Generate k256 test vectors on secp

Cargo.toml

@@ -33,6 +33,7 @@ subtle = { version = "2.6", default-features = false }
 zeroize = { version = "1", default-features = false, features = ["zeroize_derive"] }
 
 [dev-dependencies]
+aes-gcm = "0.10"
 criterion = { version = "0.4", features = ["html_reports"] }
 hex = "0.4"
 hex-literal = "0.4"

src/aead.rs

@@ -236,6 +236,11 @@ impl<A: Aead, Kdf: KdfTrait, Kem: KemTrait> AeadCtx<A, Kdf, Kem> {
             .labeled_expand(&self.suite_id, b"sec", exporter_ctx, out_buf)
             .map_err(|_| HpkeError::KdfOutputTooLong)
     }
+
+    #[cfg(test)]
+    pub(crate) fn current_nonce(&self) -> AeadNonce<A> {
+        mix_nonce::<A>(&self.base_nonce, &self.seq)
+    }
 }
 
 /// The HPKE receiver's context. This is what you use to `open` ciphertexts and `export` secrets.
@@ -355,7 +360,7 @@ impl<A: Aead, Kdf: KdfTrait, Kem: KemTrait> AeadCtxR<A, Kdf, Kem> {
 }
 
 /// The HPKE senders's context. This is what you use to `seal` plaintexts and `export` secrets.
-pub struct AeadCtxS<A: Aead, Kdf: KdfTrait, Kem: KemTrait>(AeadCtx<A, Kdf, Kem>);
+pub struct AeadCtxS<A: Aead, Kdf: KdfTrait, Kem: KemTrait>(pub(crate) AeadCtx<A, Kdf, Kem>);
 
 // AeadCtx -> AeadCtxS via wrapping
 impl<A: Aead, Kdf: KdfTrait, Kem: KemTrait> From<AeadCtx<A, Kdf, Kem>> for AeadCtxS<A, Kdf, Kem> {
@@ -456,14 +461,18 @@ impl<A: Aead, Kdf: KdfTrait, Kem: KemTrait> AeadCtxS<A, Kdf, Kem> {
 }
 
 // Export all the AEAD implementations
+#[cfg(test)]
+mod aes_gcm;
 mod chacha20_poly1305;
 mod export_only;
+#[cfg(test)]
+pub use crate::aead::aes_gcm::*;
 #[doc(inline)]
 pub use crate::aead::{chacha20_poly1305::*, export_only::*};
 
 #[cfg(test)]
 mod test {
-    use super::{AeadTag, ChaCha20Poly1305, ExportOnlyAead, Seq};
+    use super::{AeadTag, AesGcm128, AesGcm256, ChaCha20Poly1305, ExportOnlyAead, Seq};
 
     use crate::{
         kdf::HkdfSha256, test_util::gen_ctx_simple_pair, Deserializable, HpkeError, Serializable,
@@ -672,6 +681,8 @@ mod test {
         };
     }
 
+    test_invalid_nonce!(test_invalid_nonce_aes128, AesGcm128);
+    test_invalid_nonce!(test_invalid_nonce_aes256, AesGcm128);
     test_invalid_nonce!(test_invalid_nonce_chacha, ChaCha20Poly1305);
 
     #[cfg(all(feature = "secp", any(feature = "alloc", feature = "std")))]
@@ -686,6 +697,16 @@ mod test {
         );
         test_overflow!(test_overflow_k256, crate::kem::SecpK256HkdfSha256);
 
+        test_ctx_correctness!(
+            test_ctx_correctness_aes128_k256,
+            AesGcm128,
+            crate::kem::SecpK256HkdfSha256
+        );
+        test_ctx_correctness!(
+            test_ctx_correctness_aes256_k256,
+            AesGcm256,
+            crate::kem::SecpK256HkdfSha256
+        );
         test_ctx_correctness!(
             test_ctx_correctness_chacha_k256,
             ChaCha20Poly1305,

src/aead/aes_gcm.rs

@@ -0,0 +1,21 @@
+use crate::aead::Aead;
+
+/// The implementation of AES-128-GCM
+pub struct AesGcm128;
+
+impl Aead for AesGcm128 {
+    type AeadImpl = aes_gcm::Aes128Gcm;
+
+    // RFC 9180 §7.3: AES-128-GCM
+    const AEAD_ID: u16 = 0x0001;
+}
+
+/// The implementation of AES-256-GCM
+pub struct AesGcm256 {}
+
+impl Aead for AesGcm256 {
+    type AeadImpl = aes_gcm::Aes256Gcm;
+
+    // RFC 9180 §7.3: AES-256-GCM
+    const AEAD_ID: u16 = 0x0002;
+}