crypto/hpke: use new gcm.NewGCMForHPKE for FIPS 140-3 compliance

It does the exact same thing, but we can document it as an allowed and
enforced nonce scheme in the Security Policy.

Change-Id: I9d95ba53354e5c8112cde24101570d4b6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/728503
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>

4 files changed, 53 insertions, 9 deletions

diff --git a/src/crypto/hpke/aead.go b/src/crypto/hpke/aead.go
index 1a606c68db..fb55c97ddf 100644
--- a/src/crypto/hpke/aead.go
+++ b/src/crypto/hpke/aead.go
@@ -5,7 +5,6 @@
 package hpke
 
 import (
-	"crypto/aes"
 	"crypto/cipher"
 	"errors"
 	"fmt"
@@ -84,14 +83,6 @@ var chacha20poly1305AEAD = &aead{
 	id:  0x0003,
 }
 
-func newAESGCM(key []byte) (cipher.AEAD, error) {
-	b, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-	return cipher.NewGCM(b)
-}
-
 func (a *aead) ID() uint16 {
 	return a.id
 }
diff --git a/src/crypto/hpke/aead_fipsv1.0.go b/src/crypto/hpke/aead_fipsv1.0.go
new file mode 100644
index 0000000000..986126cbf9
--- /dev/null
+++ b/src/crypto/hpke/aead_fipsv1.0.go
@@ -0,0 +1,20 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build fips140v1.0
+
+package hpke
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+)
+
+func newAESGCM(key []byte) (cipher.AEAD, error) {
+	b, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	return cipher.NewGCM(b)
+}
diff --git a/src/crypto/hpke/aead_fipsv2.0.go b/src/crypto/hpke/aead_fipsv2.0.go
new file mode 100644
index 0000000000..710eb1c08f
--- /dev/null
+++ b/src/crypto/hpke/aead_fipsv2.0.go
@@ -0,0 +1,21 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !fips140v1.0
+
+package hpke
+
+import (
+	"crypto/cipher"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/aes/gcm"
+)
+
+func newAESGCM(key []byte) (cipher.AEAD, error) {
+	b, err := aes.New(key)
+	if err != nil {
+		return nil, err
+	}
+	return gcm.NewGCMForHPKE(b)
+}
diff --git a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
index 052349b533..5686380376 100644
--- a/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
+++ b/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
@@ -172,6 +172,18 @@ func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error) {
 	return &GCMWithXORCounterNonce{g: *g}, nil
 }
 
+// NewGCMForHPKE returns a new AEAD that works like GCM, but enforces the
+// construction of nonces as specified in RFC 9180, Section 5.2.
+//
+// This complies with FIPS 140-3 IG C.H Scenario 5.
+func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error) {
+	g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize)
+	if err != nil {
+		return nil, err
+	}
+	return &GCMWithXORCounterNonce{g: *g}, nil
+}
+
 // NewGCMForQUIC returns a new AEAD that works like GCM, but enforces the
 // construction of nonces as specified in RFC 9001, Section 5.3.
 //