From 29af4f7f761a9348d8296eaf692a239aea4b3e12 Mon Sep 17 00:00:00 2001
From: Zhi Guan <guanzhi1980@gmail.com>
Date: Mon, 13 Feb 2023 23:29:27 +0800
Subject: [PATCH] Add AEAD and GHASH functions

---
 CMakeLists.txt       |   1 +
 include/gmssl/aead.h |  11 +-
 include/gmssl/gcm.h  |  14 ++
 src/aead.c           | 145 ++++++++++++++++++--
 src/gcm.c            |  90 +++++++++++++
 tests/aeadtest.c     | 306 +++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 557 insertions(+), 10 deletions(-)
 create mode 100644 tests/aeadtest.c

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6c28c291..6557411e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -142,6 +142,7 @@ set(tests
 	pbkdf2
 	gf128
 	gcm
+	aead
 	pkcs8
 	ec
 	asn1
diff --git a/include/gmssl/aead.h b/include/gmssl/aead.h
index 158fc5b8..22d879f6 100644
--- a/include/gmssl/aead.h
+++ b/include/gmssl/aead.h
@@ -15,6 +15,7 @@
 #include <gmssl/sm3.h>
 #include <gmssl/sm4.h>
 #include <gmssl/zuc.h>
+#include <gmssl/gcm.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -60,16 +61,22 @@ int sm4_ctr_sm3_hmac_decrypt_finish(SM4_CTR_SM3_HMAC_CTX *ctx, uint8_t *out, siz
 
 
 typedef struct {
+	SM4_CTR_CTX enc_ctx;
+	GHASH_CTX mac_ctx;
+	uint8_t Y[16]; // E(K, Y_0)
+	size_t taglen;
+	uint8_t mac[16];
+	size_t maclen;
 } SM4_GCM_CTX;
 
 int sm4_gcm_encrypt_init(SM4_GCM_CTX *ctx,
 	const uint8_t key[SM4_KEY_SIZE], const uint8_t *iv, size_t ivlen,
-	const uint8_t *aad, size_t aadlen);
+	const uint8_t *aad, size_t aadlen, size_t taglen);
 int sm4_gcm_encrypt_update(SM4_GCM_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen);
 int sm4_gcm_encrypt_finish(SM4_GCM_CTX *ctx, uint8_t *out, size_t *outlen);
 int sm4_gcm_decrypt_init(SM4_GCM_CTX *ctx,
 	const uint8_t key[SM4_KEY_SIZE], const uint8_t *iv, size_t ivlen,
-	const uint8_t *aad, size_t aadlen);
+	const uint8_t *aad, size_t aadlen, size_t taglen);
 int sm4_gcm_decrypt_update(SM4_GCM_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen);
 int sm4_gcm_decrypt_finish(SM4_GCM_CTX *ctx, uint8_t *out, size_t *outlen);
 
diff --git a/include/gmssl/gcm.h b/include/gmssl/gcm.h
index 7d6b017b..97c62fcc 100644
--- a/include/gmssl/gcm.h
+++ b/include/gmssl/gcm.h
@@ -44,6 +44,20 @@ extern "C" {
 void ghash(const uint8_t h[16], const uint8_t *aad, size_t aadlen,
 	const uint8_t *c, size_t clen, uint8_t out[16]);
 
+typedef struct {
+	gf128_t H;
+	gf128_t X;
+	size_t aadlen;
+	size_t clen;
+	uint8_t block[16];
+	size_t num;
+} GHASH_CTX;
+
+void ghash_init(GHASH_CTX *ctx, const uint8_t h[16], const uint8_t *aad, size_t aadlen);
+void ghash_update(GHASH_CTX *ctx, const uint8_t *c, size_t clen);
+void ghash_finish(GHASH_CTX *ctx, uint8_t out[16]);
+
+
 int gcm_encrypt(const BLOCK_CIPHER_KEY *key, const uint8_t *iv, size_t ivlen,
 	const uint8_t *aad, size_t aadlen, const uint8_t *in, size_t inlen,
 	uint8_t *out, size_t taglen, uint8_t *tag);
diff --git a/src/aead.c b/src/aead.c
index d331cd54..b687bdea 100644
--- a/src/aead.c
+++ b/src/aead.c
@@ -11,6 +11,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <gmssl/mem.h>
 #include <gmssl/aead.h>
 #include <gmssl/error.h>
 
