Add validation that firstSegmentOffset is not negative.

This parameter can only be set in the subtle API, and I don't think anybody uses it.

PiperOrigin-RevId: 627982997
Change-Id: Id387c2637933e8b832757e9d35e62ea6ae5db889

src/main/java/com/google/crypto/tink/subtle/AesCtrHmacStreaming.java

@@ -179,6 +179,9 @@ private static void validateParameters(
       throw new InvalidAlgorithmParameterException(
           "ikm too short, must be >= " + Math.max(16, keySizeInBytes));
     }
+    if (firstSegmentOffset < 0) {
+      throw new InvalidAlgorithmParameterException("firstSegmentOffset must not be negative");
+    }
     Validators.validateAesKeySize(keySizeInBytes);
     if (tagSizeInBytes < 10) {
       throw new InvalidAlgorithmParameterException("tag size too small " + tagSizeInBytes);

src/test/java/com/google/crypto/tink/subtle/AesCtrHmacStreamingTest.java

@@ -256,6 +256,22 @@ public void testEncryptDecryptRandomAccessLastSegmentFull() throws Exception {
     testEncryptDecryptRandomAccess(16, 12, 256, 16, 440);
   }
 
+  @Test
+  public void testNegativeFirstSegmentOffset_throws() throws Exception {
+    byte[] ikm = Hex.decode("000102030405060708090a0b0c0d0e0f00112233445566778899aabbccddeeff");
+    assertThrows(
+        GeneralSecurityException.class,
+        () ->
+            new AesCtrHmacStreaming(
+                ikm,
+                "HmacSha256",
+                /* keySizeInBytes= */ 16,
+                "HmacSha256",
+                /* tagSizeInBytes= */ 12,
+                /* ciphertextSegmentSize= */ 4096,
+                /* firstSegmentOffset= */ -1));
+  }
+
   /**
    * One case that is sometimes problematic is writing single bytes to a stream. This test
    * constructs an OutputStream from a WritableByteChannel and tests whether encryption works on