bfc31e6fc582aeb10f606e77c095ab7ff434e104a8a68f43408b1ba055a7d2fbf80e1dc84e0c1fc6ef754c6af823027c9cd63514b962e31b6932c1d9420fd0b510f845546700a048dc1549ae7877b25266d838b0a848349b3ac1fc3e64503e0a2c79eff9e16940681629b2a156
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (53 mod 64).
+# DIGEST: 0e88468ae741a9ac1114e212499c092ba60869973f2cdaf456ceb336ad40cee9
+KEY: 12a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d03
+NONCE: 3fb95fb09e4d00d6172e780ab8b70043
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1
+AD: fc65de39f4f03541a11be1
+CT: 21be2dfd45845471a4356b8729da67d713a6aec1b72119e38626317384c349b06b04901a789f95bca41ca42e89549be13e29dfc322d3e88f9fc8c0129626c19ef5bd49c2ba8838c0fc3e04d48e3f5d69d99a07a9b69722f89cc896b1631f5e14458fdedbb6220da18328ab02ef8c72330c077b89c0
+TAG: 0e832bdd33e00ebd16c9c3f6aebb3d9a89838462eb293bf94f83ea9d5e7b694330a143ccbf189e2a6acc6be8b4195d4a4c29c311e89c0f61e4e18ffdcf6100c69d837213c64f3b902314465231aeacebd86d3b8a1186e23abfacfb50819792020555ed206029ce5f18dc0aff8a8f7872f6a28c6a07999a485a706a670cfe3ee5dc307610c0e29656935ac41faae3b8f344cda2e06f46599ec4a338d23adf76b4dbb15963707cce130a6c35cc42ead1715dbd55eb26bb9e54203a9635afda43f2269a518b83041dd6f519f33d521f221d60cdc86be9c5d188afe2e80ff43051544cbafa9dd958e41a0b26df06698535ae3aa826241045bb980e0009132f972a291564eddb45bffe5d133c8cfbf013c1cfdb05ae13aca462c8c4eb1d
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (54 mod 64).
+# DIGEST: 4bc1f00622d792e473151668845b2ffb30c43027972bf59ff86ce53a380f2aea
+KEY: a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033f
+NONCE: b95fb09e4d00d6172e780ab8b700433a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc
+AD: 65de39f4f03541a11be112
+CT: 71fd9ada130acec7deffa6a53eab506bb5fc80ed7e98e656a5282cd88cdf9c253a87832ac42dae0e8a476011b11cd5c075c74b0f29c1c966983f3fa69e00df1ea93fad4942bde475e7ee08ea2c5f6676145c3dfb8d07521133468ce6e573b789a71e59d622587f8fb76e93af95b0c47e347764302bf5
+TAG: 10e23776607c4b3980eb7ea6a3398defd2aad76439f34c2e360f60aefc52f030f969c761fde94aba35f80867065deb51773479233d91b1b11b52f84237dd3a20ebd8668f685d372ad884dd074cfb46e115aeb1e0d6de5001ac136bf7a0fd0bacf214c6f71a19709998fd23f9ecd1ef2cc4cd6cb8f91f03daf7d89098f47a2f29833fbabaf5b72b2ec17c5bf052ba3be3e6567431cd02be7b310b1c3fdd0c69cb0acf10660bfebde43ef5dfcb1717a878e024b027c07bbc6a809290ecfb99b8e2165ca10eac2d15846b6512cd1ad4065de5805dcaf8747dce9759c5e2b46b7e77b096f4da1601e0744a2c13d73b6c0962372628aac01c787be37605ee9910d4dbaf9259dbc28889fa5d405916ec57ac3a9c1e3d56257e4cefaaf1
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (55 mod 64).
+# DIGEST: 7ddb9526ac0b917c3d63a2c0a4cd720d4814a25e29c34a5b203d8aa4d4e0eb00
+KEY: 2933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb9
+NONCE: 5fb09e4d00d6172e780ab8b700433a95
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65
+AD: de39f4f03541a11be112a7
+CT: 0efe6e536bd68a04db4c3d6a2d09bb7de3bd8422ac918573e9e769e5fe8496e4630763085ea5fb939ec972a16b0b01f4e39623d35eb2c514b653a4a716a2837964eaf232d5bdffac9111c4fa0136226b396928bf3df92ab7f04638f3f3cf090c05b14b086cb2883ba64c7680d3ea3e1a020451d259bf8e
+TAG: d75d4338d0c73371bbc214d8f21d0a8ed40d3212ac4f91569f51b41cd2c5b9e1cfb67d4052a70a4d702538f58247be89d04038b27d7366fd5adb189764c1f54b6c2bcce81b0012d367a3efdd90ec9eb895432f1a95abc04669f93aad3283e4e56fffe95e0a8016514663d6e6f37df9c26c063bc7bcf23c2e9af26ad984c4769e994e6798dae965b0f288094ae179601d14a2b263db71993a0a6c81918aa38fd1302a82a7d830e1c36ddf40bea1817995c1520d493c874f54e7d441d288caed8434b6a790984ae81895c5088939f2428de79e3076abcc35d483f2601659e87e6d622d5e37104c9ced7012ec7122c849bfbf43354e7a559f01d526ef416748f366ae82c3c8b60f5364095e0382ae6c4e573b3fa119d49d2d7433
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (56 mod 64).
+# DIGEST: cf85268a8412f6a450d7c8d48a2e744b508b00017da678e76cac09902ca6b0ad
+KEY: 33c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95f
+NONCE: b09e4d00d6172e780ab8b700433a957a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de
+AD: 39f4f03541a11be112a729
+CT: d9832e63c2bc9936f33f10fbdb262711e715fb09ca209b46106c77e03b1bf7b062eebbb99185c684e9bfbceb083b5e459bceea895ce3fb7ec4eee3a5375c15066196b3cf24fc7b89a756184abb59ac80bc73116cd277e7ad4d9d02a9a9541cb4c71a644973b959b9405c9b109dc367c96ccf4c49a8cb942c
+TAG: 9945a3c66ab56d5ba42914d0da1221752f381bb8929cdcfcc5df9a025c888273762ab6aeddb17b7e359923b1a4146a45692749b6751ab0f91df4678ea172de23a1b62a40921854513099a362c94cfe3be87bac38711b30df6748a21def3bf65e654d545b49ae975625975b27e789580a01c73c67f97fbff56d81d21f5d46cf32010090e2faa957e739902149511dec88a65d4dfd7e997db77879c7a3e53e5fd93a914300477ac5381ec213c8050dbbcc85273db55a5f3590b435669d956c5c54cc3bb95cde05791f8986c79138ca73883a65f22f58a8f6fd99b7ac8b81e6d8a7ca8cad64534e1d2a85641b3ca1c5b55e3fe41335f49b05b0a7cff05d1e788d37686cc5cbf97001fc0b5e509e7d99306a8e81e38bd94f54e8
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (57 mod 64).
+# DIGEST: 0ecc677bf17604e63d1e4ac4a1d56702dfb16e205af1da5d105d553e87d14680
+KEY: c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb0
+NONCE: 9e4d00d6172e780ab8b700433a957a74
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39
+AD: f4f03541a11be112a72933
+CT: 90c83b333d6aa133026223c4966a43fb67f666db06d95f45cff479a626698bc2a73c64066e904ef04800aa8151adec851a51293b7bab1ce22d3e86cd3ba3924d8c0a1253f9714b7c1add9fba2be58b243e6f7ff4f0cf9ae6d4ccd2d4edbbc54d09abb8b9e3f0b269a2cf424a213f0dde799319e633b0fe1dc6
+TAG: c2bd8abd58134322fdc45b2bc3bb19b1a7d1e374fb50ec18bd8b0a005e4fcd8a8fb89471e00b1c7c7d579582ffcd151a412b64f7eed5e2cef7ea6ebd5a8326c0723978f81dacd50cf79e363d0716a08512c051706d20b76f7752d9595629dfb99d53b3eb7b3c590aa05d061e35156aa5fc6552ab7858d78b875a120e14e5eafc06d336c683a6874f1759f8adb2159ad91c8240206f0f5093eed17532568c5262d4228d3285e7ffa17d38de7f50ee25ef25485e9692888b80f5ea64976fab5829920e6c9436b1f95e78de7b181fbcb6bde0ba50c18339cb59f942caca5647d8e40c58c0c17d9f4876e275bdaafbd1c73298fa0f79512e896ddb86d7f8234e9612dc624919aaa744ac5a3caa67cb8b809303854cf369fec2
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (58 mod 64).
+# DIGEST: 75073f11e219dda101a54987959be5353c48af4af654fa6dd23e32639ca2ea1a
+KEY: b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e
+NONCE: 4d00d6172e780ab8b700433a957a741c
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4
+AD: f03541a11be112a72933c7
+CT: 7c9990e7f62cf12afa4e5a4eb3cce88da630a30c3a86a53ed009545de30a08f277e2b8202e138ddd380bb343b606fe7f9d8f53e924c74a21826b1240a76b8ca99ca1a73c8fe87c469793bcc03e84cbf98154b85123332327e0e8218cea0b9fefa3b92835ab96a369b90c7383667f0ba5e62e275c5f4870bcf1ad
+TAG: 4b0023b660c25aee68d10550fb50140eb0c70dd881dfc8c9c99b7033eee7c72f6464368013845e2cd98fe6585ca56fcd8b09cce7ef29e88d97d719d5678189dcccf411a3a717b3985837f57641e74cda0bcc104f0058ff69c4b75a43a71e09e1ff6c9f26aaf940b34c7a4d29b645abeebe615e7b4c645b1622b866733f64cb2ceceb89183ea0bdb7b9fd13fc0fdc8c1379cbff97ea47828d265f73a140ffd454a68dbc03b0f43aa97bc3dbf326319004654d3f9085dacc461a45c0d334aa52eec9ede99435a8e4d6818c2c3ac263d6cd482f0b753ac2906827baa452360b120855f7f1ebdd35e30c104bcbf0dd76ea98584f15082b2418d18d9ea8fdd0cae0e6204a4421d3eaab6ed1eca6c49f411bd236b1fcb7629d
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (59 mod 64).
+# DIGEST: 7390da1949a9ec86934b6f6c7af07d60fc37be21edd0ba9d937e888402731c54
+KEY: 4ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d
+NONCE: 00d6172e780ab8b700433a957a741c9e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+AD: 3541a11be112a72933c7b5
+CT: da1b99574d59c3998b39dc057d093134c9bb4d0f9a38758e95273694e405b55d8047bf119dbf29c346ea5318a13c8eac769230c085cc2b67e57800279fd47aee9f2ba8e572bebb9f231e954430bfa53bd193ed74b4dc59d6c6e3687451c95d996c86283f10bccde027b90be52f6e2003c061446ad646ef6794073e
+TAG: c47a0239314493854571f92f50efbe318131d94c773d811848f642d29ee7ce1706c1ce3f55b7be4b57f4ef893fa9816b0cb3c1d74559f7f3d6119f7c7460eea64bdf660f13ca59723eca7401dc93c687172842b88e446b0aadecea68b924917d06e234098295b1345ae215c33474fbd1b010255fd233229998c21ec87024b1331288f6fc6ddbfc5cf0ef2587f216617d041df338e4ca14bd12c7e6c7d1625f46057755b2f9f18f5bf5cdba9eb0132f84b954fd6e0aa30d26c0a5937b2ffe982456326bd16c002ee0bdcf4a2a38000b1164b143b52fd69adc4855a7a5bad09a97fadc5b1d9b7bdbdb1d6cfc63ae44931019b61ed2573aa8912ebfc436e7e92a636d337bb0e2054ce2dbf30180ee7bac0bdc687e63cd
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (60 mod 64).
+# DIGEST: 174d05b7079b80d455325eda1a010ec9bfec7110a14120c6cfe365d270099069
+KEY: d4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00
+NONCE: d6172e780ab8b700433a957a741c9eb8
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f035
+AD: 41a11be112a72933c7b54e
+CT: 003e3e54c1df8c46595d812418ee8157054b3191a3f73ec99a047f8c8d25499dcbd028b90caf67af13f72b1632a2e605047c784cfd47b533a947238bed948ab395f83dbc1e5e63e05d50f085aca5dc7ac958e0138e9dddb0883bf8214eb3c43474bc7476deec216841d5648e1db04a898d5dbcdf3d8a832063739aea
+TAG: df1cacab73190492bfb49c18745fb0ebb0e2826941621d2ad4a7556a677e71865a25556d15f6c243ad98d65d7d48bf0926e86417256f6eddaf648b23e0bc877b1f4a144f5cb8025d68831f6440b6524fa61d701337764e887fe08073a0bf0a0a279c50ec8f799bf9fc6e9709a376fb1b1d52a1fb60d50657e56cc283fd36c0b07e7612a025d5fb17d407a85b8b0b7f70dced03d39f0958d0364df204b92cfc5b04189a741395d9bc288cad4bf12b6d7c590200f295598209c133ed9cef848b0f716db41f29db4d5ca48cc2b0cf536d89f6a8201738497bb1f04dd9df01e9623d09ebcea9f1587c93c44c5d1bd99ac021fd98142d9f02f8b4e52470b23588e3229c0f769f43abef626bfc91f32894cb406882d055
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (61 mod 64).
+# DIGEST: 338800a96a5cf6db2ec5d06de2a53d0fb1b94918f1f8d5c0f222640d4c1bb96d
+KEY: fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6
+NONCE: 172e780ab8b700433a957a741c9eb80f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541
+AD: a11be112a72933c7b54ed4
+CT: 088728abe87e0abc8f5991ed5b43811f4134b159111b0fe9a173122864baf70c5a904e46404399ad705084830860d7e78bf85bb166576117af665dd709ed380aa5de72a9d5819177fff5ca3b536f40f6518a21ccc50dc1cdd1a3d4dc89128de2ec6a6c64cdb50df0e11b55769dbc1e3cc18c9e57c06f5ee705590654bd
+TAG: 092370b96f4351ecdf553259224c8b6e90e656c00886aee0bc6a8c2e54ead2e35b7c68cf9ec40e01a2fdbd796a1fd018c92b8872eb56b9a4ca371d72b56f3e57feb77187510200b154fedc6b139a36a49bb2060d1567c167935c31941dd80fbef0d296a8256f144ef3cab87983c9e4e2bbcd3fb339217021c93c6662feb87821efcddebe9e2a106c5b724bfdc9b00cfe533615b8c97bd90c7c825709ad1619dec1d4f914a1b4c7b2776d69e4d51b905806a6edb67d4b926ba299af119a520227f5c409bf247c35b4b2b8fbeb2a4ee2f2192455883db9bf2dce2bb62506a6eb1f00e6223502aa1af04eb6d1250e3aa9aa193e9468b96a5788f88ee2524b55064d94c7d5b9227c9d988e1b19474342932d3f8e4c
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (62 mod 64).
+# DIGEST: 6dc3a2d32318422ad20e9c7b09a9a73d8608a326eb14efd6eb52b87ffe4bad09
+KEY: d0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d617
+NONCE: 2e780ab8b700433a957a741c9eb80f2b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a1
+AD: 1be112a72933c7b54ed4fa
+CT: 2e844cc46c1eb905c90fa857be56d4bf947ffe31238ecd92f62c3fdbb1df4c65b14acce9aedbcf6e0d6b0099023fb89084d0658af9d148c00798ba511cfe93ca2604109939a2ed5c8be6a6557f270c14ec9dcf1953014c5324bddbd19c5de88cdfd90c17b06161dc3faac0b551ea15fb1ef49b20d5ba92ff185e0f2a1342
+TAG: fdc906b90e526f25e414d44f8ef584c232bc97634e4b4af65ebf6ab6c3adcee9a7b6cc010e33f9181a83e6c8482e28b299f7495631df8068b454e952ea2467093ded7c93da6ea3a7faa91fb507789fccfcd8c0cbb115602c269e94900fe34daf36862b068376f1aa0d11a175ea2a47166891fc08d86d99b0cdc36134f2cb0c48a1dc5e7009348c9788ef122c92e82028de1e2ab27596cf9ce5bcc18115859084db6cd598341c60aa6189080e1d27014f442dc98d6ad3074bf357134209337eafd57c9e71b9fb505f7f442729f16cc2ebcadf3b1b521d22731a417c0ac06f7dcc3719ad8612ff1dfd9fdaea8b626b172be78a8fef4dd5e681282c108c925adafa5bb03b372b623d0e1aff82038cf70c72f481
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (63 mod 64).
+# DIGEST: e2c5b8d5e6f07c136223bdb8a1c0197cd99132dd8320a3f1dd1a393a90e575ad
+KEY: be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e
+NONCE: 780ab8b700433a957a741c9eb80f2b02
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+AD: e112a72933c7b54ed4fad0
+CT: c0d206171605ceaa8cf507e9c5b785162dc985f8e6d02c9b78d1ee7a50ffe0f2f9eaa80444445da0f42f08cfec019f2aec8b0dc7e9e49eb63180811b092cd737191d8a4b9b2a4f802f484f5b3e7144899b29878c9e7173f24b732eecdcb6bfc88b3a87cbda306c296176d18d794c1f1382c7df66b9c97666ebde165ed92869
+TAG: f33071d221e0e38375c6e17bfe1edfcc9628e765995441ec3f3535501ef80c66b03f7c9127e59464aae5a9c62a6cc80e5b9ba164ca644171e309aa408757e5a4ac5956ac9f47a9d2c1b01a5e4fba3870422803efb2ce809954f1dda2a64a5ed16b98bf911ed1a505d6c5837d16e79587219cf47211de415de99fcee110f11a3bac9b2a234cac4172afbc404ecdc471dd5a756ff8936fc481b0bdd876501dab51174710b920f75ae0d2ab1605b11cdac009aeb26fac1ec2ed4627f05e5f8507e38765cb9bc886bf15b37278ac25b9230838900e17e31ce1d4f15fe7767db19e6405f6cb85db43cbb6b764a9506eff8efb80a706cabcd4beb646aa7bd5f62e2edfd6191bab4ecc948527902307ccc4479b67
 TAG_LEN: 32
 NO_SEAL: 01
 

crypto/cipher_extra/test/aes_128_ccm_bluetooth_8_tests.txt

@@ -0,0 +1,105 @@
+# From the Bluetooth Mesh Profile Specification v1.0.
+#
+# The relevant AES-CCM calls are:
+#
+# KEY: EncryptionKey
+# NONCE: Network Nonce
+# IN: DST || TransportPDU
+# AD: (none)
+# CT: EncTransportPDU
+# TAG: NetMIC
+#
+# KEY: DevKey if present, otherwise AppKey
+# NONCE: Application Nonce
+# IN: Access Payload
+# AD: Label UUID, if present
+# CT: EncAccessPayload
+# TAG: TransMIC
+
+# Section 8.3.1.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00800000011201000012345678
+IN: fffd034b50057e400000010000
+AD:
+CT: b5e5bfdacbaf6cb7fb6bff871f
+TAG: 035444ce83a670df
+
+# Section 8.3.2
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00800148202345000012345678
+IN: 120104320308ba072f
+AD:
+CT: 79d7dbc0c9b4d43eeb
+TAG: ec129d20a620d01e
+
+# Section 8.3.3.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00802b38322fe3000012345678
+IN: 120104fa0205a6000a
+AD:
+CT: 53273086b8c5ee00bd
+TAG: d9cfcc62a2ddf572
+
+# Section 8.3.4.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800000021201000012345678
+IN: 23450100
+AD:
+CT: b0e5d0ad
+TAG: 970d579a4e88051c
+
+# Section 8.3.5.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800148342345000012345678
+IN: 120102001234567800
+AD:
+CT: 5c39da1792b1fee9ec
+TAG: 74b786c56d3a9dee
+
+# Section 8.3.7.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 008b0148352345000012345678
+IN: 000300a6ac00000002
+AD:
+CT: 0d0d730f94d7f3509d
+TAG: f987bb417eb7c05f
+
+# Section 8.3.9.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 008b0148362345000012345678
+IN: 000300a6ac00000003
+AD:
+CT: d85d806bbed248614f
+TAG: 938067b0d983bb7b
+
+# Section 8.3.10.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800000031201000012345678
+IN: 23450101
+AD:
+CT: 7777ed35
+TAG: 5afaf66d899c1e3d
+
+# Section 8.3.12.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800000041201000012345678
+IN: 23450101
+AD:
+CT: ae214660
+TAG: 87599c2426ce9a35
+
+# Section 8.3.14.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00800000051201000012345678
+IN: 23450100
+AD:
+CT: 7d3ae62a
+TAG: 3c75dff683dce24e
+
+# Section 8.3.24.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 010007080d1234973612345677
+IN: ea0a00576f726c64
+AD: f4a002c7fb1e4ca0a469a021de0db875
+CT: de1547118463123e
+TAG: 5f6a17b99dbca387

crypto/cipher_extra/test/aes_128_ccm_bluetooth_tests.txt

@@ -0,0 +1,208 @@
+KEY: 404142434445464748494a4b4c4d4e4f
+NONCE: 101112131415161718191a1b1c
+IN: 20212223
+AD: 0001020304050607
+CT: 69915dad
+TAG: 064617ca
+
+KEY: 404142434445464748494a4b4c4d4e4f
+NONCE: 101112131415161718191a1b1c
+IN: 202122232425262728292a2b2c2d2e2f
+AD: 0001020304050607
+CT: 69915dad1e84c6376a68c2967e4dab61
+TAG: 99763ebb
+
+KEY: 404142434445464748494a4b4c4d4e4f
+NONCE: 101112131415161718191a1b1c
+IN: 202122232425262728292a2b2c2d2e2f
+AD:
+CT: 69915dad1e84c6376a68c2967e4dab61
+TAG: c4630026
+
+# From the Bluetooth Mesh Profile Specification v1.0.
+#
+# The relevant AES-CCM calls are:
+#
+# KEY: EncryptionKey
+# NONCE: Network Nonce
+# IN: DST || TransportPDU
+# AD: (none)
+# CT: EncTransportPDU
+# TAG: NetMIC
+#
+# KEY: DevKey if present, otherwise AppKey
+# NONCE: Application Nonce
+# IN: Access Payload
+# AD: Label UUID, if present
+# CT: EncAccessPayload
+# TAG: TransMIC
+
+# Section 8.3.6.
+KEY: 9d6dd0e96eb25dc19a40ed9914f8f03f
+NONCE: 02003129ab0003120112345678
+IN: 0056341263964771734fbd76e3b40519d1d94a48
+AD:
+CT: ee9dddfd2169326d23f3afdfcfdc18c52fdef772
+TAG: e0e17308
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00043129ab0003000012345678
+IN: 12018026ac01ee9dddfd2169326d23f3afdf
+AD:
+CT: 0afba8c63d4e686364979deaf4fd40961145
+TAG: 939cda0e
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00043129ac0003000012345678
+IN: 12018026ac21cfdc18c52fdef772e0e17308
+AD:
+CT: 6cae0c032bf0746f44f1b8cc8ce5edc57e55
+TAG: beed49c0
+
+# Section 8.3.8.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00043129ad0003000012345678
+IN: 12018026ac01ee9dddfd2169326d23f3afdf
+AD:
+CT: 0e2f91add6f06e66006844cec97f973105ae
+TAG: 2534f958
+
+# Section 8.3.11.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00033129ad0003000012345678
+IN: 1201c026ac01ee9dddfd2169326d23f3afdf
+AD:
+CT: d5e748a20ecfd98ddfd32de80befb400213d
+TAG: 113813b5
+
+# Section 8.3.13's test vector is identical to 8.3.11.
+
+# Section 8.3.15.
+KEY: be635105434859f484fc798e043ce40e
+NONCE: 00033129ac0003000012345678
+IN: 12018026ac21cfdc18c52fdef772e0e17308
+AD:
+CT: f1d29805664d235eacd707217dedfe78497f
+TAG: efec7391
+
+# Section 8.3.16.
+KEY: 9d6dd0e96eb25dc19a40ed9914f8f03f
+NONCE: 02000000061201000312345678
+IN: 800300563412
+AD:
+CT: 89511bf1d1a8
+TAG: 1c11dcef
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000b0000061201000012345678
+IN: 00030089511bf1d1a81c11dcef
+AD:
+CT: 6b9be7f5a642f2f98680e61c3a
+TAG: 8b47f228
+
+# Section 8.3.17's test vector is identical to 8.3.16.
+
+# Section 8.3.18.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 01000000071201ffff12345678
+IN: 0400000000
+AD:
+CT: 5a8bde6d91
+TAG: 06ea078a
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00030000071201000012345678
+IN: ffff665a8bde6d9106ea078a
+AD:
+CT: 5673728a627fb938535508e2
+TAG: 1a6baf57
+
+# Section 8.3.19.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 01000000091201ffff12345678
+IN: 04000000010703
+AD:
+CT: ca6cd88e698d12
+TAG: 65f43fc5
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00030000091201000012345678
+IN: ffff66ca6cd88e698d1265f43fc5
+AD:
+CT: 3010a05e1b23a926023da75d25ba
+TAG: 91793736
+
+# Section 8.3.20.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 01000708091234ffff12345677
+IN: 04000000010703
+AD:
+CT: 9c9803e110fea9
+TAG: 29e9542d
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 00030708091234000012345677
+IN: ffff669c9803e110fea929e9542d
+AD:
+CT: 8c3dc87344a16c787f6b08cc897c
+TAG: 941a5368
+
+# Section 8.3.21.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 010007080a1234810512345677
+IN: d50a0048656c6c6f
+AD:
+CT: 2fa730fd98f6e4bd
+TAG: 120ea9d6
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080a1234000012345677
+IN: 8105662fa730fd98f6e4bd120ea9d6
+AD:
+CT: e4d611358eaf17796a6c98977f69e5
+TAG: 872c4620
+
+# Section 8.3.22.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 010007080b1234b52912345677
+IN: d50a0048656c6c6f
+AD: 0073e7e4d8b9440faf8415df4c56c0e1
+CT: 3871b904d4315263
+TAG: 16ca48a0
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080b1234000012345677
+IN: b529663871b904d431526316ca48a0
+AD:
+CT: ed31f3fdcf88a411135fea55df730b
+TAG: 6b28e255
+
+# Section 8.3.23.
+KEY: 63964771734fbd76e3b40519d1d94a48
+NONCE: 010007080c1234973612345677
+IN: d50a0048656c6c6f
+AD: f4a002c7fb1e4ca0a469a021de0db875
+CT: 2456db5e3100eef6
+TAG: 5daa7a38
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080c1234000012345677
+IN: 9736662456db5e3100eef65daa7a38
+AD:
+CT: 7a9d696d3dd16a75489696f0b70c71
+TAG: 1b881385
+
+# Section 8.3.24.
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080d1234000012345677
+IN: 9736e6a03401de1547118463123e5f6a17b9
+AD:
+CT: 94e998b4081f5a7308ce3edbb3b06cdecd02
+TAG: 8e307f1c
+
+KEY: 0953fa93e7caac9638f58820220a398e
+NONCE: 000307080e1234000012345677
+IN: 9736e6a034219dbca387
+AD:
+CT: dc2f4dd6fb4d32870129
+TAG: 1be4aafe

crypto/cipher_extra/test/aes_192_gcm_tests.txt

@@ -0,0 +1,43 @@
+# Test vectors from NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
+
+KEY: 000000000000000000000000000000000000000000000000
+NONCE: 000000000000000000000000
+AD:
+TAG: cd33b28ac773f74ba00ed1f312572435
+IN:
+CT:
+
+KEY: 000000000000000000000000000000000000000000000000
+NONCE: 000000000000000000000000
+AD:
+TAG: 2ff58d80033927ab8ef4d4587514f0fb
+IN: 00000000000000000000000000000000
+CT: 98e7247c07f0fe411c267e4384b0f600
+
+KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c
+NONCE: cafebabefacedbaddecaf888
+AD:
+TAG: 9924a7c8587336bfb118024db8674a14
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+CT: 3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710acade256
+
+KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c
+NONCE: cafebabefacedbaddecaf888
+AD:  feedfacedeadbeeffeedfacedeadbeefabaddad2
+TAG: 2519498e80f1478f37ba55bd6d27618c
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+CT: 3980ca0b3c00e841eb06fac4872a2757859e1ceaa6efd984628593b40ca1e19c7d773d00c144c525ac619d18c84a3f4718e2448b2fe324d9ccda2710
+
+KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c
+NONCE: cafebabefacedbad
+AD:  feedfacedeadbeeffeedfacedeadbeefabaddad2
+TAG: 65dcc57fcf623a24094fcca40d3533f8
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+CT: 0f10f599ae14a154ed24b36e25324db8c566632ef2bbb34f8347280fc4507057fddc29df9a471f75c66541d4d4dad1c9e93a19a58e8b473fa0f062f7
+
+KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c
+NONCE: 9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+AD:  feedfacedeadbeeffeedfacedeadbeefabaddad2
+TAG: dcf566ff291c25bbb8568fc3d376a6d9
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+CT: d27e88681ce3243c4830165a8fdcf9ff1de9a1d8e6b447ef6ef7b79828666e4581e79012af34ddd9e2f037589b292db3e67c036745fa22e7e9b7373b