@@ -19,6 +20,7 @@ int sm4_cbc_sm3_hmac_encrypt_init(SM4_CBC_SM3_HMAC_CTX *ctx,
 	const uint8_t key[SM4_KEY_SIZE + SM3_HMAC_SIZE], const uint8_t iv[SM4_BLOCK_SIZE],
 	const uint8_t *aad, size_t aadlen)
 {
+	memset(ctx, 0, sizeof(*ctx));
 	if (sm4_cbc_encrypt_init(&ctx->enc_ctx, key, iv) != 1) {
 		error_print();
 		return -1;
@@ -56,6 +58,7 @@ int sm4_cbc_sm3_hmac_decrypt_init(SM4_CBC_SM3_HMAC_CTX *ctx,
 	const uint8_t key[SM4_KEY_SIZE + SM3_HMAC_SIZE], const uint8_t iv[SM4_BLOCK_SIZE],
 	const uint8_t *aad, size_t aadlen)
 {
+	memset(ctx, 0, sizeof(*ctx));
 	if (sm4_cbc_decrypt_init(&ctx->enc_ctx, key, iv) != 1) {
 		error_print();
 		return -1;
@@ -84,6 +87,7 @@ int sm4_cbc_sm3_hmac_decrypt_update(SM4_CBC_SM3_HMAC_CTX *ctx, const uint8_t *in
 			return 1;
 		} else {
 			memcpy(ctx->mac + ctx->maclen, in, len);
+			ctx->maclen += len;
 			in += len;
 			inlen -= len;
 		}
@@ -135,6 +139,8 @@ int sm4_cbc_sm3_hmac_decrypt_finish(SM4_CBC_SM3_HMAC_CTX *ctx, uint8_t *out, siz
 		error_print();
 		return -1;
 	}
+	memset(ctx->mac, 0, SM3_HMAC_SIZE);
+	ctx->maclen = 0;
 	return 1;
 }
 
@@ -142,6 +148,7 @@ int sm4_ctr_sm3_hmac_encrypt_init(SM4_CTR_SM3_HMAC_CTX *ctx,
 	const uint8_t key[SM4_KEY_SIZE + SM3_HMAC_SIZE], const uint8_t iv[SM4_BLOCK_SIZE],
 	const uint8_t *aad, size_t aadlen)
 {
+	memset(ctx, 0, sizeof(*ctx));
 	if (sm4_ctr_encrypt_init(&ctx->enc_ctx, key, iv) != 1) {
 		error_print();
 		return -1;
@@ -179,6 +186,7 @@ int sm4_ctr_sm3_hmac_decrypt_init(SM4_CTR_SM3_HMAC_CTX *ctx,
 	const uint8_t key[SM4_KEY_SIZE + SM3_HMAC_SIZE], const uint8_t iv[SM4_BLOCK_SIZE],
 	const uint8_t *aad, size_t aadlen)
 {
+	memset(ctx, 0, sizeof(*ctx));
 	if (sm4_ctr_decrypt_init(&ctx->enc_ctx, key, iv) != 1) {
 		error_print();
 		return -1;
@@ -207,6 +215,7 @@ int sm4_ctr_sm3_hmac_decrypt_update(SM4_CTR_SM3_HMAC_CTX *ctx, const uint8_t *in
 			return 1;
 		} else {
 			memcpy(ctx->mac + ctx->maclen, in, len);
+			ctx->maclen += len;
 			in += len;
 			inlen -= len;
 		}
@@ -258,41 +267,161 @@ int sm4_ctr_sm3_hmac_decrypt_finish(SM4_CTR_SM3_HMAC_CTX *ctx, uint8_t *out, siz
 		error_print();
 		return -1;
 	}
+	memset(ctx->mac, 0, SM3_HMAC_SIZE);
+	ctx->maclen = 0;
 	return 1;
 }
 
