Refactor ALTS handshake + record layer, add AES-GCM(-ReKey) support, tighten framing & timeouts

[mateeullahmalik]

Why
Performance: XChaCha20-Poly1305 is ~3× slower than AES-GCM on our hosts.

Stability: The goroutine-per-read approach sometimes leaked when peers hung the socket.

Security hardening: No guard against oversized frames → easy DoS.

Extensibility: Adding a new record cipher required touching switch statements all over.

Impact
API – No public signature changes; callers are unaffected.

Interop – New code still advertises XChaCha for older peers, but prefers AES-GCM-ReKey when both sides support it.

Perf – Local bench (go test -run=NONE -bench .) shows ≈ +40 % throughput on encryption/decryption; handshake allocs down ~1.5 KB.

Security – Oversized-frame and slow-loris attempts now fail fast.

[Copilot]

Pull Request Overview

This PR refactors the ALTS handshake and record layer to improve performance, stability, and security by adding support for AES-GCM(-ReKey) and tightening framing and timeouts.

• Change the default record protocol from XChaCha20-Poly1305ReKey to AESGCMReKey.
• Replace goroutine-based handshake message reads with synchronous calls leveraging connection deadlines.
• Introduce a thread-safe protocol registration mechanism and add new AES-GCM cipher implementations.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
pkg/net/credentials/alts/handshake/handshake.go	Updated default protocol and streamlined handshake read functions.
pkg/net/credentials/alts/conn/register.go	Added thread-safe protocol registration via mutex-protected maps.
pkg/net/credentials/alts/conn/record.go	Integrated new AES-GCM and AES-GCM-ReKey implementations with init().
pkg/net/credentials/alts/common/utils.go	Improved handshake message normalization and enforced a max frame size.

Comments suppressed due to low confidence (3)

pkg/net/credentials/alts/handshake/handshake.go:95

• The default protocol has been changed to RecordProtocolAESGCMReKey. Confirm that all components relying on the previous protocol are updated and tested for compatibility.

protocol:     RecordProtocolAESGCMReKey,

pkg/net/credentials/alts/conn/record.go:106

• The Encrypt method always initializes the nonce as a zeroed slice. Ensure that nonce uniqueness is guaranteed by the external frame layer or update the nonce generation strategy to prevent reuse.

nonce := make([]byte, r.aead.NonceSize())

pkg/net/credentials/alts/common/utils.go:77

• The maxFrameSize constant (64 KiB) is imposed on handshake messages; verify that this limit accommodates all expected handshake message sizes to avoid unintended rejections.

if handshakeLen == 0 || handshakeLen > maxFrameSize {