crypto: boringcrypto NewGCMTLS no longer accessible

[wadey]

What version of Go are you using (go version)?

go1.19.2

Does this issue reproduce with the latest release?

Yes

What did you do?

Before go1.19, the dev.boringcrypto branch let you access the NewGCMTLS function because it was exposed on the AES cipher struct.

You could do the following:

type gcmtls interface {
	NewGCMTLS() (cipher.AEAD, error)
}

if aesTLS, ok := aesCipher.(gcmtls); ok {
	gcm, err = aesTLS.NewGCMTLS()
} else {
	gcm, err = cipher.NewGCM(c)
}

But this is no longer possible as the method is no longer exposed on the internal/boring AES struct. It was removed by this CL: https://go-review.googlesource.com/c/go/+/403976 as part of #51940.

It is useful to be able to use this GCM mode directly from an application using the boringcrypto experiment. The way it was exposed on the aes struct previously was ideal since it was hidden unless boringcrypto was active, but any other way of exposing it would work as well.

[wadey]

As an extra note, the future to-be approved version of BoringCrypto adds a "Random Nonce" (EVP_aead_aes_256_gcm_randnonce) mode for GCM that will be even more useful for folks using boringcrypto, so finding a good way to expose both of these would be ideal.

https://boringssl-review.googlesource.com/c/boringssl/+/43686

[seankhliao]

cc @golang/security

[wadey]

If anyone finds this, there is another workaround that is possible until this issue is resolved:

//go:linkname newGCMTLS crypto/internal/boring.NewGCMTLS
func newGCMTLS(c cipher.Block) (cipher.AEAD, error)