 int sm4_gcm_encrypt_init(SM4_GCM_CTX *ctx,
 	const uint8_t key[SM4_KEY_SIZE], const uint8_t *iv, size_t ivlen,
-	const uint8_t *aad, size_t aadlen)
+	const uint8_t *aad, size_t aadlen, size_t taglen)
 {
-	return -1;
+	uint8_t H[16] = {0};
+	uint8_t Y[16];
+
+	if (taglen > SM4_GCM_MAX_TAG_SIZE) {
+		error_print();
+		return -1;
+	}
+
+	memset(ctx, 0, sizeof(*ctx));
+	ctx->taglen = taglen;
+
+	if (sm4_ctr_encrypt_init(&ctx->enc_ctx, key, H) != 1) {
+		error_print();
+		return -1;
+	}
+
+	sm4_encrypt(&ctx->enc_ctx.sm4_key, H, H);
+
+	ghash_init(&ctx->mac_ctx, H, aad, aadlen);
+
+	if (ivlen == 12) {
+		memcpy(Y, iv, 12);
+		Y[12] = Y[13] = Y[14] = 0;
+		Y[15] = 1;
+	} else {
+		ghash(H, NULL, 0, iv, ivlen, Y);
+	}
+
+	memcpy(ctx->enc_ctx.ctr, Y, 16);
+
+	sm4_encrypt(&ctx->enc_ctx.sm4_key, Y, ctx->Y);
+
+	gmssl_secure_clear(H, sizeof(H));
+	gmssl_secure_clear(Y, sizeof(Y));
+	return 1;
 }
 
 int sm4_gcm_encrypt_update(SM4_GCM_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
 {
-	return -1;
+	if (sm4_ctr_encrypt_update(&ctx->enc_ctx, in, inlen, out, outlen) != 1) {
+		error_print();
+		return -1;
+	}
+	ghash_update(&ctx->mac_ctx, out, *outlen);
+	return 1;
 }
 
 int sm4_gcm_encrypt_finish(SM4_GCM_CTX *ctx, uint8_t *out, size_t *outlen)
 {
-	return -1;
+	uint8_t mac[16];
+
+	if (sm4_ctr_encrypt_finish(&ctx->enc_ctx, out, outlen) != 1) {
+		error_print();
+		return -1;
+	}
+	ghash_update(&ctx->mac_ctx, out, *outlen);
+	ghash_finish(&ctx->mac_ctx, mac);
+
+	gmssl_memxor(mac, mac, ctx->Y, ctx->taglen);
+	memcpy(out + *outlen, mac, ctx->taglen);
+	*outlen += ctx->taglen;
+
+	return 1;
 }
 
 int sm4_gcm_decrypt_init(SM4_GCM_CTX *ctx,
 	const uint8_t key[SM4_KEY_SIZE], const uint8_t *iv, size_t ivlen,
-	const uint8_t *aad, size_t aadlen)
+	const uint8_t *aad, size_t aadlen, size_t taglen)
 {
-	return -1;
+	return sm4_gcm_encrypt_init(ctx, key, iv, ivlen, aad, aadlen, taglen);
 }
 
