crypto/hpke: use new gcm.NewGCMForHPKE for FIPS 140-3 compliance

It does the exact same thing, but we can document it as an allowed and
enforced nonce scheme in the Security Policy.

Change-Id: I9d95ba53354e5c8112cde24101570d4b6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/728503
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>

diff --git a/src/crypto/hpke/aead.go b/src/crypto/hpke/aead.go
index 1a606c68db627f5c016b62172c9d79736b119665..fb55c97ddf20c9b5f81057974c8559a49515ce0c 100644 (file)
--- a/src/crypto/hpke/aead.go
+++ b/src/crypto/hpke/aead.go
@@ -5,7 +5,6 @@
 package hpke
 
 import (
-       "crypto/aes"
        "crypto/cipher"
        "errors"
        "fmt"
@@ -84,14 +83,6 @@ var chacha20poly1305AEAD = &aead{
        id:  0x0003,
 }
 
-func newAESGCM(key []byte) (cipher.AEAD, error) {
-       b, err := aes.NewCipher(key)
-       if err != nil {
-               return nil, err
-       }
-       return cipher.NewGCM(b)
-}
-
 func (a *aead) ID() uint16 {
        return a.id
 }

diff --git a/src/crypto/hpke/aead_fipsv1.0.go b/src/crypto/hpke/aead_fipsv1.0.go
new file mode 100644 (file)
index 0000000..986126c
--- /dev/null
+++ b/src/crypto/hpke/aead_fipsv1.0.go
@@ -0,0 +1,20 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build fips140v1.0
+
+package hpke
+
+import (
+       "crypto/aes"
+       "crypto/cipher"
+)
+
+func newAESGCM(key []byte) (cipher.AEAD, error) {
+       b, err := aes.NewCipher(key)
+       if err != nil {
+               return nil, err
+       }
+       return cipher.NewGCM(b)
+}

diff --git a/src/crypto/hpke/aead_fipsv2.0.go b/src/crypto/hpke/aead_fipsv2.0.go
new file mode 100644 (file)
index 0000000..710eb1c
--- /dev/null
+++ b/src/crypto/hpke/aead_fipsv2.0.go
@@ -0,0 +1,21 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !fips140v1.0
+
+package hpke
+
+import (
+       "crypto/cipher"
+       "crypto/internal/fips140/aes"
+       "crypto/internal/fips140/aes/gcm"
+)
+
+func newAESGCM(key []byte) (cipher.AEAD, error) {
+       b, err := aes.New(key)
+       if err != nil {
+               return nil, err
+       }
+       return gcm.NewGCMForHPKE(b)
+}

diff --git a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
index 052349b53356f059f1fd30fb351bcc7abd18a8e2..56863803760466bcfa4fd62a0f2e436abb4766e4 100644 (file)
--- a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
+++ b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
@@ -172,6 +172,18 @@ func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error) {
        return &GCMWithXORCounterNonce{g: *g}, nil
 }
 
+// NewGCMForHPKE returns a new AEAD that works like GCM, but enforces the
+// construction of nonces as specified in RFC 9180, Section 5.2.
+//
+// This complies with FIPS 140-3 IG C.H Scenario 5.
+func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error) {
+       g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize)
+       if err != nil {
+               return nil, err
+       }
+       return &GCMWithXORCounterNonce{g: *g}, nil
+}
+
 // NewGCMForQUIC returns a new AEAD that works like GCM, but enforces the
 // construction of nonces as specified in RFC 9001, Section 5.3.
 //