crypto/cipher_extra/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt

@@ -42,14 +42,707 @@ TAG_LEN: 20
 NO_SEAL: 01
 FAILS: 01
 
-# Test with maximal padding.
-# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
-KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+# Test with maximal padding (0 mod 64).
+# DIGEST: ceb2d295bd0efd37c6c34dab1854c80e986174fc
+KEY: 37446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d4120
 NONCE: 
-IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
-AD: 1df3f4183aa23fd8d7efd8
-CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae14b500b94927f24ff6a4f7b07
-TAG: ec90d128ef465f4a3645fd0b2601fbe2b0bceae2f890f0700c7a15c82fcbee6ab492908ba5f2df0f04dd0635c047cbe52069d85fcfabe53ceb43dc71c46e51c0e3a9ff435840d62bdcb93341a1624b69397fa1bbd9229814a2788b91a107534b41ed488f4ce95fd2ab46963e4f1a3096c74acc8466d034eeaa7c0f1fe46a4eee7abb740367266cd36fba96dc74e520f64b9605c067bef516f517f99ec73c1104b43bf3e94eadd7dd6b9b7db847d6ff4c03dc454d8edbf8f694f09754f249fd1dc0bb4b130b2e43ddc1d24a0cc14edc8e7328515cc8498ae89beec66127508676fb04db92055abf2be22e0c2a7a3d9664e17d919f655ffaaaa7246a0ea29f9c42f72b6edd0dfb4867802d6992ce25efd8fe0dd0cb
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba
+AD: 2fd6773e0d0c302a5f47e0
+CT: 000893d3434c5be7cbf9daffd81f03545f735cb70d1bd16eab26e07da7ee29b4c607d9a57077d74437e5b01a89c808c7ceca0d3838e5c6ee9947f1d4ee1d5e5e
+TAG: 6d8dc4edeeea81cb503d7389da209ae335876393fdab048965c7eb1a1403d05f8ef059788d08c2e906444388fd416a87bf8706f78d35797453b242618f4a99f47c3756116ec0318d96435032225ff82b902b9b6985189ca438e466154ded91676676c645926e2cf8a5d6f3bfafbb713d646cfd35b091f68e5ac2e7ec10badf1fd80767e6953abeecdc89beb2180dc92be21631164ef801147917e0c8d7841bdcdb52ea03344ab5f2bf3d5157794f5be79f51eb1efdacc0b77b27b72e2ce03d05473203522e3c2c196390d77dc28a35951f3aebd72ee58021d55e521dd029719a7660408ed0da5ab41830102bceb514b0b172d0ee10937111edba82b47e719c3beb3ce49a665accdc1c5bf028d465b5e1
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (1 mod 64).
+# DIGEST: a07054c760cc66fc704edf950201005031f3faac
+KEY: 446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2f
+AD: d6773e0d0c302a5f47e037
+CT: a1e92776d0ffcfed03d1be956169f606733755d5a7011620c7ced6a825d8e59627e75692a41a1f2a86e62fc6052873b5458616414584e36bad698cf4c44909e0a2
+TAG: 6e0b32528feac2d7f69abb480efc7aae6cd1c5f8a654bcd10ec5be08b58f5a2198bddd83439d69ba9f55408cdf087e8a7f33fca6859638c5a4e8bc6961afee7534d8ffd95249d554b02e5beb81100be5e10abf679300f4ba514c03f4fbbba3cc62bd13dc8c8b9a726a9f217446c6e3b89cadb40488b177926c88c9d22a6c4ad9deca67f0d976fe62cd24c3cbb2e51dd16ee2e7bfe91d867b77c77a9a65c387e2682d946e617d0128034f5fe436eb7fa88aca82526d71dfefbdeeeb5a2c15d57fce0cf12e6ce0b101ef92d9ca540447e0bb65bc04b6a02e4e6d9378c6eebcd6d530c4ae14243beebb18403e8bcd434c2d88cc121e2df182edc3e1f52b060b1aecc48490c6cf3260299449945c803891
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (2 mod 64).
+# DIGEST: d059c266cf6233af730b7a229b19356a4c6fcf06
+KEY: 6f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+AD: 773e0d0c302a5f47e03744
+CT: f414f0321370af1490839677747893befa438051fef5f02fef488d7b84dc03140b3a5dc3a57041be4c8b688633110fc07251d877de0d6242928e4d937e3cc58ed611
+TAG: 4ee98ac6f10e179314a251a9db190037c47b9fdfc66321d83a995f6dccc5259801b18c3f466f7f4939b7d2d7196e0b161aaa013721e81bb9707b974b904f670e4aa495357b562a254908417b65fa69e86c42b3efdd423838575db08465a7f4889c85201629f6350c0865b5b0cfbac4f51ea1eacc8f9768014975d780438c3bd77f7f18612080abdeac9331e1a068c8f3a345d0026c5723bdbc48643c1a733a5b7ca9078424522db9491bc38d2644dab2d75499715707cd83ed655343ca73672d480f1420754fbbfeae0fba05be3b5235a5fa48bda9f39df0b298351d8f4da3fb8a2feab8b1aca9335eb31ab03f40ab19f668bb864c798ae08de37bf848fe2e898172d26fa23f383787d7199a6990
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (3 mod 64).
+# DIGEST: 8aac0687e33041fcc18da154b41f20a6af2bfb28
+KEY: 5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd677
+AD: 3e0d0c302a5f47e037446f
+CT: b51ab2f8c4ba3e8638d454ea72da5e3cb15336c347c442b8e1ade85c5cbd0dde790dc707d60d452d5b88d72e718f13cd0e0f4c9149b72e8d6be869d817a3232513c958
+TAG: dc8feba112517f6a820ca12de43c5d64c51cca713d3702a2b4a5cdbe86a90946a7369ec26ea8b5b35df329bfc6e29ef50c2774649134bd6e3f3fb38ef13d9c7fbe066e9cac4fb88dd0c02b677472ebbb2d0679dffedcaf13fccef6a25aed3a272ec01e7680becf80a624518e1333d28c97487b06e0581cc80c94989db4e93489f3dece9eab6dbbee73aeab572d1ee7705d18b899d9c62d7a370311e64131a801400b580d3c8f7af88be485b84fbdd89f7f7dacb29afeb56658f3d8e49f27adc542e412b0fd652b9f60575bf61622d7306c54bed50b43d89cdaecf1981ede09f9ea36fd174118ac178ade5f26ba04fcbd2eb035f030e2139506456ff8d342a4e59bd55dfafebda23a66cacfe6d1
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (4 mod 64).
+# DIGEST: 53658226c112b86438dd27b58a71f9e36fc73c1e
+KEY: 91d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce99
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+AD: 0d0c302a5f47e037446f58
+CT: 87bf1af7e4987cdab35bfe32adc6b1be286751426cf926217f2c699bc095bde7b6ff3d6cc96b79328ab776547c2cb756d9de8c1245d21619a51dba8364ef6914590f15f8
+TAG: 55b9a1ee198080846389dd088016acab73622b1e2f902b0776846c74d99c27e67c7bbb55b2ac0efff91af0f6cb2ddcc0b5b8bab768048bb1662bb343d2f3a164bd4ca4850fbf8111b29e9be7bb836e2a8ac50ec2cb0b1c4529e50904007372284ec9187ea27d8faa03fc9535ba744155d06c06a0a97d96c03de71c13c95f185f426615f1368be346aa5ebf80049ac6771763235f2ee44dc910a01035c53caf8f9fa6f51fe3ad094513a8db177b6a66e24d21e1e40a23aa3629fffad45f84a58a29ef9237fac5eb6f5deb3825de6f399e46b2b2b91faf64ce45d164155e4dc757f6005c7c3e7fb3d8829623fd7c6ca48b923be90c38f5209c6d94696d2b2b7ebc5dfbf2cfa1a37e8ed038e830
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (5 mod 64).
+# DIGEST: 6b7d5268b0b5037afb5be5af6a0ceb34e7656ac4
+KEY: d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d
+AD: 0c302a5f47e037446f5891
+CT: 44237c388c3d017300db0fc9827f9b575e59bd971a0fd89cde4aeb1763912b49d50e92ba19d7594ef6da27320ac2bd1db3bcfe56b68a9ea8e2347d69890fa1fdc8bed782ad
+TAG: c1068d84aa962e7b89090993378806194ffbf677e7a66524d2ebfa7bdc52d76d09b914168eec4a5fde0953d4567affd3a4e0e48190e7a84471efe8ad1ce577c21df93b9d641c865d90ea1e6069bd703c4ee372379a4ec94f7e99867179561d41e9053977cc985b98f7a9fbc675d77052809b89b8f23f993e191ed1a07f97b89d05de948107f94245f216c413288eb4e40f3cee9c00c15926657d9ef9187ab405ee8000b4bd84d5771464401d59156a97eea7b23b4a6e9f1587cd3b75826a621b699515829dfc57740ad5719c43e88d835e13ebf703a0966779d31dc26866e0e9d27e3376137c92c97af49a876eed425d3980f1904f013143faeccb4fc920185ec2325361e5b318434487f9
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (6 mod 64).
+# DIGEST: 63efe7af502231420ed5aecce9a28446b257828d
+KEY: 7df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c
+AD: 302a5f47e037446f5891d7
+CT: 2f25b5a3b01af5411466c8aa5d8ece037434d5e12b62306f2732cb063d0dcdfc2725e67118a242a5576d470fcaf9be6d811bf2789cc66f5561d0542438b5432fe713187a879f
+TAG: d80e1f4edc2137f430d36a5ac93680c973fd7c64a03f7c2ce1b7e33085fe94da70ee26f47998947310508448cc70daa595687eaa540e48f048132de108a045da6d71170e39bb45160a344a2fdb5cb56ab020b9c0842ef2a1a5c83b4d63359fb8d71506d1e611fafa29e77d0669474d135e37bd8aefc3e17f024093186ff80fef73889e887b8d6672256dd592946ea84becc08c29445c8d978e896b1dad5e2608e347e54a97f3f757d7362f95f4cedebed07ab45b05713f7119c38d15a0f22d4259893f5e2401267543b3f78b52d54dd2d608173119e2dc7fe01f66589628e95fd7528958e993b21e4db664b8cba2f776d5cc305c42553da936d580c17d6f5090ff04e106c6488b5b18dd
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (7 mod 64).
+# DIGEST: 1a555c300a1d1bd5b03cdd6bf2a678621624eb05
+KEY: f660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c30
+AD: 2a5f47e037446f5891d77d
+CT: bbf934979c5d9da5c8b27d0341a164d640f12956a392303b0f1665935b5c39de458f53e0a6f824cc56081db1615fc67ffff0d300d1564666b81bb37da59e4da30de9d6a19df74e
+TAG: 9c18b0f9ee6a167a23566325eb330660997193385214abaf945dc18fb8252fbab8330b9809a6f1b300ae5a0c9d841fdd6f77e8d65f1cd0b221fb9b94b5e5d7215e6f501f490a7fa0a754efa7f2d9f5b927a5da2bea736e73af067e5d988901032d503ef3ab89894d03e48a096e7c31fe64bbc2c13f02d878590659ee7606d9212898d4d246e52b03c5646b1c3fbd43baaeda6548156987fc8f490f5763da18198bf0754d20f16dcf7df6bd35ca4bd95cd5c95a60427fc541aaf1f6923ff150de825cff9900ac9492350770bdd13fc4d0ac858ccdf36efbaeeb572aa45ca5470a04a7fa1ce5954d58771730b7202def47b303e560e81ebba2080d044a0851043c5af1a05c30a5a448eb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (8 mod 64).
+# DIGEST: de9156349b578f2f44945ec6a676a67a829daea1
+KEY: 60ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2ea
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a
+AD: 5f47e037446f5891d77df6
+CT: 9b9bb61ca4d5aab8d0342d2b174e8f39b8e21db0fb7146025fb298016df3bab4363bb47f5b1fa038587df98851d09d473a68c959ead8062c52b9d6de86bd6a0fc9a2daab4667c621
+TAG: 897472da6d837ec173c2ae738721306e8d3c9e5353b65d1ecb3be3d0039739de379c9b06f42af8e952aa9acb4780a6de888dc8c54fe9a2eec19ae4a864b3b9696d712153bb66c49825ec5c891e30915c4b7b66b190525195429426ad694467dab09e8c2f9f21ffae4d54b74c0c5ed9a05963651dfcb9560677693429c63f3024043385ab0a31066243d42b80d2aa9854005504d6c8b9b7f736a8731c5dea0f3fc9007aae0c6edcd0a91dd1bbc5750de12ee13d4a77379cd3b2c2bbac885fa17338011b7b81cec6711fd5d65178f20a06f5475e09c202deef57939161ca8ed3e4aa9b010277acddc4478d1afb64138b276e265182ef2dea321b4f136c5c439ef6d099621813209a43
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (9 mod 64).
+# DIGEST: 12812df3aa7f3bbc899f6f248f5590e02570c292
+KEY: ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f
+AD: 47e037446f5891d77df660
+CT: 33ac574b7962d03b7816c0199a7f661a485832b9023867a749fc4bfe8ff0485571744f801139afd8215863b23e2d68ee7a254c60d8029e0f1ee10a1b947a4984f37f98a6767f52661e
+TAG: 3ee493d8cc764880f4ae7fc3c189b95bfe11d89640e3c9ddb55b230ba0d142d53fe18be8b955cf0d0d237c3b295459fc4c723b27ba8a29ed8dd5c80fb9839e30bc92e6afbf28ef6f72d1c28e5452460f986444678e7ea982d8bae63b69788012bd43aa66e5a521840c79831ae74426fb16f0917c5d2747b9c31fe43ecee604f26afddb093a9f1f1205a4451d50080ed0a9208a88ed6dbde37a674932bca837c46dd8725982c2ef6ac54511151c4cd59e511ca3835ea9bdbbd2e0842dc9674a854b8d4b063d0685086cdf917a7b7983dcc28af2addf3bc302034e365da1a87334a68477aa34a3a878d926d4c17f50316749d917e172e47597d060403a0279ee68dcd864652f37c6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (10 mod 64).
+# DIGEST: f3c89f21c327fca4aa400fabea9e39780378e901
+KEY: 82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad40
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47
+AD: e037446f5891d77df660ed
+CT: 8517e13ca00214ebfc748efd3a233e8b64801dcce99f9fee3d271357220dff7b1678c1cd6392a6ade62146c0e783248918a7cb69dd26dea525bd9060f380dba75e502bdc19581ebc3295
+TAG: d1f1280699f5514e4a56b08a5c3146142ef8e44c18ccac74577ec0feffbc29884da82212cba95b31d8464954498340f35e9a3d84256e8628368edd166d4b429fcb76e0072d2f5276ed8dc7bd5f34e754f6577ba00ee7ad74e9c89c4f82af0a7716d6ac77c39643909dedcc9356ba42f07874031878229a076da9ac7b0e49b2d170239089ceaf84392e889e7bceb3e383d0f744e229c53e8654ef0099a11773885efc456883e4a973557852f70c0e35668f3f212260e131962087416e668c9f995f226152251f5873fb89047a9dfa65b9fd0116486092b1092c4ee33e7625772944c06a2969b162986cd46d2b4185af2658c25c69a7a599d17f37be0fe1c8250cd7df5e6cf304
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (11 mod 64).
+# DIGEST: e8e41988fad6c8b44c56544964cfe0a347b35b1e
+KEY: 933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409a
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0
+AD: 37446f5891d77df660ed82
+CT: b1cf0005c93547664e09031d923c4ef9ad663a808189cd8aaa68fbada340d8bb13330499131ef3788cd91e9527702a2388802fdd2e91998a53ffbb466bb7e362d06677edd673cae71418a6
+TAG: 7cad97328236aee512598d1a4c7d51b2154218fddf0ef21724921c1afe61fed1b7a1d1b56b8099dafff77362c4154e4bd7089fb0908ab1de49244a053997a0d04229250e52bc1ecf4550da5753a35108b6752f907ddf7a77fefbdb5d7290b02ae231d019d04ad9a5295336639e7e6c81ea46863d2bc3c4fca7d0f3b05237306759b156ac1fd10b044730987d04a943f0f598704f2191f6c627299b92a2c01a4004111c21f650376c3f28fc9793eddaefd74a2bb3cc5dea73685c954c63b71f2924ebcf9853ff084117cc84a0785d96d8d55d02723a2082ecd8c4b49b8d4068071593aff50c2e08fe7c49f6de1d7586e299b42ec723063f2341fd9b3445cf40893cf8c2bfa5
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (12 mod 64).
+# DIGEST: d1c7b2c04dc25fe7b742a1d659aec20e1475ee4f
+KEY: 3f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037
+AD: 446f5891d77df660ed8293
+CT: 7195b9643e0f7a4293c865db36442d4fe2cf3ea2c648dc88cd5636fe5e6bcea3d1197966e800da8c78bcb8830f3fa97671aebce98549e62827adf612e70f946673b07e2f953c8fe5e0b97aa1
+TAG: 3a909a9fa57e720bea6251ebbc1a71bbae1fd894f6bbd16e11abe51bbd1293abc0ad4c152a08b4acfac7a65b723fc6bd6923db66bbf202e184e8dbba150e6021ad1310ab4752cd4ae874409688996fdf88636084db7762b9578bb0c98d77c5156a82a97a3f6989db2359d252ff7c6405bd4834708c88d4481b35eabe2f7069bf8bac374fa382f4225659b41dd2a8006c0ff8d7c77c8d157e0373f45fcc0abc804a9f8a6b816f2b729befd606dc61e7f763f18121f56255662e36d120b27adfc8e1b528bd8ced5386cdb62cc73e58cc7918d27253297e9cbb9c740c7765cb014cf7bf160cbf09e00d32d31d462f356791bcf1286bb9023254afa6c41fe3d165f1bf7e6c002ef64ecdf3b5e073fb569028032e6713
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (13 mod 64).
+# DIGEST: 116e20ff1e79e0af464d473b1e7c187f4dd66007
+KEY: 62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae021
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744
+AD: 6f5891d77df660ed82933f
+CT: 1d50f3eb1cd76d8e08a9f386db0cdc3eddfc694e8502ccae47ab431c2935fc461254b80386c87690b01c22f38ea9bd118d2e0ed316ac249437a3e9c30f6c1f767c150216ec90e6c8913ff3d469
+TAG: e44bfe162cbba654362d1c86088564b14120815f181932e9f111d6da5efb5f4caad61f1161d1d148cc429ad34fcad9128bab101c7cc004fb8f0b516216a809a6599b5144b4c5828cf159fcecac46a86ba0698a6e5267610bad10cd7ce9079b6c691c2ecd522dbe3563074f2ac85712e58cca41761aa94449199a8b440016e68eb8bc9db3ff2c2bd9c64d9d3c71566bfb5d234af1a144859431f16ce6d65b4cc604e9cbf4e5539c192f07a2981b55582376bedc07aa20f5a841c9f500915fef353c37446511da3affd743fc551d5c22454797b3eb957770f1ca16da138c71bf5c00ab7893ae83b3f499a2c42f55551a986555925337e0604227ebf1c65312f0b1a8cdf2d06b5daf3e5ea97ceeb2f33421d0b44b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (14 mod 64).
+# DIGEST: c081d0d09b2c9eb39a372ef4a7b0246a0956b0f9
+KEY: be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f
+AD: 5891d77df660ed82933f62
+CT: 4d754c684658bcc89208bcd75f24dc8e18b70a28b8a2201535e60ab755fb20e1ddfa98742d257eadd02d96c6a65f880d058312311efdf67f9a106beff9f5ace0ac6af586aefbb5e8b4850e584bb7
+TAG: a9bc9bdf2c16ace8cd471c2bcfbc2cf933fc1886faeec62d4809ed5cc4dd4fcb6ca6c42f31bab300264b278dc0b10fe8a54005b590160b410dcdfa3db413dd04a72c897b262ed0fe4ad6683fc5229010f1d2bc939e61a2c9e0480ef3e03e90f74a3edd8bb523271adc45d097b197ca9034bff48677efa763e1ae7528d3f775f827b9c56ba7f042d7f9413b4c5d01972e86976ab3a398afae27faf3cd19ef1b24b5342f9d067e7702bf1ae9679540a72f7a12cdbfbac234d596856b3bfdc2190dff0b50f45b4355cfa25ebf8d1d16528fe6c4baf9b0e5a50f95c4091704e939c8ffe69183c2695ecb1f12f24fdf288a8e8bdf3fe510bae70c46d0214303d5503d21366c4eec24cc2808542a203d81789efbb6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (15 mod 64).
+# DIGEST: 6f7bb1f9e2772eb909c315e653e4737cfed78a18
+KEY: 8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0211641
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58
+AD: 91d77df660ed82933f62be
+CT: 25bc47e58e7d4f3a417c95768699c92240a2be0e86232a41fe02d64f66716023996772e1118be48e685042f989dcd9cdc574614c9c3989f1885b4b71dfd5b1c32c1321ca41ca1e6ff1828e677e30fe
+TAG: c96a78b9ca68054bc1ed2a150dff9f9585174f343d3df80350982002b4c95106b72813a90028f2855faef235909686607f39655ec48f4024e170c9f9574b0c81b63c8df7af6b4d0f0633853a09c334379952bbaead7415125f541a01e320c5f5d9806b71c3ba71890e3229e751f25ac82c245596b5fa688f1b13844d91169354bf0cc03cccf576c2216aeb9eeab33e2a9f8bad2145d36cf0e7585a02296a7a3b434f4efeeaa4d7ed65befda32b287d9d0946e25dbc0edc22de871184ae8c76777528b917585be784d5e0674b1e5693d0b8cbe8253f8db67c879e1d2b7ddd5df4777a15509f813eb4d0f5a935aa011daaf0cc1ba2ebba9a20a74847e9c53b648f6fce4c08b6e7babc1919e6de22210a6f05
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (16 mod 64).
+# DIGEST: 172f4992e692a88f49628e5d3937959be01aed2e
+KEY: c55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891
+AD: d77df660ed82933f62be8d
+CT: f1ab85a35a17541efb4f906e7fc85e64efec6ab40d59d3da920c4ec09797c3ad47820e9d934e51e3f4d097c4a555575939bfaeb8cfea062b64816a160d6e4d1ff02a5fded435ab9aa2daf22fa7d676fa
+TAG: 14684ce099f4f0e11e785320debb89c79c03e8bb8751860d3779b4b553f6dedabdb23119d2866ad63fc974a6c6442b734394cb6705309a4d3889e90c4a222bbd14624cd89a9c3f904367c418140375dd592107f839ca94d43d09495a8dc8273201bd8f5a447bdf57506421a975ff4db3aab7878ff18e5b73c8f072a8d092461257d0182710ee9df9f86ac5ad321eac7ee96dddb27ecf561db222ed1c7c183c2ecdf4c7f57cf295638de3c4176ea244100d51c006282e98af1a8fd540daf0ca6f2fc0b88c550b4ab638760d95f2f9d09612da198616cd13fbfa1ad12a3fd30ac9956491cb11539a1be43175fb1452393f13f8d03501c89cf5962730125a7e185dc089b41124fc1e7f69b1fad46bd661c1
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (17 mod 64).
+# DIGEST: 00133da1f7c63fd5f0eec364e9a359be02c1d3da
+KEY: 5b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d7
+AD: 7df660ed82933f62be8dc5
+CT: 5d6bfe91cd2273a9b986397a38e81be5fbbcd0403ef51873c2c467a9fbadc7bf540e83c538a43dc0e0ab780a4c4b1f5b77ced74f65b61f8b8b58b26fa3e8cba568bb717dc7071bf82dd8c68b068e739706
+TAG: 2ab9e654859c35e065f763d949d43c65dc85dc5d918850809ad8efaed6569d4b3ad064bef3427ae4c3be571fb914cefe2362169bed5b4c0cb17d2106fd6993d20ab8a8b70edb5f5d59b3357c8499c36e2b0b67edf7f334ff02d599031f43252b8d30d39affbd2093a6687c771b672329e14901ad9128f063267d3ab332ea31a79d37cb24ad0fd2d07f23b13d4643d1d9c529e1dd0490c851b0009fc1192f2438a48aba5a39be2ee925b1a38647197ead5cdea3499daa5abf9f4503d3581115a6847363348d5e7933948dce867752cde69ecc401012674ad75e12245dee86d775989275a5fc635c66d42c01b7646e180d28798905a3beb210c049be35b522ad580e1ca29f81b9469448749fce961ba6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (18 mod 64).
+# DIGEST: 60a6821269be6c5b985576b245f106128eb0b325
+KEY: 436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0c
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d
+AD: f660ed82933f62be8dc55b
+CT: 16e3c681ba1ece3bdbfb1da491f877e806ddac5f1ae96bc406bd195c9d48bcd4a9b700a8ced21d824bfb99eb057e401c3529818725b51e96c576e8009bfe4866e98f550a23ef4748ff761a4d1c44ccb5eba0
+TAG: a30286b3d06306818a268db0e5116abc2c7361c5a32d334d8ce5f4007aaeab750980018b435c79391151fdd33df2a97dc2cf62c4426ce45be43f7e4949be735bcd33f0e81cc6b5a3c2255fbac9ff5a8fd7e7b57554d7ef00640d92b605c9afb0c19dd5ca4c79c409d85c197e8f21d79e91df01a817bf68e8718bc771028c945471ae003c0a210c572b79d772560031b5d3e5495aa8d9bd6fa3f8ae9976ed7e7f8d7275030d2f12ed5ab05276ebebafcac7d0ca41f9d860583f800e4f1b9658b12fab31fd63f6a5e4b80463918f8295ae11d7b97f9b5f89b8166861aec8f1b1417163a6a8adce23ce66c9a4306acae7ca75435cbaece814d6010a3e335bd7db9783812052179d5337d1c353be6e0b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (19 mod 64).
+# DIGEST: e2593f3b6741a9ed9fa188fc06efd057556ee624
+KEY: 6965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df6
+AD: 60ed82933f62be8dc55b43
+CT: 9b51ba0eebf72bbcd7a1b8452a49f30bf2d96bf0cde4d9e5efe7f1903eb4e09f53aec649c5a8ad7e7fc6c28a0dcf4bd3556f4377bbf8b3f9c79dffa5978692559f732c109a7a02390746f5975d5a0aac4d04ce
+TAG: 636f7bcc9b0b5320643f4b6acbecd60a0a89d2511621ab47fa4c9af610fa1ff9c6cc5cb8fb64493d6a4dca0e94a90794f31698cb1c5bb5658e8b6a63a2cc9b2f1f297240d3d6c62087e32f5d5e9f9d608eccf4b41253933c7391983db1138012a5f5caa5abde25c8a16fc33cccb0604421d985f198c48552650f5dd299bf9163c136c042c9a35cdf7120a702bf460d739ab264fe1f58453ff4990f7315379ff074e01730e7cace8d45a5d0355c0acc409db8fbc759516ad56818b37700548aca769719937103787311b6dbc8488d9e68ee439cec3075bafb725f44734326df9b10d6a4f7133ba84489a9985febc96200276a1fb513f8a3c062466cbe63e7ad668cade7ea70c3b8cd040a6162be
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (20 mod 64).
+# DIGEST: 17450a437efe239e1858ac4062f34024305372be
+KEY: 65aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef45
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660
+AD: ed82933f62be8dc55b4369
+CT: 5e4df84379f9736d784d9166047003e3ce3375a8e7add80c8687e94f68595aaa52e3bd39a45a7f67d35b4df0c5d62abc81680ebea78d1ec02153833b4dc4bc51b4d1725f5a830a064e33cd5052e90735477c069d
+TAG: ddefe8bc965ff097f22b8978296cb5eac25732862def3ce5a7d2ee9f7b7d6a6cfe5778b9d6901e7540d8c62f3d97f68b43224e00f8536bd7df50f3ccd1e0917eeff5c32d196cc2b594d23347f4bc1db22ede4f2ffa7f0774c1a073b5e91fbec2b634d0d60458f215309be0c2d1b553f22a87cdd75cb64cfaaa0a15ce876bad26f48b2d6464488f97e35899c7aa80957491823239173843dd88a617839e5bbcf78d51dee3418defcea0a72e5ba7a1e8d652139955570510a9c8e6b6902a5c74133c641fe3950db1b7123406eb4cd86e17bf4efda4128e83172ae78e8c2b632c0cef066ef311f38fa1a210a7802a39b95cb699962daf41e5d436d474753997ac3c826ad39980aacc954adbb12c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (21 mod 64).
+# DIGEST: a35fc7d25f90dd9cbd35910d5532aca8aba88b29
+KEY: aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed
+AD: 82933f62be8dc55b436965
+CT: 1ddce9b3f674dfc1b94a6cb34418e6b75c93f14941a6dbe028ed59667404b93afead95ec50b9393a8e0e5f469fc1cbc5136f4dc54f3a005af6c88cf70ff39487cdc730dc131538279704a67492f5241faf00aa8c46
+TAG: d43074349115775a6db0a999c8b492d65bf1c10f046b7c7fa6335d54854a202748ed412c82088bac5d07db529fd2358c66e48a1a40083d9911834522091a61d25013bee70e3d9bed1c1a63ff50c2f0c1ec80bbba5bbb25fd8b2c787e9e6c90fe73a8e476743050c06c8f72344842507a75e6514fdb760f1c733242fd447a8c0658e3045324da0dd132841d0ca758429c6fc0355434a6ae86cc1c798cc9a558e767730437f66f08bc8fd0301d3447f5f5f5ae483ddbbf61f1c8de15bb2421f500ab10ed643d4bb54367946206d5d5cfa6a4a2bd16527a7cfc619d1d7df22fecabdb0541201825e2af362adb3033ccc4eac11db0b563d5bfd65ef1a95a28d5798a33230a78af0b38bed6d429
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (22 mod 64).
+# DIGEST: 73eff0f03358879f900b6ebd515f0f4e5a6929e4
+KEY: be477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82
+AD: 933f62be8dc55b436965aa
+CT: 6736ca287cf31ea3ec92c68697bfd1f88642e67d9dcab11c5dc8ecfc61611ecffc54a04119f53f9e5476196f220486ab53e2b21e1135bc6745731f0bd32eee9777a1b3d208c21d86048a4cc945389d60ec8954aaec13
+TAG: 53f11651de2a737a0117aef6790d2683681561ca2b26586c5564d5fe06565e17200115d2a473aab781b9f8d4002fb4060f1eb43e77e31f270c143ae08a1cb5a2887c2ba393e050473894f62c6a7ec438eaa575d631b0736c3fcce58b9e81c28701a6d4c1dfd19a5d2de366d7b1c2433997dc826b48222fccf919ae872e42332b74d24027dbdd487014adae3813d52bd20271ab8da425e641701f78312026f117423f90145181d9af2696cfa08059a2f3b1f7f63e48c7ca8f63396620b4046210cc431a1b1311834659338f957141da2cba2d499ce121223f45078668652c9b699209bd1a33832e8a53c7bcd5fad62acbedbcfc1cf839b6d1444a991c573e8c2ecafbe33a23701291a8cb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (23 mod 64).
+# DIGEST: dd6cea270655225cb4f4231f54c19eaaa146eac5
+KEY: 477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed8293
+AD: 3f62be8dc55b436965aabe
+CT: 95b9375058667abde693e7e3a598dd4c326ae4db29f54667c54453e6191c52f86d2fb4fe324e9a02b94f094f1dc272b1e6ad85529206a511468879d31ab9e74f7666691dcd7365ce52fd6df951c20e7a71ba740901f797
+TAG: 533eaf7ba2c963ee7357a118f8306660f786ef35206612b3bb8a87748c76c6bd67c15aca895927b6a92c1fda33dc4c330e8fca65d6b82343247d070a5bc0d0d632f7ec3060546cf2fa4f3bb7f144356bb2371cd19100e7d7066f2c304039836d62a647300bba5b7501241b8126a8f39bf8ac2946aee674d0a64644b8aa0e261f4049c9ab56b16e717d162d9a43936852047d4adeb17bda109d3aea0a46acb70e7fc9351978b4bfea20cfa0f437fe8c1308e45a390e40ca17739c4edc6a0bf6e0c14d84ea315e36ad0e80d22011b02675ae09e814c08ce607d4e3fe18a4bb9380966c174ca8a1c397966dccddbbaf85f47bbd97c5d99936c26917df99b6356de065ac0ddee7dfede113
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (24 mod 64).
+# DIGEST: 34dd9bf0ce19eff890ecad474388779f63b0af70
+KEY: 7e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f
+AD: 62be8dc55b436965aabe47
+CT: eded2db8c302b3b5b5b0c0d556f8d34408fdb2af75d38231049b5f91e02a4086e6ffcfabcba5e3ec68173dfde382a41523d3c8ea1f7944351baad1588516c548125b1005d3375b03a4ff4bb19937068e0efea0abbeac4f8f
+TAG: 379af744a549ee2fc70f6fd955d68da610b9e28178af1e7d6034c5e583f838a84882937060dee0838a6d0e008c51d312956cbc233af4e94ee992a3a9fc427f98283ffa000fe22e62e6181754cd434b066e685a514bc6ec82444c3d722fd37b305e1c514541208c4cc8298acfbc9f41762f50c87a9b95ca7a4d47ef412f0079cff9affdad66dec43d8fa706ef5bfa7deb9826c28ba66a7395e6491bd45ce3750864e3b0d466d236d1d5a5a6dfa8f531c2ae985515d367eca43505de759ad476ca08a6ad5265e8550a4d1fcdb0f8c3ef1a4567ae3262d5d5a78e7ef6c8097ca22815e35ac82ff78fb39b029edf5521311d0904b2e10822ffdf3f93118412181f8679363766430beedf
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (25 mod 64).
+# DIGEST: 7db8cfbd3b29f96d752346eeda3c2bb0bd070099
+KEY: 0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dc
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62
+AD: be8dc55b436965aabe477e
+CT: a56c9d8579b78c9ef40c4a230e8bd42750510340fbd0cf55393bd13d93b105fd2cd1d701b6882bacc661e8da81b7c9eed6b5dd4da12353298150819c748f464f5c60b86f92a9e89e483055b8dd3f42605a3065f08189f74021
+TAG: 2704ec8335c00380797ebe4100b3ce3fceb38704eeb5db223e4256f4b2a5353ec0a89676e0542ccbcf3ccf131832f2d4af2fa86de6fb456ccc6add9e453c16e303755dc4e841344efb5251cd266a88f4f0efa3155db9bb475e9e97904a2efaabd8b2e836d54babc9fe4a5a0805d113ad28843994e83694fef3172ef45abfb037b3c78205fe9e6042fe4c2db156b78fcc52b0f43eb3b2ca0f40ddd0077be8880c29c9cf5d3a5b68eac071874a7c96fc531cac7c0245dfd87febabc641b081a7de6693cc85d7851238f239914d96e8281e6c44b1576d0e2a3ea02079762e05923cd53134db1524c28c02474bd539d0ffd8bea24cc743a35267ccfd405a834bbbeb3819a3060ae254
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (26 mod 64).
+# DIGEST: 4abaa8453e8cfdefd918571a961d8351754ad5b4
+KEY: dd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be
+AD: 8dc55b436965aabe477e0c
+CT: bf13550fa32201ffc699cbf22de17ca268652f8ba2693dde72b626d01855eea7c21f0afae3fa03dc757491e8efb9091a4c100f8dccfd15a9b4dd94e4fe1f5e90cec62768d0a91e132acb1fbec1052878706359cab3445d38b1a7
+TAG: 87370bba8adc7957b9f4b468f584e1483306cbfa87738a2a047d9e5b0af76efafe46dd1028aba3d3677967124f2adfa8d88922bbad39c82f9272e4734a12c9a82201024147b14c50f110371ca57d3cadba332d46efd5a936feea2f74609ee8b39e22d4e49f608229b9963417661e47610547970d017d1afba6c5d653eeb9d6b596ee2560f1879437c81dd7b7ff64737f68e295cb558c3833fb481b582817bad184290f7b731b611aa09c63272a14f4471ec654e460fe7e2061de628bca07cb52682d4d46a3e29abd90faa42e9cda1118c92ba698ea985bfa4dae1e5a5edc2eff590d609b37786d1d577b55b0cc671d237e338cf46269451be059e44a2e6b40664d060919e7bd
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (27 mod 64).
+# DIGEST: 0fb9d7ffcc7c9b84f34661d472ae2d4fa25d3d99
+KEY: 46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
+AD: c55b436965aabe477e0cdd
+CT: 9f9a3ab733e50c1584c4f0c2a2dc0ff71bb3a9b32dbe92da2fcff8fe46a4bf16d4f30ec8efb1319891b7d2586839fffe5012a6dc3d5f0ad21e1572a1ffb48fbb59ee4b8e0234e543786e775dd4c54cb1ed006b4e8f5195610e267f
+TAG: e3e1b44b7aa92166a01da7ba9c7dd6ed9245dfe296ee16fc20addd7a6c15462ca1c0bf1b90a136dba0749837bcf133377d6ff21fd3cb7c1f7fc50df8ada45e671e1bfdd4f711462c9655c8159f2dda37bcc96df425ef3fcba2056973d39378fd2189375bcb96ca84d023f45f880166ba262c3f089e58888b8a67ce85048c5628061e04a7f09d8a6eda422d424482dc4dd4d361fde54b3c659b273ee9a04faa389befbe2816e164d9bcd9fb6ec7aecf51e9288cbeca4d3e0dd776a3c122eb4524196dd7e4b8420a08a3276173c282dc1463ce6e6b17fb419c1bdb47882e6685c877119fb6348bd0f80b867d60fc8ffc4e89768eb33ada5f32a81eca38965b28bac74f5dcaa1
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (28 mod 64).
+# DIGEST: c68fec315401703e49722fe4b39cf28b14e9f50c
+KEY: be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f2
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc5
+AD: 5b436965aabe477e0cdd46
+CT: b4d33c5131701c960eda4c50fc0a918acbe28cd47fbcaa328c6a9eb08e3c36b697928c6981992ab155c30984c6b8e9340cb00decef7086f589ed2d730cfafd5ccfb95373b8c55044fa1c95927d02278a48f986a6b8301426bbdd504e
+TAG: c327263a3dc33abbbb6985406703ecee6ddb0d9b236ff2366c65effb2c936e5961d99de3bab4eb9c5aba4f65a55bf768a369181b191545f4421be3bc5bd2155257374ba8ac8e70823421da77aa1e2001a4e2f4942a40dc586e1c9e3d0e8dba136bcd823eb644d8d152182fb0c88ba540ba3a71ff1b147e4e072298023ae0c8d37cff859108b02d586d5357076e6e649e2a8ad3d4a9de1ffdea88b4dacb2d2c7fe12c8739e0d50d91e3fb57d54e22e6c4ca3c8e47b2b9c7de9220a1588c631dd6ac85d04f58559b796b8adf5559365f8009181a75e1f7f1a3c1097d81065be9b30bdcd0c5572db64f633561e426f1a6023fd7b7e1c4f66919e9ee67c5ac4026cb11aac92e445d90ba020153333c8db152113c5cbe
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (29 mod 64).
+# DIGEST: 15e1aa5285beab679aaedbf51a86b4aebbe3d7df
+KEY: 99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f256
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b
+AD: 436965aabe477e0cdd46be
+CT: fe6540372ad1c40ec1dd644e935c480b9e34aed05a7f21e2e37dd46db52ebc5352cbc3be2aa289cc2e9712aa7d393f4454c9fa3a4acc30db41ada1257693d3469b0a1d5680dc8dbfea8cbb4768161f829a4f853c1c48d08825aa2b44f1
+TAG: 53f79cf7b8f4380a1d1f1def457d4ad78c5819e0654d4052186213880228c482e2a54bbffb71483d32a8eb97ea8e9057a99a52fc3381820bd5c8fa43b846257380c07075592d6a445075a0df4e48f20dac7e2df8967a1cda41bbd4b0411a54b3ab9e79354a59aef5291599176599db82c0f6ee8a05e012067e2961b147a7baa73a818c64b52dbefd767b285fad111972528e3865b78c3c8aed658b1e84ecfd6ba292bca83ef66968e1bbdc05f616ae79d1d7932a0e8d5fdd7f98159b199bf933ada7670bfd4992bc2ec95daac00f10b7cf2bb68755edeb646395efccbfe322c9f381d39ec36d92c914fabb74d4df8dd506d9a8e233c591a503e92943e9437b10268bc9fd1a512b31a3aa62034ebb2dfc2ee3ae
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (30 mod 64).
+# DIGEST: 8cc0b1164fc844e958e055b7ae43f2f95c29e8c3
+KEY: 371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b43
+AD: 6965aabe477e0cdd46be99
+CT: 22e6c691ae1ba796667ceeaba4dcf85582e398e529d938da63c8221a58c2fbe242f6da82eae8c896dd31b45b3e8b72ff3dd7906130954f7b68d4c8729d3ff66ffad72104047209a56f1d6cdd927b57e8f29108140f903d03da3f4d210219
+TAG: 6c22c87e07027df3721970ac8ebb881edad4c00566f7b53dff9189ba9844543d4c5894ff1579a353db455a1597370c9d8f2c16a191d6e0eacf6c0cb3bc30b979ba40244a12dcdbf806e609fee1cb9531813ab90854c5eef9527b0e546193df1d3b2e52c5c01cb67db0f4fae9e1557e89b130fde7ae3f7b493d1b0296ef965538ddb7519ec972ddd1926ca29e3a9ff5c9f55414f07a1c1785908975ed43b16bb7c96b2820fa3c317582dacaec45c71b3ed841a41358c87340f5fbac68dcd4590d9aa4cdae3374d7c332c6ace45644a8805ac792c4ae5bbd09ca06581fcb46e71381031d5ad54b117005c2924a538501c944c416e19480d48e792a741e863043be0cf0cc12c700c3238a77ca4dbd168da1618a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (31 mod 64).
+# DIGEST: b51001b6ff9d27bccf3103a4961280e0a1406257
+KEY: 1eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f0
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b4369
+AD: 65aabe477e0cdd46be9937
+CT: 4772e647d03817c0f9deb39ff4f4f27fb0fed33e0630eb453883c707336f0e74ef206e92e31fb2935a466105dbdfd42c180ef63cf5cdd3c281337895e399df6078c22762eba5d84b8845ea00bd88bf5e4f0da518cae42502e8531b14d979bd
+TAG: a6a89cb7f4f54501b3fc90129f28198a9c3ebebcd6fbf6513ae3b136ab79b5cdf4df4563910a498137864bf3a63b6dc731a29e2ce7768a8216ee39bb67f73b16f73fcf6bfb934ef67dbd964d016d876ed884e5c3357a5238dd7ad6f979e81952d9e2c2c6c5bbcb1ef860c67aa977b8b0e0288bb37c94b48ca7f8f5df733e1bc522c9b06292ae4340710d15079b8d4e9e7dc95b653844a7a5f795d71bd7611900698a21335e0736418cc31a6c29409f501e0d88be63b54d6ab8ab5c7f07f7375860f949168f9555ee49f7fcc41900bbe1b769a65ec344e172e0de68d74c94d261fd9785b6516ff425c6669adeb426c2deef874dd6b510791baa8778601c134dc5e05e0b414836303f21bcc7c300958a0200
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (32 mod 64).
+# DIGEST: aceed075f31ab159f6610f43ff0a6ed3a359bee1
+KEY: b8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965
+AD: aabe477e0cdd46be99371e
+CT: 6dadacb58a7b88e2daba277f66e5757042c142115871c9813d1a72a79e5a71366801a757a5f9982e99c355fe7d742fe3f047b711dbe340bf2ffd00cea6dc6ed7a4a416c17138404854ab8a5420960d60cd1b86424b2668740910a922865e4c13
+TAG: 98e4dbc80aff1a2c04156dec77deab9850b5b951f501d58f265f2c75344f7e6d0aba191b077877ed269e75ec40c84d8644070e68e18583be6e13788ff2c7f9a923f84eec8642ffb6eb40ca773a45c003df69c80de0ba199354f231f9091d1b4078ac218835e2df3e76e77d657099bef5a6a1367e6c39b23a0b7cd345bb8f5a97b9dc86300132e95853fc3635da842ed214fd00bac3b46f002f3c26cfd36c575a56af06e74032cec9451837db3542aa717aebf6e3ab3037dfab7cf0aa0177eba2dc3a56c3e3011d4c940b124b565c4450b08ce2f900d400e01a9b469d327cd9bda24af77f60e8ec6f5da196ad850c38d5cec0fba6bbab584c8b486bbac87a7f559be463e5929985ce710243260fb9258e