 int sm4_gcm_decrypt_update(SM4_GCM_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
 {
-	return -1;
+	size_t len;
+
+	if (ctx->maclen > ctx->taglen) {
+		error_print();
+		return -1;
+	}
+
+	if (ctx->maclen < ctx->taglen) {
+		len = ctx->taglen - ctx->maclen;
+		if (inlen <= len) {
+			memcpy(ctx->mac + ctx->maclen, in, inlen);
+			ctx->maclen += inlen;
+			return 1;
+		} else {
+			memcpy(ctx->mac + ctx->maclen, in, len);
+			ctx->maclen += len;
+			in += len;
+			inlen -= len;
+		}
+	}
+
+	if (inlen <= ctx->taglen) {
+		ghash_update(&ctx->mac_ctx, ctx->mac, inlen);
+		if (sm4_ctr_decrypt_update(&ctx->enc_ctx, ctx->mac, inlen, out, outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		len = ctx->taglen - inlen;
+		memcpy(ctx->mac, ctx->mac + inlen, len);
+		memcpy(ctx->mac + len, in, inlen);
+	} else {
+		ghash_update(&ctx->mac_ctx, ctx->mac, ctx->taglen);
+		if (sm4_ctr_decrypt_update(&ctx->enc_ctx, ctx->mac, ctx->taglen, out, outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		out += *outlen;
+
+		inlen -= ctx->taglen;
+		ghash_update(&ctx->mac_ctx, in, inlen);
+		if (sm4_ctr_decrypt_update(&ctx->enc_ctx, in, inlen, out, &len) != 1) {
+			error_print();
+			return -1;
+		}
+		*outlen += len;
+		memcpy(ctx->mac, in + inlen, GHASH_SIZE);
+	}
+	return 1;
 }
 
 int sm4_gcm_decrypt_finish(SM4_GCM_CTX *ctx, uint8_t *out, size_t *outlen)
 {
-	return -1;
+	uint8_t mac[GHASH_SIZE];
+
+	if (ctx->maclen != ctx->taglen) {
+		error_print();
+		return -1;
+	}
+	ghash_finish(&ctx->mac_ctx, mac);
+	if (sm4_ctr_decrypt_finish(&ctx->enc_ctx, out, outlen) != 1) {
+		error_print();
+		return -1;
+	}
+
+	gmssl_memxor(mac, mac, ctx->Y, ctx->taglen);
+	if (memcmp(mac, ctx->mac, ctx->taglen) != 0) {
+		error_print();
+		return -1;
+	}
+	memset(ctx->mac, 0, GHASH_SIZE);
+	ctx->maclen = 0;
+	return 1;
 }
 
 int zuc_with_mac_encrypt_init(ZUC_WITH_MAC_CTX *ctx,
diff --git a/src/gcm.c b/src/gcm.c
index 3f032f57..b052aea0 100644
--- a/src/gcm.c
+++ b/src/gcm.c
@@ -11,6 +11,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <assert.h>
+#include <gmssl/mem.h>
 #include <gmssl/gf128.h>
 #include <gmssl/gcm.h>
 #include <gmssl/oid.h>
@@ -79,6 +81,94 @@ void ghash(const uint8_t h[16], const uint8_t *aad, size_t aadlen, const uint8_t
 	gf128_to_bytes(H, out);
 }
 
