Support backend ciphers in cipher.NewGCMWithRandomNonce (#1673)

mertakman · web-flow · commit ef79040c6fce · 2025-05-29T13:27:34.000Z
* fix: implement aes aead

* fix:correct return value

* fix: implement extended aed

* fix:patch the gcmwithrandomnonce

* fix:wrap returned interface

* fix:add missing returns

* fix:use correct consts

* use custom interface for checking if cipher returned from boring or not

* Fix:openssl patches

* add missing const

* fix:update all backends

* fix:remove extra token

* fix:remove unneccesary code

* revert changes in gcm

* update:panic when none of the cases met for interface casting

* fix: revert backend changes for minimal diff

* fix:use newgcm

* fix:use correct panic msg

* fix:add extra check

* fix:return customgcmwrapper by value

* fix:address PR comments

* readd checks in testgcmaead

* fix:typo
diff --git a/patches/0002-Vendor-crypto-backends.patch b/patches/0002-Vendor-crypto-backends.patch
@@ -18,7 +18,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../github.com/golang-fips/openssl/v2/aes.go  |  146 ++
  .../golang-fips/openssl/v2/bbig/big.go        |   37 +
  .../github.com/golang-fips/openssl/v2/big.go  |   11 +
- .../golang-fips/openssl/v2/cipher.go          |  603 +++++
+ .../golang-fips/openssl/v2/cipher.go          |  654 ++++++
  .../golang-fips/openssl/v2/const.go           |   93 +
  .../github.com/golang-fips/openssl/v2/des.go  |  113 +
  .../github.com/golang-fips/openssl/v2/dsa.go  |  309 +++
@@ -59,7 +59,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../internal/cryptokit/hash.go                |  255 +++
  .../internal/cryptokit/hkdf.go                |   77 +
  .../internal/cryptokit/hmac.go                |  144 ++
- .../microsoft/go-crypto-darwin/xcrypto/aes.go |  306 +++
+ .../microsoft/go-crypto-darwin/xcrypto/aes.go |  336 +++
  .../microsoft/go-crypto-darwin/xcrypto/big.go |   16 +
  .../go-crypto-darwin/xcrypto/cgo_go124.go     |   23 +
  .../go-crypto-darwin/xcrypto/cipher.go        |  122 +
@@ -78,7 +78,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../microsoft/go-crypto-darwin/xcrypto/rsa.go |  194 ++
  .../go-crypto-darwin/xcrypto/xcrypto.go       |   49 +
  .../microsoft/go-crypto-winnative/LICENSE     |   21 +
- .../microsoft/go-crypto-winnative/cng/aes.go  |  393 ++++
+ .../microsoft/go-crypto-winnative/cng/aes.go  |  427 ++++
  .../go-crypto-winnative/cng/bbig/big.go       |   31 +
  .../microsoft/go-crypto-winnative/cng/big.go  |   30 +
  .../go-crypto-winnative/cng/cipher.go         |   52 +
@@ -103,7 +103,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../internal/subtle/aliasing.go               |   32 +
  .../internal/sysdll/sys_windows.go            |   55 +
  src/vendor/modules.txt                        |   17 +
- 97 files changed, 17015 insertions(+), 7 deletions(-)
+ 97 files changed, 17130 insertions(+), 7 deletions(-)
  create mode 100644 src/crypto/internal/backend/deps_ignore.go
  create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitignore
  create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml
@@ -226,7 +226,7 @@ index 00000000000000..ae4055d2d71303
 +// that are used by the backend package. This allows to track
 +// their versions in a single patch file.
 diff --git a/src/go.mod b/src/go.mod
-index 28e250668dd52c..0856b1d14f7d34 100644
+index 28e250668dd52c..e5aa4b223a54d4 100644
 --- a/src/go.mod
 +++ b/src/go.mod
 @@ -11,3 +11,9 @@ require (
@@ -240,7 +240,7 @@ index 28e250668dd52c..0856b1d14f7d34 100644
 +	github.com/microsoft/go-crypto-winnative v0.0.0-20250224213920-97653fcd3f40
 +)
 diff --git a/src/go.sum b/src/go.sum
-index ca2e7027fad3bd..00efdf0cb6041e 100644
+index ca2e7027fad3bd..f623f220d18598 100644
 --- a/src/go.sum
 +++ b/src/go.sum
 @@ -1,3 +1,9 @@
@@ -254,7 +254,7 @@ index ca2e7027fad3bd..00efdf0cb6041e 100644
  golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
  golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
 diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
-index 1eb683a5ae77b7..2adf8c897229cf 100644
+index b261af47e2167c..3ad0b0a3f2f465 100644
 --- a/src/go/build/deps_test.go
 +++ b/src/go/build/deps_test.go
 @@ -518,6 +518,24 @@ var depsRules = `
@@ -311,7 +311,7 @@ index 1eb683a5ae77b7..2adf8c897229cf 100644
  	CRYPTO, FMT, math/big
  	< crypto/internal/boring/bbig
  	< crypto/rand
-@@ -858,7 +879,7 @@ var buildIgnore = []byte("\n//go:build ignore")
+@@ -861,7 +882,7 @@ var buildIgnore = []byte("\n//go:build ignore")
  
