aead: Support custom AEAD salt sizes

The salt, or often called implicit nonce, varies between AEAD algorithms and
their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses
3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM.

Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine
until we go for CCM mode support in TLS, which requires 4 byte nonces.

15 files changed, 129 insertions, 41 deletions

diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 8c7ba8d55..88ad14faf 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -97,10 +97,35 @@ static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
 {
 	aead_t *aead_i, *aead_r;
 	chunk_t key = chunk_empty;
+	u_int salt_size;
+
+	switch (alg)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			/* RFC 4106 */
+			salt_size = 4;
+			break;
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+			/* RFC 4309 */
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			/* RFC 5529 */
+			salt_size = 3;
+			break;
+		default:
+			DBG1(DBG_IKE, "nonce size for %N unknown!",
+				 encryption_algorithm_names, alg);
+			return FALSE;
+	}
 
 	/* SK_ei/SK_er used for encryption */
-	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
-	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
+	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
 	if (aead_i == NULL || aead_r == NULL)
 	{
 		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index 66e14f98b..5e58f66da 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -216,7 +216,8 @@ static bool create_aead(private_esp_context_t *this, int alg,
 		case ENCR_AES_GCM_ICV12:
 		case ENCR_AES_GCM_ICV16:
 			/* the key includes a 4 byte salt */
-			this->aead = lib->crypto->create_aead(lib->crypto, alg, key.len-4);
+			this->aead = lib->crypto->create_aead(lib->crypto, alg,
+												  key.len - 4, 4);
 			break;
 		default:
 			break;
diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h
index c887f53bb..43f71b65e 100644
--- a/src/libstrongswan/crypto/aead.h
+++ b/src/libstrongswan/crypto/aead.h
@@ -102,6 +102,10 @@ struct aead_t {
 	/**
 	 * Get the size of the key material (for encryption and authentication).
 	 *
+	 * This includes any additional bytes requires for the implicit nonce part.
+	 * For AEADs based on traditional ciphers, the length is for both
+	 * the integrity and the encryption key in total.
+	 *
 	 * @return				key size in bytes
 	 */
 	size_t (*get_key_size)(aead_t *this);
@@ -109,6 +113,11 @@ struct aead_t {
 	/**
 	 * Set the key for encryption and authentication.
 	 *
+	 * If the AEAD uses an implicit nonce, the last part of the key shall
+	 * be the implicit nonce. For AEADs based on traditional ciphers, the
+	 * key shall include both integrity and encryption keys, concatenated
+	 * in that order.
+	 *
 	 * @param key			encryption and authentication key
 	 * @return				TRUE if key set successfully
 	 */
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 69225bd1e..6dea30ee3 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -176,7 +176,7 @@ METHOD(crypto_factory_t, create_crypter, crypter_t*,
 
 METHOD(crypto_factory_t, create_aead, aead_t*,
 	private_crypto_factory_t *this, encryption_algorithm_t algo,
-	size_t key_size)
+	size_t key_size, size_t salt_size)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -190,12 +190,12 @@ METHOD(crypto_factory_t, create_aead, aead_t*,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_aead(this->tester, algo, key_size,
-										 entry->create_aead, NULL,
+										 salt_size, entry->create_aead, NULL,
 										 default_plugin_name))
 			{
 				continue;
 			}
-			aead = entry->create_aead(algo, key_size);
+			aead = entry->create_aead(algo, key_size, salt_size);
 			if (aead)
 			{
 				break;
@@ -474,7 +474,7 @@ METHOD(crypto_factory_t, add_aead, bool,
 	u_int speed = 0;
 
 	if (!this->test_on_add ||
-		this->tester->test_aead(this->tester, algo, 0, create,
+		this->tester->test_aead(this->tester, algo, 0, 0, create,
 								this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->aeads, algo, plugin_name, speed, create);
@@ -1003,7 +1003,7 @@ static u_int verify_registered_algorithms(crypto_factory_t *factory)
 