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (33 mod 64).
+# DIGEST: 976ca4c9819e25a204a024d05fbe7420f717bc58
+KEY: da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d03
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aa
+AD: be477e0cdd46be99371eb8
+CT: 4307f039e09bbc51fa0477941e321dec14e5f562d3a5ba25d71c3c8afa23f44e1ca619d130890b7476e5227442c27995cd292ed9d0a649773b752b3bc7abf171244624bc55784adc9282f1776789fdbcca048313a1e6c8a23119db185ea4ec1925
+TAG: 87187cd5d301d869cd1b4bb721475f6dd5b64be330781e20a24c1784dcd74cbec221914ad4ae88d4c9a1a9eaae7b13052d2c6ded662507a07594feae4de66b72c7fc1143c4e7100293f842ac0022d8a916a687e436ab7bbb56b2a4fc18677a813b38ab1e1d48a474322d44f581a8d007ffc6f7f4a132212e7bef5d5c9b13889dd2009c6398fa2dba18eecfcc5f41c5ed56be7f451f9b7b7a908f0838d3d8e2696512c6ec159a6dd94a1628be9911a3d827105d8cee209b6ec4cee3a488ef5eae355826d9a474f55bc736605c6c24444330fe5eff18a735736b66ea5d0c5b3278e373b57d86dc7815603993814ecb0dbdbd330c69dc46d7e6fc8555a18cc0ba5b5da89e5075c7ad835fef0fa46ea426
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (34 mod 64).
+# DIGEST: ad8cfe7556704bb1974e94f70d8743d147c5c3b4
+KEY: 7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe
+AD: 477e0cdd46be99371eb8da
+CT: ee9fa11a7d6f965e7d65d8f48810754770b9d237ba0111978b97e24f223817d0c6ce4dbde85c4e0979bea607a36c66f908c25384184fc334d8d985b78c2e9872d82c4cb1aad49d7dc21d6484b80f9192bd724ca57cdced2fdf142283126721c1c2f2
+TAG: ba76fb9c71f51c92d4602572883846812cc94a83e86dd16136d65c3ab932f89b28ecf49ce22335f0c643e3d979401bad3ca97673f062cf69855b23b6a1b14927594d92f689b4204ddb32d95d577ef4379890d804ce26e0e4565dfce891c992a29b9b1fa57f633b0c231e4e9c4939679bd52205988cffc989e34ae744e49a7ada77c6fda5537c5b031208acca0628913fd8a2ecd9f2b5d50254da5f7f00189dfa6d553300d805807141ef0b75557a693f1f90698a8ac912931b7a1a3a889295046219394a0884f823d204d0a3bc4cd4e3fa6adbddab80d123368d2f29ce5e8a992ab9c1c5d2c8cbc99e99647410abb5c73d8e00a0482834f97a576e99311d747088e9e65b8546265f71a237c1f74b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (35 mod 64).
+# DIGEST: 1dfd9608adabb5a55e12949f1c4bfcd5a77cb703
+KEY: ac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb9
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47
+AD: 7e0cdd46be99371eb8da7d
+CT: 1a95f47f7bdb2d91358f683b7bf803254d88b59e2d3c1d873a09794e1c18f1c924d480727599a1a6890bb664335e690e4e52c385b634bed45e08410448ffda3ea2593a02a11a03d994617b9f7ac85317bf09c41b08b416863cd90f0244d22c795a34b0
+TAG: 4537e27f1bd4b1b873ef4b3eb83cfc860c44921195a0250a96e553280b15e9ed379d4eac959a2809ce808e40dda881cf8a08cd50302f7dd5e67659613932ffdc086db4de634000cdda80fc576294c265f49a48c79ece6d42423a4f86c25c0a168d5eca502e87c419ec09134c27e4db1f2255de7e10f0102b44f30c67c8e07aa23aecd3f62ac8a24f9e8f82be61b539e288d22f8e05e914c191877c5ad1a546415df68427f97576adcb8d428ce7ce2c96acc98fe0d6dcb42049206ee1679f037955cbc12be9ae020774bea675b7c17d0033a60927f75e87d9c7ca263a5e0ed38450af657a81434afc9b4f4a14f02f82e33e17e7f61c276cc1e630dd773547b6cd78231de0895e447235cbac4b3a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (36 mod 64).
+# DIGEST: ad2b43eee27e6267d8c5c1c3d558a07dcd6b1f5f
+KEY: 997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e
+AD: 0cdd46be99371eb8da7dac
+CT: 67466a0bda0815f726cd09d159e06088b2530b73775a8c18eab2d09ed7bd12b743b0a10345cb3126dc14d8f5c503b65a45467ef9b56ec7c5b24e5548e734d3f0fc90fd9c8019fc782882ea6e72f4df5fc6e8105e79d12fc588c9137c758995666f480dcf
+TAG: 24b828c3e60182873556d7aa85480180d7cc42ba81732058a109b5ecf21f66f1ab580d18f70604ff31dab5a1bbee007d213d2fc7070e3377aed31399291cfad53a334bad7c1c61ddac5015d19cca020dec137fb76472b1a595e0fd5dbdd127b3267521aee32fd12c1f54493d23c27671750776f8937032b9164ed78bee6b8234972634fc7cb32cc0b7f6fdae850110d1979e380b4578b8747de6f3d89bb66d546949ac94e49b0a460c192f98373e2359fdea2cf2a6ad4d09199cc145fc537459d73f48d265a1cdd458f306e3596b2088f233630ee0a37a5c2c21a76bcd47871a7954cd9bf911ab942ff7221623cc7539344e23dba7b0aea370a7d2e2383a4ec9db06a8123016d73b4323d19a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (37 mod 64).
+# DIGEST: 3dcddb1e4f49633e7b7bd36f4056d16c53be7f5e
+KEY: 7deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb0
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0c
+AD: dd46be99371eb8da7dac99
+CT: 34f8a83c831f374e77c5601317b658e47091d811285791eac2fc59fb06658c115dc875c80b1089a62fc7d072534617dc81dc3adffbbba4b9db2e7272eb0b8aea73eb9de6480c43190e239fc300377f186e4659b1f239906614865f10444ee64ae77ccf8e3f
+TAG: 4c975e14b038359ddc06d23ea5a5119eeef3708347d7de47875cc88138b79d5c644507363c0a951623f3c26f8dffd51a2a282641d96ff107fc69684add9e93c56a7d29c8e097dbeac0a56d7afc522b7f5c921cff17c6ae4c7bd456bdbf95c052b18751e1c3ad9a26517c29071361aadf06740e43afb13762b4bc2a80aeb5e042259a36cf03a208b8f6162515fdd3623343b127655de069d5eb8c7b6c00fabec02186cd39bac62768303dbfed24cb20105c7d8b2a6b2c34d5f4472c6f372a841672c1f7b405d70d05c632f7a53997e3e4e0aedbb05813a8712dfcd3c8df4fcd83971cdb81538d2516a3a4a9372dbca6bdee43a2ed77309076fdb367fec85e5db2f01e59d3cc188b67f5edcf
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (38 mod 64).
+# DIGEST: 25b982a242f669c013cab1c18da425330090e3cd
+KEY: eafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd
+AD: 46be99371eb8da7dac997d
+CT: 2ec0aab31fbb036bd2af5ce39025ee2d5591fd525a199f2233384f52a8746f4fb547843c92d1e4c9fa92bc268174d4a59134142f14e8e1e277f1f1844c64f76dcd20f3b73dfec8e9fc59a639616fe4075a4732dcd3e1de806086239d2e09deca0ffc081f2ef2
+TAG: 3049393a7f477630782378966f7ed4d33451da6b00ba751aee542cfe5aba67748a46953b578d0fad0e37b5627b4295a4f44b0c28d16e300888c0c8db965c14c23310279cdc9834d2ff9ec85932b7e341393fa3b6661bb8d3ab0cff6c6b646d927626b8710d3243ad7a971efbe3f6ede39d8b9f77585e4565a8b07917a712d85b846469807e94f3073097a69c30dfc5f92fd88cc36d3a5f670155aa98ebc80112db1fd1db0685261c1e7711d9c82a73dece8629a4025d7837852749fb8ee1489bacfb0bd8fada1389fc31ece84558d5732c9b559db32d8a498aafdc0aad020240e00f3fe22c2932924305fc1b3d648c53b9fcad835189b41a150ccf234988f26eda2655054c395924fe50
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (39 mod 64).
+# DIGEST: 9d7958e23777ff2472f5a24dea5fc19c151dd921
+KEY: fd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46
+AD: be99371eb8da7dac997dea
+CT: 90712d5e3edeed5000c62ce80212d41773a393792a3a8fc62a1cfbff38b3555aadd88f0e36f93c8a12897d7779972b3e42978cdf85da7a3ba2e4b261f0a0cf4e1edaf259849e87133a9c057e5d3e693a2a181eff1f5d6f84e0679c625ad9a0f72c47d607ffa453
+TAG: 90b31128a2f6673d25ec56c9431584416b2e8c62fdadf580db2d5dd2ef8fcff5da4edfc09685b16db527abf1258b82c13761e41e41646479c833c8606b438a53fbc3718bb5e2ab3d9e25ee8862ff2d088aa5b37877ce5bcedf184713b2d5acb8408bf2f50b3041a0e582230a1f4034b6eee294808ca78e605b0461c1fa383b8194a30b3e66ed58c1b30331a97b3b87e12d2239f8f34e632caee944450e99165b9a317029c9f658c7182cfaadbb6f52da0f8c4f3fd73959c58559404ff80ea3af53c4430ebf2e41197ddde0e3d380668b4e72f72022e3b1ead76284506cfb3a20b9bf6e8425eeb89fc5582f4f1c6736e1185452e87133cb1e8ec045d2e40315fcdceb02da252a5cbd3a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (40 mod 64).
+# DIGEST: 09e9eab51bcb9faaa3bc3e473ff66b06e39653fa
+KEY: 64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be
+AD: 99371eb8da7dac997deafd
+CT: ea1b542c224788ae66ded1b3ed9f9e35708252a1cd1d4725b0a187b669c51d282776471be5a07f256faa9ff16fa4248c629a4bcd31a9dfb7f260d9b1cb62dbae424624fd816bd81f781b93ca9dab437b5e0cb64a37874b0117cf7b96adba2cb7d75b834adf572d99
+TAG: 1e6a782f455ebe54ce2dbac88683437494c4433ddef95e45bae93bfbf4b1d5d0d2a459e9db88be408428c47c256f73d42778e42b936dad9ed773a02d0e7298c22b60280cf1b7191eb7c8fa307076f5129720bad5961206dea4ea1a05645827b30ff3bfb6066db13a2f9f1bde975c80ea902e9e51e64086ea4641150c531df51b328de057d850502fdbf50b4a1295d170c0dada86a0209d2026501f111247b75826953366ecfee0e4c3479040cf27370de1711a73d0ccde18e218b9f6f6aa20e0a8cb0fa4aa75ee585e96a0a0968423c86b35c899b5409e577e093c36d18149199b59caf99f19d1163c31a0d3da31b8c5cd372372e2bacdb2b03ed28605e346cf794872e096ae048b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (41 mod 64).
+# DIGEST: 7b17b7cb19107af8fc4671420e461060e2ef3e61
+KEY: b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99
+AD: 371eb8da7dac997deafd64
+CT: b1025c9eb02f72e5526ef641778aebe786c2f85961997f1eaa090a33caae3a9df34da7088352a2df7a61eaaa026dadbcd604f5baa3a0de4fcbb3812816408d61384984141d9c78f47e725e99cea9d52f73cdd5e2c3961b035589db1d2283476006a1e10a992d499762
+TAG: 3f441554acad8b8f9565a0a69a17d231684a6293aa032e140eb41ea302b45d0e2e36e62ca23e981f98721a97ec02ea946282e23fd4838dd07b9a8cfbc069d913226cf543235541dc1a8881394e9cc0999c63b543e5ab74c35436637578148ff48bca333734d768b15a6e9535a69705248f28961e50facf4e8bc0825b7d2152cb2b85ac2e767b6650376a677f4c7e76521c790d59d9588e54deb9cda034551544ba80cf9d11a9f589b7e8980e6ab95ab77848e2bba36ed85afd9774f32bc9ab9173db20fb97a53d23091add97f16d8ced6bac6399aa089718d8bcc94c13b6e0d08e805b7fa252e787958d4780d24d812e0ea0df1652c04ac325355be7b21aaa97c2749f274a31c6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (42 mod 64).
+# DIGEST: 48586ad2eac603c136911b28e2c69f101a8ef371
+KEY: fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d617
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be9937
+AD: 1eb8da7dac997deafd64b1
+CT: 10623f3b3c8888a31cbf51eae0989eb3caad5f5b786c13b41c04e0b6cb2641f850df4ebea610a4d521557c8f987ded40e9702503fc4ae62d1830a0f04d168888062f5b147e858a134a4022bf2790d81a89133aee08a34a704f152cc3cc763c21207d2231109e0b71a801
+TAG: dab4bcc473354bdea1e31b926a19fb97ce2c8b47e76082bcc93a1db2707b67e4f72b18cfb728232ca334bfe9a4a55c347777a25b1a13ada600adfdc4fd57275414b3bfdc9613f300b4b29fefa8820b5c8989bc79db1bcafb69b0d89f7624a510d3a1597f953564a29367aefdaf36d238b957460f50b71adb5f85e9275aa511b7118d2310f5e3cc2bf0c21b0be6e6adcbbb24064a760b74679de7fc146a00014f36d39f59df902925710de6397bf32f5d108902159755feea57fb58a7bcce680babfb90e05a8d15c1b42a3b7d779af99e3cab04eb59e5ef45128195ca17bdc25dcaefee874e919bc8edbc8e28e3997aa396768ccfcd25e59dfe27e46de35dd101c38f7e48bd8d
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (43 mod 64).
+# DIGEST: c37456cfc543ba6e5848b9b8f4ac5a58a104b521
+KEY: 65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+AD: b8da7dac997deafd64b1fc
+CT: 60d4a0ba2caff08ac046349b511017a7c5f5537eff0bda94bf838d50c14d59426424e4a8f531103773aa0eb9d242a9e6f2ba5002ef04aef8144c8a88f05788fa5fa1ab1cb5cad84da0d31b280ff8a55c2e8f32f39549736bb055169ad5ae93c02561006a3f13e65094f7d4
+TAG: 140431d7b2bcf5139b7c9436fdfb3b44834ca810fb478eb0aaf7b0e2c68ce434f05c1f825b245d9fb4af48056925a50315b9f1b7d340e5f797dde4f460ad3c526853049976c0f680b691b28fb79d61cc9f7d8a4b28ddab1f610ac6cc44b91d64275ff1d26aa2b5ef314b1f280181cf72cd8b8fbc939a8751538d85f7fe03617a9cabd79dea5e64832d0b4aeb4893ac35c0d9f1475d928e3ed40292687926ccf5f9f76f78e00f217c013a12e38686423dcee930366e79950955c07399183d775c7030a50addaa42c7aabe5d8ebb95611f3c2f68be067e179e3de60d45b828d54bd6be07948508ff8a9b68abd944da07a484a8b9bfd4be1a22ff006e578b0c43c2bb1359d012
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (44 mod 64).
+# DIGEST: fc113d192686652653a15887974eb1f9b8e32248
+KEY: de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e78
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8
+AD: da7dac997deafd64b1fc65
+CT: e59fdb3d1413cd6a1098b5daf1662c698076996e2581e11a286e5acd6f29d41ff9d04da8308ce7f5defc52be0b4d1ee96d8e5f4eddbdd5fa9894e7d1b0a1bed483b7e7549e1c10cf5b8ebd1e7f1177972ff061cdecdad8d97bb0308b19bbc2c84d32a41f4c2b7e58721349e9
+TAG: 6cfe1e101e9b8fd2b209a30c0c1127e1bc8a51b8826c64258b573711f4af7c7e4ede036de4a94d70e17695481424907475180c7899a982d7eb94536a30a57be43d5c6b5e9c34972e61b9356a9338af6e8dbf27c920edc9bd02ed5535018d3b3e3df45664f4c0bc01f1876f36338e85b4a127181b42f7cdfa7a4da5a6c249f1bcee2959e25d0fe17717b0181c026ca814cf21d6af3b548435df052ffa0a0e8f74b8c3f7bb37a6b5bcd2b3f2c0e4b24daad586f7b59996072f82c123aa0ae66d3f6bd9980e8ea0312ab9fe0052e1fb3911e35d880f1df50612799033c384f4899f69714efe5df2727528f7b3af6d69e525a04375391643febed777fe3fa3807a73aae666c137dff28eb3b2ccc1d07bc665094d33c4
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (45 mod 64).
+# DIGEST: bb6e5b5be84ee383caac0378cb6f541726ecf61f
+KEY: 39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780a
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da
+AD: 7dac997deafd64b1fc65de
+CT: 9764272fe16e12bb42a8f2a6620e44d4f202c21d51692e2948e2f4e4a18acf58a12d399310f15e78bac1f5f2a48416e5f4262ab9a8480d9f1429e5e9d15d81df0719f8db8d7ac08da696048e8a048255071ba8926be1dfbbcf53e7430862f64c891edaf772a830fd525aa8796c
+TAG: 2cdb47ae25d087c752c007dc8b83cc050b53376aa92e9bc2c46d05ac7137dce0f70ac601b76fe40efd84be464015b5397031ec3e394f880713ad10727d270730e469ca30ea5897a84fd204bb14a920c4c1bba0d27fb154cd1f8277fa6aab1f4c743b52b51d09657b80398aac269f57196fdfb219d745f53a72ca08cfaebd736e7d016806d68e5deba428b484d958335bf03c0ab713b9a54b9a5bb4f3b82b76c45d04b5b6141aeb7271d0a71ebf90ba74b27dff1ece371f6353b8ce8615475a1b82c3276569b99de52b7ae5f27cb1cf9ceca291c1922382ad5260ebbb32cf995772eab6d6213d2e4c438909f691a81825c2adad290839c08566e5cfb3c13de4ebb016529de5549a9ac57d2e76086db82a3ad881
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (46 mod 64).
+# DIGEST: a27799fc2e00e7abec4c5939451a834c4606cf7a
+KEY: f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7d
+AD: ac997deafd64b1fc65de39
+CT: 9b6a8359acfc5d15067e2e6d812727d768f44b3edf4272f57fb54db41d95153fb03d7a7b3371e91c4be80326f4d70a8f2ac1e867ad3772901c513895e694214d6c0fa1f431aeb016ccc93faacb4950082f0cf00d3a5879c9a4f3fdb281e911b40d6d0a84b05f4ce32f85b1657d75
+TAG: a3c72b69369cbf0d435790c97438a38109f36b147943b0629b1c2e4926e831d27155f5617f1f884af2799774b69bf0e092d29158fa51495e132b206cf51156c2116b23848ea51d684808d5a291b68f57250626d2190a7c0779512bca6ed44e619d0f7f8bc28e1c9b729514e12e7cc08e8e8d72bd1ae30229e56fa7e3246dab29e75bfc866a2b83c48036ea0296dfad04357ed990aecf6b28a0a3fe7eaed48f5fa59202f109ad0cfe6aa5cbedfcd62eeeb15df7be0645e161ee6f7f9dd811c98158de6534739268757a1813e1aa6c331586867acc75ae410c371a81cab835fcd928519d9468ed61fb5d7c191807e613d40fe174c8b33a400baea2e96d9d7f1734dd11092481e71d0b0c0c86419d5c50cf6e18
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (47 mod 64).
+# DIGEST: f30eaff92a640a397f98e6803623e8d1f0c1fea6
+KEY: f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b7
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac
+AD: 997deafd64b1fc65de39f4
+CT: 5818d2a656fce95d7a24bcb216f4d6b91d45d58d6ca2df5c9d6412d917951a9f61ff07fcb6b078fad69862aace436194f86f309373452e813c461fdb36a95f575fdf0f784ffa0914f0c0ee0c57ed1e604ca7a7a4b3d20c272b3b7f2e65b18c1abdf8c88e1e7e7dbbe9569eddfb226a
+TAG: f6bfe8a461cc83a7bc7c5a39b6c521ed3e0ff050a6b01999b2710e0997e1a36a72c11363307aab1e4d921e9364ce826419d15b3a14e251e82bca615281c19bd243a294365492b11567341f13f14764e2b30ebc8ac4d313047694a884598daae76a45797f583a8279529e9352c8c13a06510ece3057c0936de84e6c292e3266424eb9aa4b7e5891fe7180f0a31580a700a4e24d7f1e53e1b69bf36a7c0db63473566920565cb9a22a47aad6afc8910a6b6019a67a092ae814c0260f2fada1a6dc44c5447217b6831457f66d7a2ecdc9187986edbdc1c68e573da33daee7fa2ef3adf4b6179b9a02d31c36e4505d5829ef30058ce5d09ae42fadfe4f66e894c36d7db467ec5ef508e26cf0724b261235579c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (48 mod 64).
+# DIGEST: 7227537c0113a9f46f7d332a0b37ee5303483d00
+KEY: 3541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac99
+AD: 7deafd64b1fc65de39f4f0
+CT: ad0dff8adc54b5f02f428915bfa9f7277e4743e72e1789dcf552b91cda03bf52c757a9cca0655550c944fd264d287bc97d15dab3b986ed34637f45ffc1eb71b764cf5d5c1444033975829f1e59cb65ce40d787adc630e1f3155b2dc32733a75452efc755b6acd2160fddb9a26e0c4587
+TAG: bb5273d6920ea95b43efeffc99da0dd48a556e357726fe34dad94f0257276f3ac759c16d9b34dd86f09a37bf48227d67765efb83d001eb8dd87636ec32860226db118427a7c7367d53cf085ff86d05a8f35f893a044e99ae5ef14fe490eb03aaf0b97581184956211bd19ad09c9aa9a064e305abff0c654006b8db861c7956ad6cbf46aeac4e5f5d54539a9dede2ac61d8f133c1a9fd2b8e23ef5d2d3068b42baff87faccfd8499cafa30bce2f30e2c1fb203acf1378d0c776f9476ca83e4973ffdd66f2fa86105ed83701fdce6ad64a824d2317f51443c9dd3c520327c7f3bd99413d832bb1b6b70655d31c90b7bb23a1957a146f6e0dd1a272a04e833e0b1c84ba2b09b0c1963ac17350292646566f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (49 mod 64).
+# DIGEST: d76570385cb65d30c3d636ff25c5efeb8d1ea08e
+KEY: 41a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b70043
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997d
+AD: eafd64b1fc65de39f4f035
+CT: 8a1448acbd769e42bfdf00ddd801153db3202daf5ba7997890f5f42a183d3a66faf66d899c7099fa99bbcf5b62b6adcb6ee87fafdd0275a8f625f3f959b0ea9acca88070aa9c61141787435cd60f63e262a80b6aaf931ba554ade7e0fb46b03a318347f1ca84e9fa1786d721b6c222b1b3
+TAG: 7bb49e9f481b45b543195956ddfe975cb63203f4b68b50a05c855d128d311c339676c1b6b38ae280d0731f613f9ae4cfd1945e302451f26eeb379a1b610773750e3e841d50e16da759a603897de6e84aa6733252cb0b6f6539e1a5258751ee7c0a45aa9296c32322d6a465a42e4017f44814fc58402cf561deaffa43d61396d53077cf089cfcd42b182694d286a97f99b65e5c43ecf69898c036381c6dd9657f2cc08144b28e9ad9a00ff10fb0ad3b26e92d8d65cd6879b11ae50f592407188e46a3342308ff9316c898b09648f71513e09367aa2ad5d93f87e4b2430ccc8fba9825c0407135fbf65a0db46d491059f71a989629dbfb1adb10e98d02935fa846628e8b0f8dd01991761945c5e84f9b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (50 mod 64).
+# DIGEST: 170369666d1f2337b29b5f14af68d47910388e7b
+KEY: a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997dea
+AD: fd64b1fc65de39f4f03541
+CT: 0fca069ff1b260179dd5ff1124e557e97a4cc41e069d124cded05275d37913efa220e1ed4768bd04d8e65797040856b686cfcd5b772278bcf5fa64cd8183ba8b7724359804d609b31fc31514a4ed43d84de929d99e63f12306bb497e8ee77648be578ee74f1cb2a09ab32b3ecb913c7b36ae
+TAG: 19b492f83b9458b356020d7c6343b6967f1ab0328801042379e7d8e98dc3f3cf646a96d7842c83bbd210dd8dbc38cfe5fda9d879285aeabe19dec677fcd389651cd284ac650287f13a461ec23f7dc1cb5511dc529e99a078c2c80ebaf0fdc6704bdc35a2c89c728a061095448e6dbee102f4793932a580a826382a244a9f11c665015675322d514be8b1453ed6be846613312a1bf9e4f2c126d2b15dd8e6ae759f5151528361d10d657543767b05e8c1b79df65aac381738e2f43f95cdc77383f22e36e3b26d0c65f695c75f7ab422864e63c230df313fd8e41b265b5a704b7e5f7c96306bffc1a95cd09584519e2726edf93a9d2871b9fddfd7983c81812653152c3775df228a542f06f359bf26
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (51 mod 64).
+# DIGEST: 7c52593d1d37b0dc380297231c6cb7b64e04c493
+KEY: 1be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a95
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd
+AD: 64b1fc65de39f4f03541a1
+CT: 8cacbae377d038fe27b37fdb253f3b136aa38660743dc6b4778ab16940a9710c8f08970164316e26c3b603140f2f43f62a88d021426b841baec29fb11a3d8735d0b8c14d133a825e1044be5523932ebd65b34433c083c2d77af313a240b1eeb52391728dcd04852fdcbf9b6f89502dddc317c4
+TAG: 85c893ad99aff613e6f95cf9c6e9045cc22fc8fe421716bb135269202ac57803e67682d09f88ae5970fb4f52e97a28efcdfe0a359df79a0576179a04830becb0551d93d862842c4b5f33c23fc0988f96d6deb37288f96507e432190853aca788d55114946833b6c7c7c10c34a5d5852d6fdb287b9dd97fa6b7991efef4ce66b0dd9f0ed6d112713c314aee9c172675d86c8f52097362f3ed4356ef4309da510a6708f32f24549dd80c9ef72018d7fd90134fa2d1ac1b9858ceb9b382b263cd3dbf697aa40f875eb502d4f128845bdaa9a8b4fd07a31b687bf4a1a1bb4843e205a9ab2b33a3ace650f96935b5f6de6d7577deb9ab68c4295cee108b2f4aed1f2d2fd167085d2173e2e854559222
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (52 mod 64).
+# DIGEST: 09a1659100052d13bebb4defd7f54f975a58ae2b
+KEY: e112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64
+AD: b1fc65de39f4f03541a11b
+CT: 06b44584c9ddd267bf03aa311730fd0c4d3461678d94b4a794eb3e90b9cf3113ecf0ce0da8789d59bec50a1fd1e08ceea4cf9e00b2e0423706c126af7a3031df6cd82a7bcef877b413662e731b5a74ebf68f781eeeb79cf760cebda2c5070dfb992007716993b0213e822829e23f448a7a5ed880
+TAG: fd65c8c7f6b7795ab5792332f6329c1d606b305f3de89d9e154ff7232947d8581b6666faa823b9ff8bbab2cea14c2526b0fceb5ebaabb79ab4cea0bce96e9d1a3f556d7d2d83b4ce2c1ebdaeceedac3fae6fb8f9869f7c136d47a1ac93c7b5b5ef01f8e56602d808a39b40f069403eab03498959b53b8ac0bfb72f0c5b5063c063183b43d60a616325439b0491e2f3be59f9948c939f533c3fc0923028babbaaee977cbb05fc44f8cf8ea37016141d464716a875ce4ad096e247ee9081a1ae3448183f5412d84a6223daf432dedd679bc3f167ca5dade21fb2cd9057189049e730df47b409a07a8b2c727e2ce04da8e3f02ebc6c2bd528b7726ab803c5fc5dd602496f78b28474ac87911bd4
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (53 mod 64).
+# DIGEST: 230c3353ccbd95e4f0acbbb0073053a0186f833d
+KEY: 12a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a74
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1
+AD: fc65de39f4f03541a11be1
+CT: 85da88e13f3ca14fc4440ffca7bc837818daf1dc52a4c505583edd070c7cbcdb4642d8ee1ca687037b08e1737a2f49039621823222f9f02deef2c340289af5184a86af8429747ef2f7d98d6aec2af060fc8e6895c2182bd1c479fc6a2e7ecc0390995bafad5b3356e2a795131b0aa7d4ded344e50b
+TAG: f1a1b3f3fcb4cb89587bea4284449bcdb16785c277835bff9083a65ae77ff7543492a1d2710a79b720060ee37954c9719f8dc0f6fb4a75a27bc2a761017ebdc0c81f9e8ea5809a816ee67e731871c476f1ccd6b690b054984a4e74c060fbcdf5dbae743ebe2f72fd865dc1eb96e4e62fca3561a245be1749ace472b312cb1b28a0b2c2d38d089eab44f51ceb88af097627638a3556005952e28212d5c9bbe85c86f89879e55358ed06f28402f40285b97a8046b5479202f28218c71f98a4020ca5d53e16e91ff8387b16cfe6bc4e81c96c44e7691c10ebb0d37686e608773cbda993b816ee3b15c4ccca2a22468b186f8d29d853b945bd27ca0fe3e9ec55bdb9bb4e5477e6f89914e3084c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (54 mod 64).
+# DIGEST: 701e141608e71005d32dd1e29cd068aea736c9dd
+KEY: a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc
+AD: 65de39f4f03541a11be112
+CT: 10ee64784345c076e3f9aaeacc87cd51d6ee0b0facc9f40b4e6a1b4bec669ac3c5252c948b0c0a4d8e798248e6b10ee247e51c81793c2be91aa8c9666e0d8774439ea159e4745014bdd2e9f379ba461a7e638cab9ba2aba1498397044edd3f271e2b4dbb5990c383167c9191ceeaa8239aa6391c4b27
+TAG: ac2d199535c4d2eba150702b88740058f1e834f89031c3851571dd9122291dc3e35b764eddc5856850c8c59b3caa211feb1ac256b749127bbf4ef56ffab65e3d9eaf438b778e5342a67ee4d876fd3e53aa29a532fab39d0c57e24593374e2adfb22cdf0def5d9cbc8701c9d6a2cf23d835cf75236069ab2874b7264e0e0ea9dd785b463ed8a6cc3cefc3a4c076e5f0d047c7d60be677b7716bd123bbf3daddc0cd5eed4d5c4f0f6d1c19c66e0b5bee5d58d295c2fbe6a164d464b173cda057094b983b2ff974783084a6cc4ebd9644f3b4426a3c157352b70ee37a2f1ddcb85936b0c38be4eadb33bb9cda7108c192597421bce5e36cc2bce7b65868f28adde738fd3bfbeb15608b4dca
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (55 mod 64).
+# DIGEST: 9aaf96b472ea76fd9ff4adf56dab5fe0400d18d6
+KEY: 2933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9e
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65
+AD: de39f4f03541a11be112a7
+CT: b90220b919dd02b216aa2eb7863372a645b09df88645dcaf138fb73d8896e39aac5a1c2f0535385e15cb850a6febd5d6ea9f3fb573944cdd5b30cb80aff6b73a173ffd7c85673248fab94e3b9544930cff59f52515dcc8ba39b6f51dfd0487bcc9d28773e91c718afe8399d652acb97552b1909335dad8
+TAG: 4db032df3ebf850528a308017477a21da23178403432b4714c1da01a253a635cd2caa77467597e9b8c589ef3e9c6f5b991329b97bcd1bf1332e03638fe1b157763bc41e4f6e78c05a5ec5f83306e3b5e8bd96c9a04aa83291ca90355a3b96a8688cb93ed9bba3b8688834538d1e8bb95a0cf431eb7b849d87199657a402a0e1e5ef79da8c1895cd454c440c57cd424977f6bf9e2fa133d916c8772e447e066ec2cbe3d0de2a7e19f06c74ad5794e5eaf9119fdb70665c07ab81e7d72371d23a4c96290d2da60bc7819af4d60ff4ba832daf3369c6198c45f0ca4c974dd9b4a81c0249706a25b23fcc0fa13271d0f00c6672a06898b2b833ba3b8cbd519e53939f0da6c09f288bff969
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (56 mod 64).
+# DIGEST: ac6871d354eac507556770d8b6bf10b5240273ed
+KEY: 33c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb8
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de
+AD: 39f4f03541a11be112a729
+CT: 9807d89925c67a45c8ba18cfdb817f5bbc21e58c10f7dc8c15b70acd97e8b97e0393d5948d51a65f6f092590b38c845164e6d2b49288bd0f73c4f4b551b362470638f51422dcfdaaff5e8aaf80ff715f3f597fb9385ca18355b8e98d1de17a303d019f7d4b9a3acd07d257c049fc16134c53e1350cfb8c28
+TAG: 7cd3491b8e157876b8091d2742f673196a25077410036ed62855b5440eabb10a01362a8e7c06658ab767be26c43a6eea3e354ec867de2b7b6ce96a4a951696051fe1a76a694d330eb56c1752bb2f866dbf6c1e85b3361316631c7a4a277023fe1d793ec4e4416c8db3b7e8a157e33438eba857e2b54db84e06006f83d93284714dc76cdf33da3d5adee64de2ee9feb689b9d64ecb857588c60c6e8b2eaa3999dd2f1cc2a6727cc5a50fc3902124055705eb726f0e57830732c85bd598519ace6cc86105cd36cdc7ad7f6868babe314b69d33021cf9931720aaf765d5f61e41155c7572ba298d52f3d61b28e3b5080c124821e1a97d1ec78eb5decd34a69d054fecb1209d86ee7779
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (57 mod 64).
+# DIGEST: 050258d6ad6bec54f8bc48c7ba2d669d6416c11e
+KEY: c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39
+AD: f4f03541a11be112a72933
+CT: 8d69a3691570f0d175aad5fb77a0e9abd3f882b10355a08f0160c113096acfecdbc4ac32f037d16c2c4dda4bd3325c8690bade6bf39b14435cc11ff575a3d7e9f7b09b5b40f9645d9a5dfb44f42304d82298cdd866e957d4ab64374ffb86879a9339ea892986ac706bd2310927aa2bf27dce3bd6012591cfce
+TAG: d754d4d2dcae21dc4a69c8e56ba3925f9f3ccc53278cc621a0ec4d4ea7b099a289eff5599f8bb1555aa9fddae50f04b5567ca7ae4498e1716f4243932934e2cec1434d4780184f0af1d0d194cf848671e5b0d6982a07b5679826f124c8f69f26cfa37a0105cdf15585697c75504bf8c9c04d583db189cf2dc2dd345aa926d440997a8d76f6ed12a19f2d95a2727fc4c0f8786ac3c50896a6cad6d948712e4d72a44cfb2fc9dc753dbed91f4fe412db6fa5e6b548eb1abed87e3b4e5d808ab4ce11f265efbd4af8e0516bc412fb9ecc3d69ee68bff6b12f3987a585670439ced09a038c526bf226299b0628f6db003a21eb5d943ef84e90f133dbb4c8468f555721c76da689e8d6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (58 mod 64).
+# DIGEST: 70060f86c76e53512933c09deb5872eb23efad67
+KEY: b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f2b
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4
+AD: f03541a11be112a72933c7
+CT: 26d675c591f287b26eb35f87231624e454c4aca1f25491b74a252e971c48ca523b353b4f6c0106c1b3b40182eddbaf7ba47263790c3b22d23b09458d48868bb18b2fb01bdfa965f7c1b211fe02f9b78959b71e872ee05ff3baf548a85797270fd43c9db1f9f97d3b60c62c06bccca0ece2b7249f3c0dc6b04aa7
+TAG: 864b50299da796a664edb8e1d0bd0120ad31405c47919c288884dfba933326b03eb399c634fa77d611e613e958369aa3d9a563f421cce3ea87d5bf2e179c20e5218378cca347fc18b87248a66810ea08806f571f1e86bfde99d089b06c3156cb6f2427503cf03e39bf3a60b1d9542a3789b657956ad925754ca4a369b05d269d481d4cacd35ede8684623ec9fde9ee860ab12975bb1386470e1221d2b2d1091c7a41754b8440740b4878fb19c65ffeb2a120d84661179e07672953243a09085f0d21265a5476c8574bc49e30ba364fd9d7f2035ba1222ef9c6bab7d1e68211c1a9425a13473f692b700c242fb56fe77fded75312bfdbb7fd44a88ab37d85d640e883ed1936ef
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (59 mod 64).
+# DIGEST: 58286fe273bf572a76a2725933dd969777c303c1
+KEY: 4ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f2b02
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+AD: 3541a11be112a72933c7b5
+CT: 9c61bfbbd3e8395be166b30a56b3e192748ba3bbbdc334dc3720206ac10c90dd777aa4957695bddaea0b7e554951c94f2f74a2bb7547ac20a7e357fe249614204401144fef61394c140553d5566c18ded15e0fa50fd5836cb725d277fa46210eb588a96d7baec9e2c947fee1b85cbe6556cf23655132ea72dfe4a2
+TAG: e66769c0cd9a2448afe99faea0b64137f4a902158d6b11a58f4bff98df8545e0ea23a7f7127b6dd76e3a3ed43490b44bbcd6a7321e5edb819e6b2e163318ead19f5a306c7b0b137f3b9aca44c4ea070ffa5712102b3f1dcec5c660b494e8f3d809b3722fee1e7dd29cf771613b68e45733a9e66ebda992930d32829d31e61f2217e41620ea4e621840f0fa7f7b8762e0ca509f0eeeded7fd55727462b045e4adff507f3dc4389d9397f0429bd17c2408ed60e0d94efad4936fb55c359052a6a88c056e7ec1e4085f4a48b125bf9340e57be98b5cfddc3f9d07cd036b0b78aa205fdbdc8e9c511ce32b6e4c9dcfe5722fa13f9d8b59821c61ca6f8ef75eb367f4a37453642c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (60 mod 64).
+# DIGEST: ae701e5c8672dfaf728bf0f43f5e5247ea9ac13a
+KEY: d4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f2b021b
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f035
+AD: 41a11be112a72933c7b54e
+CT: 174bb28ef8ee033bf0f39cf6a5d3c2157ec773078860232827fdb1c875e9622e198a00a50fcc03b2cbf1e4a747efcdecda8b612ec3ebac650a7401b4b204185e4b42306d544e3f6512b87bf36b5f55ec0bb4da01c36aad92a16865cb852e1a5d1a86d3d57e6336d4376e8988f00162de8b238cfe36916d5545fa9460
+TAG: 726c9d0511e81f69edf9bbd0397f4c3c49365418afadcca36de0aef99afbacad6dcf042fa62d405c9672e5409a7d28baefb467b7c153a3ed97bfd2b8be9b96e42b33703951bcbf04dec12d9bee63f5f30d2e57ecdcb3818479a163bd2a1caff3a327a911bcbb50bf213b77cdff340c858472223a71d4f15e029fbb800b81ff375d84d4c30ceda7a2c42267e1cf43dfd565c8a4a842556d577633857204af99ca35ca3c28bb02a7dd9ab224ae58938461af1e2bf64492fa2a18b4224ac3ef671c7abd9b6e266a0469cf3b0283b3ad6934240994f1b2d43b35d77e0055e0377c43922527d93426be34191dfd4b0a4296a078d128ea416be209b15c557f5da675c705ef8d1a30ebe78535434d2ff8bd29346abb9bfa
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (61 mod 64).
+# DIGEST: 4f498d0aa9205160827626ef80c163275eca1f78
+KEY: fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f2b021b14
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541
+AD: a11be112a72933c7b54ed4
+CT: 9b01cfa97c72b5ae8befd0d357283a52f6b8c5d9292d28f61373334280f815d6b69f878936738cebaf6fc84d20baf51868eb4d2ae08d64e724beea1887a76316acc955a00b5d1230fb120bf7d51f74fdc5f332521c59406bbd3161987c6ec49ad946a6a51755796de19830631daf69c78a847d2e515d409a7b77ffe75e
+TAG: e785184106419b8c7f38061f49cfe3a265e9d4557b9b2d91ecb8f21ef3f52e387643b8ac35aae45594e70e4ad4457b852834718a1456136c5690aa164a152b0cacf020e33bfb33e2f1b79dd23d2fba5adcf22d4288308bc1d055be378eb77b67dad654658906aa3cebca8eadce6127ffe972803bed110a5e301bca0f2c06dfcb7af44275628831bff33807048996115d496f4f13b479f4fc1e8f2ff0991ad73293e789cd909fc0471a484ca11be8383fbb4d9590570c275354cc89a872306f4d285561dbc068c98d2989dc4453b97cea004a73fe238924c321d3a77063c1f20890324ae59860bdd3f7a70a7c21f1c51a790f37305719527a20b879e56b65d38799b899cd9fdd7edafbf456618452eb4fa37cfb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (62 mod 64).
+# DIGEST: 8c043825b2a3764e8a0cc35a011696fb3ed03c2b
+KEY: d0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f2b021b1444
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a1
+AD: 1be112a72933c7b54ed4fa
+CT: 0b0133ac614de667eafb516e1fb33b016a8b49e558f335eed239d50ddd13a4152f1570269615a243502fe1c6db0667a2de7975120ef65186f5af83821598ff45494e943acae24a6095ad46a498971f7b185d7784d451b1260ea478c03babf0e582a8a777cec20905821267eb85aec1a20c0e3b94d78d425a12f2efc4d60c
+TAG: 1d832d65c91d458bf343260419ad0ab95c1ffc09b137d1ad1805cdd648c8ecdaeeaa0ea27075d4e6753538d831577642c92317aeb5525724023beb923c2626bd9536757ab73d1739ed0a850afbaa5914fe94ed606e245274d4d3071201a3d73ea1fbbfb4032e8404c12dd02e0b6cdc38324f4684049e2707f249c9dce0e6df9386b787154ecc3974d041cd6bc5e6d031851247703347bf8324f077ce63ce0393fcbafb4396bbfc9260628f4f82244b77b8ea0ff14e26c2058e0d8b662fcb9d9ef747cacc42ece4777114cd2062e20b8c6d198fd5628b198511274f54964c40f1052d41f68b5d90256e894da5e5ff3dee493f5eb2a7d2a9a88e32b774afe2e0e643d606185c34796b40716a46fb8ba911552a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (63 mod 64).
+# DIGEST: f3a432271c9be858725fd024071c4f479ca9a971
+KEY: be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f2b021b144476
+NONCE: 
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+AD: e112a72933c7b54ed4fad0
+CT: 8d5b92c78a48ca6049da6a036735ca23b99f9c3cfb97122312e5bf0279d094cfca0b976e24f6b65d81f85eff669da35486809cbfdfd1fd615a5347947156148e6b71a11f7bec611e7c29e19f6f62f94bd7f8b89e54b6945dcc1a7e380e51456a31f1d511bb92443deab5987c3bba266329b3f27e24d155ce685f67c34dd18f
+TAG: 295c8072940df20a1ce3a27f32622fd6cdec5f5aaebee91e6654ce96f013cefc348f1425a6fbd6f42cb4e1e866c0fa602afdb503eda59801d8a791fa7de63d22c080369c6a3389034ff92ffd347ebfccb0dc9cc972f6654eb102f5b12baf864b3514f22d55f28df8d51955a1d338b4e5ee9145a4a85ec87655ce41255a6e91435a1d9e4af613d35bc6b4554c2594baca964d2a58c75deccd36d3efb50986f844ca6cf79dae24edbe75ca6008457ec23e69db9e19c6c039feceda6e1672bdcccf0a8c864e957b7efb1b468b4976a97600e3d03ba9341876e6439117d2ec364d479e0743ea9ddfce7effc0a64b73fa55fb1f57c18ea97dbd03b6391963734dfc459d4efe2e0f609bd51ee0a09faa81065ec8
 TAG_LEN: 20
 NO_SEAL: 01
 

