From 550c0c898b61628aed108aca7d8dbef32458bc09 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Tue, 9 Dec 2025 00:41:59 +0100 Subject: [PATCH] crypto/hpke: use new gcm.NewGCMForHPKE for FIPS 140-3 compliance It does the exact same thing, but we can document it as an allowed and enforced nonce scheme in the Security Policy. Change-Id: I9d95ba53354e5c8112cde24101570d4b6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/728503 Reviewed-by: David Chase LUCI-TryBot-Result: Go LUCI Reviewed-by: Roland Shoemaker Auto-Submit: Filippo Valsorda --- src/crypto/hpke/aead.go | 9 -------- src/crypto/hpke/aead_fipsv1.0.go | 20 ++++++++++++++++++ src/crypto/hpke/aead_fipsv2.0.go | 21 +++++++++++++++++++ .../internal/fips140/aes/gcm/gcm_nonces.go | 12 +++++++++++ 4 files changed, 53 insertions(+), 9 deletions(-) create mode 100644 src/crypto/hpke/aead_fipsv1.0.go create mode 100644 src/crypto/hpke/aead_fipsv2.0.go diff --git a/src/crypto/hpke/aead.go b/src/crypto/hpke/aead.go index 1a606c68db..fb55c97ddf 100644 --- a/src/crypto/hpke/aead.go +++ b/src/crypto/hpke/aead.go @@ -5,7 +5,6 @@ package hpke import ( - "crypto/aes" "crypto/cipher" "errors" "fmt" @@ -84,14 +83,6 @@ var chacha20poly1305AEAD = &aead{ id: 0x0003, } -func newAESGCM(key []byte) (cipher.AEAD, error) { - b, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - return cipher.NewGCM(b) -} - func (a *aead) ID() uint16 { return a.id } diff --git a/src/crypto/hpke/aead_fipsv1.0.go b/src/crypto/hpke/aead_fipsv1.0.go new file mode 100644 index 0000000000..986126cbf9 --- /dev/null +++ b/src/crypto/hpke/aead_fipsv1.0.go @@ -0,0 +1,20 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build fips140v1.0 + +package hpke + +import ( + "crypto/aes" + "crypto/cipher" +) + +func newAESGCM(key []byte) (cipher.AEAD, error) { + b, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + return cipher.NewGCM(b) +} diff --git a/src/crypto/hpke/aead_fipsv2.0.go b/src/crypto/hpke/aead_fipsv2.0.go new file mode 100644 index 0000000000..710eb1c08f --- /dev/null +++ b/src/crypto/hpke/aead_fipsv2.0.go @@ -0,0 +1,21 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !fips140v1.0 + +package hpke + +import ( + "crypto/cipher" + "crypto/internal/fips140/aes" + "crypto/internal/fips140/aes/gcm" +) + +func newAESGCM(key []byte) (cipher.AEAD, error) { + b, err := aes.New(key) + if err != nil { + return nil, err + } + return gcm.NewGCMForHPKE(b) +} diff --git a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go index 052349b533..5686380376 100644 --- a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go +++ b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go @@ -172,6 +172,18 @@ func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error) { return &GCMWithXORCounterNonce{g: *g}, nil } +// NewGCMForHPKE returns a new AEAD that works like GCM, but enforces the +// construction of nonces as specified in RFC 9180, Section 5.2. +// +// This complies with FIPS 140-3 IG C.H Scenario 5. +func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error) { + g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) + if err != nil { + return nil, err + } + return &GCMWithXORCounterNonce{g: *g}, nil +} + // NewGCMForQUIC returns a new AEAD that works like GCM, but enforces the // construction of nonces as specified in RFC 9001, Section 5.3. // -- 2.52.0