+
+void ghash_init(GHASH_CTX *ctx, const uint8_t h[16], const uint8_t *aad, size_t aadlen)
+{
+	gf128_t A;
+
+	memset(ctx, 0, sizeof(*ctx));
+	ctx->H = gf128_from_bytes(h);
+	ctx->X = gf128_zero();
+	ctx->aadlen = aadlen;
+	ctx->clen = 0;
+
+	while (aadlen) {
+		if (aadlen >= 16) {
+			A = gf128_from_bytes(aad);
+			aad += 16;
+			aadlen -= 16;
+		} else {
+			memset(ctx->block, 0, 16);
+			memcpy(ctx->block, aad, aadlen);
+			A = gf128_from_bytes(ctx->block);
+			aadlen = 0;
+		}
+		ctx->X = gf128_add(ctx->X, A);
+		ctx->X = gf128_mul(ctx->X, ctx->H);
+	}
+}
+
+void ghash_update(GHASH_CTX *ctx, const uint8_t *c, size_t clen)
+{
+	gf128_t C;
+
+	assert(ctx->num < 16);
+
+	ctx->clen += clen;
+
+	if (ctx->num) {
+		size_t left = 16 - ctx->num;
+		if (clen < left) {
+			memcpy(ctx->block + ctx->num, c, clen);
+			ctx->num += clen;
+			return;
+		} else {
+			memcpy(ctx->block + ctx->num, c, left);
+			C = gf128_from_bytes(ctx->block);
+			ctx->X = gf128_add(ctx->X, C);
+			ctx->X = gf128_mul(ctx->X, ctx->H);
+			c += left;
+			clen -= left;
+		}
+	}
+
+	while (clen >= 16) {
+		C = gf128_from_bytes(c);
+		ctx->X = gf128_add(ctx->X, C);
+		ctx->X = gf128_mul(ctx->X, ctx->H);
+		c += 16;
+		clen -= 16;
+	}
+
+	ctx->num = clen;
+	if (clen) {
+		memcpy(ctx->block, c, clen);
+	}
+}
+
+void ghash_finish(GHASH_CTX *ctx, uint8_t out[16])
+{
+	gf128_t C;
+	gf128_t L;
+
+	if (ctx->num) {
+		memset(ctx->block + ctx->num, 0, 16 - ctx->num);
+		C = gf128_from_bytes(ctx->block);
+		ctx->X = gf128_add(ctx->X, C);
+		ctx->X = gf128_mul(ctx->X, ctx->H);
+	}
+
+	PUTU64(ctx->block, (uint64_t)ctx->aadlen << 3);
+	PUTU64(ctx->block + 8, (uint64_t)ctx->clen << 3);
+	L = gf128_from_bytes(ctx->block);
+
+	ctx->X = gf128_add(ctx->X, L);
+	ctx->H = gf128_mul(ctx->X, ctx->H);
+	gf128_to_bytes(ctx->H, out);
+
+	gmssl_secure_clear(ctx, sizeof(*ctx));
+}
+
 int gcm_encrypt(const BLOCK_CIPHER_KEY *key, const uint8_t *iv, size_t ivlen,
 	const uint8_t *aad, size_t aadlen, const uint8_t *in, size_t inlen,
 	uint8_t *out, size_t taglen, uint8_t *tag)
diff --git a/tests/aeadtest.c b/tests/aeadtest.c
new file mode 100644
index 00000000..d8dea8e2
--- /dev/null
+++ b/tests/aeadtest.c
@@ -0,0 +1,306 @@
+/*
+ *  Copyright 2014-2023 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <gmssl/hex.h>
+#include <gmssl/rand.h>
+#include <gmssl/aead.h>
+#include <gmssl/error.h>
+
+
+
+
+
+static int test_aead_sm4_cbc_sm3_hmac(void)
+{
+	SM4_CBC_SM3_HMAC_CTX aead_ctx;
+	uint8_t key[16 + 32];
+	uint8_t iv[16];
+	uint8_t aad[29];
+	uint8_t plain[71];
+	size_t plainlen = sizeof(plain);
+	uint8_t cipher[256];
+	size_t cipherlen = 0;
+	uint8_t buf[256];
+	size_t buflen = 0;
+
+	size_t lens[] = { 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37 };
+	uint8_t *in = plain;
+	uint8_t *out = cipher;
+	size_t inlen, outlen;
+	size_t i;
+
+	rand_bytes(key, sizeof(key));
+	rand_bytes(iv, sizeof(iv));
+	rand_bytes(plain, plainlen);
+
+	if (sm4_cbc_sm3_hmac_encrypt_init(&aead_ctx, key, iv, aad, sizeof(aad)) != 1) {
+		error_print();
+		return -1;