  func findImports(pkg string) ([]string, error) {
  	vpkg := pkg
@@ -320,7 +320,7 @@ index 1eb683a5ae77b7..2adf8c897229cf 100644
  		vpkg = "vendor/" + pkg
  	}
  	dir := filepath.Join(Default.GOROOT, "src", vpkg)
-@@ -868,7 +889,7 @@ func findImports(pkg string) ([]string, error) {
+@@ -871,7 +892,7 @@ func findImports(pkg string) ([]string, error) {
  	}
  	var imports []string
  	var haveImport = map[string]bool{}
@@ -679,10 +679,10 @@ index 00000000000000..6461f241f863fc
 +type BigInt []uint
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/cipher.go b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
 new file mode 100644
-index 00000000000000..2a3a91eb549a68
+index 00000000000000..c9b2a64e181d3e
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
-@@ -0,0 +1,603 @@
+@@ -0,0 +1,654 @@
 +//go:build !cmd_go_bootstrap
 +
 +package openssl
@@ -1010,6 +1010,7 @@ index 00000000000000..2a3a91eb549a68
 +}
 +
 +const (
++	aesBlockSize         = 16
 +	gcmTagSize           = 16
 +	gcmStandardNonceSize = 12
 +	// TLS 1.2 additional data is constructed as:
@@ -1165,6 +1166,56 @@ index 00000000000000..2a3a91eb549a68
 +	return ret
 +}
 +
++func (g *cipherGCM) SealWithRandomNonce(out, nonce, plaintext, aad []byte) {
++	if uint64(len(plaintext)) > uint64((1<<32)-2)*aesBlockSize {
++		panic("crypto/cipher: message too large for GCM")
++	}
++	if len(nonce) != gcmStandardNonceSize {
++		panic("crypto/cipher: incorrect nonce length given to GCMWithRandomNonce")
++	}
++	if len(out) != len(plaintext)+gcmTagSize {
++		panic("crypto/cipher: incorrect output length given to GCMWithRandomNonce")
++	}
++	if inexactOverlap(out, plaintext) {
++		panic("crypto/cipher: invalid buffer overlap of output and input")
++	}
++	if anyOverlap(out, aad) {
++		panic("crypto/cipher: invalid buffer overlap of output and additional data")
++	}
++
++	if g.tls != cipherGCMTLSNone {
++		panic("cipher: encryption failed")
++	}
++
++	RandReader.Read(nonce)
++	ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil)
++	if err != nil {
++		panic(err)
++	}
++	defer ossl.EVP_CIPHER_CTX_free(ctx)
++	if _, err := ossl.EVP_EncryptInit_ex(ctx, nil, nil, nil, base(nonce)); err != nil {
++		panic(err)
++	}
++	var outl, discard int32
++	if _, err := ossl.EVP_EncryptUpdate(ctx, nil, &discard, baseNeverEmpty(aad), int32(len(aad))); err != nil {
++		panic(err)
++	}
++	if _, err := ossl.EVP_EncryptUpdate(ctx, base(out), &outl, baseNeverEmpty(plaintext), int32(len(plaintext))); err != nil {
++		panic(err)
++	}
++	if len(plaintext) != int(outl) {
++		panic("cipher: incorrect length returned from GCM EncryptUpdate")
++	}
++	if _, err := ossl.EVP_EncryptFinal_ex(ctx, base(out[outl:]), &discard); err != nil {
++		panic(err)
++	}
++	if _, err := ossl.EVP_CIPHER_CTX_ctrl(ctx, ossl.EVP_CTRL_GCM_GET_TAG, 16, unsafe.Pointer(base(out[outl:]))); err != nil {
++		panic(err)
++	}
++	runtime.KeepAlive(g)
++	return
++}
++
 +var errOpen = errors.New("cipher: message authentication failed")
 +
 +func (g *cipherGCM) Open(dst, nonce, ciphertext, aad []byte) (_ []byte, err error) {
@@ -12399,10 +12450,10 @@ index 00000000000000..c9f4d67de4c9f3
 +}
 diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go
 new file mode 100644
-index 00000000000000..27a42bfc89ca06
+index 00000000000000..c9611eef5e2697
 --- /dev/null
 +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go
-@@ -0,0 +1,306 @@
+@@ -0,0 +1,336 @@
 +// Copyright (c) Microsoft Corporation.
 +// Licensed under the MIT License.
 +
@@ -12623,6 +12674,36 @@ index 00000000000000..27a42bfc89ca06
 +	return ret
 +}
 +
++func (g *aesGCM) SealWithRandomNonce(out, nonce, plaintext, additionalData []byte) {
++	if uint64(len(plaintext)) > uint64((1<<32)-2)*aesBlockSize {
++		panic("crypto/cipher: message too large for GCM")
++	}
++	if len(nonce) != gcmStandardNonceSize {