 	this->lock->read_lock(this->lock);
 	TEST_ALGORITHMS(crypter, 0);
-	TEST_ALGORITHMS(aead, 0);
+	TEST_ALGORITHMS(aead, 0, 0);
 	TEST_ALGORITHMS(signer);
 	TEST_ALGORITHMS(hasher);
 	TEST_ALGORITHMS(prf);
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 281dc256f..7865bcb15 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -46,7 +46,7 @@ typedef crypter_t* (*crypter_constructor_t)(encryption_algorithm_t algo,
  * Constructor function for aead transforms
  */
 typedef aead_t* (*aead_constructor_t)(encryption_algorithm_t algo,
-									  size_t key_size);
+									  size_t key_size, size_t salt_size);
 /**
  * Constructor function for signers
  */
@@ -100,10 +100,12 @@ struct crypto_factory_t {
 	 *
 	 * @param algo			encryption algorithm
 	 * @param key_size		length of the key in bytes
+	 * @param salt_size		size of salt, implicit part of the nonce
 	 * @return				aead_t instance, NULL if not supported
 	 */
 	aead_t* (*create_aead)(crypto_factory_t *this,
-						   encryption_algorithm_t algo, size_t key_size);
+						   encryption_algorithm_t algo,
+						   size_t key_size, size_t salt_size);
 
 	/**
 	 * Create a symmetric signer instance.
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 40c4fd362..c6780daf1 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -315,7 +315,7 @@ static u_int bench_aead(private_crypto_tester_t *this,
 {
 	aead_t *aead;
 
-	aead = create(alg, 0);
+	aead = create(alg, 0, 0);
 	if (aead)
 	{
 		char iv[aead->get_iv_size(aead)];
@@ -364,7 +364,8 @@ static u_int bench_aead(private_crypto_tester_t *this,
 
 METHOD(crypto_tester_t, test_aead, bool,
 	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
-	aead_constructor_t create, u_int *speed, const char *plugin_name)
+	size_t salt_size, aead_constructor_t create,
+	u_int *speed, const char *plugin_name)
 {
 	enumerator_t *enumerator;
 	aead_test_vector_t *vector;
@@ -386,10 +387,14 @@ METHOD(crypto_tester_t, test_aead, bool,
 		{	/* test only vectors with a specific key size, if key size given */
 			continue;
 		}
+		if (salt_size && salt_size != vector->salt_size)
+		{
+			continue;
+		}
 
 		tested++;
 		failed = TRUE;
-		aead = create(alg, vector->key_size);
+		aead = create(alg, vector->key_size, vector->salt_size);
 		if (!aead)
 		{
 			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
@@ -1218,4 +1223,3 @@ crypto_tester_t *crypto_tester_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index 9ac665929..add3b1cdf 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -54,6 +54,8 @@ struct aead_test_vector_t {
 	encryption_algorithm_t alg;
 	/** key length to use, in bytes */
 	size_t key_size;
+	/** salt length to use, in bytes */
+	size_t salt_size;
 	/** encryption key of test vector */
 	u_char *key;
 	/** initialization vector, using crypters blocksize bytes */
@@ -150,13 +152,15 @@ struct crypto_tester_t {
 	 *
 	 * @param alg			algorithm to test
 	 * @param key_size		key size to test, 0 for default
+	 * @param salt_size		salt length to test, 0 for default
 	 * @param create		constructor function for the aead transform
 	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg,
-						 size_t key_size, aead_constructor_t create,
-						 u_int *speed, const char *plugin_name);
+					  size_t key_size, size_t salt_size,
+					  aead_constructor_t create,
+					  u_int *speed, const char *plugin_name);
 	/**
 	 * Test a signer algorithm.
 	 *
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c
index 65eccb2db..6d4b2e13c 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.c
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.c
@@ -343,7 +343,8 @@ METHOD(aead_t, destroy, void,
 /**
  * See header
  */
-ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo,
+							size_t key_size, size_t salt_size)
 {
 	private_ccm_aead_t *this;
 	size_t icv_size;
@@ -360,6 +361,11 @@ ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
 		default:
 			return NULL;
 	}
+	if (salt_size && salt_size != SALT_SIZE)
+	{
+		/* currently not supported */
+		return NULL;
+	}
 	switch (algo)
 	{
 		case ENCR_AES_CCM_ICV8:
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
index 79ab31804..0f1ec09a7 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.h
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -44,8 +44,10 @@ struct ccm_aead_t {
  *
  * @param algo			algorithm to implement, a CCM mode
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead, NULL if not supported
  */
-ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** CCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c
index ba5f2e4b3..4ab17017f 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.c
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.c
@@ -375,7 +375,8 @@ METHOD(aead_t, destroy, void,
 /**
  * See header
  */
-gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo,
+							size_t key_size, size_t salt_size)
 {
 	private_gcm_aead_t *this;
 	size_t icv_size;
@@ -392,6 +393,11 @@ gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
 		default:
 			return NULL;
 	}
+	if (salt_size && salt_size != SALT_SIZE)
+	{
+		/* currently not supported */
+		return NULL;
+	}
 	switch (algo)
 	{
 		case ENCR_AES_GCM_ICV8:
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
index 846c3c76c..5c09477c3 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.h
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -44,8 +44,10 @@ struct gcm_aead_t {
  *
  * @param algo			algorithm to implement, a gcm mode
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead, NULL if not supported
  */
-gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** GCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c
index 842111bd3..147e4afb4 100644
--- a/src/libstrongswan/plugins/openssl/openssl_gcm.c
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c
@@ -202,7 +202,8 @@ METHOD(aead_t, destroy, void,
 /*
  * Described in header
  */
-aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
+aead_t *openssl_gcm_create(encryption_algorithm_t algo,
+						   size_t key_size, size_t salt_size)
 {
 	private_aead_t *this;
 