+	}
+	for (i = 0; plainlen; i++) {
+		assert(i < sizeof(lens)/sizeof(lens[0]));
+
+		inlen = plainlen < lens[i] ? plainlen  : lens[i];
+		if (sm4_cbc_sm3_hmac_encrypt_update(&aead_ctx, in, inlen, out, &outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		in += inlen;
+		plainlen -= inlen;
+		out += outlen;
+		cipherlen += outlen;
+	}
+	if (sm4_cbc_sm3_hmac_encrypt_finish(&aead_ctx, out, &outlen) != 1) {
+		error_print();
+		return -1;
+	}
+	out += outlen;
+	cipherlen += outlen;
+
+	format_bytes(stdout, 0, 4, "plaintext ", plain, sizeof(plain));
+	format_bytes(stdout, 0, 4, "ciphertext", cipher, cipherlen);
+
+	in = cipher;
+	out = buf;
+
+	if (sm4_cbc_sm3_hmac_decrypt_init(&aead_ctx, key, iv, aad, sizeof(aad)) != 1) {
+		error_print();
+		return -1;
+	}
+	for (i = sizeof(lens)/sizeof(lens[0]) - 1; cipherlen; i--) {
+		inlen = cipherlen < lens[i] ? cipherlen : lens[i];
+
+		if (sm4_cbc_sm3_hmac_decrypt_update(&aead_ctx, in, inlen, out, &outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		in += inlen;
+		cipherlen -= inlen;
+		out += outlen;
+		buflen += outlen;
+	}
+	if (sm4_cbc_sm3_hmac_decrypt_finish(&aead_ctx, out, &outlen) != 1) {
+		error_print();
+		return -1;
+	}
+	out += outlen;
+	buflen += outlen;
+
+	format_bytes(stdout, 0, 4, "plaintext ", buf, buflen);
+
+	if (buflen != sizeof(plain)) {
+		error_print();
+		return -1;
+	}
+	if (memcmp(buf, plain, sizeof(plain)) != 0) {
+		error_print();
+		return -1;
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+static int test_aead_sm4_ctr_sm3_hmac(void)
+{
+	SM4_CTR_SM3_HMAC_CTX aead_ctx;
+	uint8_t key[16 + 32];
+	uint8_t iv[16];
+	uint8_t aad[29];
+	uint8_t plain[71];
+	size_t plainlen = sizeof(plain);
+	uint8_t cipher[256];
+	size_t cipherlen = 0;
+	uint8_t buf[256];
+	size_t buflen = 0;
+
+	size_t lens[] = { 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37 };
+	uint8_t *in = plain;
+	uint8_t *out = cipher;
+	size_t inlen, outlen;
+	size_t i;
+
+	rand_bytes(key, sizeof(key));
+	rand_bytes(iv, sizeof(iv));
+	rand_bytes(plain, plainlen);
+
+	if (sm4_ctr_sm3_hmac_encrypt_init(&aead_ctx, key, iv, aad, sizeof(aad)) != 1) {
+		error_print();
+		return -1;
+	}
+	for (i = 0; plainlen; i++) {
+		assert(i < sizeof(lens)/sizeof(lens[0]));
+
+		inlen = plainlen < lens[i] ? plainlen  : lens[i];
+		if (sm4_ctr_sm3_hmac_encrypt_update(&aead_ctx, in, inlen, out, &outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		in += inlen;
+		plainlen -= inlen;
+		out += outlen;
+		cipherlen += outlen;
+	}
+	if (sm4_ctr_sm3_hmac_encrypt_finish(&aead_ctx, out, &outlen) != 1) {
+		error_print();
+		return -1;
+	}
+	out += outlen;
+	cipherlen += outlen;
+
+	format_bytes(stdout, 0, 4, "plaintext ", plain, sizeof(plain));
+	format_bytes(stdout, 0, 4, "ciphertext", cipher, cipherlen);
+
+	in = cipher;
+	out = buf;
+
+	if (sm4_ctr_sm3_hmac_decrypt_init(&aead_ctx, key, iv, aad, sizeof(aad)) != 1) {
+		error_print();
+		return -1;
+	}
+	for (i = sizeof(lens)/sizeof(lens[0]) - 1; cipherlen; i--) {
+		inlen = cipherlen < lens[i] ? cipherlen : lens[i];
