pkg crypto/fips140, func WithoutEnforcement(func()) #74630
pkg crypto/hpke, func AES128GCM() AEAD #75300
pkg crypto/hpke, func AES256GCM() AEAD #75300
pkg crypto/hpke, func ChaCha20Poly1305() AEAD #75300
pkg crypto/hpke, func DHKEM(ecdh.Curve) KEM #75300
pkg crypto/hpke, func ExportOnly() AEAD #75300
pkg crypto/hpke, func HKDFSHA256() KDF #75300
pkg crypto/hpke, func HKDFSHA384() KDF #75300

        bufferIndex += 2;

        // Read session ID
        header.sessionId = SMBUtil.readInt8(buffer, bufferIndex);

        return header;
    }

    /**
     * Get the associated data for AEAD encryption (everything except signature)
     *
     * @return byte array containing associated data
     */
    public byte[] getAssociatedData() {

	MD5, err := hex.DecodeString(md5Hex)
	if err != nil {
		return nil, BadDigest{ // TODO(aead): Return an error that indicates that an invalid ETag has been specified
			ExpectedMD5:   md5Hex,
			CalculatedMD5: "",
		}
	}
	SHA256, err := hex.DecodeString(sha256Hex)
	if err != nil {
		return nil, SHA256Mismatch{ // TODO(aead): Return an error that indicates that an invalid Content-SHA256 has been specified

// IsEncrypted reports whether the ETag is encrypted.
func (e ETag) IsEncrypted() bool {
	// An encrypted ETag must be at least 32 bytes long.
	// It contains the encrypted ETag value + an authentication
	// code generated by the AEAD cipher.
	//
	// Here is an incorrect implementation of IsEncrypted:
	//
	//   return len(e) > 16 && !bytes.ContainsRune(e, '-')
	//
	// An encrypted ETag may contain some random bytes - e.g.

        // toString() implementation may vary, just check it's not null and not empty
        assertFalse(stringRep.isEmpty());
    }

    @Test
    @DisplayName("Should generate correct associated data for AEAD")
    void testGetAssociatedData() {
        // Given
        transformHeader.setNonce(testNonce);
        transformHeader.setOriginalMessageSize(1024);
        transformHeader.setFlags(0x0001);

	GetObjectTags(context.Context, string, string, ObjectOptions) (*tags.Tags, error)
	DeleteObjectTags(context.Context, string, string, ObjectOptions) (ObjectInfo, error)
}

// GetObject - TODO(aead): This function just acts as an adapter for GetObject tests and benchmarks
// since the GetObject method of the ObjectLayer interface has been removed. Once, the
// tests are adjusted to use GetObjectNInfo this function can be removed.

	golang.org/x/sys v0.32.0
	golang.org/x/term v0.31.0
	golang.org/x/time v0.11.0
	google.golang.org/api v0.230.0
	gopkg.in/yaml.v2 v2.4.0
	gopkg.in/yaml.v3 v3.0.1
)

require (
	aead.dev/mem v0.2.0 // indirect
	aead.dev/minisign v0.3.0 // indirect
	cel.dev/expr v0.23.1 // indirect
	cloud.google.com/go v0.120.1 // indirect
	cloud.google.com/go/auth v0.16.0 // indirect

aead.dev/mem v0.2.0 h1:ufgkESS9+lHV/GUjxgc2ObF43FLZGSemh+W+y27QFMI=
aead.dev/mem v0.2.0/go.mod h1:4qj+sh8fjDhlvne9gm/ZaMRIX9EkmDrKOLwmyDtoMWM=
aead.dev/minisign v0.2.0/go.mod h1:zdq6LdSd9TbuSxchxwhpA9zEb9YXcVGoE8JakuiGaIQ=
aead.dev/minisign v0.3.0 h1:8Xafzy5PEVZqYDNP60yJHARlW1eOQtsKNp/Ph2c0vRA=
aead.dev/minisign v0.3.0/go.mod h1:NLvG3Uoq3skkRMDuc3YHpWUTMTrSExqm+Ij73W13F6Y=
aead.dev/mtls v0.2.1 h1:47NHWciMvrmEhlkpnis8/RGEa9HR9gcbDPfcArG+Yqs=

package kms

import (
	"bytes"
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
	"sync/atomic"
	"syscall"
	"time"

	"aead.dev/mtls"
	"github.com/minio/kms-go/kes"
	"github.com/minio/kms-go/kms"
	"github.com/minio/pkg/v3/certs"
	"github.com/minio/pkg/v3/ellipses"
	"github.com/minio/pkg/v3/env"
)

// Environment variables for MinIO KMS.

bytes, and out must be 16 bytes longer than plaintext. // out and plaintext may overlap exactly or not at all. additionalData and out // must not overlap. // // This complies with FIPS 140-3 IG C.H Scenario 2. // // Note that this is NOT a [cipher.AEAD].Seal method. func SealWithRandomNonce(g *GCM, nonce, out, plaintext, additionalData []byte) { if uint64(len(plaintext)) > uint64((1<<32)-2)*gcmBlockSize { panic("crypto/cipher: message too large for GCM") } if len(nonce) != gcmStandardNonceSize {...