proposal: crypto/cipher: expose NewGCMWithCounterNonce

[wadey]

Proposal Details

The internal method crypto.internal.fips140.aes.gcm.NewGCMWithCounterNonce was added in go1.24. This method would be nice to expose for users that want to use it for FIPS-140 compliance reasons.

Outside of FIPS reasons, this method is also nice because it asserts your GCM nonces are non-repeating (when you are using a counter).

NewGCMWithRandomNonce was exposed in crypto/cipher with #69981, so I imagine it could be exposed in a similar way.

[gabyhelp]

Related Issues

• crypto/cipher: add NewGCMWithRandomNonce #69981 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[Lekensteyn]

This method is required for QUIC record encryption where the AES-GCM nonce is constructed as follows:

• 62-bit packet counter, left-padded with zeroes, XORed with a 96-bit IV. RFC 9001, Section 5.3
• This 96-bit IV is generated together with the key RFC 9001, Section 5.1

Implementation Guidance FIPS 140-3, C.H. Scenario 3

The first 4 bytes of the IV is treated as 32-bit "name". The last 8 bytes of the IV XORed with the packet number is treated as counter. As desired.

[gopherbot]

Change https://go.dev/cl/723760 mentions this issue: crypto/internal/fips140/aes/gcm: add more GCM nonce modes