+
+		if (sm4_ctr_sm3_hmac_decrypt_update(&aead_ctx, in, inlen, out, &outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		in += inlen;
+		cipherlen -= inlen;
+		out += outlen;
+		buflen += outlen;
+
+	}
+	if (sm4_ctr_sm3_hmac_decrypt_finish(&aead_ctx, out, &outlen) != 1) {
+		error_print();
+		return -1;
+	}
+	out += outlen;
+	buflen += outlen;
+
+	format_bytes(stdout, 0, 4, "plaintext ", buf, buflen);
+
+	if (buflen != sizeof(plain)) {
+		error_print();
+		return -1;
+	}
+	if (memcmp(buf, plain, sizeof(plain)) != 0) {
+		error_print();
+		return -1;
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+static int test_aead_sm4_gcm(void)
+{
+	SM4_GCM_CTX aead_ctx;
+	uint8_t key[16];
+	uint8_t iv[16];
+	uint8_t aad[29];
+	uint8_t plain[71];
+	size_t plainlen = sizeof(plain);
+	uint8_t cipher[256];
+	size_t cipherlen = 0;
+	uint8_t buf[256];
+	size_t buflen = 0;
+
+	size_t lens[] = { 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37 };
+	uint8_t *in = plain;
+	uint8_t *out = cipher;
+	size_t inlen, outlen;
+	size_t i;
+
+	rand_bytes(key, sizeof(key));
+	rand_bytes(iv, sizeof(iv));
+	rand_bytes(plain, plainlen);
+
+	if (sm4_gcm_encrypt_init(&aead_ctx, key, iv, sizeof(iv), aad, sizeof(aad), GHASH_SIZE) != 1) {
+		error_print();
+		return -1;
+	}
+	for (i = 0; plainlen; i++) {
+		assert(i < sizeof(lens)/sizeof(lens[0]));
+
+		inlen = plainlen < lens[i] ? plainlen  : lens[i];
+		if (sm4_gcm_encrypt_update(&aead_ctx, in, inlen, out, &outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		in += inlen;
+		plainlen -= inlen;
+		out += outlen;
+		cipherlen += outlen;
+	}
+	if (sm4_gcm_encrypt_finish(&aead_ctx, out, &outlen) != 1) {
+		error_print();
+		return -1;
+	}
+	out += outlen;
+	cipherlen += outlen;
+
+	format_bytes(stdout, 0, 4, "plaintext ", plain, sizeof(plain));
+	format_bytes(stdout, 0, 4, "ciphertext", cipher, cipherlen);
+
+	in = cipher;
+	out = buf;
+
+	if (sm4_gcm_decrypt_init(&aead_ctx, key, iv, sizeof(iv), aad, sizeof(aad), GHASH_SIZE) != 1) {
+		error_print();
+		return -1;
+	}
+	for (i = sizeof(lens)/sizeof(lens[0]) - 1; cipherlen; i--) {
+		inlen = cipherlen < lens[i] ? cipherlen : lens[i];
+
+		if (sm4_gcm_decrypt_update(&aead_ctx, in, inlen, out, &outlen) != 1) {
+			error_print();
+			return -1;
+		}
+		in += inlen;
+		cipherlen -= inlen;
+		out += outlen;
+		buflen += outlen;
+
+	}
+	if (sm4_gcm_decrypt_finish(&aead_ctx, out, &outlen) != 1) {
+		error_print();
+		return -1;
+	}
+	out += outlen;
+	buflen += outlen;
+
+	format_bytes(stdout, 0, 4, "plaintext ", buf, buflen);
+
+	if (buflen != sizeof(plain)) {
+		error_print();
+		return -1;
+	}
+	if (memcmp(buf, plain, sizeof(plain)) != 0) {
+		error_print();
+		return -1;
+	}
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+}
+
+int main(void)
+{
+	if (test_aead_sm4_cbc_sm3_hmac() != 1) { error_print(); return -1; }
+	if (test_aead_sm4_ctr_sm3_hmac() != 1) { error_print(); return -1; }
+	if (test_aead_sm4_gcm() != 1) { error_print(); return -1; }
+	printf("%s all tests passed!\n", __FILE__);
+	return 0;
+}