crypto/cipher_extra/test/aes_256_cbc_sha1_tls_tests.txt

@@ -42,14 +42,707 @@ TAG_LEN: 20
 NO_SEAL: 01
 FAILS: 01
 
-# Test with maximal padding.
-# DIGEST: c6105cc86e18eb8376c16ea37693db5c07b77137
-KEY: 8503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
-NONCE: b8da7dac997deafd64b1fc65de39f4f0
-IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c748
-AD: 1df3f4183aa23fd8d7efd8
-CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae14b500b94927f24ff6a4f7b07
-TAG: ec90d128ef465f4a3645fd0b2601fbe2b0bceae2f890f0700c7a15c82fcbee6ab492908ba5f2df0f04dd0635c047cbe52069d85fcfabe53ceb43dc71c46e51c0e3a9ff435840d62bdcb93341a1624b69397fa1bbd9229814a2788b91a107534b41ed488f4ce95fd2ab46963e4f1a3096c74acc8466d034eeaa7c0f1fe46a4eee7abb740367266cd36fba96dc74e520f64b9605c067bef516f517f99ec73c1104b43bf3e94eadd7dd6b9b7db847d6ff4c03dc454d8edbf8f694f09754f249fd1dc0bb4b130b2e43ddc1d24a0cc14edc8e7328515cc8498ae89beec66127508676fb04db92055abf2be22e0c2a7a3d9664e17d919f655ffaaaa7246a0ea29f9c42f72b6edd0dfb4867802d6992ce25efd8fe0dd0cb
+# Test with maximal padding (0 mod 64).
+# DIGEST: ceb2d295bd0efd37c6c34dab1854c80e986174fc
+KEY: 37446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+NONCE: e112a72933c7b54ed4fad0be905d4120
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba
+AD: 2fd6773e0d0c302a5f47e0
+CT: 000893d3434c5be7cbf9daffd81f03545f735cb70d1bd16eab26e07da7ee29b4c607d9a57077d74437e5b01a89c808c7ceca0d3838e5c6ee9947f1d4ee1d5e5e
+TAG: 6d8dc4edeeea81cb503d7389da209ae335876393fdab048965c7eb1a1403d05f8ef059788d08c2e906444388fd416a87bf8706f78d35797453b242618f4a99f47c3756116ec0318d96435032225ff82b902b9b6985189ca438e466154ded91676676c645926e2cf8a5d6f3bfafbb713d646cfd35b091f68e5ac2e7ec10badf1fd80767e6953abeecdc89beb2180dc92be21631164ef801147917e0c8d7841bdcdb52ea03344ab5f2bf3d5157794f5be79f51eb1efdacc0b77b27b72e2ce03d05473203522e3c2c196390d77dc28a35951f3aebd72ee58021d55e521dd029719a7660408ed0da5ab41830102bceb514b0b172d0ee10937111edba82b47e719c3beb3ce49a665accdc1c5bf028d465b5e1
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (1 mod 64).
+# DIGEST: a07054c760cc66fc704edf950201005031f3faac
+KEY: 446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be1
+NONCE: 12a72933c7b54ed4fad0be905d41203f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2f
+AD: d6773e0d0c302a5f47e037
+CT: a1e92776d0ffcfed03d1be956169f606733755d5a7011620c7ced6a825d8e59627e75692a41a1f2a86e62fc6052873b5458616414584e36bad698cf4c44909e0a2
+TAG: 6e0b32528feac2d7f69abb480efc7aae6cd1c5f8a654bcd10ec5be08b58f5a2198bddd83439d69ba9f55408cdf087e8a7f33fca6859638c5a4e8bc6961afee7534d8ffd95249d554b02e5beb81100be5e10abf679300f4ba514c03f4fbbba3cc62bd13dc8c8b9a726a9f217446c6e3b89cadb40488b177926c88c9d22a6c4ad9deca67f0d976fe62cd24c3cbb2e51dd16ee2e7bfe91d867b77c77a9a65c387e2682d946e617d0128034f5fe436eb7fa88aca82526d71dfefbdeeeb5a2c15d57fce0cf12e6ce0b101ef92d9ca540447e0bb65bc04b6a02e4e6d9378c6eebcd6d530c4ae14243beebb18403e8bcd434c2d88cc121e2df182edc3e1f52b060b1aecc48490c6cf3260299449945c803891
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (2 mod 64).
+# DIGEST: d059c266cf6233af730b7a229b19356a4c6fcf06
+KEY: 6f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112
+NONCE: a72933c7b54ed4fad0be905d41203f5d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+AD: 773e0d0c302a5f47e03744
+CT: f414f0321370af1490839677747893befa438051fef5f02fef488d7b84dc03140b3a5dc3a57041be4c8b688633110fc07251d877de0d6242928e4d937e3cc58ed611
+TAG: 4ee98ac6f10e179314a251a9db190037c47b9fdfc66321d83a995f6dccc5259801b18c3f466f7f4939b7d2d7196e0b161aaa013721e81bb9707b974b904f670e4aa495357b562a254908417b65fa69e86c42b3efdd423838575db08465a7f4889c85201629f6350c0865b5b0cfbac4f51ea1eacc8f9768014975d780438c3bd77f7f18612080abdeac9331e1a068c8f3a345d0026c5723bdbc48643c1a733a5b7ca9078424522db9491bc38d2644dab2d75499715707cd83ed655343ca73672d480f1420754fbbfeae0fba05be3b5235a5fa48bda9f39df0b298351d8f4da3fb8a2feab8b1aca9335eb31ab03f40ab19f668bb864c798ae08de37bf848fe2e898172d26fa23f383787d7199a6990
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (3 mod 64).
+# DIGEST: 8aac0687e33041fcc18da154b41f20a6af2bfb28
+KEY: 5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a7
+NONCE: 2933c7b54ed4fad0be905d41203f5dce
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd677
+AD: 3e0d0c302a5f47e037446f
+CT: b51ab2f8c4ba3e8638d454ea72da5e3cb15336c347c442b8e1ade85c5cbd0dde790dc707d60d452d5b88d72e718f13cd0e0f4c9149b72e8d6be869d817a3232513c958
+TAG: dc8feba112517f6a820ca12de43c5d64c51cca713d3702a2b4a5cdbe86a90946a7369ec26ea8b5b35df329bfc6e29ef50c2774649134bd6e3f3fb38ef13d9c7fbe066e9cac4fb88dd0c02b677472ebbb2d0679dffedcaf13fccef6a25aed3a272ec01e7680becf80a624518e1333d28c97487b06e0581cc80c94989db4e93489f3dece9eab6dbbee73aeab572d1ee7705d18b899d9c62d7a370311e64131a801400b580d3c8f7af88be485b84fbdd89f7f7dacb29afeb56658f3d8e49f27adc542e412b0fd652b9f60575bf61622d7306c54bed50b43d89cdaecf1981ede09f9ea36fd174118ac178ade5f26ba04fcbd2eb035f030e2139506456ff8d342a4e59bd55dfafebda23a66cacfe6d1
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (4 mod 64).
+# DIGEST: 53658226c112b86438dd27b58a71f9e36fc73c1e
+KEY: 91d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a729
+NONCE: 33c7b54ed4fad0be905d41203f5dce99
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+AD: 0d0c302a5f47e037446f58
+CT: 87bf1af7e4987cdab35bfe32adc6b1be286751426cf926217f2c699bc095bde7b6ff3d6cc96b79328ab776547c2cb756d9de8c1245d21619a51dba8364ef6914590f15f8
+TAG: 55b9a1ee198080846389dd088016acab73622b1e2f902b0776846c74d99c27e67c7bbb55b2ac0efff91af0f6cb2ddcc0b5b8bab768048bb1662bb343d2f3a164bd4ca4850fbf8111b29e9be7bb836e2a8ac50ec2cb0b1c4529e50904007372284ec9187ea27d8faa03fc9535ba744155d06c06a0a97d96c03de71c13c95f185f426615f1368be346aa5ebf80049ac6771763235f2ee44dc910a01035c53caf8f9fa6f51fe3ad094513a8db177b6a66e24d21e1e40a23aa3629fffad45f84a58a29ef9237fac5eb6f5deb3825de6f399e46b2b2b91faf64ce45d164155e4dc757f6005c7c3e7fb3d8829623fd7c6ca48b923be90c38f5209c6d94696d2b2b7ebc5dfbf2cfa1a37e8ed038e830
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (5 mod 64).
+# DIGEST: 6b7d5268b0b5037afb5be5af6a0ceb34e7656ac4
+KEY: d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933
+NONCE: c7b54ed4fad0be905d41203f5dce998f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d
+AD: 0c302a5f47e037446f5891
+CT: 44237c388c3d017300db0fc9827f9b575e59bd971a0fd89cde4aeb1763912b49d50e92ba19d7594ef6da27320ac2bd1db3bcfe56b68a9ea8e2347d69890fa1fdc8bed782ad
+TAG: c1068d84aa962e7b89090993378806194ffbf677e7a66524d2ebfa7bdc52d76d09b914168eec4a5fde0953d4567affd3a4e0e48190e7a84471efe8ad1ce577c21df93b9d641c865d90ea1e6069bd703c4ee372379a4ec94f7e99867179561d41e9053977cc985b98f7a9fbc675d77052809b89b8f23f993e191ed1a07f97b89d05de948107f94245f216c413288eb4e40f3cee9c00c15926657d9ef9187ab405ee8000b4bd84d5771464401d59156a97eea7b23b4a6e9f1587cd3b75826a621b699515829dfc57740ad5719c43e88d835e13ebf703a0966779d31dc26866e0e9d27e3376137c92c97af49a876eed425d3980f1904f013143faeccb4fc920185ec2325361e5b318434487f9
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (6 mod 64).
+# DIGEST: 63efe7af502231420ed5aecce9a28446b257828d
+KEY: 7df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7
+NONCE: b54ed4fad0be905d41203f5dce998f8f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c
+AD: 302a5f47e037446f5891d7
+CT: 2f25b5a3b01af5411466c8aa5d8ece037434d5e12b62306f2732cb063d0dcdfc2725e67118a242a5576d470fcaf9be6d811bf2789cc66f5561d0542438b5432fe713187a879f
+TAG: d80e1f4edc2137f430d36a5ac93680c973fd7c64a03f7c2ce1b7e33085fe94da70ee26f47998947310508448cc70daa595687eaa540e48f048132de108a045da6d71170e39bb45160a344a2fdb5cb56ab020b9c0842ef2a1a5c83b4d63359fb8d71506d1e611fafa29e77d0669474d135e37bd8aefc3e17f024093186ff80fef73889e887b8d6672256dd592946ea84becc08c29445c8d978e896b1dad5e2608e347e54a97f3f757d7362f95f4cedebed07ab45b05713f7119c38d15a0f22d4259893f5e2401267543b3f78b52d54dd2d608173119e2dc7fe01f66589628e95fd7528958e993b21e4db664b8cba2f776d5cc305c42553da936d580c17d6f5090ff04e106c6488b5b18dd
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (7 mod 64).
+# DIGEST: 1a555c300a1d1bd5b03cdd6bf2a678621624eb05
+KEY: f660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b5
+NONCE: 4ed4fad0be905d41203f5dce998f8fb2
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c30
+AD: 2a5f47e037446f5891d77d
+CT: bbf934979c5d9da5c8b27d0341a164d640f12956a392303b0f1665935b5c39de458f53e0a6f824cc56081db1615fc67ffff0d300d1564666b81bb37da59e4da30de9d6a19df74e
+TAG: 9c18b0f9ee6a167a23566325eb330660997193385214abaf945dc18fb8252fbab8330b9809a6f1b300ae5a0c9d841fdd6f77e8d65f1cd0b221fb9b94b5e5d7215e6f501f490a7fa0a754efa7f2d9f5b927a5da2bea736e73af067e5d988901032d503ef3ab89894d03e48a096e7c31fe64bbc2c13f02d878590659ee7606d9212898d4d246e52b03c5646b1c3fbd43baaeda6548156987fc8f490f5763da18198bf0754d20f16dcf7df6bd35ca4bd95cd5c95a60427fc541aaf1f6923ff150de825cff9900ac9492350770bdd13fc4d0ac858ccdf36efbaeeb572aa45ca5470a04a7fa1ce5954d58771730b7202def47b303e560e81ebba2080d044a0851043c5af1a05c30a5a448eb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (8 mod 64).
+# DIGEST: de9156349b578f2f44945ec6a676a67a829daea1
+KEY: 60ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54e
+NONCE: d4fad0be905d41203f5dce998f8fb2ea
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a
+AD: 5f47e037446f5891d77df6
+CT: 9b9bb61ca4d5aab8d0342d2b174e8f39b8e21db0fb7146025fb298016df3bab4363bb47f5b1fa038587df98851d09d473a68c959ead8062c52b9d6de86bd6a0fc9a2daab4667c621
+TAG: 897472da6d837ec173c2ae738721306e8d3c9e5353b65d1ecb3be3d0039739de379c9b06f42af8e952aa9acb4780a6de888dc8c54fe9a2eec19ae4a864b3b9696d712153bb66c49825ec5c891e30915c4b7b66b190525195429426ad694467dab09e8c2f9f21ffae4d54b74c0c5ed9a05963651dfcb9560677693429c63f3024043385ab0a31066243d42b80d2aa9854005504d6c8b9b7f736a8731c5dea0f3fc9007aae0c6edcd0a91dd1bbc5750de12ee13d4a77379cd3b2c2bbac885fa17338011b7b81cec6711fd5d65178f20a06f5475e09c202deef57939161ca8ed3e4aa9b010277acddc4478d1afb64138b276e265182ef2dea321b4f136c5c439ef6d099621813209a43
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (9 mod 64).
+# DIGEST: 12812df3aa7f3bbc899f6f248f5590e02570c292
+KEY: ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4
+NONCE: fad0be905d41203f5dce998f8fb2eaad
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f
+AD: 47e037446f5891d77df660
+CT: 33ac574b7962d03b7816c0199a7f661a485832b9023867a749fc4bfe8ff0485571744f801139afd8215863b23e2d68ee7a254c60d8029e0f1ee10a1b947a4984f37f98a6767f52661e
+TAG: 3ee493d8cc764880f4ae7fc3c189b95bfe11d89640e3c9ddb55b230ba0d142d53fe18be8b955cf0d0d237c3b295459fc4c723b27ba8a29ed8dd5c80fb9839e30bc92e6afbf28ef6f72d1c28e5452460f986444678e7ea982d8bae63b69788012bd43aa66e5a521840c79831ae74426fb16f0917c5d2747b9c31fe43ecee604f26afddb093a9f1f1205a4451d50080ed0a9208a88ed6dbde37a674932bca837c46dd8725982c2ef6ac54511151c4cd59e511ca3835ea9bdbbd2e0842dc9674a854b8d4b063d0685086cdf917a7b7983dcc28af2addf3bc302034e365da1a87334a68477aa34a3a878d926d4c17f50316749d917e172e47597d060403a0279ee68dcd864652f37c6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (10 mod 64).
+# DIGEST: f3c89f21c327fca4aa400fabea9e39780378e901
+KEY: 82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fa
+NONCE: d0be905d41203f5dce998f8fb2eaad40
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47
+AD: e037446f5891d77df660ed
+CT: 8517e13ca00214ebfc748efd3a233e8b64801dcce99f9fee3d271357220dff7b1678c1cd6392a6ade62146c0e783248918a7cb69dd26dea525bd9060f380dba75e502bdc19581ebc3295
+TAG: d1f1280699f5514e4a56b08a5c3146142ef8e44c18ccac74577ec0feffbc29884da82212cba95b31d8464954498340f35e9a3d84256e8628368edd166d4b429fcb76e0072d2f5276ed8dc7bd5f34e754f6577ba00ee7ad74e9c89c4f82af0a7716d6ac77c39643909dedcc9356ba42f07874031878229a076da9ac7b0e49b2d170239089ceaf84392e889e7bceb3e383d0f744e229c53e8654ef0099a11773885efc456883e4a973557852f70c0e35668f3f212260e131962087416e668c9f995f226152251f5873fb89047a9dfa65b9fd0116486092b1092c4ee33e7625772944c06a2969b162986cd46d2b4185af2658c25c69a7a599d17f37be0fe1c8250cd7df5e6cf304
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (11 mod 64).
+# DIGEST: e8e41988fad6c8b44c56544964cfe0a347b35b1e
+KEY: 933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0
+NONCE: be905d41203f5dce998f8fb2eaad409a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0
+AD: 37446f5891d77df660ed82
+CT: b1cf0005c93547664e09031d923c4ef9ad663a808189cd8aaa68fbada340d8bb13330499131ef3788cd91e9527702a2388802fdd2e91998a53ffbb466bb7e362d06677edd673cae71418a6
+TAG: 7cad97328236aee512598d1a4c7d51b2154218fddf0ef21724921c1afe61fed1b7a1d1b56b8099dafff77362c4154e4bd7089fb0908ab1de49244a053997a0d04229250e52bc1ecf4550da5753a35108b6752f907ddf7a77fefbdb5d7290b02ae231d019d04ad9a5295336639e7e6c81ea46863d2bc3c4fca7d0f3b05237306759b156ac1fd10b044730987d04a943f0f598704f2191f6c627299b92a2c01a4004111c21f650376c3f28fc9793eddaefd74a2bb3cc5dea73685c954c63b71f2924ebcf9853ff084117cc84a0785d96d8d55d02723a2082ecd8c4b49b8d4068071593aff50c2e08fe7c49f6de1d7586e299b42ec723063f2341fd9b3445cf40893cf8c2bfa5
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (12 mod 64).
+# DIGEST: d1c7b2c04dc25fe7b742a1d659aec20e1475ee4f
+KEY: 3f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be
+NONCE: 905d41203f5dce998f8fb2eaad409ae0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037
+AD: 446f5891d77df660ed8293
+CT: 7195b9643e0f7a4293c865db36442d4fe2cf3ea2c648dc88cd5636fe5e6bcea3d1197966e800da8c78bcb8830f3fa97671aebce98549e62827adf612e70f946673b07e2f953c8fe5e0b97aa1
+TAG: 3a909a9fa57e720bea6251ebbc1a71bbae1fd894f6bbd16e11abe51bbd1293abc0ad4c152a08b4acfac7a65b723fc6bd6923db66bbf202e184e8dbba150e6021ad1310ab4752cd4ae874409688996fdf88636084db7762b9578bb0c98d77c5156a82a97a3f6989db2359d252ff7c6405bd4834708c88d4481b35eabe2f7069bf8bac374fa382f4225659b41dd2a8006c0ff8d7c77c8d157e0373f45fcc0abc804a9f8a6b816f2b729befd606dc61e7f763f18121f56255662e36d120b27adfc8e1b528bd8ced5386cdb62cc73e58cc7918d27253297e9cbb9c740c7765cb014cf7bf160cbf09e00d32d31d462f356791bcf1286bb9023254afa6c41fe3d165f1bf7e6c002ef64ecdf3b5e073fb569028032e6713
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (13 mod 64).
+# DIGEST: 116e20ff1e79e0af464d473b1e7c187f4dd66007
+KEY: 62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be90
+NONCE: 5d41203f5dce998f8fb2eaad409ae021
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744
+AD: 6f5891d77df660ed82933f
+CT: 1d50f3eb1cd76d8e08a9f386db0cdc3eddfc694e8502ccae47ab431c2935fc461254b80386c87690b01c22f38ea9bd118d2e0ed316ac249437a3e9c30f6c1f767c150216ec90e6c8913ff3d469
+TAG: e44bfe162cbba654362d1c86088564b14120815f181932e9f111d6da5efb5f4caad61f1161d1d148cc429ad34fcad9128bab101c7cc004fb8f0b516216a809a6599b5144b4c5828cf159fcecac46a86ba0698a6e5267610bad10cd7ce9079b6c691c2ecd522dbe3563074f2ac85712e58cca41761aa94449199a8b440016e68eb8bc9db3ff2c2bd9c64d9d3c71566bfb5d234af1a144859431f16ce6d65b4cc604e9cbf4e5539c192f07a2981b55582376bedc07aa20f5a841c9f500915fef353c37446511da3affd743fc551d5c22454797b3eb957770f1ca16da138c71bf5c00ab7893ae83b3f499a2c42f55551a986555925337e0604227ebf1c65312f0b1a8cdf2d06b5daf3e5ea97ceeb2f33421d0b44b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (14 mod 64).
+# DIGEST: c081d0d09b2c9eb39a372ef4a7b0246a0956b0f9
+KEY: be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d
+NONCE: 41203f5dce998f8fb2eaad409ae02116
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f
+AD: 5891d77df660ed82933f62
+CT: 4d754c684658bcc89208bcd75f24dc8e18b70a28b8a2201535e60ab755fb20e1ddfa98742d257eadd02d96c6a65f880d058312311efdf67f9a106beff9f5ace0ac6af586aefbb5e8b4850e584bb7
+TAG: a9bc9bdf2c16ace8cd471c2bcfbc2cf933fc1886faeec62d4809ed5cc4dd4fcb6ca6c42f31bab300264b278dc0b10fe8a54005b590160b410dcdfa3db413dd04a72c897b262ed0fe4ad6683fc5229010f1d2bc939e61a2c9e0480ef3e03e90f74a3edd8bb523271adc45d097b197ca9034bff48677efa763e1ae7528d3f775f827b9c56ba7f042d7f9413b4c5d01972e86976ab3a398afae27faf3cd19ef1b24b5342f9d067e7702bf1ae9679540a72f7a12cdbfbac234d596856b3bfdc2190dff0b50f45b4355cfa25ebf8d1d16528fe6c4baf9b0e5a50f95c4091704e939c8ffe69183c2695ecb1f12f24fdf288a8e8bdf3fe510bae70c46d0214303d5503d21366c4eec24cc2808542a203d81789efbb6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (15 mod 64).
+# DIGEST: 6f7bb1f9e2772eb909c315e653e4737cfed78a18
+KEY: 8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41
+NONCE: 203f5dce998f8fb2eaad409ae0211641
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58
+AD: 91d77df660ed82933f62be
+CT: 25bc47e58e7d4f3a417c95768699c92240a2be0e86232a41fe02d64f66716023996772e1118be48e685042f989dcd9cdc574614c9c3989f1885b4b71dfd5b1c32c1321ca41ca1e6ff1828e677e30fe
+TAG: c96a78b9ca68054bc1ed2a150dff9f9585174f343d3df80350982002b4c95106b72813a90028f2855faef235909686607f39655ec48f4024e170c9f9574b0c81b63c8df7af6b4d0f0633853a09c334379952bbaead7415125f541a01e320c5f5d9806b71c3ba71890e3229e751f25ac82c245596b5fa688f1b13844d91169354bf0cc03cccf576c2216aeb9eeab33e2a9f8bad2145d36cf0e7585a02296a7a3b434f4efeeaa4d7ed65befda32b287d9d0946e25dbc0edc22de871184ae8c76777528b917585be784d5e0674b1e5693d0b8cbe8253f8db67c879e1d2b7ddd5df4777a15509f813eb4d0f5a935aa011daaf0cc1ba2ebba9a20a74847e9c53b648f6fce4c08b6e7babc1919e6de22210a6f05
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (16 mod 64).
+# DIGEST: 172f4992e692a88f49628e5d3937959be01aed2e
+KEY: c55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d4120
+NONCE: 3f5dce998f8fb2eaad409ae02116417d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891
+AD: d77df660ed82933f62be8d
+CT: f1ab85a35a17541efb4f906e7fc85e64efec6ab40d59d3da920c4ec09797c3ad47820e9d934e51e3f4d097c4a555575939bfaeb8cfea062b64816a160d6e4d1ff02a5fded435ab9aa2daf22fa7d676fa
+TAG: 14684ce099f4f0e11e785320debb89c79c03e8bb8751860d3779b4b553f6dedabdb23119d2866ad63fc974a6c6442b734394cb6705309a4d3889e90c4a222bbd14624cd89a9c3f904367c418140375dd592107f839ca94d43d09495a8dc8273201bd8f5a447bdf57506421a975ff4db3aab7878ff18e5b73c8f072a8d092461257d0182710ee9df9f86ac5ad321eac7ee96dddb27ecf561db222ed1c7c183c2ecdf4c7f57cf295638de3c4176ea244100d51c006282e98af1a8fd540daf0ca6f2fc0b88c550b4ab638760d95f2f9d09612da198616cd13fbfa1ad12a3fd30ac9956491cb11539a1be43175fb1452393f13f8d03501c89cf5962730125a7e185dc089b41124fc1e7f69b1fad46bd661c1
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (17 mod 64).
+# DIGEST: 00133da1f7c63fd5f0eec364e9a359be02c1d3da
+KEY: 5b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f
+NONCE: 5dce998f8fb2eaad409ae02116417dae
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d7
+AD: 7df660ed82933f62be8dc5
+CT: 5d6bfe91cd2273a9b986397a38e81be5fbbcd0403ef51873c2c467a9fbadc7bf540e83c538a43dc0e0ab780a4c4b1f5b77ced74f65b61f8b8b58b26fa3e8cba568bb717dc7071bf82dd8c68b068e739706
+TAG: 2ab9e654859c35e065f763d949d43c65dc85dc5d918850809ad8efaed6569d4b3ad064bef3427ae4c3be571fb914cefe2362169bed5b4c0cb17d2106fd6993d20ab8a8b70edb5f5d59b3357c8499c36e2b0b67edf7f334ff02d599031f43252b8d30d39affbd2093a6687c771b672329e14901ad9128f063267d3ab332ea31a79d37cb24ad0fd2d07f23b13d4643d1d9c529e1dd0490c851b0009fc1192f2438a48aba5a39be2ee925b1a38647197ead5cdea3499daa5abf9f4503d3581115a6847363348d5e7933948dce867752cde69ecc401012674ad75e12245dee86d775989275a5fc635c66d42c01b7646e180d28798905a3beb210c049be35b522ad580e1ca29f81b9469448749fce961ba6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (18 mod 64).
+# DIGEST: 60a6821269be6c5b985576b245f106128eb0b325
+KEY: 436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5d
+NONCE: ce998f8fb2eaad409ae02116417dae0c
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d
+AD: f660ed82933f62be8dc55b
+CT: 16e3c681ba1ece3bdbfb1da491f877e806ddac5f1ae96bc406bd195c9d48bcd4a9b700a8ced21d824bfb99eb057e401c3529818725b51e96c576e8009bfe4866e98f550a23ef4748ff761a4d1c44ccb5eba0
+TAG: a30286b3d06306818a268db0e5116abc2c7361c5a32d334d8ce5f4007aaeab750980018b435c79391151fdd33df2a97dc2cf62c4426ce45be43f7e4949be735bcd33f0e81cc6b5a3c2255fbac9ff5a8fd7e7b57554d7ef00640d92b605c9afb0c19dd5ca4c79c409d85c197e8f21d79e91df01a817bf68e8718bc771028c945471ae003c0a210c572b79d772560031b5d3e5495aa8d9bd6fa3f8ae9976ed7e7f8d7275030d2f12ed5ab05276ebebafcac7d0ca41f9d860583f800e4f1b9658b12fab31fd63f6a5e4b80463918f8295ae11d7b97f9b5f89b8166861aec8f1b1417163a6a8adce23ce66c9a4306acae7ca75435cbaece814d6010a3e335bd7db9783812052179d5337d1c353be6e0b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (19 mod 64).
+# DIGEST: e2593f3b6741a9ed9fa188fc06efd057556ee624
+KEY: 6965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce
+NONCE: 998f8fb2eaad409ae02116417dae0cef
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df6
+AD: 60ed82933f62be8dc55b43
+CT: 9b51ba0eebf72bbcd7a1b8452a49f30bf2d96bf0cde4d9e5efe7f1903eb4e09f53aec649c5a8ad7e7fc6c28a0dcf4bd3556f4377bbf8b3f9c79dffa5978692559f732c109a7a02390746f5975d5a0aac4d04ce
+TAG: 636f7bcc9b0b5320643f4b6acbecd60a0a89d2511621ab47fa4c9af610fa1ff9c6cc5cb8fb64493d6a4dca0e94a90794f31698cb1c5bb5658e8b6a63a2cc9b2f1f297240d3d6c62087e32f5d5e9f9d608eccf4b41253933c7391983db1138012a5f5caa5abde25c8a16fc33cccb0604421d985f198c48552650f5dd299bf9163c136c042c9a35cdf7120a702bf460d739ab264fe1f58453ff4990f7315379ff074e01730e7cace8d45a5d0355c0acc409db8fbc759516ad56818b37700548aca769719937103787311b6dbc8488d9e68ee439cec3075bafb725f44734326df9b10d6a4f7133ba84489a9985febc96200276a1fb513f8a3c062466cbe63e7ad668cade7ea70c3b8cd040a6162be
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (20 mod 64).
+# DIGEST: 17450a437efe239e1858ac4062f34024305372be
+KEY: 65aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce99
+NONCE: 8f8fb2eaad409ae02116417dae0cef45
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660
+AD: ed82933f62be8dc55b4369
+CT: 5e4df84379f9736d784d9166047003e3ce3375a8e7add80c8687e94f68595aaa52e3bd39a45a7f67d35b4df0c5d62abc81680ebea78d1ec02153833b4dc4bc51b4d1725f5a830a064e33cd5052e90735477c069d
+TAG: ddefe8bc965ff097f22b8978296cb5eac25732862def3ce5a7d2ee9f7b7d6a6cfe5778b9d6901e7540d8c62f3d97f68b43224e00f8536bd7df50f3ccd1e0917eeff5c32d196cc2b594d23347f4bc1db22ede4f2ffa7f0774c1a073b5e91fbec2b634d0d60458f215309be0c2d1b553f22a87cdd75cb64cfaaa0a15ce876bad26f48b2d6464488f97e35899c7aa80957491823239173843dd88a617839e5bbcf78d51dee3418defcea0a72e5ba7a1e8d652139955570510a9c8e6b6902a5c74133c641fe3950db1b7123406eb4cd86e17bf4efda4128e83172ae78e8c2b632c0cef066ef311f38fa1a210a7802a39b95cb699962daf41e5d436d474753997ac3c826ad39980aacc954adbb12c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (21 mod 64).
+# DIGEST: a35fc7d25f90dd9cbd35910d5532aca8aba88b29
+KEY: aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f
+NONCE: 8fb2eaad409ae02116417dae0cef457b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed
+AD: 82933f62be8dc55b436965
+CT: 1ddce9b3f674dfc1b94a6cb34418e6b75c93f14941a6dbe028ed59667404b93afead95ec50b9393a8e0e5f469fc1cbc5136f4dc54f3a005af6c88cf70ff39487cdc730dc131538279704a67492f5241faf00aa8c46
+TAG: d43074349115775a6db0a999c8b492d65bf1c10f046b7c7fa6335d54854a202748ed412c82088bac5d07db529fd2358c66e48a1a40083d9911834522091a61d25013bee70e3d9bed1c1a63ff50c2f0c1ec80bbba5bbb25fd8b2c787e9e6c90fe73a8e476743050c06c8f72344842507a75e6514fdb760f1c733242fd447a8c0658e3045324da0dd132841d0ca758429c6fc0355434a6ae86cc1c798cc9a558e767730437f66f08bc8fd0301d3447f5f5f5ae483ddbbf61f1c8de15bb2421f500ab10ed643d4bb54367946206d5d5cfa6a4a2bd16527a7cfc619d1d7df22fecabdb0541201825e2af362adb3033ccc4eac11db0b563d5bfd65ef1a95a28d5798a33230a78af0b38bed6d429
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (22 mod 64).
+# DIGEST: 73eff0f03358879f900b6ebd515f0f4e5a6929e4
+KEY: be477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8f
+NONCE: b2eaad409ae02116417dae0cef457b9e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82
+AD: 933f62be8dc55b436965aa
+CT: 6736ca287cf31ea3ec92c68697bfd1f88642e67d9dcab11c5dc8ecfc61611ecffc54a04119f53f9e5476196f220486ab53e2b21e1135bc6745731f0bd32eee9777a1b3d208c21d86048a4cc945389d60ec8954aaec13
+TAG: 53f11651de2a737a0117aef6790d2683681561ca2b26586c5564d5fe06565e17200115d2a473aab781b9f8d4002fb4060f1eb43e77e31f270c143ae08a1cb5a2887c2ba393e050473894f62c6a7ec438eaa575d631b0736c3fcce58b9e81c28701a6d4c1dfd19a5d2de366d7b1c2433997dc826b48222fccf919ae872e42332b74d24027dbdd487014adae3813d52bd20271ab8da425e641701f78312026f117423f90145181d9af2696cfa08059a2f3b1f7f63e48c7ca8f63396620b4046210cc431a1b1311834659338f957141da2cba2d499ce121223f45078668652c9b699209bd1a33832e8a53c7bcd5fad62acbedbcfc1cf839b6d1444a991c573e8c2ecafbe33a23701291a8cb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (23 mod 64).
+# DIGEST: dd6cea270655225cb4f4231f54c19eaaa146eac5
+KEY: 477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2
+NONCE: eaad409ae02116417dae0cef457b9e5e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed8293
+AD: 3f62be8dc55b436965aabe
+CT: 95b9375058667abde693e7e3a598dd4c326ae4db29f54667c54453e6191c52f86d2fb4fe324e9a02b94f094f1dc272b1e6ad85529206a511468879d31ab9e74f7666691dcd7365ce52fd6df951c20e7a71ba740901f797
+TAG: 533eaf7ba2c963ee7357a118f8306660f786ef35206612b3bb8a87748c76c6bd67c15aca895927b6a92c1fda33dc4c330e8fca65d6b82343247d070a5bc0d0d632f7ec3060546cf2fa4f3bb7f144356bb2371cd19100e7d7066f2c304039836d62a647300bba5b7501241b8126a8f39bf8ac2946aee674d0a64644b8aa0e261f4049c9ab56b16e717d162d9a43936852047d4adeb17bda109d3aea0a46acb70e7fc9351978b4bfea20cfa0f437fe8c1308e45a390e40ca17739c4edc6a0bf6e0c14d84ea315e36ad0e80d22011b02675ae09e814c08ce607d4e3fe18a4bb9380966c174ca8a1c397966dccddbbaf85f47bbd97c5d99936c26917df99b6356de065ac0ddee7dfede113
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (24 mod 64).
+# DIGEST: 34dd9bf0ce19eff890ecad474388779f63b0af70
+KEY: 7e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2ea
+NONCE: ad409ae02116417dae0cef457b9e5e16
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f
+AD: 62be8dc55b436965aabe47
+CT: eded2db8c302b3b5b5b0c0d556f8d34408fdb2af75d38231049b5f91e02a4086e6ffcfabcba5e3ec68173dfde382a41523d3c8ea1f7944351baad1588516c548125b1005d3375b03a4ff4bb19937068e0efea0abbeac4f8f
+TAG: 379af744a549ee2fc70f6fd955d68da610b9e28178af1e7d6034c5e583f838a84882937060dee0838a6d0e008c51d312956cbc233af4e94ee992a3a9fc427f98283ffa000fe22e62e6181754cd434b066e685a514bc6ec82444c3d722fd37b305e1c514541208c4cc8298acfbc9f41762f50c87a9b95ca7a4d47ef412f0079cff9affdad66dec43d8fa706ef5bfa7deb9826c28ba66a7395e6491bd45ce3750864e3b0d466d236d1d5a5a6dfa8f531c2ae985515d367eca43505de759ad476ca08a6ad5265e8550a4d1fcdb0f8c3ef1a4567ae3262d5d5a78e7ef6c8097ca22815e35ac82ff78fb39b029edf5521311d0904b2e10822ffdf3f93118412181f8679363766430beedf
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (25 mod 64).
+# DIGEST: 7db8cfbd3b29f96d752346eeda3c2bb0bd070099
+KEY: 0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad
+NONCE: 409ae02116417dae0cef457b9e5e16dc
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62
+AD: be8dc55b436965aabe477e
+CT: a56c9d8579b78c9ef40c4a230e8bd42750510340fbd0cf55393bd13d93b105fd2cd1d701b6882bacc661e8da81b7c9eed6b5dd4da12353298150819c748f464f5c60b86f92a9e89e483055b8dd3f42605a3065f08189f74021
+TAG: 2704ec8335c00380797ebe4100b3ce3fceb38704eeb5db223e4256f4b2a5353ec0a89676e0542ccbcf3ccf131832f2d4af2fa86de6fb456ccc6add9e453c16e303755dc4e841344efb5251cd266a88f4f0efa3155db9bb475e9e97904a2efaabd8b2e836d54babc9fe4a5a0805d113ad28843994e83694fef3172ef45abfb037b3c78205fe9e6042fe4c2db156b78fcc52b0f43eb3b2ca0f40ddd0077be8880c29c9cf5d3a5b68eac071874a7c96fc531cac7c0245dfd87febabc641b081a7de6693cc85d7851238f239914d96e8281e6c44b1576d0e2a3ea02079762e05923cd53134db1524c28c02474bd539d0ffd8bea24cc743a35267ccfd405a834bbbeb3819a3060ae254
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (26 mod 64).
+# DIGEST: 4abaa8453e8cfdefd918571a961d8351754ad5b4
+KEY: dd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad40
+NONCE: 9ae02116417dae0cef457b9e5e16dcc5
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be
+AD: 8dc55b436965aabe477e0c
+CT: bf13550fa32201ffc699cbf22de17ca268652f8ba2693dde72b626d01855eea7c21f0afae3fa03dc757491e8efb9091a4c100f8dccfd15a9b4dd94e4fe1f5e90cec62768d0a91e132acb1fbec1052878706359cab3445d38b1a7
+TAG: 87370bba8adc7957b9f4b468f584e1483306cbfa87738a2a047d9e5b0af76efafe46dd1028aba3d3677967124f2adfa8d88922bbad39c82f9272e4734a12c9a82201024147b14c50f110371ca57d3cadba332d46efd5a936feea2f74609ee8b39e22d4e49f608229b9963417661e47610547970d017d1afba6c5d653eeb9d6b596ee2560f1879437c81dd7b7ff64737f68e295cb558c3833fb481b582817bad184290f7b731b611aa09c63272a14f4471ec654e460fe7e2061de628bca07cb52682d4d46a3e29abd90faa42e9cda1118c92ba698ea985bfa4dae1e5a5edc2eff590d609b37786d1d577b55b0cc671d237e338cf46269451be059e44a2e6b40664d060919e7bd
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (27 mod 64).
+# DIGEST: 0fb9d7ffcc7c9b84f34661d472ae2d4fa25d3d99
+KEY: 46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409a
+NONCE: e02116417dae0cef457b9e5e16dcc5b6
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
+AD: c55b436965aabe477e0cdd
+CT: 9f9a3ab733e50c1584c4f0c2a2dc0ff71bb3a9b32dbe92da2fcff8fe46a4bf16d4f30ec8efb1319891b7d2586839fffe5012a6dc3d5f0ad21e1572a1ffb48fbb59ee4b8e0234e543786e775dd4c54cb1ed006b4e8f5195610e267f
+TAG: e3e1b44b7aa92166a01da7ba9c7dd6ed9245dfe296ee16fc20addd7a6c15462ca1c0bf1b90a136dba0749837bcf133377d6ff21fd3cb7c1f7fc50df8ada45e671e1bfdd4f711462c9655c8159f2dda37bcc96df425ef3fcba2056973d39378fd2189375bcb96ca84d023f45f880166ba262c3f089e58888b8a67ce85048c5628061e04a7f09d8a6eda422d424482dc4dd4d361fde54b3c659b273ee9a04faa389befbe2816e164d9bcd9fb6ec7aecf51e9288cbeca4d3e0dd776a3c122eb4524196dd7e4b8420a08a3276173c282dc1463ce6e6b17fb419c1bdb47882e6685c877119fb6348bd0f80b867d60fc8ffc4e89768eb33ada5f32a81eca38965b28bac74f5dcaa1
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (28 mod 64).
+# DIGEST: c68fec315401703e49722fe4b39cf28b14e9f50c
+KEY: be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0
+NONCE: 2116417dae0cef457b9e5e16dcc5b6f2
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc5
+AD: 5b436965aabe477e0cdd46
+CT: b4d33c5131701c960eda4c50fc0a918acbe28cd47fbcaa328c6a9eb08e3c36b697928c6981992ab155c30984c6b8e9340cb00decef7086f589ed2d730cfafd5ccfb95373b8c55044fa1c95927d02278a48f986a6b8301426bbdd504e
+TAG: c327263a3dc33abbbb6985406703ecee6ddb0d9b236ff2366c65effb2c936e5961d99de3bab4eb9c5aba4f65a55bf768a369181b191545f4421be3bc5bd2155257374ba8ac8e70823421da77aa1e2001a4e2f4942a40dc586e1c9e3d0e8dba136bcd823eb644d8d152182fb0c88ba540ba3a71ff1b147e4e072298023ae0c8d37cff859108b02d586d5357076e6e649e2a8ad3d4a9de1ffdea88b4dacb2d2c7fe12c8739e0d50d91e3fb57d54e22e6c4ca3c8e47b2b9c7de9220a1588c631dd6ac85d04f58559b796b8adf5559365f8009181a75e1f7f1a3c1097d81065be9b30bdcd0c5572db64f633561e426f1a6023fd7b7e1c4f66919e9ee67c5ac4026cb11aac92e445d90ba020153333c8db152113c5cbe
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (29 mod 64).
+# DIGEST: 15e1aa5285beab679aaedbf51a86b4aebbe3d7df
+KEY: 99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae021
+NONCE: 16417dae0cef457b9e5e16dcc5b6f256
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b
+AD: 436965aabe477e0cdd46be
+CT: fe6540372ad1c40ec1dd644e935c480b9e34aed05a7f21e2e37dd46db52ebc5352cbc3be2aa289cc2e9712aa7d393f4454c9fa3a4acc30db41ada1257693d3469b0a1d5680dc8dbfea8cbb4768161f829a4f853c1c48d08825aa2b44f1
+TAG: 53f79cf7b8f4380a1d1f1def457d4ad78c5819e0654d4052186213880228c482e2a54bbffb71483d32a8eb97ea8e9057a99a52fc3381820bd5c8fa43b846257380c07075592d6a445075a0df4e48f20dac7e2df8967a1cda41bbd4b0411a54b3ab9e79354a59aef5291599176599db82c0f6ee8a05e012067e2961b147a7baa73a818c64b52dbefd767b285fad111972528e3865b78c3c8aed658b1e84ecfd6ba292bca83ef66968e1bbdc05f616ae79d1d7932a0e8d5fdd7f98159b199bf933ada7670bfd4992bc2ec95daac00f10b7cf2bb68755edeb646395efccbfe322c9f381d39ec36d92c914fabb74d4df8dd506d9a8e233c591a503e92943e9437b10268bc9fd1a512b31a3aa62034ebb2dfc2ee3ae
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (30 mod 64).
+# DIGEST: 8cc0b1164fc844e958e055b7ae43f2f95c29e8c3
+KEY: 371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116
+NONCE: 417dae0cef457b9e5e16dcc5b6f25607
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b43
+AD: 6965aabe477e0cdd46be99
+CT: 22e6c691ae1ba796667ceeaba4dcf85582e398e529d938da63c8221a58c2fbe242f6da82eae8c896dd31b45b3e8b72ff3dd7906130954f7b68d4c8729d3ff66ffad72104047209a56f1d6cdd927b57e8f29108140f903d03da3f4d210219
+TAG: 6c22c87e07027df3721970ac8ebb881edad4c00566f7b53dff9189ba9844543d4c5894ff1579a353db455a1597370c9d8f2c16a191d6e0eacf6c0cb3bc30b979ba40244a12dcdbf806e609fee1cb9531813ab90854c5eef9527b0e546193df1d3b2e52c5c01cb67db0f4fae9e1557e89b130fde7ae3f7b493d1b0296ef965538ddb7519ec972ddd1926ca29e3a9ff5c9f55414f07a1c1785908975ed43b16bb7c96b2820fa3c317582dacaec45c71b3ed841a41358c87340f5fbac68dcd4590d9aa4cdae3374d7c332c6ace45644a8805ac792c4ae5bbd09ca06581fcb46e71381031d5ad54b117005c2924a538501c944c416e19480d48e792a741e863043be0cf0cc12c700c3238a77ca4dbd168da1618a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (31 mod 64).
+# DIGEST: b51001b6ff9d27bccf3103a4961280e0a1406257
+KEY: 1eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0211641
+NONCE: 7dae0cef457b9e5e16dcc5b6f25607f0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b4369
+AD: 65aabe477e0cdd46be9937
+CT: 4772e647d03817c0f9deb39ff4f4f27fb0fed33e0630eb453883c707336f0e74ef206e92e31fb2935a466105dbdfd42c180ef63cf5cdd3c281337895e399df6078c22762eba5d84b8845ea00bd88bf5e4f0da518cae42502e8531b14d979bd
+TAG: a6a89cb7f4f54501b3fc90129f28198a9c3ebebcd6fbf6513ae3b136ab79b5cdf4df4563910a498137864bf3a63b6dc731a29e2ce7768a8216ee39bb67f73b16f73fcf6bfb934ef67dbd964d016d876ed884e5c3357a5238dd7ad6f979e81952d9e2c2c6c5bbcb1ef860c67aa977b8b0e0288bb37c94b48ca7f8f5df733e1bc522c9b06292ae4340710d15079b8d4e9e7dc95b653844a7a5f795d71bd7611900698a21335e0736418cc31a6c29409f501e0d88be63b54d6ab8ab5c7f07f7375860f949168f9555ee49f7fcc41900bbe1b769a65ec344e172e0de68d74c94d261fd9785b6516ff425c6669adeb426c2deef874dd6b510791baa8778601c134dc5e05e0b414836303f21bcc7c300958a0200
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (32 mod 64).
+# DIGEST: aceed075f31ab159f6610f43ff0a6ed3a359bee1
+KEY: b8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417d
+NONCE: ae0cef457b9e5e16dcc5b6f25607f00d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965
+AD: aabe477e0cdd46be99371e
+CT: 6dadacb58a7b88e2daba277f66e5757042c142115871c9813d1a72a79e5a71366801a757a5f9982e99c355fe7d742fe3f047b711dbe340bf2ffd00cea6dc6ed7a4a416c17138404854ab8a5420960d60cd1b86424b2668740910a922865e4c13
