internal/cryputil: combines aead and cryptutil packages.

- Refactored encrypt / decrypt methods to use aead's NonceSize() interface method. - Add explicit GenerateKey function. - Remove mutex on XChaCha20.
2025-05-21 21:17:13 +02:00 · 2019-01-18 11:55:04 -08:00 · 2019-01-18 11:55:04 -08:00 · 24b11b0428
commit 24b11b0428
parent 131810ccfe
11 changed files with 44 additions and 89 deletions
--- a/internal/sessions/cookie_store.go
+++ b/internal/sessions/cookie_store.go
@ -7,7 +7,7 @@ import (
 	"net/http"
 	"time"

-	"github.com/pomerium/pomerium/internal/aead"
+	"github.com/pomerium/pomerium/internal/cryptutil"
 )

 // ErrInvalidSession is an error for invalid sessions.
@ -36,14 +36,14 @@ type CookieStore struct {
 	CookieSecure       bool
 	CookieHTTPOnly     bool
 	CookieDomain       string
-	CookieCipher       aead.Cipher
+	CookieCipher       cryptutil.Cipher
 	SessionLifetimeTTL time.Duration
 }

 // CreateMiscreantCookieCipher creates a new miscreant cipher with the cookie secret
 func CreateMiscreantCookieCipher(cookieSecret []byte) func(s *CookieStore) error {
 	return func(s *CookieStore) error {
-		cipher, err := aead.New(cookieSecret)
+		cipher, err := cryptutil.NewCipher(cookieSecret)
 		if err != nil {
 			return fmt.Errorf("miscreant cookie-secret error: %s", err.Error())
 		}
--- a/internal/sessions/session_state.go
+++ b/internal/sessions/session_state.go
@ -4,7 +4,7 @@ import (
 	"errors"
 	"time"

-	"github.com/pomerium/pomerium/internal/aead"
+	"github.com/pomerium/pomerium/internal/cryptutil"
 )

 var (
@ -48,13 +48,13 @@ func isExpired(t time.Time) bool {

 // MarshalSession marshals the session state as JSON, encrypts the JSON using the
 // given cipher, and base64-encodes the result
-func MarshalSession(s *SessionState, c aead.Cipher) (string, error) {
+func MarshalSession(s *SessionState, c cryptutil.Cipher) (string, error) {
 	return c.Marshal(s)
 }

 // UnmarshalSession takes the marshaled string, base64-decodes into a byte slice, decrypts the
 // byte slice using the passed cipher, and unmarshals the resulting JSON into a session state struct
-func UnmarshalSession(value string, c aead.Cipher) (*SessionState, error) {
+func UnmarshalSession(value string, c cryptutil.Cipher) (*SessionState, error) {
 	s := &SessionState{}
 	err := c.Unmarshal(value, s)
 	if err != nil {
--- a/internal/sessions/session_state_test.go
+++ b/internal/sessions/session_state_test.go
@ -5,12 +5,12 @@ import (
 	"testing"
 	"time"

-	"github.com/pomerium/pomerium/internal/aead"
+	"github.com/pomerium/pomerium/internal/cryptutil"
 )

 func TestSessionStateSerialization(t *testing.T) {
-	secret := aead.GenerateKey()
-	c, err := aead.New([]byte(secret))
+	secret := cryptutil.GenerateKey()
+	c, err := cryptutil.NewCipher([]byte(secret))
 	if err != nil {
 		t.Fatalf("expected to be able to create cipher: %v", err)
 	}