++		panic("crypto/cipher: incorrect nonce length given to GCMWithRandomNonce")
++	}
++	if len(out) != len(plaintext)+gcmTagSize {
++		panic("crypto/cipher: incorrect output length given to GCMWithRandomNonce")
++	}
++	if inexactOverlap(out, plaintext) {
++		panic("crypto/cipher: invalid buffer overlap of output and input")
++	}
++	if anyOverlap(out, additionalData) {
++		panic("crypto/cipher: invalid buffer overlap of output and additional data")
++	}
++
++	if g.tls != cipherGCMTLSNone {
++		panic("cipher: TLS 1.2 and 1.3 modes do not support random nonce")
++	}
++
++	tag := out[len(out)-gcmTagSize:]
++	// Generate a random nonce
++	RandReader.Read(nonce)
++	err := cryptokit.EncryptAESGCM(g.key, plaintext, nonce, additionalData, out[:len(out)-gcmTagSize], tag)
++	if err != 0 {
++		panic("cipher: encryption failed")
++	}
++}
++
 +var errOpen = errors.New("cipher: message authentication failed")
 +
 +func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
@@ -14483,10 +14564,10 @@ index 00000000000000..9e841e7a26e4eb
 +    SOFTWARE
 diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go
 new file mode 100644
-index 00000000000000..097a0fc77f0adb
+index 00000000000000..692a36ec7079cc
 --- /dev/null
 +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go
-@@ -0,0 +1,393 @@
+@@ -0,0 +1,427 @@
 +// Copyright (c) Microsoft Corporation.
 +// Licensed under the MIT License.
 +
@@ -14826,6 +14907,40 @@ index 00000000000000..097a0fc77f0adb
 +	return ret
 +}
 +
++func (g *aesGCM) SealWithRandomNonce(out, nonce, plaintext, additionalData []byte) {
++	if uint64(len(plaintext)) > uint64((1<<32)-2)*aesBlockSize {
++		panic("crypto/cipher: message too large for GCM")
++	}
++	if len(nonce) != gcmStandardNonceSize {
++		panic("crypto/cipher: incorrect nonce length given to GCMWithRandomNonce")
++	}
++	if len(out) != len(plaintext)+gcmTagSize {
++		panic("crypto/cipher: incorrect output length given to GCMWithRandomNonce")
++	}
++	if subtle.InexactOverlap(out, plaintext) {
++		panic("crypto/cipher: invalid buffer overlap of output and input")
++	}
++	if subtle.AnyOverlap(out, additionalData) {
++		panic("crypto/cipher: invalid buffer overlap of output and additional data")
++	}
++
++	if g.tls != cipherGCMTLSNone {
++		panic("cipher: TLS 1.2 and 1.3 modes do not support random nonce")
++	}
++
++	RandReader.Read(nonce)
++	info := bcrypt.NewAUTHENTICATED_CIPHER_MODE_INFO(nonce, additionalData, out[len(out)-gcmTagSize:])
++	var encSize uint32
++	err := bcrypt.Encrypt(g.kh, plaintext, unsafe.Pointer(info), nil, out, &encSize, 0)
++	if err != nil {
++		panic(err)
++	}
++	if int(encSize) != len(plaintext) {
++		panic("crypto/cipher: plaintext not fully encrypted")
++	}
++	runtime.KeepAlive(g)
++}
++
 +var errOpen = errors.New("cipher: message authentication failed")
 +
 +func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
@@ -18837,7 +18952,7 @@ index 00000000000000..1722410e5af193
 +	return getSystemDirectory() + "\\" + dll
 +}
 diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
-index 4c87639632f887..35848b6d6cd2dd 100644
+index 4c87639632f887..271c698c1d681b 100644
 --- a/src/vendor/modules.txt
 +++ b/src/vendor/modules.txt
 @@ -1,3 +1,20 @@
diff --git a/patches/0003-Implement-crypto-internal-backend.patch b/patches/0003-Implement-crypto-internal-backend.patch
@@ -2710,10 +2710,10 @@ index 00000000000000..5e4b436554d44d
 +// from complaining about the missing body
 +// (because the implementation might be here).
 diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
-index 0095243ce2b0b7..af62328edf5eca 100644
+index 3ad0b0a3f2f465..2e4b1fd1b370cc 100644
 --- a/src/go/build/deps_test.go
 +++ b/src/go/build/deps_test.go
-@@ -535,6 +535,11 @@ var depsRules = `
+@@ -536,6 +536,11 @@ var depsRules = `
  	< github.com/microsoft/go-crypto-winnative/internal/bcrypt
  	< github.com/microsoft/go-crypto-winnative/cng;
  