+TAG: 98e4dbc80aff1a2c04156dec77deab9850b5b951f501d58f265f2c75344f7e6d0aba191b077877ed269e75ec40c84d8644070e68e18583be6e13788ff2c7f9a923f84eec8642ffb6eb40ca773a45c003df69c80de0ba199354f231f9091d1b4078ac218835e2df3e76e77d657099bef5a6a1367e6c39b23a0b7cd345bb8f5a97b9dc86300132e95853fc3635da842ed214fd00bac3b46f002f3c26cfd36c575a56af06e74032cec9451837db3542aa717aebf6e3ab3037dfab7cf0aa0177eba2dc3a56c3e3011d4c940b124b565c4450b08ce2f900d400e01a9b469d327cd9bda24af77f60e8ec6f5da196ad850c38d5cec0fba6bbab584c8b486bbac87a7f559be463e5929985ce710243260fb9258e
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (33 mod 64).
+# DIGEST: 976ca4c9819e25a204a024d05fbe7420f717bc58
+KEY: da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae
+NONCE: 0cef457b9e5e16dcc5b6f25607f00d03
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aa
+AD: be477e0cdd46be99371eb8
+CT: 4307f039e09bbc51fa0477941e321dec14e5f562d3a5ba25d71c3c8afa23f44e1ca619d130890b7476e5227442c27995cd292ed9d0a649773b752b3bc7abf171244624bc55784adc9282f1776789fdbcca048313a1e6c8a23119db185ea4ec1925
+TAG: 87187cd5d301d869cd1b4bb721475f6dd5b64be330781e20a24c1784dcd74cbec221914ad4ae88d4c9a1a9eaae7b13052d2c6ded662507a07594feae4de66b72c7fc1143c4e7100293f842ac0022d8a916a687e436ab7bbb56b2a4fc18677a813b38ab1e1d48a474322d44f581a8d007ffc6f7f4a132212e7bef5d5c9b13889dd2009c6398fa2dba18eecfcc5f41c5ed56be7f451f9b7b7a908f0838d3d8e2696512c6ec159a6dd94a1628be9911a3d827105d8cee209b6ec4cee3a488ef5eae355826d9a474f55bc736605c6c24444330fe5eff18a735736b66ea5d0c5b3278e373b57d86dc7815603993814ecb0dbdbd330c69dc46d7e6fc8555a18cc0ba5b5da89e5075c7ad835fef0fa46ea426
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (34 mod 64).
+# DIGEST: ad8cfe7556704bb1974e94f70d8743d147c5c3b4
+KEY: 7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0c
+NONCE: ef457b9e5e16dcc5b6f25607f00d033f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe
+AD: 477e0cdd46be99371eb8da
+CT: ee9fa11a7d6f965e7d65d8f48810754770b9d237ba0111978b97e24f223817d0c6ce4dbde85c4e0979bea607a36c66f908c25384184fc334d8d985b78c2e9872d82c4cb1aad49d7dc21d6484b80f9192bd724ca57cdced2fdf142283126721c1c2f2
+TAG: ba76fb9c71f51c92d4602572883846812cc94a83e86dd16136d65c3ab932f89b28ecf49ce22335f0c643e3d979401bad3ca97673f062cf69855b23b6a1b14927594d92f689b4204ddb32d95d577ef4379890d804ce26e0e4565dfce891c992a29b9b1fa57f633b0c231e4e9c4939679bd52205988cffc989e34ae744e49a7ada77c6fda5537c5b031208acca0628913fd8a2ecd9f2b5d50254da5f7f00189dfa6d553300d805807141ef0b75557a693f1f90698a8ac912931b7a1a3a889295046219394a0884f823d204d0a3bc4cd4e3fa6adbddab80d123368d2f29ce5e8a992ab9c1c5d2c8cbc99e99647410abb5c73d8e00a0482834f97a576e99311d747088e9e65b8546265f71a237c1f74b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (35 mod 64).
+# DIGEST: 1dfd9608adabb5a55e12949f1c4bfcd5a77cb703
+KEY: ac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef
+NONCE: 457b9e5e16dcc5b6f25607f00d033fb9
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47
+AD: 7e0cdd46be99371eb8da7d
+CT: 1a95f47f7bdb2d91358f683b7bf803254d88b59e2d3c1d873a09794e1c18f1c924d480727599a1a6890bb664335e690e4e52c385b634bed45e08410448ffda3ea2593a02a11a03d994617b9f7ac85317bf09c41b08b416863cd90f0244d22c795a34b0
+TAG: 4537e27f1bd4b1b873ef4b3eb83cfc860c44921195a0250a96e553280b15e9ed379d4eac959a2809ce808e40dda881cf8a08cd50302f7dd5e67659613932ffdc086db4de634000cdda80fc576294c265f49a48c79ece6d42423a4f86c25c0a168d5eca502e87c419ec09134c27e4db1f2255de7e10f0102b44f30c67c8e07aa23aecd3f62ac8a24f9e8f82be61b539e288d22f8e05e914c191877c5ad1a546415df68427f97576adcb8d428ce7ce2c96acc98fe0d6dcb42049206ee1679f037955cbc12be9ae020774bea675b7c17d0033a60927f75e87d9c7ca263a5e0ed38450af657a81434afc9b4f4a14f02f82e33e17e7f61c276cc1e630dd773547b6cd78231de0895e447235cbac4b3a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (36 mod 64).
+# DIGEST: ad2b43eee27e6267d8c5c1c3d558a07dcd6b1f5f
+KEY: 997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef45
+NONCE: 7b9e5e16dcc5b6f25607f00d033fb95f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e
+AD: 0cdd46be99371eb8da7dac
+CT: 67466a0bda0815f726cd09d159e06088b2530b73775a8c18eab2d09ed7bd12b743b0a10345cb3126dc14d8f5c503b65a45467ef9b56ec7c5b24e5548e734d3f0fc90fd9c8019fc782882ea6e72f4df5fc6e8105e79d12fc588c9137c758995666f480dcf
+TAG: 24b828c3e60182873556d7aa85480180d7cc42ba81732058a109b5ecf21f66f1ab580d18f70604ff31dab5a1bbee007d213d2fc7070e3377aed31399291cfad53a334bad7c1c61ddac5015d19cca020dec137fb76472b1a595e0fd5dbdd127b3267521aee32fd12c1f54493d23c27671750776f8937032b9164ed78bee6b8234972634fc7cb32cc0b7f6fdae850110d1979e380b4578b8747de6f3d89bb66d546949ac94e49b0a460c192f98373e2359fdea2cf2a6ad4d09199cc145fc537459d73f48d265a1cdd458f306e3596b2088f233630ee0a37a5c2c21a76bcd47871a7954cd9bf911ab942ff7221623cc7539344e23dba7b0aea370a7d2e2383a4ec9db06a8123016d73b4323d19a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (37 mod 64).
+# DIGEST: 3dcddb1e4f49633e7b7bd36f4056d16c53be7f5e
+KEY: 7deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b
+NONCE: 9e5e16dcc5b6f25607f00d033fb95fb0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0c
+AD: dd46be99371eb8da7dac99
+CT: 34f8a83c831f374e77c5601317b658e47091d811285791eac2fc59fb06658c115dc875c80b1089a62fc7d072534617dc81dc3adffbbba4b9db2e7272eb0b8aea73eb9de6480c43190e239fc300377f186e4659b1f239906614865f10444ee64ae77ccf8e3f
+TAG: 4c975e14b038359ddc06d23ea5a5119eeef3708347d7de47875cc88138b79d5c644507363c0a951623f3c26f8dffd51a2a282641d96ff107fc69684add9e93c56a7d29c8e097dbeac0a56d7afc522b7f5c921cff17c6ae4c7bd456bdbf95c052b18751e1c3ad9a26517c29071361aadf06740e43afb13762b4bc2a80aeb5e042259a36cf03a208b8f6162515fdd3623343b127655de069d5eb8c7b6c00fabec02186cd39bac62768303dbfed24cb20105c7d8b2a6b2c34d5f4472c6f372a841672c1f7b405d70d05c632f7a53997e3e4e0aedbb05813a8712dfcd3c8df4fcd83971cdb81538d2516a3a4a9372dbca6bdee43a2ed77309076fdb367fec85e5db2f01e59d3cc188b67f5edcf
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (38 mod 64).
+# DIGEST: 25b982a242f669c013cab1c18da425330090e3cd
+KEY: eafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e
+NONCE: 5e16dcc5b6f25607f00d033fb95fb09e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd
+AD: 46be99371eb8da7dac997d
+CT: 2ec0aab31fbb036bd2af5ce39025ee2d5591fd525a199f2233384f52a8746f4fb547843c92d1e4c9fa92bc268174d4a59134142f14e8e1e277f1f1844c64f76dcd20f3b73dfec8e9fc59a639616fe4075a4732dcd3e1de806086239d2e09deca0ffc081f2ef2
+TAG: 3049393a7f477630782378966f7ed4d33451da6b00ba751aee542cfe5aba67748a46953b578d0fad0e37b5627b4295a4f44b0c28d16e300888c0c8db965c14c23310279cdc9834d2ff9ec85932b7e341393fa3b6661bb8d3ab0cff6c6b646d927626b8710d3243ad7a971efbe3f6ede39d8b9f77585e4565a8b07917a712d85b846469807e94f3073097a69c30dfc5f92fd88cc36d3a5f670155aa98ebc80112db1fd1db0685261c1e7711d9c82a73dece8629a4025d7837852749fb8ee1489bacfb0bd8fada1389fc31ece84558d5732c9b559db32d8a498aafdc0aad020240e00f3fe22c2932924305fc1b3d648c53b9fcad835189b41a150ccf234988f26eda2655054c395924fe50
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (39 mod 64).
+# DIGEST: 9d7958e23777ff2472f5a24dea5fc19c151dd921
+KEY: fd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e
+NONCE: 16dcc5b6f25607f00d033fb95fb09e4d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46
+AD: be99371eb8da7dac997dea
+CT: 90712d5e3edeed5000c62ce80212d41773a393792a3a8fc62a1cfbff38b3555aadd88f0e36f93c8a12897d7779972b3e42978cdf85da7a3ba2e4b261f0a0cf4e1edaf259849e87133a9c057e5d3e693a2a181eff1f5d6f84e0679c625ad9a0f72c47d607ffa453
+TAG: 90b31128a2f6673d25ec56c9431584416b2e8c62fdadf580db2d5dd2ef8fcff5da4edfc09685b16db527abf1258b82c13761e41e41646479c833c8606b438a53fbc3718bb5e2ab3d9e25ee8862ff2d088aa5b37877ce5bcedf184713b2d5acb8408bf2f50b3041a0e582230a1f4034b6eee294808ca78e605b0461c1fa383b8194a30b3e66ed58c1b30331a97b3b87e12d2239f8f34e632caee944450e99165b9a317029c9f658c7182cfaadbb6f52da0f8c4f3fd73959c58559404ff80ea3af53c4430ebf2e41197ddde0e3d380668b4e72f72022e3b1ead76284506cfb3a20b9bf6e8425eeb89fc5582f4f1c6736e1185452e87133cb1e8ec045d2e40315fcdceb02da252a5cbd3a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (40 mod 64).
+# DIGEST: 09e9eab51bcb9faaa3bc3e473ff66b06e39653fa
+KEY: 64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16
+NONCE: dcc5b6f25607f00d033fb95fb09e4d00
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be
+AD: 99371eb8da7dac997deafd
+CT: ea1b542c224788ae66ded1b3ed9f9e35708252a1cd1d4725b0a187b669c51d282776471be5a07f256faa9ff16fa4248c629a4bcd31a9dfb7f260d9b1cb62dbae424624fd816bd81f781b93ca9dab437b5e0cb64a37874b0117cf7b96adba2cb7d75b834adf572d99
+TAG: 1e6a782f455ebe54ce2dbac88683437494c4433ddef95e45bae93bfbf4b1d5d0d2a459e9db88be408428c47c256f73d42778e42b936dad9ed773a02d0e7298c22b60280cf1b7191eb7c8fa307076f5129720bad5961206dea4ea1a05645827b30ff3bfb6066db13a2f9f1bde975c80ea902e9e51e64086ea4641150c531df51b328de057d850502fdbf50b4a1295d170c0dada86a0209d2026501f111247b75826953366ecfee0e4c3479040cf27370de1711a73d0ccde18e218b9f6f6aa20e0a8cb0fa4aa75ee585e96a0a0968423c86b35c899b5409e577e093c36d18149199b59caf99f19d1163c31a0d3da31b8c5cd372372e2bacdb2b03ed28605e346cf794872e096ae048b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (41 mod 64).
+# DIGEST: 7b17b7cb19107af8fc4671420e461060e2ef3e61
+KEY: b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dc
+NONCE: c5b6f25607f00d033fb95fb09e4d00d6
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99
+AD: 371eb8da7dac997deafd64
+CT: b1025c9eb02f72e5526ef641778aebe786c2f85961997f1eaa090a33caae3a9df34da7088352a2df7a61eaaa026dadbcd604f5baa3a0de4fcbb3812816408d61384984141d9c78f47e725e99cea9d52f73cdd5e2c3961b035589db1d2283476006a1e10a992d499762
+TAG: 3f441554acad8b8f9565a0a69a17d231684a6293aa032e140eb41ea302b45d0e2e36e62ca23e981f98721a97ec02ea946282e23fd4838dd07b9a8cfbc069d913226cf543235541dc1a8881394e9cc0999c63b543e5ab74c35436637578148ff48bca333734d768b15a6e9535a69705248f28961e50facf4e8bc0825b7d2152cb2b85ac2e767b6650376a677f4c7e76521c790d59d9588e54deb9cda034551544ba80cf9d11a9f589b7e8980e6ab95ab77848e2bba36ed85afd9774f32bc9ab9173db20fb97a53d23091add97f16d8ced6bac6399aa089718d8bcc94c13b6e0d08e805b7fa252e787958d4780d24d812e0ea0df1652c04ac325355be7b21aaa97c2749f274a31c6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (42 mod 64).
+# DIGEST: 48586ad2eac603c136911b28e2c69f101a8ef371
+KEY: fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5
+NONCE: b6f25607f00d033fb95fb09e4d00d617
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be9937
+AD: 1eb8da7dac997deafd64b1
+CT: 10623f3b3c8888a31cbf51eae0989eb3caad5f5b786c13b41c04e0b6cb2641f850df4ebea610a4d521557c8f987ded40e9702503fc4ae62d1830a0f04d168888062f5b147e858a134a4022bf2790d81a89133aee08a34a704f152cc3cc763c21207d2231109e0b71a801
+TAG: dab4bcc473354bdea1e31b926a19fb97ce2c8b47e76082bcc93a1db2707b67e4f72b18cfb728232ca334bfe9a4a55c347777a25b1a13ada600adfdc4fd57275414b3bfdc9613f300b4b29fefa8820b5c8989bc79db1bcafb69b0d89f7624a510d3a1597f953564a29367aefdaf36d238b957460f50b71adb5f85e9275aa511b7118d2310f5e3cc2bf0c21b0be6e6adcbbb24064a760b74679de7fc146a00014f36d39f59df902925710de6397bf32f5d108902159755feea57fb58a7bcce680babfb90e05a8d15c1b42a3b7d779af99e3cab04eb59e5ef45128195ca17bdc25dcaefee874e919bc8edbc8e28e3997aa396768ccfcd25e59dfe27e46de35dd101c38f7e48bd8d
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (43 mod 64).
+# DIGEST: c37456cfc543ba6e5848b9b8f4ac5a58a104b521
+KEY: 65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6
+NONCE: f25607f00d033fb95fb09e4d00d6172e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+AD: b8da7dac997deafd64b1fc
+CT: 60d4a0ba2caff08ac046349b511017a7c5f5537eff0bda94bf838d50c14d59426424e4a8f531103773aa0eb9d242a9e6f2ba5002ef04aef8144c8a88f05788fa5fa1ab1cb5cad84da0d31b280ff8a55c2e8f32f39549736bb055169ad5ae93c02561006a3f13e65094f7d4
+TAG: 140431d7b2bcf5139b7c9436fdfb3b44834ca810fb478eb0aaf7b0e2c68ce434f05c1f825b245d9fb4af48056925a50315b9f1b7d340e5f797dde4f460ad3c526853049976c0f680b691b28fb79d61cc9f7d8a4b28ddab1f610ac6cc44b91d64275ff1d26aa2b5ef314b1f280181cf72cd8b8fbc939a8751538d85f7fe03617a9cabd79dea5e64832d0b4aeb4893ac35c0d9f1475d928e3ed40292687926ccf5f9f76f78e00f217c013a12e38686423dcee930366e79950955c07399183d775c7030a50addaa42c7aabe5d8ebb95611f3c2f68be067e179e3de60d45b828d54bd6be07948508ff8a9b68abd944da07a484a8b9bfd4be1a22ff006e578b0c43c2bb1359d012
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (44 mod 64).
+# DIGEST: fc113d192686652653a15887974eb1f9b8e32248
+KEY: de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f2
+NONCE: 5607f00d033fb95fb09e4d00d6172e78
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8
+AD: da7dac997deafd64b1fc65
+CT: e59fdb3d1413cd6a1098b5daf1662c698076996e2581e11a286e5acd6f29d41ff9d04da8308ce7f5defc52be0b4d1ee96d8e5f4eddbdd5fa9894e7d1b0a1bed483b7e7549e1c10cf5b8ebd1e7f1177972ff061cdecdad8d97bb0308b19bbc2c84d32a41f4c2b7e58721349e9
+TAG: 6cfe1e101e9b8fd2b209a30c0c1127e1bc8a51b8826c64258b573711f4af7c7e4ede036de4a94d70e17695481424907475180c7899a982d7eb94536a30a57be43d5c6b5e9c34972e61b9356a9338af6e8dbf27c920edc9bd02ed5535018d3b3e3df45664f4c0bc01f1876f36338e85b4a127181b42f7cdfa7a4da5a6c249f1bcee2959e25d0fe17717b0181c026ca814cf21d6af3b548435df052ffa0a0e8f74b8c3f7bb37a6b5bcd2b3f2c0e4b24daad586f7b59996072f82c123aa0ae66d3f6bd9980e8ea0312ab9fe0052e1fb3911e35d880f1df50612799033c384f4899f69714efe5df2727528f7b3af6d69e525a04375391643febed777fe3fa3807a73aae666c137dff28eb3b2ccc1d07bc665094d33c4
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (45 mod 64).
+# DIGEST: bb6e5b5be84ee383caac0378cb6f541726ecf61f
+KEY: 39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f256
+NONCE: 07f00d033fb95fb09e4d00d6172e780a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da
+AD: 7dac997deafd64b1fc65de
+CT: 9764272fe16e12bb42a8f2a6620e44d4f202c21d51692e2948e2f4e4a18acf58a12d399310f15e78bac1f5f2a48416e5f4262ab9a8480d9f1429e5e9d15d81df0719f8db8d7ac08da696048e8a048255071ba8926be1dfbbcf53e7430862f64c891edaf772a830fd525aa8796c
+TAG: 2cdb47ae25d087c752c007dc8b83cc050b53376aa92e9bc2c46d05ac7137dce0f70ac601b76fe40efd84be464015b5397031ec3e394f880713ad10727d270730e469ca30ea5897a84fd204bb14a920c4c1bba0d27fb154cd1f8277fa6aab1f4c743b52b51d09657b80398aac269f57196fdfb219d745f53a72ca08cfaebd736e7d016806d68e5deba428b484d958335bf03c0ab713b9a54b9a5bb4f3b82b76c45d04b5b6141aeb7271d0a71ebf90ba74b27dff1ece371f6353b8ce8615475a1b82c3276569b99de52b7ae5f27cb1cf9ceca291c1922382ad5260ebbb32cf995772eab6d6213d2e4c438909f691a81825c2adad290839c08566e5cfb3c13de4ebb016529de5549a9ac57d2e76086db82a3ad881
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (46 mod 64).
+# DIGEST: a27799fc2e00e7abec4c5939451a834c4606cf7a
+KEY: f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607
+NONCE: f00d033fb95fb09e4d00d6172e780ab8
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7d
+AD: ac997deafd64b1fc65de39
+CT: 9b6a8359acfc5d15067e2e6d812727d768f44b3edf4272f57fb54db41d95153fb03d7a7b3371e91c4be80326f4d70a8f2ac1e867ad3772901c513895e694214d6c0fa1f431aeb016ccc93faacb4950082f0cf00d3a5879c9a4f3fdb281e911b40d6d0a84b05f4ce32f85b1657d75
+TAG: a3c72b69369cbf0d435790c97438a38109f36b147943b0629b1c2e4926e831d27155f5617f1f884af2799774b69bf0e092d29158fa51495e132b206cf51156c2116b23848ea51d684808d5a291b68f57250626d2190a7c0779512bca6ed44e619d0f7f8bc28e1c9b729514e12e7cc08e8e8d72bd1ae30229e56fa7e3246dab29e75bfc866a2b83c48036ea0296dfad04357ed990aecf6b28a0a3fe7eaed48f5fa59202f109ad0cfe6aa5cbedfcd62eeeb15df7be0645e161ee6f7f9dd811c98158de6534739268757a1813e1aa6c331586867acc75ae410c371a81cab835fcd928519d9468ed61fb5d7c191807e613d40fe174c8b33a400baea2e96d9d7f1734dd11092481e71d0b0c0c86419d5c50cf6e18
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (47 mod 64).
+# DIGEST: f30eaff92a640a397f98e6803623e8d1f0c1fea6
+KEY: f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f0
+NONCE: 0d033fb95fb09e4d00d6172e780ab8b7
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac
+AD: 997deafd64b1fc65de39f4
+CT: 5818d2a656fce95d7a24bcb216f4d6b91d45d58d6ca2df5c9d6412d917951a9f61ff07fcb6b078fad69862aace436194f86f309373452e813c461fdb36a95f575fdf0f784ffa0914f0c0ee0c57ed1e604ca7a7a4b3d20c272b3b7f2e65b18c1abdf8c88e1e7e7dbbe9569eddfb226a
+TAG: f6bfe8a461cc83a7bc7c5a39b6c521ed3e0ff050a6b01999b2710e0997e1a36a72c11363307aab1e4d921e9364ce826419d15b3a14e251e82bca615281c19bd243a294365492b11567341f13f14764e2b30ebc8ac4d313047694a884598daae76a45797f583a8279529e9352c8c13a06510ece3057c0936de84e6c292e3266424eb9aa4b7e5891fe7180f0a31580a700a4e24d7f1e53e1b69bf36a7c0db63473566920565cb9a22a47aad6afc8910a6b6019a67a092ae814c0260f2fada1a6dc44c5447217b6831457f66d7a2ecdc9187986edbdc1c68e573da33daee7fa2ef3adf4b6179b9a02d31c36e4505d5829ef30058ce5d09ae42fadfe4f66e894c36d7db467ec5ef508e26cf0724b261235579c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (48 mod 64).
+# DIGEST: 7227537c0113a9f46f7d332a0b37ee5303483d00
+KEY: 3541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d
+NONCE: 033fb95fb09e4d00d6172e780ab8b700
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac99
+AD: 7deafd64b1fc65de39f4f0
+CT: ad0dff8adc54b5f02f428915bfa9f7277e4743e72e1789dcf552b91cda03bf52c757a9cca0655550c944fd264d287bc97d15dab3b986ed34637f45ffc1eb71b764cf5d5c1444033975829f1e59cb65ce40d787adc630e1f3155b2dc32733a75452efc755b6acd2160fddb9a26e0c4587
+TAG: bb5273d6920ea95b43efeffc99da0dd48a556e357726fe34dad94f0257276f3ac759c16d9b34dd86f09a37bf48227d67765efb83d001eb8dd87636ec32860226db118427a7c7367d53cf085ff86d05a8f35f893a044e99ae5ef14fe490eb03aaf0b97581184956211bd19ad09c9aa9a064e305abff0c654006b8db861c7956ad6cbf46aeac4e5f5d54539a9dede2ac61d8f133c1a9fd2b8e23ef5d2d3068b42baff87faccfd8499cafa30bce2f30e2c1fb203acf1378d0c776f9476ca83e4973ffdd66f2fa86105ed83701fdce6ad64a824d2317f51443c9dd3c520327c7f3bd99413d832bb1b6b70655d31c90b7bb23a1957a146f6e0dd1a272a04e833e0b1c84ba2b09b0c1963ac17350292646566f
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (49 mod 64).
+# DIGEST: d76570385cb65d30c3d636ff25c5efeb8d1ea08e
+KEY: 41a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d03
+NONCE: 3fb95fb09e4d00d6172e780ab8b70043
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997d
+AD: eafd64b1fc65de39f4f035
+CT: 8a1448acbd769e42bfdf00ddd801153db3202daf5ba7997890f5f42a183d3a66faf66d899c7099fa99bbcf5b62b6adcb6ee87fafdd0275a8f625f3f959b0ea9acca88070aa9c61141787435cd60f63e262a80b6aaf931ba554ade7e0fb46b03a318347f1ca84e9fa1786d721b6c222b1b3
+TAG: 7bb49e9f481b45b543195956ddfe975cb63203f4b68b50a05c855d128d311c339676c1b6b38ae280d0731f613f9ae4cfd1945e302451f26eeb379a1b610773750e3e841d50e16da759a603897de6e84aa6733252cb0b6f6539e1a5258751ee7c0a45aa9296c32322d6a465a42e4017f44814fc58402cf561deaffa43d61396d53077cf089cfcd42b182694d286a97f99b65e5c43ecf69898c036381c6dd9657f2cc08144b28e9ad9a00ff10fb0ad3b26e92d8d65cd6879b11ae50f592407188e46a3342308ff9316c898b09648f71513e09367aa2ad5d93f87e4b2430ccc8fba9825c0407135fbf65a0db46d491059f71a989629dbfb1adb10e98d02935fa846628e8b0f8dd01991761945c5e84f9b
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (50 mod 64).
+# DIGEST: 170369666d1f2337b29b5f14af68d47910388e7b
+KEY: a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033f
+NONCE: b95fb09e4d00d6172e780ab8b700433a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997dea
+AD: fd64b1fc65de39f4f03541
+CT: 0fca069ff1b260179dd5ff1124e557e97a4cc41e069d124cded05275d37913efa220e1ed4768bd04d8e65797040856b686cfcd5b772278bcf5fa64cd8183ba8b7724359804d609b31fc31514a4ed43d84de929d99e63f12306bb497e8ee77648be578ee74f1cb2a09ab32b3ecb913c7b36ae
+TAG: 19b492f83b9458b356020d7c6343b6967f1ab0328801042379e7d8e98dc3f3cf646a96d7842c83bbd210dd8dbc38cfe5fda9d879285aeabe19dec677fcd389651cd284ac650287f13a461ec23f7dc1cb5511dc529e99a078c2c80ebaf0fdc6704bdc35a2c89c728a061095448e6dbee102f4793932a580a826382a244a9f11c665015675322d514be8b1453ed6be846613312a1bf9e4f2c126d2b15dd8e6ae759f5151528361d10d657543767b05e8c1b79df65aac381738e2f43f95cdc77383f22e36e3b26d0c65f695c75f7ab422864e63c230df313fd8e41b265b5a704b7e5f7c96306bffc1a95cd09584519e2726edf93a9d2871b9fddfd7983c81812653152c3775df228a542f06f359bf26
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (51 mod 64).
+# DIGEST: 7c52593d1d37b0dc380297231c6cb7b64e04c493
+KEY: 1be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb9
+NONCE: 5fb09e4d00d6172e780ab8b700433a95
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd
+AD: 64b1fc65de39f4f03541a1
+CT: 8cacbae377d038fe27b37fdb253f3b136aa38660743dc6b4778ab16940a9710c8f08970164316e26c3b603140f2f43f62a88d021426b841baec29fb11a3d8735d0b8c14d133a825e1044be5523932ebd65b34433c083c2d77af313a240b1eeb52391728dcd04852fdcbf9b6f89502dddc317c4
+TAG: 85c893ad99aff613e6f95cf9c6e9045cc22fc8fe421716bb135269202ac57803e67682d09f88ae5970fb4f52e97a28efcdfe0a359df79a0576179a04830becb0551d93d862842c4b5f33c23fc0988f96d6deb37288f96507e432190853aca788d55114946833b6c7c7c10c34a5d5852d6fdb287b9dd97fa6b7991efef4ce66b0dd9f0ed6d112713c314aee9c172675d86c8f52097362f3ed4356ef4309da510a6708f32f24549dd80c9ef72018d7fd90134fa2d1ac1b9858ceb9b382b263cd3dbf697aa40f875eb502d4f128845bdaa9a8b4fd07a31b687bf4a1a1bb4843e205a9ab2b33a3ace650f96935b5f6de6d7577deb9ab68c4295cee108b2f4aed1f2d2fd167085d2173e2e854559222
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (52 mod 64).
+# DIGEST: 09a1659100052d13bebb4defd7f54f975a58ae2b
+KEY: e112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95f
+NONCE: b09e4d00d6172e780ab8b700433a957a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64
+AD: b1fc65de39f4f03541a11b
+CT: 06b44584c9ddd267bf03aa311730fd0c4d3461678d94b4a794eb3e90b9cf3113ecf0ce0da8789d59bec50a1fd1e08ceea4cf9e00b2e0423706c126af7a3031df6cd82a7bcef877b413662e731b5a74ebf68f781eeeb79cf760cebda2c5070dfb992007716993b0213e822829e23f448a7a5ed880
+TAG: fd65c8c7f6b7795ab5792332f6329c1d606b305f3de89d9e154ff7232947d8581b6666faa823b9ff8bbab2cea14c2526b0fceb5ebaabb79ab4cea0bce96e9d1a3f556d7d2d83b4ce2c1ebdaeceedac3fae6fb8f9869f7c136d47a1ac93c7b5b5ef01f8e56602d808a39b40f069403eab03498959b53b8ac0bfb72f0c5b5063c063183b43d60a616325439b0491e2f3be59f9948c939f533c3fc0923028babbaaee977cbb05fc44f8cf8ea37016141d464716a875ce4ad096e247ee9081a1ae3448183f5412d84a6223daf432dedd679bc3f167ca5dade21fb2cd9057189049e730df47b409a07a8b2c727e2ce04da8e3f02ebc6c2bd528b7726ab803c5fc5dd602496f78b28474ac87911bd4
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (53 mod 64).
+# DIGEST: 230c3353ccbd95e4f0acbbb0073053a0186f833d
+KEY: 12a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb0
+NONCE: 9e4d00d6172e780ab8b700433a957a74
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1
+AD: fc65de39f4f03541a11be1
+CT: 85da88e13f3ca14fc4440ffca7bc837818daf1dc52a4c505583edd070c7cbcdb4642d8ee1ca687037b08e1737a2f49039621823222f9f02deef2c340289af5184a86af8429747ef2f7d98d6aec2af060fc8e6895c2182bd1c479fc6a2e7ecc0390995bafad5b3356e2a795131b0aa7d4ded344e50b
+TAG: f1a1b3f3fcb4cb89587bea4284449bcdb16785c277835bff9083a65ae77ff7543492a1d2710a79b720060ee37954c9719f8dc0f6fb4a75a27bc2a761017ebdc0c81f9e8ea5809a816ee67e731871c476f1ccd6b690b054984a4e74c060fbcdf5dbae743ebe2f72fd865dc1eb96e4e62fca3561a245be1749ace472b312cb1b28a0b2c2d38d089eab44f51ceb88af097627638a3556005952e28212d5c9bbe85c86f89879e55358ed06f28402f40285b97a8046b5479202f28218c71f98a4020ca5d53e16e91ff8387b16cfe6bc4e81c96c44e7691c10ebb0d37686e608773cbda993b816ee3b15c4ccca2a22468b186f8d29d853b945bd27ca0fe3e9ec55bdb9bb4e5477e6f89914e3084c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (54 mod 64).
+# DIGEST: 701e141608e71005d32dd1e29cd068aea736c9dd
+KEY: a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e
+NONCE: 4d00d6172e780ab8b700433a957a741c
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc
+AD: 65de39f4f03541a11be112
+CT: 10ee64784345c076e3f9aaeacc87cd51d6ee0b0facc9f40b4e6a1b4bec669ac3c5252c948b0c0a4d8e798248e6b10ee247e51c81793c2be91aa8c9666e0d8774439ea159e4745014bdd2e9f379ba461a7e638cab9ba2aba1498397044edd3f271e2b4dbb5990c383167c9191ceeaa8239aa6391c4b27
+TAG: ac2d199535c4d2eba150702b88740058f1e834f89031c3851571dd9122291dc3e35b764eddc5856850c8c59b3caa211feb1ac256b749127bbf4ef56ffab65e3d9eaf438b778e5342a67ee4d876fd3e53aa29a532fab39d0c57e24593374e2adfb22cdf0def5d9cbc8701c9d6a2cf23d835cf75236069ab2874b7264e0e0ea9dd785b463ed8a6cc3cefc3a4c076e5f0d047c7d60be677b7716bd123bbf3daddc0cd5eed4d5c4f0f6d1c19c66e0b5bee5d58d295c2fbe6a164d464b173cda057094b983b2ff974783084a6cc4ebd9644f3b4426a3c157352b70ee37a2f1ddcb85936b0c38be4eadb33bb9cda7108c192597421bce5e36cc2bce7b65868f28adde738fd3bfbeb15608b4dca
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (55 mod 64).
+# DIGEST: 9aaf96b472ea76fd9ff4adf56dab5fe0400d18d6
+KEY: 2933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d
+NONCE: 00d6172e780ab8b700433a957a741c9e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65
+AD: de39f4f03541a11be112a7
+CT: b90220b919dd02b216aa2eb7863372a645b09df88645dcaf138fb73d8896e39aac5a1c2f0535385e15cb850a6febd5d6ea9f3fb573944cdd5b30cb80aff6b73a173ffd7c85673248fab94e3b9544930cff59f52515dcc8ba39b6f51dfd0487bcc9d28773e91c718afe8399d652acb97552b1909335dad8
+TAG: 4db032df3ebf850528a308017477a21da23178403432b4714c1da01a253a635cd2caa77467597e9b8c589ef3e9c6f5b991329b97bcd1bf1332e03638fe1b157763bc41e4f6e78c05a5ec5f83306e3b5e8bd96c9a04aa83291ca90355a3b96a8688cb93ed9bba3b8688834538d1e8bb95a0cf431eb7b849d87199657a402a0e1e5ef79da8c1895cd454c440c57cd424977f6bf9e2fa133d916c8772e447e066ec2cbe3d0de2a7e19f06c74ad5794e5eaf9119fdb70665c07ab81e7d72371d23a4c96290d2da60bc7819af4d60ff4ba832daf3369c6198c45f0ca4c974dd9b4a81c0249706a25b23fcc0fa13271d0f00c6672a06898b2b833ba3b8cbd519e53939f0da6c09f288bff969
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (56 mod 64).
+# DIGEST: ac6871d354eac507556770d8b6bf10b5240273ed
+KEY: 33c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00
+NONCE: d6172e780ab8b700433a957a741c9eb8
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de
+AD: 39f4f03541a11be112a729
+CT: 9807d89925c67a45c8ba18cfdb817f5bbc21e58c10f7dc8c15b70acd97e8b97e0393d5948d51a65f6f092590b38c845164e6d2b49288bd0f73c4f4b551b362470638f51422dcfdaaff5e8aaf80ff715f3f597fb9385ca18355b8e98d1de17a303d019f7d4b9a3acd07d257c049fc16134c53e1350cfb8c28
+TAG: 7cd3491b8e157876b8091d2742f673196a25077410036ed62855b5440eabb10a01362a8e7c06658ab767be26c43a6eea3e354ec867de2b7b6ce96a4a951696051fe1a76a694d330eb56c1752bb2f866dbf6c1e85b3361316631c7a4a277023fe1d793ec4e4416c8db3b7e8a157e33438eba857e2b54db84e06006f83d93284714dc76cdf33da3d5adee64de2ee9feb689b9d64ecb857588c60c6e8b2eaa3999dd2f1cc2a6727cc5a50fc3902124055705eb726f0e57830732c85bd598519ace6cc86105cd36cdc7ad7f6868babe314b69d33021cf9931720aaf765d5f61e41155c7572ba298d52f3d61b28e3b5080c124821e1a97d1ec78eb5decd34a69d054fecb1209d86ee7779
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (57 mod 64).
+# DIGEST: 050258d6ad6bec54f8bc48c7ba2d669d6416c11e
+KEY: c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6
+NONCE: 172e780ab8b700433a957a741c9eb80f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39
+AD: f4f03541a11be112a72933
+CT: 8d69a3691570f0d175aad5fb77a0e9abd3f882b10355a08f0160c113096acfecdbc4ac32f037d16c2c4dda4bd3325c8690bade6bf39b14435cc11ff575a3d7e9f7b09b5b40f9645d9a5dfb44f42304d82298cdd866e957d4ab64374ffb86879a9339ea892986ac706bd2310927aa2bf27dce3bd6012591cfce
+TAG: d754d4d2dcae21dc4a69c8e56ba3925f9f3ccc53278cc621a0ec4d4ea7b099a289eff5599f8bb1555aa9fddae50f04b5567ca7ae4498e1716f4243932934e2cec1434d4780184f0af1d0d194cf848671e5b0d6982a07b5679826f124c8f69f26cfa37a0105cdf15585697c75504bf8c9c04d583db189cf2dc2dd345aa926d440997a8d76f6ed12a19f2d95a2727fc4c0f8786ac3c50896a6cad6d948712e4d72a44cfb2fc9dc753dbed91f4fe412db6fa5e6b548eb1abed87e3b4e5d808ab4ce11f265efbd4af8e0516bc412fb9ecc3d69ee68bff6b12f3987a585670439ced09a038c526bf226299b0628f6db003a21eb5d943ef84e90f133dbb4c8468f555721c76da689e8d6
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (58 mod 64).
+# DIGEST: 70060f86c76e53512933c09deb5872eb23efad67
+KEY: b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d617
+NONCE: 2e780ab8b700433a957a741c9eb80f2b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4
+AD: f03541a11be112a72933c7
+CT: 26d675c591f287b26eb35f87231624e454c4aca1f25491b74a252e971c48ca523b353b4f6c0106c1b3b40182eddbaf7ba47263790c3b22d23b09458d48868bb18b2fb01bdfa965f7c1b211fe02f9b78959b71e872ee05ff3baf548a85797270fd43c9db1f9f97d3b60c62c06bccca0ece2b7249f3c0dc6b04aa7
+TAG: 864b50299da796a664edb8e1d0bd0120ad31405c47919c288884dfba933326b03eb399c634fa77d611e613e958369aa3d9a563f421cce3ea87d5bf2e179c20e5218378cca347fc18b87248a66810ea08806f571f1e86bfde99d089b06c3156cb6f2427503cf03e39bf3a60b1d9542a3789b657956ad925754ca4a369b05d269d481d4cacd35ede8684623ec9fde9ee860ab12975bb1386470e1221d2b2d1091c7a41754b8440740b4878fb19c65ffeb2a120d84661179e07672953243a09085f0d21265a5476c8574bc49e30ba364fd9d7f2035ba1222ef9c6bab7d1e68211c1a9425a13473f692b700c242fb56fe77fded75312bfdbb7fd44a88ab37d85d640e883ed1936ef
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (59 mod 64).
+# DIGEST: 58286fe273bf572a76a2725933dd969777c303c1
+KEY: 4ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e
+NONCE: 780ab8b700433a957a741c9eb80f2b02
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+AD: 3541a11be112a72933c7b5
+CT: 9c61bfbbd3e8395be166b30a56b3e192748ba3bbbdc334dc3720206ac10c90dd777aa4957695bddaea0b7e554951c94f2f74a2bb7547ac20a7e357fe249614204401144fef61394c140553d5566c18ded15e0fa50fd5836cb725d277fa46210eb588a96d7baec9e2c947fee1b85cbe6556cf23655132ea72dfe4a2
+TAG: e66769c0cd9a2448afe99faea0b64137f4a902158d6b11a58f4bff98df8545e0ea23a7f7127b6dd76e3a3ed43490b44bbcd6a7321e5edb819e6b2e163318ead19f5a306c7b0b137f3b9aca44c4ea070ffa5712102b3f1dcec5c660b494e8f3d809b3722fee1e7dd29cf771613b68e45733a9e66ebda992930d32829d31e61f2217e41620ea4e621840f0fa7f7b8762e0ca509f0eeeded7fd55727462b045e4adff507f3dc4389d9397f0429bd17c2408ed60e0d94efad4936fb55c359052a6a88c056e7ec1e4085f4a48b125bf9340e57be98b5cfddc3f9d07cd036b0b78aa205fdbdc8e9c511ce32b6e4c9dcfe5722fa13f9d8b59821c61ca6f8ef75eb367f4a37453642c
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (60 mod 64).
+# DIGEST: ae701e5c8672dfaf728bf0f43f5e5247ea9ac13a
+KEY: d4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e78
+NONCE: 0ab8b700433a957a741c9eb80f2b021b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f035
+AD: 41a11be112a72933c7b54e
+CT: 174bb28ef8ee033bf0f39cf6a5d3c2157ec773078860232827fdb1c875e9622e198a00a50fcc03b2cbf1e4a747efcdecda8b612ec3ebac650a7401b4b204185e4b42306d544e3f6512b87bf36b5f55ec0bb4da01c36aad92a16865cb852e1a5d1a86d3d57e6336d4376e8988f00162de8b238cfe36916d5545fa9460
+TAG: 726c9d0511e81f69edf9bbd0397f4c3c49365418afadcca36de0aef99afbacad6dcf042fa62d405c9672e5409a7d28baefb467b7c153a3ed97bfd2b8be9b96e42b33703951bcbf04dec12d9bee63f5f30d2e57ecdcb3818479a163bd2a1caff3a327a911bcbb50bf213b77cdff340c858472223a71d4f15e029fbb800b81ff375d84d4c30ceda7a2c42267e1cf43dfd565c8a4a842556d577633857204af99ca35ca3c28bb02a7dd9ab224ae58938461af1e2bf64492fa2a18b4224ac3ef671c7abd9b6e266a0469cf3b0283b3ad6934240994f1b2d43b35d77e0055e0377c43922527d93426be34191dfd4b0a4296a078d128ea416be209b15c557f5da675c705ef8d1a30ebe78535434d2ff8bd29346abb9bfa
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (61 mod 64).
+# DIGEST: 4f498d0aa9205160827626ef80c163275eca1f78
+KEY: fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780a
+NONCE: b8b700433a957a741c9eb80f2b021b14
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541
+AD: a11be112a72933c7b54ed4
+CT: 9b01cfa97c72b5ae8befd0d357283a52f6b8c5d9292d28f61373334280f815d6b69f878936738cebaf6fc84d20baf51868eb4d2ae08d64e724beea1887a76316acc955a00b5d1230fb120bf7d51f74fdc5f332521c59406bbd3161987c6ec49ad946a6a51755796de19830631daf69c78a847d2e515d409a7b77ffe75e
+TAG: e785184106419b8c7f38061f49cfe3a265e9d4557b9b2d91ecb8f21ef3f52e387643b8ac35aae45594e70e4ad4457b852834718a1456136c5690aa164a152b0cacf020e33bfb33e2f1b79dd23d2fba5adcf22d4288308bc1d055be378eb77b67dad654658906aa3cebca8eadce6127ffe972803bed110a5e301bca0f2c06dfcb7af44275628831bff33807048996115d496f4f13b479f4fc1e8f2ff0991ad73293e789cd909fc0471a484ca11be8383fbb4d9590570c275354cc89a872306f4d285561dbc068c98d2989dc4453b97cea004a73fe238924c321d3a77063c1f20890324ae59860bdd3f7a70a7c21f1c51a790f37305719527a20b879e56b65d38799b899cd9fdd7edafbf456618452eb4fa37cfb
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (62 mod 64).
+# DIGEST: 8c043825b2a3764e8a0cc35a011696fb3ed03c2b
+KEY: d0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8
+NONCE: b700433a957a741c9eb80f2b021b1444
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a1
+AD: 1be112a72933c7b54ed4fa
+CT: 0b0133ac614de667eafb516e1fb33b016a8b49e558f335eed239d50ddd13a4152f1570269615a243502fe1c6db0667a2de7975120ef65186f5af83821598ff45494e943acae24a6095ad46a498971f7b185d7784d451b1260ea478c03babf0e582a8a777cec20905821267eb85aec1a20c0e3b94d78d425a12f2efc4d60c
+TAG: 1d832d65c91d458bf343260419ad0ab95c1ffc09b137d1ad1805cdd648c8ecdaeeaa0ea27075d4e6753538d831577642c92317aeb5525724023beb923c2626bd9536757ab73d1739ed0a850afbaa5914fe94ed606e245274d4d3071201a3d73ea1fbbfb4032e8404c12dd02e0b6cdc38324f4684049e2707f249c9dce0e6df9386b787154ecc3974d041cd6bc5e6d031851247703347bf8324f077ce63ce0393fcbafb4396bbfc9260628f4f82244b77b8ea0ff14e26c2058e0d8b662fcb9d9ef747cacc42ece4777114cd2062e20b8c6d198fd5628b198511274f54964c40f1052d41f68b5d90256e894da5e5ff3dee493f5eb2a7d2a9a88e32b774afe2e0e643d606185c34796b40716a46fb8ba911552a
+TAG_LEN: 20
+NO_SEAL: 01
+
+# Test with maximal padding (63 mod 64).
+# DIGEST: f3a432271c9be858725fd024071c4f479ca9a971
+KEY: be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b7
+NONCE: 00433a957a741c9eb80f2b021b144476
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+AD: e112a72933c7b54ed4fad0
+CT: 8d5b92c78a48ca6049da6a036735ca23b99f9c3cfb97122312e5bf0279d094cfca0b976e24f6b65d81f85eff669da35486809cbfdfd1fd615a5347947156148e6b71a11f7bec611e7c29e19f6f62f94bd7f8b89e54b6945dcc1a7e380e51456a31f1d511bb92443deab5987c3bba266329b3f27e24d155ce685f67c34dd18f
+TAG: 295c8072940df20a1ce3a27f32622fd6cdec5f5aaebee91e6654ce96f013cefc348f1425a6fbd6f42cb4e1e866c0fa602afdb503eda59801d8a791fa7de63d22c080369c6a3389034ff92ffd347ebfccb0dc9cc972f6654eb102f5b12baf864b3514f22d55f28df8d51955a1d338b4e5ee9145a4a85ec87655ce41255a6e91435a1d9e4af613d35bc6b4554c2594baca964d2a58c75deccd36d3efb50986f844ca6cf79dae24edbe75ca6008457ec23e69db9e19c6c039feceda6e1672bdcccf0a8c864e957b7efb1b468b4976a97600e3d03ba9341876e6439117d2ec364d479e0743ea9ddfce7effc0a64b73fa55fb1f57c18ea97dbd03b6391963734dfc459d4efe2e0f609bd51ee0a09faa81065ec8
 TAG_LEN: 20
 NO_SEAL: 01
 

