This is a really great writeup. But CTR+HMAC is, in fact, a composed authenticated encryption mode. If you have a working system with CTR+HMAC, I'd recommend against spending effort switching to GCM, which is actually harder to get right.
I thought AES-GCM was on its way out? Isn't poly1305-chacha20 what we should use now, given that it's quite a bit cheaper in terms of cost, and the keys are much smaller (32 bytes)?
Also, the code for chacha is easily available.
Also: Don't implement chacha20-poly1305 or AES-GCM yourself, unless you're a crypto expert.
You'll more than likely make a mistake.
Libsodium offers both (but AES-256-GCM is only available if you have hardware support for constant-time implementations).
crypto_aead_chacha20poly1305_encrypt()
crypto_aead_chacha20poly1305_decrypt()
crypto_aead_aes256gcm_encrypt()
crypto_aead_aes256gcm_decrypt()
https://github.com/jedisct1/libsodium
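The encrypt-then-MAC composition that the first comment calls "CTR+HMAC", as an added example that is not code from any commenter or from libsodium. Assumptions: the names `seal` and `open_` are hypothetical, and because the Python standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for AES-CTR; the part being shown is the composition (independent keys, MAC over nonce, AAD and ciphertext, verify before decrypt).

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # fresh random nonce per message
TAG_LEN = 32     # full HMAC-SHA256 tag


def _keystream(enc_key, nonce, length):
    # Stand-in for AES-CTR (assumption, see lead-in): PRF(enc_key, nonce || counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key, nonce, aad, ciphertext):
    # The MAC covers the nonce too; the AAD is length-prefixed so the
    # boundary between AAD and ciphertext cannot be shifted.
    msg = nonce + len(aad).to_bytes(8, "big") + aad + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(enc_key, mac_key, plaintext, aad=b""):
    # enc_key and mac_key must be independent keys.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ciphertext + _tag(mac_key, nonce, aad, ciphertext)


def open_(enc_key, mac_key, box, aad=b""):
    if len(box) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = box[:NONCE_LEN]
    ciphertext = box[NONCE_LEN:-TAG_LEN]
    tag = box[-TAG_LEN:]
    # Verify first, in constant time; never decrypt unauthenticated data.
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ciphertext)):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))
```

A flipped bit in the nonce, ciphertext or tag, or a different AAD, makes `open_` raise before any decryption happens.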