[dev.boringcrypto] crypto/aes: implement TLS-specific AES-GCM mode from BoringCrypto
authorRuss Cox <rsc@golang.org>
Thu, 3 Aug 2017 15:59:56 +0000 (11:59 -0400)
committerRuss Cox <rsc@golang.org>
Thu, 17 Aug 2017 19:38:34 +0000 (19:38 +0000)
Change-Id: I8407310e7d00eafe9208879228dbf4ac3d26a907
Reviewed-on: https://go-review.googlesource.com/55477
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
src/crypto/internal/boring/aes.go

index 8b55564138a63accfc6ce71fec1f5567871c4a63..225d7469c5f3d48b6d154bb073231249e693a16d 100644 (file)
@@ -36,7 +36,10 @@ type extraModes interface {
        NewCBCEncrypter(iv []byte) cipher.BlockMode
        NewCBCDecrypter(iv []byte) cipher.BlockMode
        NewCTR(iv []byte) cipher.Stream
-       NewGCM(size int) (cipher.AEAD, error)
+       NewGCM(nonceSize int) (cipher.AEAD, error)
+
+       // Invented for BoringCrypto.
+       NewGCMTLS() (cipher.AEAD, error)
 }
 
 var _ extraModes = (*aesCipher)(nil)
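Review bot: The new interface method NewGCMTLS is documented only as "Invented for BoringCrypto.", which says where it came from but not what callers get or when they should use it instead of NewGCM. Since the method has no counterpart in the standard library, the interface is the only place a reader can learn its contract; I would replace the comment with something like `// NewGCMTLS returns an AEAD with the standard GCM nonce size backed by BoringCrypto's TLS 1.2 variant of AES-GCM; it is intended for the TLS record layer, not for general-purpose GCM use.` If I recall correctly the BoringSSL tls12 AEADs also enforce TLS-specific nonce-construction rules on Seal, so the comment should mention that general callers must not pass arbitrary nonces — confirm against the BoringSSL documentation before stating it.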
@@ -172,6 +175,14 @@ type noGCM struct {
 }
 
 func (c *aesCipher) NewGCM(nonceSize int) (cipher.AEAD, error) {
+       return c.newGCM(nonceSize, false)
+}
+
+func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) {
+       return c.newGCM(gcmStandardNonceSize, true)
+}
+
+func (c *aesCipher) newGCM(nonceSize int, tls bool) (cipher.AEAD, error) {
        if nonceSize != gcmStandardNonceSize {
                // Fall back to standard library for GCM with non-standard nonce size.
                return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
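Review bot: newGCM's non-standard-nonce fallback on the last lines of this hunk ignores the tls flag, so a caller reaching it with tls=true would silently receive the generic standard-library GCM rather than the TLS-specific BoringCrypto AEAD; today only NewGCMTLS passes true and it fixes the nonce size, so the path is unreachable, but the same silent downgrade is reachable in the default key-size branch of the next hunk (a key that is neither 128 nor 256 bits with tls=true falls back to cipher.NewGCMWithNonceSize). I would make the downgrade explicit in both fallback branches, e.g. `if tls { return nil, errors.New("boringcrypto: TLS GCM requires a standard key and nonce size") }` (adding the errors import if the file does not already have it), or at minimum add a comment stating that the stdlib fallback is acceptable for the TLS caller. The two exported methods also lack doc comments; `// NewGCM returns a GCM AEAD for c, using BoringCrypto when the key and nonce sizes are standard and the standard library otherwise.` and a matching one for NewGCMTLS would do. newGCM's body continues past this hunk.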
@@ -180,9 +191,17 @@ func (c *aesCipher) NewGCM(nonceSize int) (cipher.AEAD, error) {
        var aead *C.GO_EVP_AEAD
        switch len(c.key) * 8 {
        case 128:
-               aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
+               if tls {
+                       aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12()
+               } else {
+                       aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
+               }
        case 256:
-               aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
+               if tls {
+                       aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12()
+               } else {
+                       aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
+               }
        default:
                // Fall back to standard library for GCM with non-standard key size.
                return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)