crypto/cipher_extra/test/aes_256_cbc_sha256_tls_tests.txt

@@ -42,14 +42,707 @@ TAG_LEN: 32
 NO_SEAL: 01
 FAILS: 01
 
-# Test with maximal padding.
-# DIGEST: 3519ab2b2943d2a50996628f6c26bea29f84c95af4c128cc3af012bb358ee9f7
-KEY: 481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
-NONCE: b8da7dac997deafd64b1fc65de39f4f0
-IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8
-AD: afa22993a340b9b3c589c7
-CT: c90e0c2567341ea7e9d968dbde46ecb46ad78dc8be7d47672068de66d6e7eae1
-TAG: bc33ca235ae35aad13e540cc9f0714dab00678652cc476d57c543967c39dddc9eb9045fddd9fab64fd564959daf731fd95181a79f4e1d5e98ad446d8a625b68a1185d14f4d17a90a23e9f63e3470c37a367efe6765da9174fcdef198cc90d4acfe1ea34b2a38776fba7dfaca92b99ec5be216e7c196f1a615c787f8a11dac7259b3b6982d1415fe53c5e37c428099f6aef8a13b20d77e482c0900528b10b0a008e5ecd673762de36b1ad38fc33fc5ec70cfb963c62a8f3d8e471e2cc863fc65ce54dccdd3d95fa449378784f4e39a24c3cdfbe74fd352b74fccfde6dc777fafd3dca970e63f5b07e8c53d7ea0f77c26f80c9a62b7d1ab8a5f2b6707ea4efbefd2bd04e535587a7e13ae0005e1e3401935f424c2eb7e27e4137135997e26957d6
+# Test with maximal padding (0 mod 64).
+# DIGEST: 6d9cc64eaa0b3c7482d8431bff6d24c9bec634ef6459d873af4ff97756c9fe46
+KEY: 37446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be
+NONCE: 905d41203f5dce998f8fb2eaad409ae0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba
+AD: 2fd6773e0d0c302a5f47e0
+CT: 7195b9643e0f7a4293c865db36442d4fe2cf3ea2c648dc88cd5636fe5e6bcea3d1197966e800da8c78bcb8830f3fa97671aebce98549e62827adf612e70f9466
+TAG: aecfefa9e983ae857f033408f04a2f4dc9069ce275e00f9c35649716c3c65e9bebbcbf75ea3445ffde4dea79bf5c3d1dc4cd15a351972492445d1fdca03f7834b18e556e7e37e1ee1fe9a3c9d99010fee3a7506677e3ac5cbd5448549ee3a5e7bdd5a7b584767e76f1964a864ad2dad467e35702a5771d960b47f0cc4654a09a5cb4b7336fd43cd4fe5290b15ff50ca286f654b215c3bdbf3b918ae042fc17626ebdae135302ab9553416224cfee1203f804d99804d9653ec2a99a7fbf5d2a54bccbac2ef38e6d58b22ed53804cd5851e07f7cefc52df184a3c9acce574ec14c99a3abfda4f21ad119dec4a7743b384490136e77b1216d0df8b58607cc1cb4dcdbf25682dcdee237b773fe9714d24f2b3531037614585df4f56c855fda9949cd
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (1 mod 64).
+# DIGEST: bb57bd76fe5f29b96ee3f2d62d8f3c4d1c8c986c0991382834046dc907fe1ea7
+KEY: 446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be90
+NONCE: 5d41203f5dce998f8fb2eaad409ae021
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2f
+AD: d6773e0d0c302a5f47e037
+CT: 1d50f3eb1cd76d8e08a9f386db0cdc3eddfc694e8502ccae47ab431c2935fc461254b80386c87690b01c22f38ea9bd118d2e0ed316ac249437a3e9c30f6c1f7636
+TAG: 4b376f558ddf76137f0690dd8eb88720c506760c182e4cbb2fddb2f64e269bbf9e4bd20d1f2e1b8203f10df5a92a5950a7394525c2c36006716d741e686473de9895bbbf47849ad3a340dd262c095263be3d7678734ca7edeebd4eee8d3375c8f552436e3a90c7305aa0bafed0bd42f8f651a38666e28455e335ed58d86ed265da1e9cb77c780d4be9a5674e3bf7b624ec862aa9f5201793cc1cfbad7d0f700ce44d3894ed8e19884277bb1e58fe2ff4d4439163c6642f11f13be03c62d5a13182edc3e62bb72cdd7d0e157fb20fe4815a6803425781c1701d0601153811ef79ecf6ed3852eb87f886abee0e4ff13622b32dd040691810a80f3e21cb1d24fd2dd2b74cdeca38c49a7a1d68d72aad5484c6907a4e6440743a56cb8b6394d2a9
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (2 mod 64).
+# DIGEST: b09802c727f0f85cb590791372c52bfdc2e69de36b9695daaf7a93d2fcf56fda
+KEY: 6f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d
+NONCE: 41203f5dce998f8fb2eaad409ae02116
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6
+AD: 773e0d0c302a5f47e03744
+CT: 4d754c684658bcc89208bcd75f24dc8e18b70a28b8a2201535e60ab755fb20e1ddfa98742d257eadd02d96c6a65f880d058312311efdf67f9a106beff9f5ace06577
+TAG: 261eb376dbb9e82baf29687e823a93bd63961414b1bc396d5fd21e70afa47aafee1103248a9be160a0cc35a7cf05e6a07984ccfc354d37903f9a199698485d5e136648b1fe6adee40b0dfb589979df3b158fd8b3d35c8ab4c387f61782242e23e5698e5f7ebb4e733a63f3282ecd0c565f9c9535df36f6156aabd988e06e754fb3082afa90800af3e564a8d275d9afe184a72d538bd26ca1b4b8c12dc0ed449e643c1a1aeb8b943bd74abda7dc19b2e303a778d348fbbfe221df38d538c921030ce6485ea2bf899284e5bc8329432b16e4562d1609af0fdc616d3bd91688c2655dc0d5b436c0db8e0b434d897687e91a60f749a7e5a6e88e43a16b5f7a4c68d5c8325c260915139d901988ab924f7e9b72bb16020f0cc0c6b3f97ce4380f
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (3 mod 64).
+# DIGEST: 13588ebf114df38b7b59f890dffab8b1a4c85f090c3f4a0e508603ecd34f78f4
+KEY: 5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41
+NONCE: 203f5dce998f8fb2eaad409ae0211641
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd677
+AD: 3e0d0c302a5f47e037446f
+CT: 25bc47e58e7d4f3a417c95768699c92240a2be0e86232a41fe02d64f66716023996772e1118be48e685042f989dcd9cdc574614c9c3989f1885b4b71dfd5b1c323db52
+TAG: 9e72a44693493371870022657655991223f9a9570caa8d43b20b7e567cacc129dcbf03e2a7583b5b494bd6c52cc66ff1d1b3ecb7c39e26efb5fe025ea5bbef7dc579c58c9cc8f272d36b3b596910477d4af7e7105055f7769ee01dbdfc684956d44d583748085de4d2d4f5a9aea177e1f59f4b851c2794e1ee26ef2462b77f1ffb6d41fa793cac4aaac3aa88bcafc60066cbfba2af3a006bf929621350aa66aeffcd8fd7928e50df5dd27ca0831119107aeb0a2e7af5531da7b4033a049180a477ba24b8bd8042c4d30385ca098f9a8f16be6c286811bc036b827576da12beabf69c481a2633f6bcc7cc9255d5c2ffbaf5fc5813c6350f45b8cc664ad18304cf895907ac6c1c1fa5f9485f8d87e0a61f702334db886fa0aedc353fe50f
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (4 mod 64).
+# DIGEST: 25c98c13e308408c882677b48f3a49a53b500146eadf5bbc0f5a240ab6ccbfb8
+KEY: 91d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d4120
+NONCE: 3f5dce998f8fb2eaad409ae02116417d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e
+AD: 0d0c302a5f47e037446f58
+CT: f1ab85a35a17541efb4f906e7fc85e64efec6ab40d59d3da920c4ec09797c3ad47820e9d934e51e3f4d097c4a555575939bfaeb8cfea062b64816a160d6e4d1f282dbe90
+TAG: 2e3eea7d54f2a95572c0dc382ef826f9fa138637df323adf2f64e42a4be6d493ee3d087704d9a1ddadfa34b0cc2c35f4d7802a87fe3e14be035b269c8135e822771faf57a21ee9f892f26e2231a0e4e03b32f2a809d560ce72c7e910ba4c1b524b171bd50a7a150ed327e791e2f76551d4eaac1e53091f5d701caa50edb892c6e1e2c2f8ac0413b864847fc10875d6f702c03fe366ee4971ee4602d078ce648f54b8e71bcd383bc4c3a14342ebfae042fa52f59bc5ad73a51cd1c561ae615fbfe24eda7301794349431ae59fa6a791dbd0691a83dfe1f8cb0fbe9e385708a9dc9449186cd6026f962552903753372934e220c7d5eadc2ea75356a73cd086f850f40a9b83f1e9331009d23785bb5468feee97f6e9e21d2a17a9eb2b5d
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (5 mod 64).
+# DIGEST: 3fb8ba4df90f52332bc7a20df805fe903351279e0424c232365cfc4e62982296
+KEY: d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f
+NONCE: 5dce998f8fb2eaad409ae02116417dae
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d
+AD: 0c302a5f47e037446f5891
+CT: 5d6bfe91cd2273a9b986397a38e81be5fbbcd0403ef51873c2c467a9fbadc7bf540e83c538a43dc0e0ab780a4c4b1f5b77ced74f65b61f8b8b58b26fa3e8cba574bb9527e4
+TAG: 8f360ea3d348aa4a950019f720333de020f23bb86eb11ab2bad10665f2294b914eace65dd890642fe33979f0ab04de5fd00b98757e734cc1becc43830eaabd48d415ca58dedad92d4c71f0b7744b74326b9d1dcc7b9afa134c097fd563bb001d8e91dd71a41d5f906080097d811355c268581ddc1c7698d9a65179526eb8c96bfc03aca614f84aa2c871958e71fcef12efe601309efdd7084c7c02aec5a6649dd7fde231de46b4b0b4c52676edc19edb740b33f8c90885147137011c921336b52b3597a30334319d69d71498b11feb841c09577c2167b58430784a056310d1b264e52af8ae737d7f8dc6431b305afe2ad43640cb90c2eb6fb4d5cb8540ebeed729416c04d2260a6b923ad698541a3315f938ed6a1b1626b1e73ea0
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (6 mod 64).
+# DIGEST: 23f13497afad98ac65bd2a1642935ff7185a839a672fd94b18279ff92202a3b7
+KEY: 7df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5d
+NONCE: ce998f8fb2eaad409ae02116417dae0c
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c
+AD: 302a5f47e037446f5891d7
+CT: 16e3c681ba1ece3bdbfb1da491f877e806ddac5f1ae96bc406bd195c9d48bcd4a9b700a8ced21d824bfb99eb057e401c3529818725b51e96c576e8009bfe486610501aa3068c
+TAG: 52e952e88946079d0e7e443f24f113c0c13ee17438fb7c302d82abec8e24524ddb4121bd1f2f1ba18389ea5aaa2ff43b9978425f1795cf3b2b5245f13d74afbce0e6f4107c9478c9e76a803be141320ed0ebd81ad6133d0ba901cfc4ef9802c29dafb2fa0d4b6ec49bde0ad8e359265b9fcdb9caed5c2c3772f2777c8dc59190d554a76d6ddeb67f12a3cb382015a36a93ea747a808feee5cf9abb7dd413acadd6519125a68071f7f490209f2de8049724a87dedfe208322cc01ebafac59d1d7bcc8c2896074908b40c23094a878a0b33592ecb8d407a9c68016a112ff1b5226a0ca7ffc9fcebc4f674b4f13711ee64dafd5bfa757f3820366a26b12f74fc30297a1209c16ea6299841713d46b72d03a12a51c5309317939d556
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (7 mod 64).
+# DIGEST: fc71e48cdc62c15988a84f32ad60aa760b5766c892e559fa1ebd882a587ce590
+KEY: f660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce
+NONCE: 998f8fb2eaad409ae02116417dae0cef
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c30
+AD: 2a5f47e037446f5891d77d
+CT: 9b51ba0eebf72bbcd7a1b8452a49f30bf2d96bf0cde4d9e5efe7f1903eb4e09f53aec649c5a8ad7e7fc6c28a0dcf4bd3556f4377bbf8b3f9c79dffa597869255f783cf0c89206f
+TAG: d94d45b132507172de566b7fafe7ff2f6b50387ba1cb27c2f2d566eeb644490a01e89745aeec464c3aae3fcb240dacea5c13f8fab5e3db55a415052a01e0ea77d0ce06a75cdcbe0b7c83433b33022de91034a18188f7ddb699c55957611f0d1f2fccbf1e8e325d33e50ffde6b62cb153c43547f7faa3934eadc45b5bb18a88dc25470dbe6456ccc99ad306e664226630a761e9673f673262690af6e2922f2376ee9dd486872314d2afa8be11db1baa876a9c0c8d4f2050d65bcebf39a11656760142d0d4d505e2a80a0ae3533608c161cf6f9ed4de850a9fe77a0212bbab0c82b9fec6fd151bf391bc794229736b1a51bdb2b012393ee405f8ac64db7471aa63077d9aca9ab11da3d078947dbb7e8c3935c0dbce060df66655
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (8 mod 64).
+# DIGEST: ff4f42d72ae561abda38963a2713bb743038589bc2d7efa0f3fab298630b9c02
+KEY: 60ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce99
+NONCE: 8f8fb2eaad409ae02116417dae0cef45
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a
+AD: 5f47e037446f5891d77df6
+CT: 5e4df84379f9736d784d9166047003e3ce3375a8e7add80c8687e94f68595aaa52e3bd39a45a7f67d35b4df0c5d62abc81680ebea78d1ec02153833b4dc4bc5112f4dc2b3f14deeb
+TAG: 9772a910db4e6582b98dbcd4ddcf7833fd0e20fb8044161467d80288acdc76685c62394023653d4942a5d1d27e63c12b44dcca72217d43555728199bf2e751a1e17bfddbc0ff8c6b618715fbcd27990a7f94fa7009466dcf570508fcce46e0a807c6892e805aed7141fb4cd151642dffce62f8d9e677a6a5b3f3506c4aab3cf3cac29bf4bc04d8a2379b8ae4d55a3f7b1414cfa7f576f8345457a87f257a75cbe7862829a5b0f9f779aa50bdeaf36ac6411a1fa7ddbba9519fa933a0729f02a404eaeb2c35ba4ee424bab056ee3a8ad0cc5b5199e6eafa0795dab533d062410f775277907f36375ec1cda175ab1b8f8032899298557bab8f3eb67190175b710854f0338418cd46da7e1d4d0ef8fb8881df16f781df7f47b7
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (9 mod 64).
+# DIGEST: f4f7f147b43ea50a1f5a4f19c093ef917d3b92b46e5798e18b5294b0a0fef814
+KEY: ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f
+NONCE: 8fb2eaad409ae02116417dae0cef457b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f
+AD: 47e037446f5891d77df660
+CT: 1ddce9b3f674dfc1b94a6cb34418e6b75c93f14941a6dbe028ed59667404b93afead95ec50b9393a8e0e5f469fc1cbc5136f4dc54f3a005af6c88cf70ff39487dec8dec0a9e6ad33c0
+TAG: 6875fe08d6aec1a18c56b4f446562a523b95c8434fcea5942abbc10f6e10ff7c455db0e80f945f81462a0e689df450630a34a8c9c3379c4494821e762c16a73b029df8e3e5775e78ac2a4106d539a5aa2522dd0a586a974b84bc09e86ffb21f3fc6a0d1c9e1d75179bada55085a3d9f9779c2461f2ccc990765da2450815da4cff73913b224bb946204ba50acf5884f71da7a487b743bfa20a09175a4dc11e9ee6a0b12bba1a7330fb482f925f36532c52a3ead78a8924cd30a1e3053faa174d5acf16fc3e02e0867b921d382c842afe2b69556bb89c853338f6f32434e2b9da81bcf7a237e709fd55ede388b51b2ae62e10b1ca69b4fcbdfa3ac73114713c66eb51fb36678137aa4516530a92e03b9454ca6b8ef35263
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (10 mod 64).
+# DIGEST: c48f43e4386dbf727ca93d57b5b2a4ccd8e1f27b201db03000660078b773faf7
+KEY: 82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8f
+NONCE: b2eaad409ae02116417dae0cef457b9e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47
+AD: e037446f5891d77df660ed
+CT: 6736ca287cf31ea3ec92c68697bfd1f88642e67d9dcab11c5dc8ecfc61611ecffc54a04119f53f9e5476196f220486ab53e2b21e1135bc6745731f0bd32eee9752fe18aa410159805977
+TAG: 5e40a60a3661940d928cc1818e0f0277390296d5a20f1d020452845b5ecf83dabb95153285213d50438bfd32980c294aefd1d302517cf2aad8bdefc63d87d2995523db2f2380cbec94cf5f5a7af4f605d7c9cb2c2c5fc67b567c5c219de53c39e92ce4e597ff10c929d7e66f7a156f3bb8fcf5c05df504924dc282bb94fbc7045e5c758239b70c3f171bc9c34e95f8821738b02b1049c8e1b21d66e8ce2ad606c8492749b78592ddb0df4a51de74514a1f25fc4278b22dfd5aa0761e1afc5e4d622e9088879df40964ba02503e876ebc70ab5e75c33d7ba0d3879e32255ac7a884a723a673fcf7007c8105e7dedcfa91832ebecf6a929033da1069839a1ad5ea9f659e2f2d295b06d5d6c5e685732f8d9c4b95eca515
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (11 mod 64).
+# DIGEST: 4fb8d7ccd762998c343aef821e49cf91783d15669105b725eb1123ddc16ea445
+KEY: 933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2
+NONCE: eaad409ae02116417dae0cef457b9e5e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e0
+AD: 37446f5891d77df660ed82
+CT: 95b9375058667abde693e7e3a598dd4c326ae4db29f54667c54453e6191c52f86d2fb4fe324e9a02b94f094f1dc272b1e6ad85529206a511468879d31ab9e74f44d9f388b72cd2461fb67f
+TAG: 7d5b0073be50f1aa588d60ff430da154c9793c30646b9d98ff8581febbf8541698a3a14e8dcd317d3f5102a828923b4a060843e4f813cc0198d19bc7b8c7c3fb00bbeadde45d84393bcbf90e4caa0b4fb7e8ce97584d639aaedca28b685083417c996ea73686a504e58ce170d5e59dd1e75cc2527c9a9976ab552533fd3e9c22603c5b4b25456d833182821116d7f80fbfeb9b0a840c127a755b4ac4121cd82f12508b0eabcf1255d5ed866b11366f9a2a59becf0aa3944ed0b1531c92342cb89dc819fa342d19db29556a98a6f1d7f166406257c4fc2019f5cfb8e1a2f02a161e2e6e91bd717c3c0b7429e9eb9d50f873ccdf0b487ee1996e38b248b0bc29ff17d713b810907bacca6f4dcc0633757d84bc065497
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (12 mod 64).
+# DIGEST: 756ef874fe4546df371e012dc34660cebd6321b67dac201988cc72e48917d7b0
+KEY: 3f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2ea
+NONCE: ad409ae02116417dae0cef457b9e5e16
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037
+AD: 446f5891d77df660ed8293
+CT: eded2db8c302b3b5b5b0c0d556f8d34408fdb2af75d38231049b5f91e02a4086e6ffcfabcba5e3ec68173dfde382a41523d3c8ea1f7944351baad1588516c548942da82684d52639453ffdca
+TAG: 518bf4d7ce510d2d8b41b8948c72f652efcc6973337da9e53d8daafd49a8fadebd391c0867ffe253dc07d26c12985933288fc617b9f1e0b74ba51b4a85e11d14de331f9af1c3ec66f4c85e0db13e2669a0429b3be48cb3e8a59f3fae779aba1ae3cf8a9c7d3c7c3d7046b3e7592c67da2779af921b2fe68801d739ebc0fe61ff52724a034f8d6ab916cfac58e9530a541148da1bcd17957a9fd9481571d054e6e38f6f13460fc1bfcc51052a7ae75f514a4d6525dd85d067698197322e61212d58c3fdd3f08e0a06189d8773f87f18c0156eda94657acf5659c6bd687188fe8e3f09b7cceb63d6c78e0198cfb985bfea1e6ef70f2e1727b50c45b123d189607c3dbe0e06f1b359ac5f8dfe1766580afe966c8f68
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (13 mod 64).
+# DIGEST: 01fbec0db232a15b4f3e02a14f412e296a0f2c7bbc539ea1e5e835206e197929
+KEY: 62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad
+NONCE: 409ae02116417dae0cef457b9e5e16dc
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e03744
+AD: 6f5891d77df660ed82933f
+CT: a56c9d8579b78c9ef40c4a230e8bd42750510340fbd0cf55393bd13d93b105fd2cd1d701b6882bacc661e8da81b7c9eed6b5dd4da12353298150819c748f464fa35936dbdb39149ed790f58777
+TAG: ec23664bb72e227a2d60f8e04aa12b33b78d59f1237f2305c1041793344510993f4dee5081f28a969c122c414a4218d4a73e4e8ba26ad8f6a8c3f73bfde7b0412f8fd6941f26ab73eca7110a4873cceccd43a917d5ea6418c85788512fbd262c72e594d2defd5a0a136ee74e9d1e76f335965a7679b3a059fdd6b72eab855763e4af5e028e9239418197e00088c7e2f661142d63babe769de4df2bb36f2fbb39b3723516d0c85b1214e82f12367582e9c707097cbd91650f2b0ae6f13a006cdaf65f9384496055bed36622b4b495335850b10fc6376112b99c4ca121228814539a2024bd4e839bb020efb32f858322b4474bf5317fced4ba64817e022bd53eb839793c59e673d4a50aea352db65143bc0a1d14
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (14 mod 64).
+# DIGEST: c49af18a935082656e153daa62270e736e336727424bf48be78da0b7dced9de0
+KEY: be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad40
+NONCE: 9ae02116417dae0cef457b9e5e16dcc5
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f
+AD: 5891d77df660ed82933f62
+CT: bf13550fa32201ffc699cbf22de17ca268652f8ba2693dde72b626d01855eea7c21f0afae3fa03dc757491e8efb9091a4c100f8dccfd15a9b4dd94e4fe1f5e90a96a8ee973df3f67b1b87adde382
+TAG: 45c6bd5afe30cb502e43d1b3b2440faaa2908d171c8e7f53480efb6d74fecc454a6dbe10ca0ea6368b4afc200632c1b078250369c85a463c63c8c79a95a8d5c3b2ed6ea220b8f624e381022f78cb94d401bc384c5c6be68e8f56f353524d93b68dbb590ca9afefe04e642fb8d8650c8e94a873985c14c1fc7f7e114b2dadf9c9cd89e504636329f476fce6fec894337704b6406c634aed0330cc20030543261a628efd49bbd4c52e7d70fe4b32415359135e2328027b388e3dd4edc43977e8eeecc04919087ec0935f3b7482defceac851adad46db682cb19d407a2615164e2930278c26f942572b64ff9ade93d2debb185309fc2c526a80aa57ce225ca7cfbddd4ae17cea86afaf38b1544a8efcef6df761
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (15 mod 64).
+# DIGEST: 8d6f1fdc3d60175573775cc289d7436b88d10dfa029e90e10e513c8e739666c4
+KEY: 8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409a
+NONCE: e02116417dae0cef457b9e5e16dcc5b6
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f58
+AD: 91d77df660ed82933f62be
+CT: 9f9a3ab733e50c1584c4f0c2a2dc0ff71bb3a9b32dbe92da2fcff8fe46a4bf16d4f30ec8efb1319891b7d2586839fffe5012a6dc3d5f0ad21e1572a1ffb48fbb82daa5c2de27d8d64515d8b50556ac
+TAG: d59e25e24c745028ce4239294565972873c4debbf863e3a3b5d69c5a32127916516037aff509bacc58b89e041ef8d2c56b7a3898aad9426f6c26c7d61adf61790362e299c73eda72314b6429d9f64985d91820bcfa806cf4b99d45d60369f52c369970c8162499f6c39948bea9a7ccb7ded6b4f69f13a98cb1665a9be4ad2f8e3e584157a7cf74009f504622b4529e55d36e92cc45df30bfea3d3687437ade9ae87e16f64da2960d30d6660faea9c890d4110e18c20576b729bf0157c151397aec86b563c1234f2deedfea18b2ed2a780b3fba34ddf21edef8bacc5155834e2ad144b39eacde01196a70e309122eeada9c1c589ecb7cd22a954a8025edd31383b2e36f453f9bc1fd8779e7a23653cfbea7
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (16 mod 64).
+# DIGEST: 11a40304bc276c51e2e7d8e3fa16f905bf050f3861586be68ca4257b1e6cc566
+KEY: c55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0
+NONCE: 2116417dae0cef457b9e5e16dcc5b6f2
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891
+AD: d77df660ed82933f62be8d
+CT: b4d33c5131701c960eda4c50fc0a918acbe28cd47fbcaa328c6a9eb08e3c36b697928c6981992ab155c30984c6b8e9340cb00decef7086f589ed2d730cfafd5ccfb95373b8c55044fa1c95927d02278a
+TAG: 713f2e3e88f54fa870bb429940553f8a55526f219f062dadacd69284718a21914f86d905517eb301bb5693610d69a32becab289041fb962d940eb0a37da57724b4d07c3b968700dec4d019f6672cfc45be30e4ea80a33dfa7d88abc6733a1cc7a788c6dd12f2e18f001a9d8f0deea3411c00e9234d9484fd030375bb6c3519e8068694019cd8e7eda59760cbb775a01d68626f88ccb026604fb260c0e3eeecd3482619d1108c3ed9ee2f992c0d221f8a0b3964a6ac23bdab18f2a825a2bd8893551686224eaab405e027bcf3cf6cfd840479be33ebd22479b72d61e1d26c0d62ec8e378982a61e85da137019fdb017338fb245ed0f82c531be137dcd56af636c69197228ed2be7ae7dfb0097c4f7e5144577a2cb0cff362c52e28bb1d2b284c0
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (17 mod 64).
+# DIGEST: da3fd1aaca630fe609395b45a44384c57f779505188c8b12391b9f34de17dbf5
+KEY: 5b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae021
+NONCE: 16417dae0cef457b9e5e16dcc5b6f256
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d7
+AD: 7df660ed82933f62be8dc5
+CT: fe6540372ad1c40ec1dd644e935c480b9e34aed05a7f21e2e37dd46db52ebc5352cbc3be2aa289cc2e9712aa7d393f4454c9fa3a4acc30db41ada1257693d3469b0a1d5680dc8dbfea8cbb4768161f8291
+TAG: fb0e5d817e59ba33aad224a3d75b490058e8d743e6db43e920b30fff5e931aa17ebdd9f33ffd1eb9d73a2b9301fec0981bd29d85edd9804def4edcc9d25c04e7bb4f092b71322dbfb1c54fb71de189c88b0c63a4fc615a389b7d67758732f2356924813539ba0248d47fe0a536d141210b4e01d3a3cd1a846933c45abf7441eba3de98bf42c217ba29eab4dd52bdb44bc8ba97c7cdf10106f0e5ed04df11835e1ed86290c2b4b79e5b9a3597dfce92a71958957ceed5bab67ca5b00eb19c0897ea081929a9fa4c45db9dceb70875cf9773cb5dc543885f62bede29135a5e637c078029b09b290347f1e39b6ce35c43294fbee0cf3d9359c25d2a55083eb7d3d13486e851b1b60e1f51ef7fc48d16fa427d7440aa890d300d7a2876ab371686
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (18 mod 64).
+# DIGEST: 2ea803a4525d24849aeda1b0adb81676b32d99c42bcd0011932085424a0a8078
+KEY: 436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116
+NONCE: 417dae0cef457b9e5e16dcc5b6f25607
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77d
+AD: f660ed82933f62be8dc55b
+CT: 22e6c691ae1ba796667ceeaba4dcf85582e398e529d938da63c8221a58c2fbe242f6da82eae8c896dd31b45b3e8b72ff3dd7906130954f7b68d4c8729d3ff66ffad72104047209a56f1d6cdd927b57e8d08e
+TAG: 0325aa247e8c830cb0fbe906d495777fb41894e5721f07b1aadd8b0a2419dd28c973681d131ad8866e938ceb84e65762930d3961ec13c2ca461e927a8aa79cab8508709520b1dee01e81ab4c6f5ee93eb610d6185469d88b32f8acd04f6e8e138aab41456c9ecbe0ebc1d6f9edbcf8e4d543515f9cde2610b1a1454072d5d66b7948ababc0c99cf55e2ae3e9a1f0b141bdd8df4a1647f98becceb6229d190341072594cc3c2c61070c88b0513045aabd07d2261df9dfceee46c5f353dccd3c1b2fe4a2ebbaf8ab7b2939761aa86f88a19b84e611a957ba9fbae9009ab565279de6f972f82b42f324fbf7e9668b4f17415bfd796e4886566ee0febeb27397bf971795a7f49d8d302e13d7e8cc4b20fe89999665d03f83245b807fbdeb43cb
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (19 mod 64).
+# DIGEST: 6802d4c044d85fe270b3761ec10ae5cb4b912a565e00cafc8eab935935523126
+KEY: 6965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae0211641
+NONCE: 7dae0cef457b9e5e16dcc5b6f25607f0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df6
+AD: 60ed82933f62be8dc55b43
+CT: 4772e647d03817c0f9deb39ff4f4f27fb0fed33e0630eb453883c707336f0e74ef206e92e31fb2935a466105dbdfd42c180ef63cf5cdd3c281337895e399df6078c22762eba5d84b8845ea00bd88bf5e1439a8
+TAG: 294f0bd94a45371cd6205187e9f8357817072cbb1940abd8c54418f1835616f05a75c38117165c43c0bbeaee69f8e20875121564bc383cd435e1e2fe4a36a6db906918c606edd336dd2dd7617c19a3d701756682d46e04609bc2e983b557cab0c8e3facf110be1f18baf31a69d09ff01fb8f51842e38fe3c38e42990c1bf68838cba82a82c4d77d796a59ba70abad4e0d6bb2f989e52622328458d5809ecbec33764dc77df403cc574c9535512c10446147077f8f05aa63fbc0f73195692ae69fcacc30253054064241ea28263b52feaae58d0b07c990308809a86327ff6b031f010c05720779ba1332ac1f93ef398491a438f4f823e45a4f2c5420c91447815e88fcb5f80717141516d8a1974db7a21fba576d77f929f52c84af22ad6
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (20 mod 64).
+# DIGEST: d159516557052899ecffe8072d2cdb753939d812db2f8861e3ba7a837f0fe29e
+KEY: 65aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417d
+NONCE: ae0cef457b9e5e16dcc5b6f25607f00d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660
+AD: ed82933f62be8dc55b4369
+CT: 6dadacb58a7b88e2daba277f66e5757042c142115871c9813d1a72a79e5a71366801a757a5f9982e99c355fe7d742fe3f047b711dbe340bf2ffd00cea6dc6ed7a4a416c17138404854ab8a5420960d6021e2deb4
+TAG: aedd593c686dc75c7bee2e9e90c2ee010801d48e40d62b6d64cf8371d478a9319dc95d959937396c8e2a887865478cecb1d3e9dff34adb0aa0642ddb5b29693c2d9a3e78a7d71f60d6150f53dac8ec04b3832b7af35ae5244f5e49a97308d5dc1dad0254af32fa1848249e00d4dd547eaf98ec112db7d519c338d698e9633c64f47f9471843c2482e647878c5fc32b5bcc092f4580a39489d7ab61bd211fe4af348fcc18ed48389d670eb903313c79a5bd2bcc250f1ea5cf639e965c30c3b3aad31972c4cb451829d05448d5e12b76b03dd22ad2b7e906ed80d72bb13e6f60cbac269c605a47aa8b676fca372b7969fbb608c04b8d105b5e8323ab9b1e442248fd894e263d2cdad5e3a34fadeaf478c5512206980d0f4113c6bc3898
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (21 mod 64).
+# DIGEST: 8b4c76888085f1030618cca2b0ef708b79b68fbe879c266adab2211c35baebae
+KEY: aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae
+NONCE: 0cef457b9e5e16dcc5b6f25607f00d03
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed
+AD: 82933f62be8dc55b436965
+CT: 4307f039e09bbc51fa0477941e321dec14e5f562d3a5ba25d71c3c8afa23f44e1ca619d130890b7476e5227442c27995cd292ed9d0a649773b752b3bc7abf171244624bc55784adc9282f1776789fdbcc5c043dadf
