crypto/hpke: use new gcm.NewGCMForHPKE for FIPS 140-3 compliance

It does the exact same thing, but we can document it as an allowed and
enforced nonce scheme in the Security Policy.

Change-Id: I9d95ba53354e5c8112cde24101570d4b6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/728503
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>

1 files changed, 12 insertions, 0 deletions

diff --git a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
index 052349b533..5686380376 100644
--- a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
+++ b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
@@ -172,6 +172,18 @@ func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error) {
 	return &GCMWithXORCounterNonce{g: *g}, nil
 }
 
+// NewGCMForHPKE returns a new AEAD that works like GCM, but enforces the
+// construction of nonces as specified in RFC 9180, Section 5.2.
+//
+// This complies with FIPS 140-3 IG C.H Scenario 5.
+func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error) {
+	g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize)
+	if err != nil {
+		return nil, err
+	}
+	return &GCMWithXORCounterNonce{g: *g}, nil
+}
+
 // NewGCMForQUIC returns a new AEAD that works like GCM, but enforces the
 // construction of nonces as specified in RFC 9001, Section 5.3.
 //