crypto/cipher: NewGCMWithRandomNonce error with GOEXPERIMENT=boringcrypto

[ancientlore]

Go version

go version go1.24.0 linux/amd64

Output of go env in your module/workspace:

AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/home/ec2-user/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/home/ec2-user/.config/go/env'
GOEXE=''
GOEXPERIMENT='boringcrypto'
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2932934674=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/home/ec2-user/sap/tools/me/fieldcrypt/go.mod'
GOMODCACHE='/home/ec2-user/go/pkg/mod'
GONOPROXY='*.concur.com,*.wdf.sap.corp,*.tools.sap'
GONOSUMDB='*.concur.com,*.wdf.sap.corp,*.tools.sap'
GOOS='linux'
GOPATH='/home/ec2-user/go'
GOPRIVATE='*.concur.com,*.wdf.sap.corp,*.tools.sap'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/ec2-user/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.0'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

When using cipher.NewGCMWithRandomNonce, the function will error when GOEXPERIMENT=boringcrypto is enabled.

aesCipher, err := aes.NewCipher(key)
if err != nil {
        panic(err)
}
aead, err := cipher.NewGCMWithRandomNonce(aesCipher)
if err != nil {
        panic(err)
}

What did you see happen?

The function reports the error cipher: NewGCMWithRandomNonce requires aes.Block.
It does not do that when BoringCrypto is not used. The error comes from https://github.com/golang/go/blob/master/src/crypto/cipher/gcm.go#L96 where it tests for a cipher.(*aes.Block), which is apparently not the case when using BoringCrypto.

What did you expect to see?

I expected to see no error when using BoringCrypto. It is easy to work around by using cipher.NewGCM instead.

[seankhliao]

cc @golang/security
seems to be that crypto/aes may return different concrete types depending on the implementation https://cs.opensource.google/go/go/+/refs/tags/go1.24.0:src/crypto/aes/aes.go;l=44-48

[gabyhelp]

Related Issues

• crypto/cipher: Unnecessary allocations when using boringcrypto's AES-GCM implementation #71139
• boringcrypto: require `CGO_ENABLED=1` when `GOEXPERIMENT=boringcrypto` #68588
• go/src/crypto/cipher/gcm.go: package should return error instead of panicking #70087 (closed)
• crypto: boringcrypto NewGCMTLS no longer accessible #56326
• crypto/internal/boring: NewCTR does not panic when given an IV with different length than block size #68377

Related Code Changes

• [dev.boringcrypto] crypto/aes: use BoringCrypto
• [dev.boringcrypto.go1.8] crypto/internal/boring: add initial BoringCrypto access
• [dev.boringcrypto.go1.8] crypto/aes: implement TLS-specific AES-GCM mode from BoringCrypto
• [dev.boringcrypto] crypto/aes: implement TLS-specific AES-GCM mode from BoringCrypto
• [dev.boringcrypto.go1.8] crypto/internal/cipherhw: fix AESGCMSupport for BoringCrypto

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[mauri870]

This bug was introduced in #69981 for go1.24.0. Since boringcrypto is not used outside of Google, it went unnoticed.

NewGCMWithRandomNonce expects the parameter to be of type *aes.Block but for boringcrypto it is of type *boring.aesCipher. Given that the doc comment states The cipher must have been created by aes.NewCipher it should work with boringcrypto.

cc @FiloSottile