+TAG: 10d9216fcf6eb71ad30348d591c025c364715c73d46bdd26f04cece2b14ba8f5183b7250750c75017bccf9b394579be5fd2c83e77a30eb11c9b2fba8355390a3bc19c98d0cd5f65144701f3f08fadebc29150ce3ecaf4bff75e9db3043228d037861656c2c462668e25a2a6b9d1da7929a44dccbfe3758501ff0952c064508025ca73687ecc1a89f825eb09a762c1d7a63edbbded5ac0ed6baea7ed19677c8844a063254a9a0f464da61ea782ff5ce62462009c64d9ebe9597c467e1d2f5a2ff39c18eeac0ab03cd771dc0c75bb826167703855b96a9ea6acf8f5a1c95f59582a56addbbb8ddefa5c73405b212c8945a60920dd18e3dd4c3571003f227f1a1cab2b41b67d133d0d20708ff44598440f8c5b2f438a6c0c14113d075
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (22 mod 64).
+# DIGEST: c93f922285c3abf65fd70f22abd7ef859a392a9db0a979acbc99563829e3fd77
+KEY: be477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0c
+NONCE: ef457b9e5e16dcc5b6f25607f00d033f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82
+AD: 933f62be8dc55b436965aa
+CT: ee9fa11a7d6f965e7d65d8f48810754770b9d237ba0111978b97e24f223817d0c6ce4dbde85c4e0979bea607a36c66f908c25384184fc334d8d985b78c2e9872d82c4cb1aad49d7dc21d6484b80f9192092da38282bb
+TAG: 4ba52b012bc5146d24c5cd7101ffc935c90fddb5c25d4939422b08a9f36afb92a71ed5cf86418748b8268e236cde7ea7bf8e757079d3b5e74044939d104f48d8df2cf17880f08f9eb7da709132fa7fe6bc1ca3cf9308625e15595a56ba4b2bd12eb3a4fcb06cac3a7f8d5e046e464d5eab6f502e5a9a7542938e95a8e6e0f4106b5b77f100c1b39db7de14e6f777a0cfd8bf205a6d70a76c1820b48bf8e2f1d473f82b71dd5440251473e5878ee858d60a60afe9b9f07f201d208d0e60660cf6ba2440cd0cb2ce4ca1ff0b6085a864fdc8a70fb760747208a72f9108c7d3234ccd69c1218be9d3d59351827500244d0e1eb39d08c82be77ed837d29b8650fda3abf8e8e922f754119433bb1c27769cf7e042c49a6e87f75de521
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (23 mod 64).
+# DIGEST: fecc2d68e7e0874de9d063a889b18ca83d3d5908aae064db20d723a8da1b3978
+KEY: 477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef
+NONCE: 457b9e5e16dcc5b6f25607f00d033fb9
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed8293
+AD: 3f62be8dc55b436965aabe
+CT: 1a95f47f7bdb2d91358f683b7bf803254d88b59e2d3c1d873a09794e1c18f1c924d480727599a1a6890bb664335e690e4e52c385b634bed45e08410448ffda3ea2593a02a11a03d994617b9f7ac85317689cff682990c7
+TAG: cf55f1531360cf0dba29ca8baeba795e3ae57ae1c8d233e5d771be0a7b5e483b1871057aeb254958d0353264bd6c61834295431d1e624f194559d3e476216b295f81ba3a7ce67edad2c998d4d5f2cb4ebf6a83d3d40bf36eb0cfe75652752a4f8aa295663fc4577270c2b49ccb411c0f6e3a2978d77df2bad8db2e7252472562a6622a0c21570beff15ab6d21df869bb7b1f351035b7462753c36bbb0ac6e3b750591cb02c7ecd9b03819fdc47ca0106ba37c21cfd5123479629b57839cfaa4ec72382ac3fd6f1a8f24809921cef7e0474a6372cd4beaf7481b554da8cab83dd4de5767c3c7d0194ce7117100c07161889b01f4deb05ab1fd9de79f7b634009c5e40f2ba9ae916ea70e622ae14c915efd902758953ed3c63f9
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (24 mod 64).
+# DIGEST: a182bceec087418714d31fdad208a5d5c578fa8917a754e0b0527364378afa81
+KEY: 7e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef45
+NONCE: 7b9e5e16dcc5b6f25607f00d033fb95f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f
+AD: 62be8dc55b436965aabe47
+CT: 67466a0bda0815f726cd09d159e06088b2530b73775a8c18eab2d09ed7bd12b743b0a10345cb3126dc14d8f5c503b65a45467ef9b56ec7c5b24e5548e734d3f0fc90fd9c8019fc782882ea6e72f4df5f5f827d6e8c60c86a
+TAG: f6c2c4b7de380be8cbfcd90f06ba067ae2e3e23286dc1079ceee60c2cb7384c229639917d38d6d50c24224981c7ad657c0b4672b2e3e0cb75a2745801195902c4ecaf772ab99592ab86682aa2f0b46607f5e0422b159a8d06bbf243728d0711dd3e68277b9a6f29a66a6cee41dee43a7121ac2d8e9c0d02d2cfa397515fde2161e5484679200c7be71015f0f73b88724adcb6ba772997119a6e17446c9872df0b8b50c571d5ea5ad71a14e9f4a81ad6437c1eccff6a93d1385115f55b7131225b5b49550cf9dad67fe8c9992f8482de6380b64abd01357fe46f98fd28dd2a3dc11f43b9c2306b5dd6f6fa02ec5bf3d9d495f0ec432c9f527f55680d64916bdb2a4088a72985c1ec03f418ef2a49870e1d8f77da41c227ac8
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (25 mod 64).
+# DIGEST: 81dd23016c18f838fcfdaa8afa9c52009af9d93092e250bde67ac11e8588a238
+KEY: 0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b
+NONCE: 9e5e16dcc5b6f25607f00d033fb95fb0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62
+AD: be8dc55b436965aabe477e
+CT: 34f8a83c831f374e77c5601317b658e47091d811285791eac2fc59fb06658c115dc875c80b1089a62fc7d072534617dc81dc3adffbbba4b9db2e7272eb0b8aea73eb9de6480c43190e239fc300377f1839a750fb5a915c63f4
+TAG: f201dd303f2be93385e189f963a1b038564f9648cc09ee82bebd9d471564156e14933ed0ceb36f768064a038f1c86e936d05bd32fe132c068f635a41f5e6c0c9c1bc579b9e218e5b1e0e95e2f95a05171a4670ce0028aa7aeb78229f6b3ddca48e35c5948443bfb0234b083fef65ccd11d3d8894918289dcf13586868c3cfb535dd9d4d79cdc391a59c8a7d5917e47202108fc8ab98f8be0cdacf80582843ddbbf7f158841bc02f01d402b5b8c004b33a1d20d85590d37ca0704e58c3071b0da1f64ecc52532e76736cef4967641ede072cdd0b61a02b5078c310a7091beb07c1184ff74a65db5e71f42fd9ff622040c331687f72f6daa6f7752e21d0d844d4f646202eb18677308ad8747823c524d516398531c356f3b
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (26 mod 64).
+# DIGEST: 20f01a20150588ee1067e30a2ab84904a34ac56cb9e327756a700b1af24c6200
+KEY: dd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e
+NONCE: 5e16dcc5b6f25607f00d033fb95fb09e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be
+AD: 8dc55b436965aabe477e0c
+CT: 2ec0aab31fbb036bd2af5ce39025ee2d5591fd525a199f2233384f52a8746f4fb547843c92d1e4c9fa92bc268174d4a59134142f14e8e1e277f1f1844c64f76dcd20f3b73dfec8e9fc59a639616fe4076fabc5d3fc116a8db5b2
+TAG: 58aa84e06a34424ee932af39466c3309363d93e3af6a37473f54788f7c1564549660ff8e96cbd74ea459c318d52566475062f7b6ef434a4bff703f831c4c5ef574d7cbfab0eb130bff93f7b7121f3bbfd56574f6bb89fc227257ced565ad4d73ae3c72b25f36be22ef5bd0cb5750cb23c52743bcc1306d63acb3f7ef73117a352a95418e8fc12696e99ca1f44c055c227eaf0a116c0847d49a32d1ea611e88f6d2500dc0d2c4cfc84978a31c43f30e2d5028602d7cfa4a48efe16b18d46f078502c5976a63ae91a63266bd068175bf842646264da36df63c134df8171f160fcaa144b78fdb81534ef248ed1c7bc234d045aee646aa6eac6d770f4487e1bb4bfe9e103bf83b1f8fb3a12bd56ecf0c8eb1c5a0d0f35cd7
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (27 mod 64).
+# DIGEST: 83a45f4fafff7e1ec40a34e75a49a431478bbe8c9234da4c1b3129aeaf453d5a
+KEY: 46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e
+NONCE: 16dcc5b6f25607f00d033fb95fb09e4d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8d
+AD: c55b436965aabe477e0cdd
+CT: 90712d5e3edeed5000c62ce80212d41773a393792a3a8fc62a1cfbff38b3555aadd88f0e36f93c8a12897d7779972b3e42978cdf85da7a3ba2e4b261f0a0cf4e1edaf259849e87133a9c057e5d3e693a420b7861b96e3f10b34f7b
+TAG: ea3b1f0a196af1f2df325a7a1f4fe1799ff35df267da4a912cf0cac8ad6472428fd08ecf4356cacd67de7eaa0e92498afa1f8d01c9230d6dff346752970758ab979e62d3012356e83924e2f9cff28e485cb96c5d87c1882ab472a4dc6dbd79b68ec3e64990a389e864a4a2fe9e8fb4fc66ea5b1f07893864e1d6c38e73fa60ed109bf75d6b96d8512574e0afa2f6114d1acffcfa23433eacc0f021e05b6c4eb3148836449c72485e69635243a8aeae09fea475b361271acc9dba14ab957ecbb4b0a03edc3460d63eae1aaef92341456b395011321fcb7a85be0fdb812259397f8b52ff8653aa27040c17ea4fad7c6f6c9c941d1c83ae08d52c1719bd2c66fcb79c0179e3c1827785cc7880607de862e8c2bc8b4ddf
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (28 mod 64).
+# DIGEST: ec9b1b48a2e7600c92e69277c9e55d1cf7a9135ec73cb736fd26718c5531fb7b
+KEY: be99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16
+NONCE: dcc5b6f25607f00d033fb95fb09e4d00
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc5
+AD: 5b436965aabe477e0cdd46
+CT: ea1b542c224788ae66ded1b3ed9f9e35708252a1cd1d4725b0a187b669c51d282776471be5a07f256faa9ff16fa4248c629a4bcd31a9dfb7f260d9b1cb62dbae424624fd816bd81f781b93ca9dab437bee7e80bb7baeac902deeecff
+TAG: 650eb292cbefb80b7401e38e9803fd2b8dbb13ff21f0f0986eb42280ddf019458c06aca80c4784da1930a92427f96531e97f89e62ee5b945f07a8c7fd2b1dc6710f0a97096036d22493c2ea2592fea8e4b2cc93111959d33838e4919068385645f898736a0bcb391a30124694d7421f6cfe486047a95f55546c80a75fb7473ecb4a751db0c1dfab931081167e80a5116977c296d0b9e818dcd72d3404546589038d51f08ae71db0721c64e9ce9449aaec77fd362c41b6b9822c91f267e3cf0ceebffcfd55c7e16abca6ece0de8fd0b58919359aea7062af61e48a6185bb186db113a39be60fbf00d7f3664d3cc64e9f9eed70e01240e4d7f51587b846787c82723195a307c6144b3a1db94a10743df47c86386a7
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (29 mod 64).
+# DIGEST: 7b0d19af32e867b61fe57398a3ed863a56666fbb67100e6a5ff01971ab693fc8
+KEY: 99371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dc
+NONCE: c5b6f25607f00d033fb95fb09e4d00d6
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b
+AD: 436965aabe477e0cdd46be
+CT: b1025c9eb02f72e5526ef641778aebe786c2f85961997f1eaa090a33caae3a9df34da7088352a2df7a61eaaa026dadbcd604f5baa3a0de4fcbb3812816408d61384984141d9c78f47e725e99cea9d52fc16797a3ee4dcd80b6e5ac836c
+TAG: b1a3af10a3a38373bb7043194d9f0acc257f231ae324faa30c0457ed219deef787c85dce075c04e448ad2039d84718b9dbe23965df0b253986123e8f4427b833ef7679b4c6951d555c98ac8e151c3bcac077b8ffab30b8e6623809c39b7ffbf6c247f8be4993e91841a204b9af2ed9104749d573b01259646e8711d9a8b0959d4e9ba5ced78ccaf37a83035a096dbdca802070baf44c9d97b009c9c6eeefae4f1348ffe11bd512070636627d0defccb8dd737d6aac08116654cad9b36d3f183b3392a020d25f8e03142302415d3d0575ae203caa7581c754c36343bfbc37627320e9e7c0e66cf277e738346bff15b8277c5675827a25e0ee68482849df97d135df15e544159ded6d7eba4fe11c74f01051bd9f
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (30 mod 64).
+# DIGEST: e3b7a347d9bdc63bb1c689eb823076d5ab24c3f502c328f70d71a1b3f00111d2
+KEY: 371eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5
+NONCE: b6f25607f00d033fb95fb09e4d00d617
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b43
+AD: 6965aabe477e0cdd46be99
+CT: 10623f3b3c8888a31cbf51eae0989eb3caad5f5b786c13b41c04e0b6cb2641f850df4ebea610a4d521557c8f987ded40e9702503fc4ae62d1830a0f04d168888062f5b147e858a134a4022bf2790d81a20976e2b98e407e7cb7ee4355bc5
+TAG: d1ffa2b9b4db22b1de1eb8d9926e651ce34a85560c2e75605d9448c508e3030ce78f3a5973bd87d99be66603310d19d4e4a94a2cfc4ca9fd480dbf4315a814702d507d8699ed17e89dfa8c3b7c0491e4c22d63daf87bdf3e1ea54b759e2969ef392a659d9a8237bf4545b78d268cced5d4c6ee177ae96f77e555b27cfd6ccac215aef995c383e84419293d32401aa7d98634e99fd5124334aeb505f1b389d6b80b78eb57fd85f8c020c17789696078178dbc1e328ce213a623b6650a4d914037e4bec86ec6e1cf12881b4c71a204058970a1e607846421b8ca0fb346c19ea40a2b6be17fc0cdaff9d3c30868889b4e8664f2b586620ea74960c04e5dc3f9304dd78e8cd2fdc5c10d5b9cb640ff911e4ab323
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (31 mod 64).
+# DIGEST: 9ee27167f084f493a4e6e5b80c1cd07babdac057ed98dc28cea1f107ebc68787
+KEY: 1eb8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6
+NONCE: f25607f00d033fb95fb09e4d00d6172e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b4369
+AD: 65aabe477e0cdd46be9937
+CT: 60d4a0ba2caff08ac046349b511017a7c5f5537eff0bda94bf838d50c14d59426424e4a8f531103773aa0eb9d242a9e6f2ba5002ef04aef8144c8a88f05788fa5fa1ab1cb5cad84da0d31b280ff8a55cbd75f2327f726d6dcbcebbbf490012
+TAG: 26ce951279729891effbc740a3e38a8eec1d8fd4bfcce6180a117931b1f3ac5a423772156307853624240be289aa9bd4868d9c8b3b93d332a2bdb679bd14eb8f91034468fb1771d679321b067ff9dedb04cafae3cf43c046350c23b97bc3791821d3b4fe50a5ca66057432994e75d53365fbabef04a3b6c4af9f2429dc478145c6e67f3dc1990d0c21fc5d816b25ffe4be41a7b465d8485b2e4c22d597a1419b021714faec3c2d2ce1546b73145a2bfe44ce6a4d6ff162c6904977388cb01e8495aa05a448a157cb986b59d74e3abaac98c024d4658ad842e9e10195b69a244aa42cdc5c073f08313cc9b2036f830a1aed7e70117c91a8fabbabc556d9fe8aed1ea047a83963f985c1914d524e058ef04a
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (32 mod 64).
+# DIGEST: f6b15333af80c49e8ea591c2272618074822d453d85ed3a96c29f249873acfc1
+KEY: b8da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f2
+NONCE: 5607f00d033fb95fb09e4d00d6172e78
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965
+AD: aabe477e0cdd46be99371e
+CT: e59fdb3d1413cd6a1098b5daf1662c698076996e2581e11a286e5acd6f29d41ff9d04da8308ce7f5defc52be0b4d1ee96d8e5f4eddbdd5fa9894e7d1b0a1bed483b7e7549e1c10cf5b8ebd1e7f1177972ff061cdecdad8d97bb0308b19bbc2c8
+TAG: 511574a8be372a8f1f9d856e674d266dffbee195e3f7e710f3ea76bc1c83e449fea70886b5cf0917543e45f8cc968502e873e362f1bb376a529cd4301b8e5427342869118fc7d2346aa78a4b3071024c5ae51a73af441ed02bbba31d0c106b720da7d9dd3cb9902048bdfe1e7ab6df1c2cbc78bec0c37333abc14b0725fca3278d54cd188140e35afbc743eaff515db5b740f97ce8062a20ac53b2a5cf527999529726f79cbf4220e0fcfe51863c2251f23a2a139182250e1ba6a9e889d998cc429dc503d5c3c4604346e2ca0adca12699b4ee8f0694609c3816ad161612c9710f6333e5c48e3c07f5a644714554869417dc31dbb5ddbc2de6518b683e6a7bc9355c0332ae155be0b126234b7c7a53c1852e7bcbedcd86e8bca69986dc5512f3
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (33 mod 64).
+# DIGEST: 02dd1eae128cbeb47dbbbf90e2f5cd63293bb0091815c93bc1153d46f176374f
+KEY: da7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f256
+NONCE: 07f00d033fb95fb09e4d00d6172e780a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aa
+AD: be477e0cdd46be99371eb8
+CT: 9764272fe16e12bb42a8f2a6620e44d4f202c21d51692e2948e2f4e4a18acf58a12d399310f15e78bac1f5f2a48416e5f4262ab9a8480d9f1429e5e9d15d81df0719f8db8d7ac08da696048e8a048255071ba8926be1dfbbcf53e7430862f64c04
+TAG: 3859f6154fee0d5bb25811575cf137d0005e997ceaaf7def4d374e778bb2cc0b956159543f797667c24c28a2a0bbc352356054e532c663947e8a0b6e949ed9c93fc2897682142c43a60f8927bf2d37cb25c4faf709066465cb2df7765d97d7ceca95391b28e37dfa87e66d8e9dc1715524d22ac9cf618b2427e3099e2574990760c7f729c7859399965abd3cf7dba2c0ad3962bac36b443d318babd6107a11285c79bd897d5145ae0cf3f6aefa7f36e5d28f386c9ed1606d6e61808e79417a38d9a79b03e42c3fa9de1adda9d592a1c1314721c9d24b73d437a94a03668fb9fe43c15d48c0096254a95194928a78843b03d341df7d547d60dc1c93472c31c521f6433595231dbf6cadd58ecfb51df0245b4ffb4c022a86ae2ad502d851eaea
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (34 mod 64).
+# DIGEST: 137fc408ae1b3684a802229d78368f9fc2202311cd6f5da091b2eb998ceb048e
+KEY: 7dac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607
+NONCE: f00d033fb95fb09e4d00d6172e780ab8
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe
+AD: 477e0cdd46be99371eb8da
+CT: 9b6a8359acfc5d15067e2e6d812727d768f44b3edf4272f57fb54db41d95153fb03d7a7b3371e91c4be80326f4d70a8f2ac1e867ad3772901c513895e694214d6c0fa1f431aeb016ccc93faacb4950082f0cf00d3a5879c9a4f3fdb281e911b4e46d
+TAG: 60872631a4f0e7e07e7ababf7c02aec42c1696e836bb12ee942e3cc5833f3b48366bc15e90cbedb280b01aad3239bdfd49faddc5d1b580995e53b6ed934a57252f498c199149307d63d0785de5cdd501c864cce15cb7b04b0187ef35b3495a164121f6c6773052990733f62842a6a011586182487394bc36abeed63663d0acd8a9c5b3dfd9ad1e944d179723800c1a04566b804b38b4e2dfe81d04d1f4ccc262a65033d83cf299e8e39184576c60c410285ffb46930812f6d4fa4e2f5043d3eee385dd473277300d1feb6e29f81f051f5fb6c28de99bb8445f2a389aa71c1fbeb3d91aa66596fcfd46b3ca0e74c71694a5eb7da4b5abc8cb115a1bc65b8faeee4e96392a9bf2a15914405cf563e35428b69b15afbc9878b47f803b8b479a
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (35 mod 64).
+# DIGEST: ac9d4fe33627d4e9868c57a42aab21659ccc7efe18df8b57819b7d25e665454c
+KEY: ac997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f0
+NONCE: 0d033fb95fb09e4d00d6172e780ab8b7
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe47
+AD: 7e0cdd46be99371eb8da7d
+CT: 5818d2a656fce95d7a24bcb216f4d6b91d45d58d6ca2df5c9d6412d917951a9f61ff07fcb6b078fad69862aace436194f86f309373452e813c461fdb36a95f575fdf0f784ffa0914f0c0ee0c57ed1e604ca7a7a4b3d20c272b3b7f2e65b18c1a3fd191
+TAG: 93435a8da7fbb8fc3baae118d82bea0df990cf1018ca14993d2ab594117bdf1a6b9ee715af7d64353d1afe398734f5d88d97fc9cec550e6bda06c31ef12f21ba6e891cf9c24accb264a771570f3773129a5fa2d78e5a4a1299bf7eb6e0fc4fcc9d4ea7f4bef1ff089cbb840a04e4fd81775a72278cfdb757c2b041c190a830206a45ab4b5e261bd65bb206f60c7290b6c15c3f04b5fb0bdc64f775d7b88ad77617da94228b649ad948eb84915970fce864f776541d740fb6491843e27088de5e7ad51b9e80c4f55760ca996631be10cd005146356b7754ec34b62a2e19ff2ccd8e4526664f4bbb6c84ae5595515a5c8ed312a63b983d241eee86511736edee964c12d8f5b2eb775fecbcca740c7c3b2024fd5a6652990b5e1a3f3cd7ab
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (36 mod 64).
+# DIGEST: e59c699ea2887f6c829b7a0e895c45710aef6911fa3c930de3da61fc988e955b
+KEY: 997deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d
+NONCE: 033fb95fb09e4d00d6172e780ab8b700
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e
+AD: 0cdd46be99371eb8da7dac
+CT: ad0dff8adc54b5f02f428915bfa9f7277e4743e72e1789dcf552b91cda03bf52c757a9cca0655550c944fd264d287bc97d15dab3b986ed34637f45ffc1eb71b764cf5d5c1444033975829f1e59cb65ce40d787adc630e1f3155b2dc32733a754360ec1e1
+TAG: 6a74ea2b3f209b6f81b27fc58b28585c7b378a9b11b346aa0f155a495e1bca762cc9c73a00796ef7fb398aa1229119d7cbba739c3daffb0f460c0c6bbfe4c6e99164d0b88d262a1ac5c050533db32f61c2e06da092e1e019e1e01dd79a92b9433b2938f89917846f7b04bfd7ee42bdab140e1854db8312f28af64c979360d89b1583896c0c592508106adee7144867c8300d36ddd7bb87482a990141cc0a793dd2e490305feb1b1c7eb9cd3e76bf7b8c767cf17a614d9c816abc8b6c8ddcab95f1dc0f78404704d77403a97f4547742c33bbadd1944e34b20f2e3293418cfd8faf2ac19f0800f6aef3ec0babe1d2a5b721bf3da4c23d80f74c0e157689320d8c1b517f3dc9619874e8b3ecafdad75250e631cff0d5be6e553120cec5
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (37 mod 64).
+# DIGEST: b0ffb7b78f23593d738e845daeb3ed175ee48ed5ed2d827565030b047dd0ed17
+KEY: 7deafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d03
+NONCE: 3fb95fb09e4d00d6172e780ab8b70043
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0c
+AD: dd46be99371eb8da7dac99
+CT: 8a1448acbd769e42bfdf00ddd801153db3202daf5ba7997890f5f42a183d3a66faf66d899c7099fa99bbcf5b62b6adcb6ee87fafdd0275a8f625f3f959b0ea9acca88070aa9c61141787435cd60f63e262a80b6aaf931ba554ade7e0fb46b03a06a57db627
+TAG: 3fd3782dfec59549a1f357785c8056274d24d4a9fe64a7fd66f48dc76f831901ae3b39825c1bf24b1990cdb264db072005f5c55c5543a65467ced4291297af0607420f4254947fcc514ed2512e0c678e4d51721b5d6c3536a3f7b57327440c94cd24ad71cdd2d7209a24a8e9402c7c07de667d72854b232f6ab97a44b736322fc9512ae432f5e55d4d1176b985ea0e6204ab2b9f94cdd63db5b0e3e0e7b79f2c1687a055e9345813c718da09a233ab50e054812aca10cf18de8023fd6f28d029b4f38a5c3122e539748c60b12075c0faee5209b346055dc8c5ccca9093fcf4d87a7a9917a34e39fbea94a8f8456c6ec2a1b4a733b562563c79f4bf944068188e099ccffd60c75b87ddf211d55e182f8821b5918654afea2fb66090
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (38 mod 64).
+# DIGEST: e8928848fef7e0556377fbf3ed36b4105f334fa17bd5c5fbe2117ef82051903f
+KEY: eafd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033f
+NONCE: b95fb09e4d00d6172e780ab8b700433a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd
+AD: 46be99371eb8da7dac997d
+CT: 0fca069ff1b260179dd5ff1124e557e97a4cc41e069d124cded05275d37913efa220e1ed4768bd04d8e65797040856b686cfcd5b772278bcf5fa64cd8183ba8b7724359804d609b31fc31514a4ed43d84de929d99e63f12306bb497e8ee776485dc822c1ea53
+TAG: 447babe3275b7d8f53437e527fecbb6106e50e8831b2f5df5ee8067d4e3e3f9b320ca4b72a7ed1785a94f24d4c92916fd6ca8fb1f4322abe0152b377a5161ac5c3d2c0bb5912378184c1b19582d979d6ab88681eebef4ce6836137f03195b0b19e3d632009ed05cde65f6996686820632ef4c0845d282b504974ca5eb3232ad95fdbfff4229b8385184fc87d7190d17f68c274f4aeb3d07745f52d4a92a02c776a0b256546104a827cf92047138e641ad188e65649ea1c4bec3c61411d5f931831bd5b5ac45982baacece549255d1c102c80dcca28878b789cf76146ec44f68d8fecc7e5c4b7780ffd5b93bddd40185f63977299381833957757f837a297c207d93d84ca9c0776b1dd87c952bee715acfb350c3f435700caf824
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (39 mod 64).
+# DIGEST: cfc1420c24eff01a9e6acebe2a96090e25738c3e1c14da2c6f36f9e20a857165
+KEY: fd64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb9
+NONCE: 5fb09e4d00d6172e780ab8b700433a95
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46
+AD: be99371eb8da7dac997dea
+CT: 8cacbae377d038fe27b37fdb253f3b136aa38660743dc6b4778ab16940a9710c8f08970164316e26c3b603140f2f43f62a88d021426b841baec29fb11a3d8735d0b8c14d133a825e1044be5523932ebd65b34433c083c2d77af313a240b1eeb59a73a2b7e05a56
+TAG: a497c1ca95443d00804466d23f2e960a3ca86bc9688581f6f78734a7f90376fbd81d074b5618b6e4e19b091549f91d7acc16147d9ee30a7e51d528d8aac4f3f49d0afc542d2c652727fe8ead274c3178a83795aedcb8019a4fb9726c3f53718338bd279368e6bafbb4ff9bc5ff57662f16bfd03875770ca633f66c6def6cdff3070ea34e77ca487d68b4a5443e1ed81a80dd0a58c1c7f1313f6dd976c9fca2d378e894ccfc233eb99c0dfba33d95a3c29742038067089ed97c737e3137f28b06847e4147b0c2eb01320feba305c39f3d55747a74d76fb300c11bab7d216729be4f2b1a3a4afce0b3d2475ac26a2ea086a1b681cf1b6444239bd991aee39cb5e45fad5395ab17ad95c37f590dd49d8dfe19768aa86ef271fb81
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (40 mod 64).
+# DIGEST: bdb122b808f40da0ae98fe9ace91fef7f2b39bc734f4f735f7cbccb2c00e4666
+KEY: 64b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95f
+NONCE: b09e4d00d6172e780ab8b700433a957a
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be
+AD: 99371eb8da7dac997deafd
+CT: 06b44584c9ddd267bf03aa311730fd0c4d3461678d94b4a794eb3e90b9cf3113ecf0ce0da8789d59bec50a1fd1e08ceea4cf9e00b2e0423706c126af7a3031df6cd82a7bcef877b413662e731b5a74ebf68f781eeeb79cf760cebda2c5070dfbb7c6d1ae6fa2a177
+TAG: c897a50e7bb28f06a5d1848ef4ad3688639503d7a832199155e61da6784097c06d178711af2bf868096d23772256707fd05d4c43963f885e5037dff18172b0a89fd04392ef01504ac2a664b6a74c120ed6e50e1309ae47171b6eb9912e85e3f812cecd79b55d2ad7759043c5995acdbac92b0090c9503508febbfa8116cfcbff92a80618cfb0223819548b04acca6da9dbd690da34368faa4cc9058c177f16fdacef52183ccabc3139509620243baedc601758240f26fe58b1632cb21440d905cd3f6ce3c17efc82e2e167132100dc18eb4c92b62810aa8651288c0ab882815b18f75175d61ef47393913f125e37b9126d5d8dcbdfa6221a28683f6c4aa7628ee28d95e0a3815ef3e601ed44bea3be0bee95a0ca5fd15f28
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (41 mod 64).
+# DIGEST: a1c40dc7a17b3ef6c9170eeaa9500014ef9ada833615b6d40af3fb2e14d7ddb7
+KEY: b1fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb0
+NONCE: 9e4d00d6172e780ab8b700433a957a74
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99
+AD: 371eb8da7dac997deafd64
+CT: 85da88e13f3ca14fc4440ffca7bc837818daf1dc52a4c505583edd070c7cbcdb4642d8ee1ca687037b08e1737a2f49039621823222f9f02deef2c340289af5184a86af8429747ef2f7d98d6aec2af060fc8e6895c2182bd1c479fc6a2e7ecc03eb4b03204db79e18b5
+TAG: bfb333acf9be1bb3abd081f67f54bb1a198e007b1152a081c13cd0279770cd9314999ae438b54d9b5e516ac648fc0c83f3788a4a4f396a4a65517bf8499e74528ec72fc640f26dba748606e16f566017ccb911caa94a814235c1f08c080934dcaace98ec6220ddf784c2c281776bf1aa758608466561cb62867a1d165f3d46de65d7d3a8bbb36e3ba645b5049ec1760e80d114374a0a6c1628c99f5352cfcf397df3dbdab10a44379ad1ef93727191d076bbaf70de831e14721162e8173531efe43a2a739bc3c76359bbead3d5032006efff46ac2c7fcd48a8071c3211496a61f2a6de0d690de8338c628fb0e3983bfef09738c1bc2bbd6dd9c51613d15fe0c85c02f2f9560809894974ff005b083d5abdc56f5106ef04
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (42 mod 64).
+# DIGEST: 677f053b9f421414ba91c060ec7ed66d27982e992da0372e5264898c9edd2bab
+KEY: fc65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e
+NONCE: 4d00d6172e780ab8b700433a957a741c
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be9937
+AD: 1eb8da7dac997deafd64b1
+CT: 10ee64784345c076e3f9aaeacc87cd51d6ee0b0facc9f40b4e6a1b4bec669ac3c5252c948b0c0a4d8e798248e6b10ee247e51c81793c2be91aa8c9666e0d8774439ea159e4745014bdd2e9f379ba461a7e638cab9ba2aba1498397044edd3f2759dfa56f488a0118e6c5
+TAG: 3db7a5fdcdc460c6454407a23ea3d0a8b10439d34f66016049a07d33d7598f5debab758abfd5140243a129c0de5dcd36172bcff878216959047099c4675effc9f8faec3c5749afef3624adaf4aaeac2bf6b8c39119d10689de6b734e8fde8461da3f3e71030ac2dc83c662b646169cd492f7fc426088025f5812b73ce182fa9bd7f024c056a7ba3778b5b369c2ef437c9cfc8b25e9ee868ff17d64a814a8cbaacf9079ad75dc055bd3afc491331bfffb8a61c058012879be54680e44d01cef9a35c796dfa3cc450a6f69d239d1b4609917abec22d969b7e3da0a400f359b93c78ca4134effbef8c3fc63e94264aa67b4e98548d14c5cb3817f59de84dd54d8120b317f07a96115fb0d75ac600491ef781475e2adb6ee
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (43 mod 64).
+# DIGEST: 9c1c2b1853244d015dde7f4068220d7640501b1aca325b82c1be8c015b61e59d
+KEY: 65de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d
+NONCE: 00d6172e780ab8b700433a957a741c9e
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371e
+AD: b8da7dac997deafd64b1fc
