From cb5b47443f5e3a94dc6a6563d00b08a2848afcdb Mon Sep 17 00:00:00 2001
From: Russ Cox
Date: Thu, 3 Aug 2017 11:59:56 -0400
Subject: [dev.boringcrypto.go1.8] crypto/aes: implement TLS-specific AES-GCM mode from BoringCrypto

Change-Id: I8407310e7d00eafe9208879228dbf4ac3d26a907
Reviewed-on: https://go-review.googlesource.com/55477
Run-TryBot: Russ Cox
TryBot-Result: Gobot Gobot
Reviewed-by: Adam Langley
Reviewed-on: https://go-review.googlesource.com/57938
---
 src/crypto/internal/boring/aes.go | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
index 8b55564138..225d7469c5 100644
--- a/src/crypto/internal/boring/aes.go
+++ b/src/crypto/internal/boring/aes.go
@@ -36,7 +36,10 @@ type extraModes interface {
 	NewCBCEncrypter(iv []byte) cipher.BlockMode
 	NewCBCDecrypter(iv []byte) cipher.BlockMode
 	NewCTR(iv []byte) cipher.Stream
-	NewGCM(size int) (cipher.AEAD, error)
+	NewGCM(nonceSize int) (cipher.AEAD, error)
+
+	// Invented for BoringCrypto.
+	NewGCMTLS() (cipher.AEAD, error)
 }
 
 var _ extraModes = (*aesCipher)(nil)
@@ -172,6 +175,14 @@ type noGCM struct {
 }
 
 func (c *aesCipher) NewGCM(nonceSize int) (cipher.AEAD, error) {
+	return c.newGCM(nonceSize, false)
+}
+
+func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) {
+	return c.newGCM(gcmStandardNonceSize, true)
+}
+
+func (c *aesCipher) newGCM(nonceSize int, tls bool) (cipher.AEAD, error) {
 	if nonceSize != gcmStandardNonceSize {
 		// Fall back to standard library for GCM with non-standard nonce size.
 		return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
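Review bot: The new interface method `NewGCMTLS` is documented only by its provenance ("Invented for BoringCrypto.") and not by its contract, so a caller cannot tell from the declaration how it differs from `NewGCM`. From the implementation in this commit it always uses the standard nonce size and selects the `_tls12` AEAD variants; the comment should say so, e.g. `// NewGCMTLS returns a GCM AEAD with the standard nonce size that uses BoringCrypto's TLS 1.2 AES-GCM AEAD instead of the generic one.` If the BoringSSL `tls12` AEADs also enforce additional nonce checks on seal (as I believe they do, but confirm against the BoringSSL headers this package binds to), that constraint belongs in the same comment, since callers passing a repeated or non-increasing explicit nonce would see failures they do not get from `NewGCM`.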
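Review bot: `newGCM` silently drops the `tls` flag when it falls back to `cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)` for a non-standard nonce size, so a caller that asked for the TLS-specific AEAD gets a plain standard-library GCM with no error. That branch is currently unreachable through `NewGCMTLS`, which always passes `gcmStandardNonceSize`, but the same pattern in the next hunk's key-size fallback is reachable (a 24-byte key reaches `default:` with `tls` still true). Rather than degrading silently, both fallbacks should refuse the request when `tls` is set, e.g. `if tls { return nil, errors.New("boringcrypto: TLS AES-GCM requires a standard nonce size and a 128- or 256-bit key") }` (adjusting to whatever error construction this file already imports), or at minimum the `NewGCMTLS` doc comment must state the fallback. `newGCM`'s body continues past the end of this hunk.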
@@ -180,9 +191,17 @@ func (c *aesCipher) NewGCM(nonceSize int) (cipher.AEAD, error) {
 	var aead *C.GO_EVP_AEAD
 	switch len(c.key) * 8 {
 	case 128:
-		aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
+		if tls {
+			aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12()
+		} else {
+			aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
+		}
 	case 256:
-		aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
+		if tls {
+			aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12()
+		} else {
+			aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
+		}
 	default:
 		// Fall back to standard library for GCM with non-standard key size.
 		return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
-- 
cgit v1.2.3-54-g00ecf