@@ -236,6 +237,13 @@ aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
 			return NULL;
 	}
 
+	if (salt_size && salt_size != SALT_LEN)
+	{
+		/* currently not supported */
+		free(this);
+		return NULL;
+	}
+
 	switch (algo)
 	{
 		case ENCR_AES_GCM_ICV8:
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.h b/src/libstrongswan/plugins/openssl/openssl_gcm.h
index 12d2e8ab6..4ae268bd6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_gcm.h
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.h
@@ -30,8 +30,10 @@
  *
  * @param algo			algorithm to implement
  * @param key_size		key size in bytes
+ * @param salt_size		size of implicit salt length
  * @return				aead_t object, NULL if not supported
  */
-aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size);
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size,
+							size_t salt_size);
 
 #endif /** OPENSSL_GCM_H_ @}*/
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
index 8de180ad5..95c41ecbc 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
@@ -21,7 +21,8 @@
  * originally from "fips cavs fax files on hand at Red Hat".
  */
 aead_test_vector_t aes_ccm1 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .salt_size = 3,
+	.len = 32, .alen = 0,
 	.key	= "\x83\xac\x54\x66\xc2\xeb\xe5\x05\x2e\x01\xd1\xfc\x5d\x82\x66\x2e"
 			  "\x96\xac\x59",
 	.iv		= "\x30\x07\xa1\xe2\xa2\xc7\x55\x24",
@@ -33,7 +34,8 @@ aead_test_vector_t aes_ccm1 = {
 };
 
 aead_test_vector_t aes_ccm2 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x1e\x2c\x7e\x01\x41\x9a\xef\xc0\x0d\x58\x96\x6e\x5c\xa2\x4b\xd3"
 			  "\x4f\xa3\x19",
 	.iv		= "\xd3\x01\x5a\xd8\x30\x60\x15\x56",
@@ -47,7 +49,8 @@ aead_test_vector_t aes_ccm2 = {
 };
 
 aead_test_vector_t aes_ccm3 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 0, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .salt_size = 3,
+	.len = 0, .alen = 32,
 	.key	= "\xf4\x6b\xc2\x75\x62\xfe\xb4\xe1\xa3\xf0\xff\xdd\x4e\x4b\x12\x75"
 			  "\x53\x14\x73\x66\x8d\x88\xf6\x80\xa0\x20\x35",
 	.iv		= "\x26\xf2\x21\x8d\x50\x20\xda\xe2",
@@ -57,7 +60,8 @@ aead_test_vector_t aes_ccm3 = {
 };
 
 aead_test_vector_t aes_ccm4 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x56\xdf\x5c\x8f\x26\x3f\x0e\x42\xef\x7a\xd3\xce\xfc\x84\x60\x62"
 			  "\xca\xb4\x40\xaf\x5f\xc9\xc9\x01\xd6\x3c\x8c",
 	.iv		= "\x86\x84\xb6\xcd\xef\x09\x2e\x94",
@@ -71,7 +75,8 @@ aead_test_vector_t aes_ccm4 = {
 };
 
 aead_test_vector_t aes_ccm5 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\xe0\x8d\x99\x71\x60\xd7\x97\x1a\xbd\x01\x99\xd5\x8a\xdf\x71\x3a"
 			  "\xd3\xdf\x24\x4b\x5e\x3d\x4b\x4e\x30\x7a\xb9\xd8\x53\x0a\x5e\x2b"
 			  "\x1e\x29\x91",
@@ -86,7 +91,8 @@ aead_test_vector_t aes_ccm5 = {
 };
 