+CT: b90220b919dd02b216aa2eb7863372a645b09df88645dcaf138fb73d8896e39aac5a1c2f0535385e15cb850a6febd5d6ea9f3fb573944cdd5b30cb80aff6b73a173ffd7c85673248fab94e3b9544930cff59f52515dcc8ba39b6f51dfd0487bc9f8eb23b031c3f6d70b763
+TAG: c9d421b4b147c4392238c3c6e3bb6421e47773160722749bb244efc4a9ffe3a55b2952aafce9bf5e46d29f9d916c582e9ab426f60258bcd75c96fb4493fe0923356d7647382e103ea4ef363ca1a063ac89ec2e1ed9c45e84aa8d4e279af1bf40ecc0e5aa8a4af86b7e7390ec15852515e28bd8ee956709bd90172d8d03624c5a81dcfce21b573e1063d416ed59afb316a4a7fd1d22dfab206473567ac0b94aab64b2c201b84f8e89a575c5d1510cde801dc4a24b7537e062d1caf08f6008f2f14424edf16bfbe3960a857a2784ea033fad0ecedc84a917405458dccb12a107fc7f603565eeacc7573571d05483ea8dda7519bf10903b9ef9feef4ac6682956b193e2201dea4150b5aeb6c122cf4e0a854673736837
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (44 mod 64).
+# DIGEST: 6bfc1f2aeae329867e5d7f268979743cf267d0dd73b7882abc0240ea586b21fd
+KEY: de39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00
+NONCE: d6172e780ab8b700433a957a741c9eb8
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8
+AD: da7dac997deafd64b1fc65
+CT: 9807d89925c67a45c8ba18cfdb817f5bbc21e58c10f7dc8c15b70acd97e8b97e0393d5948d51a65f6f092590b38c845164e6d2b49288bd0f73c4f4b551b362470638f51422dcfdaaff5e8aaf80ff715f3f597fb9385ca18355b8e98d1de17a302b81470c8e64a2443883cb88
+TAG: b90eda5e4260d45f777533784bb41a3f580fecdd1c088958d001c2a34b3f19ff6edb5176fc369816ce5a3dc30bebcf6c727a64acad6e390588789aee7ec9371fa86589d89306ecd74b90ff8811b6c79a9319bda6fac4317e10a756044e97b68c47a63af7b20984d58d9e982ba135b620eea8b84fa0e4837f935e847a85b81167766f9bcba496f54d47652076e48c96aa2c723f52f1efe6b8188bec0c53c71c4a27a39a25d13b7fc94f44babaca1676d8140509f65983911a2aa09547b5db116d77c734ba30e766101b5efea44b1b425b6af818c1583c5e3d24d517b4693d819a1eb7f85c890b1cc560722faa2170ca6f7d426ead202e9c3186864bb4fd21db770a972bade06e4968caf0f06348dd00608d074646
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (45 mod 64).
+# DIGEST: c1702d4f70a18932e2f4d3951603ed904588a990123e0a02d29d7259afeedf69
+KEY: 39f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6
+NONCE: 172e780ab8b700433a957a741c9eb80f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da
+AD: 7dac997deafd64b1fc65de
+CT: 8d69a3691570f0d175aad5fb77a0e9abd3f882b10355a08f0160c113096acfecdbc4ac32f037d16c2c4dda4bd3325c8690bade6bf39b14435cc11ff575a3d7e9f7b09b5b40f9645d9a5dfb44f42304d82298cdd866e957d4ab64374ffb86879ada9fc8d6a17a7ff1b06cf33529
+TAG: 1355e78bcb4dab39264351b32e7007598508d90f012029967337855deed8787fb8907de3958efefe76d5373c1834d53e506d18ed9a60578955c019a04fbbbb9ef011e6c284734f28e4d228f5901c163145257073d12dcbbad11055192c4d4781e7385f892e4d712e5e265e846d19712159bbd7c7bbee86f2a5201569018c7a4bee87a9f12e78472183f748f72c53046529394b5793598ca555d00efe86f582c6baea187cd47216cb02c6452429dc70f0926dbff7d6cfc830134da8073f2a4fe97ea612cbfaff430d64f7e111291c6abc02f6443230b492c7acc794c22376be011b1a71b9665657632e1354f49faa097e381a3fff3b1c355aff053dc7c2fdbdfd8279b300b1e06d6f6cb6170429f25090c78ac1
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (46 mod 64).
+# DIGEST: 09ec84331099e1d602d0998d99c199a6037255a5a4d96bb3af54cfba357bbbf1
+KEY: f4f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d617
+NONCE: 2e780ab8b700433a957a741c9eb80f2b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7d
+AD: ac997deafd64b1fc65de39
+CT: 26d675c591f287b26eb35f87231624e454c4aca1f25491b74a252e971c48ca523b353b4f6c0106c1b3b40182eddbaf7ba47263790c3b22d23b09458d48868bb18b2fb01bdfa965f7c1b211fe02f9b78959b71e872ee05ff3baf548a85797270f456c24459e019d00f06b8a73aaf1
+TAG: 11cb33f42c68fed775b06e02f9dcb709d62614f7f3b74d8b6c429b10d0f3763d2036a18e502fcf000e9f831d01588656c5be6298f8d6b757818edde84acbcedd0608a6a36c1d827f750d7a4ef5f6df6193a620ea2f101d2b9aac4ce02a4bdde76d195cc3641bf1c0a3242e95ce5fe82c653696cb753e0cbc22bed985a860615b036ddb30a4c8c0f0ec22cb94ce3b792c9126d283eccc7d42a92c57ac389eef5020b1c1f0ca880137d21fbbe99ff07ce2317bf608ea29df9ee4179fd84dec1f9285a1e601186af282030a68a4477b59c9153d8a91c08d6e94c0746d641f9b108cec371c32d9c6068fb3f05131089787a0cc113c32403cb196dc4f98bda7460403a7f6ab6d8162ac4679b531dc266297c7a132
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (47 mod 64).
+# DIGEST: 7d506a5c0299a82f5f93dd69526156e0de9aa5cf94f9fcaa12064ef920a1c5b6
+KEY: f03541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e
+NONCE: 780ab8b700433a957a741c9eb80f2b02
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac
+AD: 997deafd64b1fc65de39f4
+CT: 9c61bfbbd3e8395be166b30a56b3e192748ba3bbbdc334dc3720206ac10c90dd777aa4957695bddaea0b7e554951c94f2f74a2bb7547ac20a7e357fe249614204401144fef61394c140553d5566c18ded15e0fa50fd5836cb725d277fa46210e57fe3c24d3641fef78c33a009fcfe0
+TAG: e39c89ecfffe2aab2a48fbd01a8b58895abf2bd66029bd5ce1b539c46e5878cca37f1c8031c8a820cf0e2500aa2a2c65a4974bc260c949d91180d660d21c918415c5cad09f1c5561bfb21f9f765c5c7f60e2c4352c0d90cf1266fca704562d003132e3b1690ae9bd9ba969c469f8d43c821f92e3a622f25d03967127a9ac4c3b2a62956216d525216ab6082fac62c80eeb993eeea3f966952065cd2b1ad1e9bbf4d27d07a377d363d1955ff2e8bad69db97c1fe49e1dcf405b73eedffb9c5992015b56073530d68503aae7b6b4ed8df988253429e900ad63f7e925e415174b24f724c9df43e95ff5b96a365beeecf08fded61eb6c2219bf4102351111231ec0c4fdbae472892eca04c91646521bd2ada50
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (48 mod 64).
+# DIGEST: 5e9c0270955ffa14e3383a79a1cfef00baec4e8be496c867cc14dbcaf609b61a
+KEY: 3541a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e78
+NONCE: 0ab8b700433a957a741c9eb80f2b021b
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac99
+AD: 7deafd64b1fc65de39f4f0
+CT: 174bb28ef8ee033bf0f39cf6a5d3c2157ec773078860232827fdb1c875e9622e198a00a50fcc03b2cbf1e4a747efcdecda8b612ec3ebac650a7401b4b204185e4b42306d544e3f6512b87bf36b5f55ec0bb4da01c36aad92a16865cb852e1a5d1a86d3d57e6336d4376e8988f00162de
+TAG: 0e7f9138058d2a9141ce79d896edb6f752349a730e9b9de2edbe431d9e3cca2b617e3611e84edf9c87917806ec955ee0bacc7474224d8bb364164127bbdb1b1560130ff08004ccafab3af0902d937dab57a572f08179771b00b214ad684b9b939d959b9b1e980c5164cbc56a4432c9837b154d2ca86b0c7882cf1c631602e8054bb07665230f10259ea41f812454eb01ae06f5f923a01764f29fb130e93ac4156317659d07e5fdade989a8e1d86dbc7033c7898d34932d6165e12ee01110aa86031812df4d79e6abd101709c42aed2b8eb722507f0d282469e6bb1db4dcd23ae4c9fdc96fa8c3382150a4798cfa9900f4a515d858f82ce1471723b4a289904143e34b892f4c8d761de9c0c0ed11f276ba964a734f60a1cf0a5415a0318473d2c
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (49 mod 64).
+# DIGEST: 57739c0c5b8e1f0255bb93eb53822ce8688a4078d971c0a51e757a0269760bde
+KEY: 41a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780a
+NONCE: b8b700433a957a741c9eb80f2b021b14
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997d
+AD: eafd64b1fc65de39f4f035
+CT: 9b01cfa97c72b5ae8befd0d357283a52f6b8c5d9292d28f61373334280f815d6b69f878936738cebaf6fc84d20baf51868eb4d2ae08d64e724beea1887a76316acc955a00b5d1230fb120bf7d51f74fdc5f332521c59406bbd3161987c6ec49ad946a6a51755796de19830631daf69c7d9
+TAG: 37cbf6f77fc5e964017bfc5582ba07d6b111668bd2db6aa7273b6cb35e6c440397401307fb7f979b6cb39cffdc26c3ef3ca83a11c0fcad66423677bc0c459c4448d87130c23e949561dfbc097b947832104e38dca519416e9ab9d98922188eb9fafb20a771f05e0713a56e47dfe1fab667c2bdc23c6287ef14c9ca985082ebf601bd18128702c54b5fe221040306a40314c9be88b86fce8887e465e9d2e062a5236bfe6ca2914a9f0aa5c43a88a7353761e10516c27dea9cd619a69b05e6287c0e8e28e2f5572c1a48884e9f8a890e11f4bae1be67beea5efd34cd69ca5e17ab7eee5ee4bc3af28a6e49bb47a0bf4a9a967bdf14054e54e9e8788e3ecaf5c4e8d5ee3e3844e560f5056503788810ba1aa91f51d47fea9ba1b276d83b0ad78c
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (50 mod 64).
+# DIGEST: 0ec4072fc3c850d4ee958a0af170d5aabd223b024c617df36f4ad245d0304c0a
+KEY: a11be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8
+NONCE: b700433a957a741c9eb80f2b021b1444
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997dea
+AD: fd64b1fc65de39f4f03541
+CT: 0b0133ac614de667eafb516e1fb33b016a8b49e558f335eed239d50ddd13a4152f1570269615a243502fe1c6db0667a2de7975120ef65186f5af83821598ff45494e943acae24a6095ad46a498971f7b185d7784d451b1260ea478c03babf0e582a8a777cec20905821267eb85aec1a2ff29
+TAG: e275096ae20d00bc4a15e380c877226c0b2ca24ffe959b13bac702c8eb499c2668abac60eb58c7a87c3f8d6af3e659784b87ab549ea4a1b069dfd5307a46aca1617019e262967c9e92affb78af2dbf7e8734a736263def3b210e3cc1cbafe1f652d427aca9220fecd8cbd5be52c711bf5a8cc9434ac1ff4b9c54965e477af9366830dac8b6573f969d21d989ba454b3a1439ba7186e4793473df702bcb9f191de383cc4447c07204d680649712502d1122b4fa4c7f980c453dd3b7478695a8cc555db1f8c7cdf1e41c9ad40a67c35f753a0318127e9be4225e957d3b34c625f5e5bd475d0d8dbb9bdd8c22336b5a70509ee2383e4142eba73748e1d9cbc1d361ba8e27e2cc33bbf6f455b876813aeea97ccc8c2d51ba96f3fb2c6b77fc4d
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (51 mod 64).
+# DIGEST: 640ba3888e6cc260a6022fb69dbe5c5267dc8604aa92216e11888394fe59d292
+KEY: 1be112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b7
+NONCE: 00433a957a741c9eb80f2b021b144476
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd
+AD: 64b1fc65de39f4f03541a1
+CT: 8d5b92c78a48ca6049da6a036735ca23b99f9c3cfb97122312e5bf0279d094cfca0b976e24f6b65d81f85eff669da35486809cbfdfd1fd615a5347947156148e6b71a11f7bec611e7c29e19f6f62f94bd7f8b89e54b6945dcc1a7e380e51456a31f1d511bb92443deab5987c3bba2663e44640
+TAG: 7acf0a75baf749f03853423ce40ae4561a255e37361b6c1d7112ece841573d869f21625490196ee94935af6cc3cf789cae11eb8d4e4919796eb984510bace170f192626127324a5defe85e0a226c8376f952528151bc78f33d093453fda77dfda1e6364cbcce001c22b3018689cdf769580642616eaeebd22345191c0c30b6e7a07a83d333aed065b0fab2c9c40e2cc08537afbf8682d434f5f9538292d7094519bfad7842b0c708af475b43770067b5b86a9178ab148e5d8c0815cf4403f6336d66079763f4923b12a53ec020967df5f1a416bcbe2f851af26f7eb79a26946fed4fb3586f6f5219e1a995a5e11ea22dcd9b78867c373d04d17241f19cf705df9cf57bd58e38952d8dc30d262948dfbf00f8b4b4ff9f7d7dd3f5fde29f
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (52 mod 64).
+# DIGEST: 7c10e4553a91588e2c39060e9b438736721926cb7bf53858293ad763e9b70fe2
+KEY: e112a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700
+NONCE: 433a957a741c9eb80f2b021b1444769d
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64
+AD: b1fc65de39f4f03541a11b
+CT: 997bd62c118718ee23b9d75f5ad15bea914cace8858ccf9534ffc79a626768802f7e86930243b3dae80d38782a6a61429cf0278d37bdb60a0ce3ea74163ab77eb299285efafa2895fac6d7f2ea65b35e579e07a7a6395e2488db288c415b402a913d727cbf3df623ae4a205d9867c59658d48c7a
+TAG: 6cea3ef5940f79c341e22ca98771e1f4a27dea38724916ed5027d2747056a192e72ed7bf35cd1e3d9a724935bd778866a7454ee24a7d9ae6781aaf221ea99ee6e61d72a8918caf36d30d5a190494f0ba02ec3d96b4e9b12ff747e0f1c98ee1483ca32cdb68fe1312ff5f0f49f2e8e89eba814807cc8e44abae69cdab9d7ea9ca0b1a785b743f9fa4444c23e29fb77fa5c329941ac842b47c8b052a26e59eff599d1007f9c2a037c035c475134d272abff2a4fdff42e561afc2a589686be3eced7ab14ec72400dde1bca8738605794cdd80688b8caf366f08c0be0f200fc6fca9bdbc8e5ca54d75c1d02832d8eda711e4a4db319b622cb1af0ee8ef22d88d16e4552fd6a38d4f8517db6cd9ea6420c6d89b99ef60f87e43a0f6b3c63a
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (53 mod 64).
+# DIGEST: 0e88468ae741a9ac1114e212499c092ba60869973f2cdaf456ceb336ad40cee9
+KEY: 12a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b70043
+NONCE: 3a957a741c9eb80f2b021b1444769da0
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1
+AD: fc65de39f4f03541a11be1
+CT: 6ddfb308153a27c84009486ba4794d3ae0367fe3f75e289a28e2bd79af4ac294827e034a8957cf3727463c10ebb82542a1a84d89214905da11bbf882b702168e670725717f360b255b6b1c4035c0192b743e62c20545f6f8706010fe2fc8ff25c7ecbb2184460d0944c1e29f66484c450b2b06fec4
+TAG: d15b520c601564fce30151843ef4a8bce43516f2ff8acc27920dadccaf244a659d6ae5fe5568439d8af51273fac3982e690127a424b82ea2c5accc995c3002d70b6ccf3d46d86e4a231092b0c2a2b3fd2e9d199f8fbff1c4a2cdaa03ad6be6def2378c8991edaaee10c27347cce20ad1576f664b8cdcb3815416c89b62a3bb8477041bf3d070f2b862295c6fcfa2066894bc573858ea750607e0cdbd2a41771664b0d35c7b7cf9144e5802252b26cc2090e46887c2836f2d1a8bd4d82cf00915be9af229081d9766b95215c275271b2ee52b16fc6dba1ce627556d4749d058de8bb849021579c462f918cae2f4eed68ee4447100dbf246287022fdeacfc9599296b9ea3adee378f0743a78650abf652a78fbdf1ac7c64c844e115c
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (54 mod 64).
+# DIGEST: 4bc1f00622d792e473151668845b2ffb30c43027972bf59ff86ce53a380f2aea
+KEY: a72933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a
+NONCE: 957a741c9eb80f2b021b1444769da00f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc
+AD: 65de39f4f03541a11be112
+CT: 452c39f1ed638a315dd21cfbfa383115d3345ae07f9968f2c30e47a05891ceacdc0f3b4669c929765f51f69c0db940b6ed5d0266894292e57d04c2fbb3b1fe2bc3acb98f87974341ed985a151f82673c237d101161ec73bdfa6144198a83a6e7ce8866b5fbb7bfdaa908dfc2fb15b9175ae8d6cb87f7
+TAG: f7a43f52963dcf384be1ab05d5c76c82b0c56ad9cc7b75e28f08422429f128acc6768d744d05668eae006037f8f7e868a3489d746f5c756c130c910b48cb2572e351b38f89b9ef2d2b4b2a8890b5e3084cc630519519f3e767f284f060e04445562d201b94b5c07938ced76cb43ea1f6497fb86751f3cf76d58af9d9b32e367e012202f94c0bacdacf632c28c3f5d1623031e3695b7e4d82799ba9378415713cf3837e6dc815895ecfb6712207042ab4ad7afab51677b4132e5ec548346b062ae85eb0fb0e1a181022cf06edf4181aed1c28e3c615a11c825f70c182689dd401eeba16f021efb28505d570cf461237710533e101991196db42b2c82d4063377c3013cc2e2be6d8e544d44678eb80a137c7ff63377027f71d1a20
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (55 mod 64).
+# DIGEST: 7ddb9526ac0b917c3d63a2c0a4cd720d4814a25e29c34a5b203d8aa4d4e0eb00
+KEY: 2933c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a95
+NONCE: 7a741c9eb80f2b021b1444769da00fcf
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65
+AD: de39f4f03541a11be112a7
+CT: 8aacfaa8f3562d65f4ef8490db090ba2c6a4e80b99fdf707317a66b871dbfdc3a99d04229410d3e7e69325c62aab79ee16e898c32f56d3fe6edcd636291f195f60deaa0deb05b233f25530dce9ffc8e7a75de992afc6929e90e53093758b94038584acc9f235cc463722a18d0de99069c086062de66b39
+TAG: 6031ef2bc636aa219307178d4e56307079c664416b5abf00149aa8040229322a006f6c621628e371d85d733037069df7356b8800a694d5c964f8321f250088f1d10d8a967b8290c9495c75c26d81ebde01469f46bb4b39934200b3da55f26847ed74dd5c26f641b9f48331dcedaaba9216bf4a9329022294e2c79b770ae73ef355b98ce6fc755c38e24d1782a74764e3720c01342cc07283d8925789c42a7f29704437476c1d510fb04c16e9e5f89d824fa861b05c9a18e52a8435e8b6aa8abb22a9a8ef48ab8cdee50636130a63a05dbab01908d12f30ec71d8475f54af9936c00d1ed3d69be870f6dfd10542473b472fae1171e8dc2f66643ac3720b8931a06b6f460b76f63fb12bc2d82acd6180d8f7a3340ab84c125b9f
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (56 mod 64).
+# DIGEST: cf85268a8412f6a450d7c8d48a2e744b508b00017da678e76cac09902ca6b0ad
+KEY: 33c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a
+NONCE: 741c9eb80f2b021b1444769da00fcfab
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de
+AD: 39f4f03541a11be112a729
+CT: 1425f735d28f545c7ab1627588b21089cfd0641b2746bae57d36f0286c43e9f9476f47da0ed156600455ac14c65c5f2999e8aac4d99f69a0deaf7ea1653dde591fe26139e30f64ba29d0b11c7853938d86d801e721ce7ec81be6fa8b5f281d31b14fe3388a028319f0fb12ab50438a3ecc32ee959cb5d393
+TAG: 03ba0e494d4f1f602f3554bf4888706d6f686c9e04a1189d755a8b43f41abad6f5abac893019a9c3fc38f17a34b5b257107206d04a7a3d2afbd3cb03e5f10f2c79c5e2b18ba925a2eb112eea5477d9b862bd7323d0275a24b63675ffa375692b4a9237bca54478ee86981acd437ed1e4e2d71508b39c35b3ad3633ec617ef2d35ee174d52946a3018674eacc4dd64e705df60203cbfadc3b1f21c80a562cf2f6c42287e5df030da4553fc450b89e908ba0a6beca9c228729055d875f65c1313f5356b63a986233d10b5a00308ccfd8b7e1524e1b96a07afb980e8607d9586bfd0c50098a399fa12ee706b26eb1df88181103c2828710990c311ab321ccdabe2406c6acce5ebde7c10c612fbf6397a3da38ae1b016208eb9d
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (57 mod 64).
+# DIGEST: 0ecc677bf17604e63d1e4ac4a1d56702dfb16e205af1da5d105d553e87d14680
+KEY: c7b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a74
+NONCE: 1c9eb80f2b021b1444769da00fcfab0f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39
+AD: f4f03541a11be112a72933
+CT: 368ce97b3b9c28678363cbcee49ac8474b6a12ff63d783060a8cb33ad951edd059260c4927d5bc2ce252b4deabfd902ec1025a8847bd6fa57324d1d8cdad0f23aacd338c8162f77024291f106dd73b1dba3746e7a8dc3c3132c6edf1367aa576046a7d537df7827059b25e469dbb6aec50f33836bd166761fa
+TAG: b69fa0f760a7bd618bfd2225597444ba67a29e91a8bf110dd8cba1cbe05d335b40a51b1626c389046bdd3cd6f4211e127c58fd8b2fcdfc8d137652a8e3bbb7e3fc6ffab78b6b3b95ed52cc9884a5362339928db7e8d85a83dcc6634d92ed8df610885a3ba813ce831eebf22358d1c46b24cb89ccddf41ae4a4166eb9d48a62a6e3da218fc992a87154280093c178c3fb86133cd0427e8a23338536a7c6fe2614002e5a7765c49ea08ef1cb816d74dd7f6460a674f82e779ecc4d1346e6367b8e06586a1219cabb6e73de95c6546f7472bda8f17a2fa3462e1356d64affde34dd51c2fde2877ec1479030f38418c23c429189c16d38b2be3726a46f96d0013378b7a6418c9a29ce256fb50f991f3e32810c69e34fd73d9b
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (58 mod 64).
+# DIGEST: 75073f11e219dda101a54987959be5353c48af4af654fa6dd23e32639ca2ea1a
+KEY: b54ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c
+NONCE: 9eb80f2b021b1444769da00fcfab0f5f
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4
+AD: f03541a11be112a72933c7
+CT: f48fa6c6c0ba5d8904335d29ba3c5ec00b90041b67806c726a4f3b88c105db3b373499eb79f0ab9e348da562828ffd75369c90fb026cbd76cec6666bbd61b74548fdbf7f44c45c127e82dbb690641bdc7e9271fe154f6e148c0831d08ad7fbd38a4e3a9cf47e0d4803b4bb045e6808b228d1a8605661c54ed964
+TAG: b4e59c14bf8f6fef19c49bc43295dcac4a43bafbb931ea101cb4a5fd7b3d14ff22ca54c5e0c3ef3317314f7676e327452bc5e46216f1337fca84e93de5afbf3d50fc3466e5aa3a23772fe9fc05da1fdb3c5520740b372733ad60dd874f592fb48aa9a2583ac61ad50bfa680f029b0b31cab014791e9374076e015995dc64b403d0307999cac380237e2063730356767323bbd11e8363876bef0c390091cd2c5a4102f08d15f4aea5761a8576b059ba59f6403b5f286d370f987a54db50b464af74df3c53a9e90f1503313cddada7719c2e5a43db5b94ac79f51bdd0747bb38db9dc38261b1212128b7acbafdf4172402b64fa9cb9fad382dbe28d14d0b40957c045565cacfdbbaaf0b0332ce1f67ee60aae09e29832c
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (59 mod 64).
+# DIGEST: 7390da1949a9ec86934b6f6c7af07d60fc37be21edd0ba9d937e888402731c54
+KEY: 4ed4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9e
+NONCE: b80f2b021b1444769da00fcfab0f5f93
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f0
+AD: 3541a11be112a72933c7b5
+CT: e4879e4b80eac7bf4b235ee71db7af4a9b68cd4151d92ec1d33476595c714d4c6d97810f5c88c7ce2f45b181cb0a20b1969c88039248f7fce86f7f9458f51b726faf05610b76cef8afd0855a658feea188abdd705a3de0a655ce2e9a54617d8b646853210dc47dcb094c1db4c198cb1bc55147837b1c0bba9822ba
+TAG: b82121c2929f5c4caf4220dd99bf0836b91dd5db0c753d8c6c88dd63a4964b60896712d926229acd3ebfd86d40aac7b8045739a6800284a57e4cfdb9f1d58782aa709b89f529a4b148e2ef9f4772bd57567a0b6f331b800e8fa71052eb99aa64efacf5f7060dd42b7cc653df1d3b784befcb1069bd2450f6b683c91ed7bb892a3f637587140aeece58cbc1500a8b93e86292062545308af906ede1f999bf1ac3f99ba5384fcef40967cb2a50270171cbf45cb5aa3b04fcb33ec022d82254a8852bde63db56730a64c163a017c9cac043ecbe2847ff740d768c72894311c210c0959a737abe70c1e20353c0db83dad2c4bd2d407fb389351381381c3bb3ccabb5d571f550c148ce940c0c401dd21230467dcc06fe44
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (60 mod 64).
+# DIGEST: 174d05b7079b80d455325eda1a010ec9bfec7110a14120c6cfe365d270099069
+KEY: d4fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb8
+NONCE: 0f2b021b1444769da00fcfab0f5f93b5
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f035
+AD: 41a11be112a72933c7b54e
+CT: e067519b3b6b3271ec55bfd3b68ee9c762887b3eb80cd4f65d3267fe3c6baf3b83620aefab953b7406b7b8cc6fd5e8f8180af789d3c57c55d580b00ea780cff26f5758edba93b7a08b2292104ff11e4743e404f04055e136bac3300170b0731c35bee9de79de13da8e24635b882b9f7c85fcd6f94e310fad8d27cef5
+TAG: ecd6d54ea9ef0297664a6f0c3ee972e2752233d0fe4381474bd846d99174f15e7312bd2f58547a9e8f301c8ba706d7bd0bb8b8a3bf16821d72895af7787acdb345c9d0f58171564995e53783343e782eefc468858321350c6c8f0ab1918eed7b01eb0265749226a19221f57818af356a3909ff17daf229510acf26b07273e21713d0ecb8f8f19c6c1679377409c4dbe2bd04de8c6546a6e6b00bdb72613b210412fe79998955e0de4e04a6a113243051b1e2d3ecb0a8beecb32f0374f78c804b0818410a12a12db227d49fd7107c02ccbd6dee62856cdcb49354e96cc434cab526b0cc4f215dc4c8e2262bc44e3c1a7fdef268d03803d1766c039d576c5799c4ebb148ee655daf7fd8e9632f90dd88b5cb6f4145
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (61 mod 64).
+# DIGEST: 338800a96a5cf6db2ec5d06de2a53d0fb1b94918f1f8d5c0f222640d4c1bb96d
+KEY: fad0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f
+NONCE: 2b021b1444769da00fcfab0f5f93b511
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541
+AD: a11be112a72933c7b54ed4
+CT: 9b5f06ef7caa30028667c9d88efe9069c214d2244ab9b30443691c7298ba292241099693d831c5bc50dcf8a7eb983df8bd7d91497d8e6892e3c6ed49aae987bc5f047ea53b3a44960b469142662b1d0aa726b99170cf0c0edbbd2223efa7fd3c97afeeb9c50ca0a8074d2d339e8b4ebc0def814188cd87dee400b23ba1
+TAG: c512d19b8c661985b1bddf12672f3ce85664c911566da59c3d0f4f8f044fa5fe6200371b1bbcdef5a5771cc7ee919e36c6b0d035e9a8b518be4aa8464ed8eecaf4e49d3270080d0b29589309fabc79fb533efdd869e42b2f3fea9d78756c266b245b4a37310eb1cbc24a878441b7701a813cdf7692a1fd2172001a90346c7a80b80ee21249e45e1eee7b19472987efcf4335f8b0c59c2ec21fa6d52624e7ebdf5a2a5d595a098eb56a6ec24636b021b5a899c27868f6ea549cce01a64af21e36525ae16e54700e9b9f57fa61caf0fd49a2c948b0059b315592cf52d5976d2022e6425ba227c9d9cf1d477517b5d25fdf33f6f719c2a6f91a032c5745477f53072c373f5507757417f26126b156ca91500325ae
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (62 mod 64).
+# DIGEST: 6dc3a2d32318422ad20e9c7b09a9a73d8608a326eb14efd6eb52b87ffe4bad09
+KEY: d0be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f2b
+NONCE: 021b1444769da00fcfab0f5f93b51106
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a1
+AD: 1be112a72933c7b54ed4fa
+CT: a7a27ff44599a6263753294a057c527552f4659590b97b9135c74da778a88607d0781df713f4e0d72d044f0c2c7daab6fdcbf162cd700d236999e29c25be1c599b5b5941c774432494b848f6d862da9f95d28d132c7333a4ab436d5488466ff8304415494bac0a922c8aadf885ac23dbdfc19a0311857d4d58d69f714939
+TAG: f18f948248b93ce700f586b0d146f3156b4135696992754f1b8d15fb1066b23b63006e15e5545e7072a8d7701b259692e6651dbf00692201d981bc0bcfbd7896ae69fc0219f089ec44cb737d07c25dea40c029a1146c062496765b002128a8b0fc1d11795e908aa0cfd095e96dd84c3a205db31bc1547aee7b31fe35eb388e15f8742e9c6aba30f7fab80fbb794e31f8801ed5aeb125826b545ece1440c33b3cd5f7fb4a422f456ed501248844da374ca8a033b541904c430ec09f0f72a53d458519eb55142156c823425ed89a64a5b0e5d20a1bec8d7146e62877daa08d4164fdedc5c85d93c4b1cd914055c6a80ba366f8f8739fe377be0afe56d198e96970d952d694cff07c9d83d9ef13e0e135d4ae86
+TAG_LEN: 32
+NO_SEAL: 01
+
+# Test with maximal padding (63 mod 64).
+# DIGEST: e2c5b8d5e6f07c136223bdb8a1c0197cd99132dd8320a3f1dd1a393a90e575ad
+KEY: be905d41203f5dce998f8fb2eaad409ae02116417dae0cef457b9e5e16dcc5b6f25607f00d033fb95fb09e4d00d6172e780ab8b700433a957a741c9eb80f2b02
+NONCE: 1b1444769da00fcfab0f5f93b511060c
+IN: 936a91d0b5d2c0267218cb7090c6171386d641b87797b684e0fb56f97c3961d8afa22993a340b9b3c589c7481df3f4183aa23fd8d7efd88503f78b8ed1c8e9ba2fd6773e0d0c302a5f47e037446f5891d77df660ed82933f62be8dc55b436965aabe477e0cdd46be99371eb8da7dac997deafd64b1fc65de39f4f03541a11b
+AD: e112a72933c7b54ed4fad0
+CT: bef9d1b0ca29860a27227b7d32af256a09503a9febf9c1124054533c15117d846447e74f8963fe6eece8507f168adcce0664448a4c499b1db6d0d0a57eb9b4f86f797f2defefc7d9f3b5883758ffe189b6f9fd921eaf4a4d6b7f445e5c871c7fad06031e5a5efe9ad995b5e0887765a8966f27680ac925884d4850192214e5
+TAG: e23947c16b562a55cf3b68611ca4d729dfd0b33405313299329e4eeacb6a8edbc64ddb87711bcbcf11c72fe70121557f1a0ef0512f606ce8e3221afa9fdd6b23b8f7bcbd9c296bb48821104f2701c6cbde78615c1a90adb1653f9f559d4291a339c385f9c26a29d37d923987226522cc939053fe951ab61cccb61846f89f0a4791f30166d5d9a04821b453917614a36766fd78fa099ae22ce788c44c0980df3a73d6ea2306dee86866143f8203357db580c00d4e4dbdbe9b53c37f08fad9736fca2819b52728849d9e36a0e7d75dbc48a7347b70cdadfcf8a81bf5734faaf01c795adbcc0340201402950b072359db8fcc5d7b68d84d59ad34bd20c3a9b529e397937700fbe5817a8f1c997cb0fb7c1d02
 TAG_LEN: 32
 NO_SEAL: 01