From: Filippo Valsorda Date: Mon, 8 Dec 2025 23:41:59 +0000 (+0100) Subject: crypto/hpke: use new gcm.NewGCMForHPKE for FIPS 140-3 compliance X-Git-Tag: go1.26rc1~1^2~38 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=550c0c898b61628aed108aca7d8dbef32458bc09;p=gostls13.git crypto/hpke: use new gcm.NewGCMForHPKE for FIPS 140-3 compliance It does the exact same thing, but we can document it as an allowed and enforced nonce scheme in the Security Policy. Change-Id: I9d95ba53354e5c8112cde24101570d4b6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/728503 Reviewed-by: David Chase LUCI-TryBot-Result: Go LUCI Reviewed-by: Roland Shoemaker Auto-Submit: Filippo Valsorda --- diff --git a/src/crypto/hpke/aead.go b/src/crypto/hpke/aead.go index 1a606c68db..fb55c97ddf 100644 --- a/src/crypto/hpke/aead.go +++ b/src/crypto/hpke/aead.go @@ -5,7 +5,6 @@ package hpke import ( - "crypto/aes" "crypto/cipher" "errors" "fmt" @@ -84,14 +83,6 @@ var chacha20poly1305AEAD = &aead{ id: 0x0003, } -func newAESGCM(key []byte) (cipher.AEAD, error) { - b, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - return cipher.NewGCM(b) -} - func (a *aead) ID() uint16 { return a.id } diff --git a/src/crypto/hpke/aead_fipsv1.0.go b/src/crypto/hpke/aead_fipsv1.0.go new file mode 100644 index 0000000000..986126cbf9 --- /dev/null +++ b/src/crypto/hpke/aead_fipsv1.0.go @@ -0,0 +1,20 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build fips140v1.0 + +package hpke + +import ( + "crypto/aes" + "crypto/cipher" +) + +func newAESGCM(key []byte) (cipher.AEAD, error) { + b, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + return cipher.NewGCM(b) +} diff --git a/src/crypto/hpke/aead_fipsv2.0.go b/src/crypto/hpke/aead_fipsv2.0.go new file mode 100644 index 0000000000..710eb1c08f --- /dev/null +++ b/src/crypto/hpke/aead_fipsv2.0.go @@ -0,0 +1,21 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !fips140v1.0 + +package hpke + +import ( + "crypto/cipher" + "crypto/internal/fips140/aes" + "crypto/internal/fips140/aes/gcm" +) + +func newAESGCM(key []byte) (cipher.AEAD, error) { + b, err := aes.New(key) + if err != nil { + return nil, err + } + return gcm.NewGCMForHPKE(b) +} diff --git a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go index 052349b533..5686380376 100644 --- a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go +++ b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go @@ -172,6 +172,18 @@ func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error) { return &GCMWithXORCounterNonce{g: *g}, nil } +// NewGCMForHPKE returns a new AEAD that works like GCM, but enforces the +// construction of nonces as specified in RFC 9180, Section 5.2. +// +// This complies with FIPS 140-3 IG C.H Scenario 5. +func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error) { + g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) + if err != nil { + return nil, err + } + return &GCMWithXORCounterNonce{g: *g}, nil +} + // NewGCMForQUIC returns a new AEAD that works like GCM, but enforces the // construction of nonces as specified in RFC 9001, Section 5.3. //