 aead_test_vector_t aes_ccm6 = {
-	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32"
 			  "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39"
 			  "\xf9\xd9\x4e",
@@ -101,7 +107,8 @@ aead_test_vector_t aes_ccm6 = {
 };
 
 aead_test_vector_t aes_ccm7 = {
-	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\xab\xd0\xe9\x33\x07\x26\xe5\x83\x8c\x76\x95\xd4\xb6\xdc\xf3\x46"
 			  "\xf9\x8f\xad\xe3\x02\x13\x83\x77\x3f\xb0\xf1\xa1\xa1\x22\x0f\x2b"
 			  "\x24\xa7\x8b",
@@ -116,7 +123,8 @@ aead_test_vector_t aes_ccm7 = {
 };
 
 aead_test_vector_t aes_ccm8 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .len = 0, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .salt_size = 3,
+	.len = 0, .alen = 0,
 	.key	= "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1\xff\x80\x2e\x48\x7d\x82\xf8\xb9"
 			  "\xaf\x94\x87",
 	.iv		= "\x78\x35\x82\x81\x7f\x88\x94\x68",
@@ -124,7 +132,8 @@ aead_test_vector_t aes_ccm8 = {
 };
 
 aead_test_vector_t aes_ccm9 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 0, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3,
+	.len = 0, .alen = 32,
 	.key	= "\x39\xbb\xa7\xbe\x59\x97\x9e\x73\xa2\xbc\x6b\x98\xd7\x75\x7f\xe3"
 			  "\xa4\x48\x93\x39\x26\x71\x4a\xc6\xee\x49\x83",
 	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
@@ -134,7 +143,8 @@ aead_test_vector_t aes_ccm9 = {
 };
 
 aead_test_vector_t aes_ccm10 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 0, .alen = 0,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .salt_size = 3,
+	.len = 0, .alen = 0,
 	.key	= "\xa4\x4b\x54\x29\x0a\xb8\x6d\x01\x5b\x80\x2a\xcf\x25\xc4\xb7\x5c"
 			  "\x20\x2c\xad\x30\xc2\x2b\x41\xfb\x0e\x85\xbc\x33\xad\x0f\x2b\xff"
 			  "\xee\x49\x83",
@@ -143,7 +153,8 @@ aead_test_vector_t aes_ccm10 = {
 };
 
 aead_test_vector_t aes_ccm11 = {
-	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 32, .alen = 32,
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3,
+	.len = 32, .alen = 32,
 	.key	= "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0"
 			  "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83",
 	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
index 7534633e1..68e6de5d9 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
@@ -20,7 +20,8 @@
  * McGrew & Viega - http://citeseer.ist.psu.edu/656989.html
  */
 aead_test_vector_t aes_gcm1 = {
-	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .len = 64, .alen = 0,
+	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -36,7 +37,8 @@ aead_test_vector_t aes_gcm1 = {
 };
 
 aead_test_vector_t aes_gcm2 = {
-	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .len = 64, .alen = 0,
+	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -52,7 +54,8 @@ aead_test_vector_t aes_gcm2 = {
 };
 
 aead_test_vector_t aes_gcm3 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 64, .alen = 0,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -68,7 +71,8 @@ aead_test_vector_t aes_gcm3 = {
 };
 
 aead_test_vector_t aes_gcm4 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 60, .alen = 20,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4,
+	.len = 60, .alen = 20,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -86,7 +90,8 @@ aead_test_vector_t aes_gcm4 = {
 };
 
 aead_test_vector_t aes_gcm5 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .len = 64, .alen = 0,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe",
 	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
@@ -102,7 +107,8 @@ aead_test_vector_t aes_gcm5 = {
 };
 
 aead_test_vector_t aes_gcm6 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 64, .alen = 0,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 64, .alen = 0,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
@@ -119,7 +125,8 @@ aead_test_vector_t aes_gcm6 = {
 };
 
 aead_test_vector_t aes_gcm7 = {
-	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 60, .alen = 20,
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4,
+	.len = 60, .alen = 20,
 	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 			  "\xca\xfe\xba\xbe",
@@ -136,4 +143,3 @@ aead_test_vector_t aes_gcm7 = {
 			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce"
 			  "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b",
 };
-