NewCBCEncrypter(iv []byte) cipher.BlockMode
NewCBCDecrypter(iv []byte) cipher.BlockMode
NewCTR(iv []byte) cipher.Stream
- NewGCM(nonceSize int) (cipher.AEAD, error)
+ NewGCM(nonceSize, tagSize int) (cipher.AEAD, error)
// Invented for BoringCrypto.
NewGCMTLS() (cipher.AEAD, error)
cipher.Block
}
-func (c *aesCipher) NewGCM(nonceSize int) (cipher.AEAD, error) {
- return c.newGCM(nonceSize, false)
+func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
+ if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize {
+ return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time")
+ }
+ // Fall back to standard library for GCM with non-standard nonce or tag size.
+ if nonceSize != gcmStandardNonceSize {
+ return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
+ }
+ if tagSize != gcmTagSize {
+ return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
+ }
+ return c.newGCM(false)
}
func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) {
- return c.newGCM(gcmStandardNonceSize, true)
+ return c.newGCM(true)
}
-func (c *aesCipher) newGCM(nonceSize int, tls bool) (cipher.AEAD, error) {
- if nonceSize != gcmStandardNonceSize {
- // Fall back to standard library for GCM with non-standard nonce size.
- return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
- }
-
+func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
var aead *C.GO_EVP_AEAD
switch len(c.key) * 8 {
case 128:
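Review bot: NewGCM has no doc comment, yet the new body has three outcomes a caller cannot tell apart from the signature: a BoringCrypto AEAD for standard sizes, a standard-library AEAD via `&noGCM{c}` when exactly one size is non-standard, and an error when both are. I would add above the method something like `// NewGCM returns the BoringCrypto AES-GCM only for the standard nonce and tag sizes; one non-standard size falls back to crypto/cipher, both is an error.` Range validation of nonceSize and tagSize is not done here but left to cipher.NewGCMWithNonceSize and cipher.NewGCMWithTagSize, which belongs in the same comment so a later fast path does not skip it. If callers rely on this package for validated-module crypto, the silent fallback to the software implementation is the part they most need to know about.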
}
default:
// Fall back to standard library for GCM with non-standard key size.
- return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
+ return cipher.NewGCMWithNonceSize(&noGCM{c}, gcmStandardNonceSize)
}
g := &aesGCM{aead: aead}
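Review bot: The `default:` fallback ignores `tls`, so a NewGCMTLS call with a key size the switch does not handle gets the same plain standard-library GCM that NewGCM would return. If the TLS variant exists to enforce extra nonce rules (the visible lines do not show what it selects), that enforcement is dropped silently on this path. Either document it on the fallback, e.g. `// NOTE: tls is ignored here; the fallback is plain GCM.`, or, if no caller depends on the fallback, refuse with `if tls { return nil, errors.New("crypto/aes: GCM-TLS requires a BoringCrypto-supported key size") }`. newGCM starts in the previous hunk and continues past this one.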
// to make sure g is not collected (and finalized) before the cgo
// call returns.
runtime.SetFinalizer(g, (*aesGCM).finalize)
- if g.NonceSize() != nonceSize {
+ if g.NonceSize() != gcmStandardNonceSize {
panic("boringcrypto: internal confusion about nonce size")
}
if g.Overhead() != gcmTagSize {