@@ -2725,7 +2725,7 @@ index 0095243ce2b0b7..af62328edf5eca 100644
  	FIPS, internal/godebug < crypto/fips140;
  
  	crypto, hash !< FIPS;
-@@ -545,16 +550,28 @@ var depsRules = `
+@@ -546,16 +551,28 @@ var depsRules = `
  	NONE < crypto/internal/boring/sig, crypto/internal/boring/syso;
  	sync/atomic < crypto/internal/boring/bcache;
  
@@ -2756,7 +2756,7 @@ index 0095243ce2b0b7..af62328edf5eca 100644
  	< crypto/boring
  	< crypto/aes,
  	  crypto/des,
-@@ -578,8 +595,12 @@ var depsRules = `
+@@ -579,8 +596,12 @@ var depsRules = `
  	math/big, github.com/microsoft/go-crypto-darwin/xcrypto < github.com/microsoft/go-crypto-darwin/bbig;
  	math/big, github.com/microsoft/go-crypto-winnative/cng < github.com/microsoft/go-crypto-winnative/cng/bbig;
  
@@ -2801,7 +2801,7 @@ index 00000000000000..8d0c3fde9ab5e8
 +const AllowCryptoFallback = true
 +const AllowCryptoFallbackInt = 1
 diff --git a/src/internal/goexperiment/flags.go b/src/internal/goexperiment/flags.go
-index c2a8b7f860d780..451a8924ae423d 100644
+index 6b4289503d57ae..12fba96b868c9e 100644
 --- a/src/internal/goexperiment/flags.go
 +++ b/src/internal/goexperiment/flags.go
 @@ -78,6 +78,14 @@ type Flags struct {
diff --git a/patches/0004-Use-crypto-backends.patch b/patches/0004-Use-crypto-backends.patch
