cipher.NewGCMWithNonceSize allows for any nonce size, including one that is zero length. This is not allowed by NIST SP 800-38D and encrypting with such an IV leaks the authentication key.
NIST SP 800-38D:
The bit lengths of the input strings to the authenticated encryption function shall meet the
following requirements:
...
1 ≤ len(IV) ≤ 2^64-1
Allowing a zero-length nonce opens the package up to misuse, and there is never a valid reason to do this. It could be argued that cipher.NewGCMWithNonceSize isn't meant to be as safe, and the recommended approach is to use cipher.NewGCM; however, this is a hardening measure that has no negative side effects, in my opinion.
cipher.NewGCMWithNonceSize docs:
Only use this function if you require compatibility with an existing cryptosystem that uses non-standard nonce lengths. All other users should use NewGCM, which is faster and more resistant to misuse.
/cc @FiloSottile
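One way for a caller to enforce the SP 800-38D lower bound itself, whatever the standard library accepts (an added example, not code from the issue or from the Go project; `newGCMChecked`, `roundTrip`, `errZeroNonce` and the sample key and message are constructed for illustration):

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var errZeroNonce = errors.New("gcm: nonce size must be >= 1 byte (SP 800-38D: 1 <= len(IV))")

// newGCMChecked (hypothetical wrapper) rejects nonce sizes below 1 before
// delegating. With an empty IV, SP 800-38D derives J0 = GHASH_H(0^128) = 0^128,
// so the tag mask E_K(J0) equals the hash subkey H = E_K(0^128).
func newGCMChecked(block cipher.Block, nonceSize int) (cipher.AEAD, error) {
	if nonceSize < 1 {
		return nil, errZeroNonce
	}
	return cipher.NewGCMWithNonceSize(block, nonceSize)
}

// roundTrip seals and opens a constructed message using a fresh random nonce.
func roundTrip(nonceSize int) (bool, error) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed sample key, not a real secret
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	aead, err := newGCMChecked(block, nonceSize)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	msg, aad := []byte("constructed sample plaintext"), []byte("header")
	pt, err := aead.Open(nil, nonce, aead.Seal(nil, nonce, msg, aad), aad)
	return err == nil && bytes.Equal(pt, msg), err
}

func main() {
	for _, n := range []int{0, -1, 12, 16} {
		ok, err := roundTrip(n)
		fmt.Printf("nonceSize=%d ok=%v err=%v\n", n, ok, err)
	}
}
```

Non-standard but valid sizes such as 16 still work through the wrapper, so compatibility with existing cryptosystems is unaffected.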