internal/cryputil: combines aead and cryptutil packages.

- Refactored encrypt / decrypt methods to use aead's NonceSize() interface method.
- Add explicit GenerateKey function.
- Remove mutex on XChaCha20.

authenticate/authenticate.go

@@ -12,7 +12,7 @@ import (
 	"github.com/pomerium/envconfig"
 
 	"github.com/pomerium/pomerium/authenticate/providers"
-	"github.com/pomerium/pomerium/internal/aead"
+	"github.com/pomerium/pomerium/internal/cryptutil"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/templates"
 )
@@ -132,7 +132,7 @@ type Authenticator struct {
 	// sesion related
 	csrfStore    sessions.CSRFStore
 	sessionStore sessions.SessionStore
-	cipher       aead.Cipher
+	cipher       cryptutil.Cipher
 
 	provider providers.Provider
 }
@@ -149,7 +149,7 @@ func NewAuthenticator(opts *Options, optionFuncs ...func(*Authenticator) error)
 	if err != nil {
 		return nil, err
 	}
-	cipher, err := aead.New([]byte(decodedAuthCodeSecret))
+	cipher, err := cryptutil.NewCipher([]byte(decodedAuthCodeSecret))
 	if err != nil {
 		return nil, err
 	}

authenticate/handlers.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/pomerium/pomerium/internal/aead"
+	"github.com/pomerium/pomerium/internal/cryptutil"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	m "github.com/pomerium/pomerium/internal/middleware"
@@ -339,7 +339,7 @@ func (p *Authenticator) SignOutPage(rw http.ResponseWriter, req *http.Request, m
 // `redirectURI`, allowing the provider to redirect back to the sso proxy after authentication.
 func (p *Authenticator) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 
-	nonce := fmt.Sprintf("%x", aead.GenerateKey())
+	nonce := fmt.Sprintf("%x", cryptutil.GenerateKey())
 	p.csrfStore.SetCSRF(rw, req, nonce)
 
 	authRedirectURL, err := url.Parse(req.URL.Query().Get("redirect_uri"))